
RFP No. 03/UPPCL/RAPDRP-A/CSSI/2024 Dated: 23.02.2024

Request for Proposal

for Selection of Cyber Security System Integrator for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo.

Cost of Bid Document: INR 11,800 (Inclusive of GST @ 18%) (Non-refundable)


Earnest Money Deposit (EMD): 60.00 Lacs (Refundable)

Superintending Engineer IT-III


RAPDRP-A/IT UPPCL
5th Floor, Shakti Bhawan Extension, 14-Ashok Marg, Lucknow-226001
Phone No. 0522-4300615
E-mail: se.it3@uppcl.org

Page 1 of 97
Notice Inviting Tender (NIT)
RFP No. 03/UPPCL/RAPDRP-A/CSSI/2024 Dated: 23.02.2024
E-tenders are invited in two parts (Part-I Technical and Part II Financial) for Selection of Cyber Security
System Integrator for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo. Bid
document (RFP) is available online on https://etender.up.nic.in as per particulars indicated below. Any
changes in the Bid Schedule, corrigendum etc. shall also be notified via same website. Prospective bidders are
therefore requested to regularly check the website for any updates.
S.N. | Particulars | Details
1 | e-Tendering Notice no. | 03/UPPCL/RAPDRP-A/CSSI/2024
2 | e-Bid Portal | https://etender.up.nic.in
3 | Name of Work | Selection of Cyber Security System Integrator for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo
4 | Tender Cost | Rs. 11,800 (Inclusive of GST @ 18%) (Non-refundable)
5 | Earnest Money Deposit (EMD) | Rs. 60,00,000.00 (Rs. Sixty Lacs) (Refundable)
6 | Document sale start date | 11.09.2024 1000 Hrs onwards
7 | e-Bid submission start date | 11.09.2024 1000 Hrs onwards
8 | Pre-Bid Meeting* | 21.09.2024 1200 Hrs at Shakti Bhawan Lucknow
9 | Document sale end date/time | 30.09.2024 1700 Hrs
10 | e-Bid submission end date/time | 30.09.2024 1700 Hrs
11 | Opening date of e-bid part-I | 01.10.2024 1400 Hrs
12 | Opening date of e-bid part-II | To be notified later
Bids are invited from competent firms, accompanied with the prescribed Earnest Money Deposit and Tender fee drawn in favor of the following account:
Bank Name: State Bank of India
Branch Name and Address: 14, Ashok Marg, Hazratganj, Lucknow
Account No: 10101987510
Account Name: UPPCL ELY KEND BHU PRA EXP A/C
IFSC Code: SBIN0003347
Unit Name: ACCOUNTS OFFICER, CENTRAL PAYMENT CELL, UPPCL
Note: Bids shall be accepted only through the e-tender portal. The tender issuing authority is not responsible for any delay in downloading the tender document by the recipient due to any problem in accessing the e-tender website, nor for any delay in uploading bids due to any problem in the e-tender website.
Further details are available at website: https://etender.up.nic.in
UPPCL reserves the right to reject any or all proposals or cancel the bid without assigning any reason thereof.

Superintending Engineer(IT)-III,
RAPDRP-A/IT,U.P. Power Corporation Ltd, 5th Floor,
Shakti Bhawan Extension,14 Ashok Marg,Lucknow – 226001
Email: se.it3@uppcl.org

Sections of RFP

S. No. | Section | Content
1. | Section 1 | Introduction
2. | Section 2 | Eligibility Criteria
3. | Section 3 | Scope of Work
4. | Section 4 | Technical Compliance
5. | Section 5 | Instructions to Bidder
6. | Section 6 | Bid Forms (Part-1) Technical
7. | Section 7 | Form 12: Letter for Submission of Financial Bid

Section-1
Introduction

About UPPCL
1. Uttar Pradesh Power Corporation Ltd. (UPPCL) was created on January 14, 2000 as a result of power sector reforms and restructuring in UP (India). It is the focal point of the state's Power Sector, responsible for planning and managing the sector through its transmission, distribution and supply of electricity.

Uttar Pradesh Power Corporation Ltd. (UPPCL) will be professionally managed utility
supplying reliable and cost-efficient electricity to every citizen of the state through highly
motivated employees and state of art technologies, providing an economic return to our owners
and maintaining leadership in the country.

2. Uttar Pradesh Power Corporation Limited (UPPCL) is divided into the following Power Companies:
i. Poorvanchal Vidyut Vitran Nigam Limited (PuVVNL),
ii. Madhyanchal Vidyut Vitran Nigam Limited (MVVNL),
iii. Dakshinanchal Vidyut Vitran Nigam Limited (DVVNL),
iv. Paschimanchal Vidyut Vitran Nigam Limited (PVVNL),
v. Kanpur Electricity Supply Company (KESCO)
vi. Uttar Pradesh Power Transmission Corporation Limited (UPPTCL)
vii. Uttar Pradesh State Load Dispatch Center (UPSLDC)

Each of these companies will be responsible for the efficient management and distribution of power
within their respective geographical areas, ensuring a more focused and customer-centric approach.

Objective
UPPCL has implemented many online systems to serve its consumers and employees and is making continuous efforts to make these systems more robust and efficient. A reliable IT system requires a secure system, and with the day-to-day advancement of technology a secure IT system becomes the first priority; strengthening the security of the system therefore means enhancing its security controls.
In view of the growing use of IT and the evolving threat environment, UPPCL has decided to enhance its current security landscape by integrating the existing tools (Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Network Intrusion Prevention System, Host Based Intrusion Prevention System, Next Generation Firewall - DC, DR, Network Behavior Analysis, Malware Analytics, Data Traffic Flow Analyzer, Secure Workload) and by integrating a new set of cyber security tools such as Unified End Point Management (UEM), End point Detection and Response (EDR), Secure Service Edge (SSE), Privileged Access Management (PAM) for hybrid infrastructure and end-points, Database Activity Monitoring (DAM) and Anti-Distributed Denial of Service (Anti-DDoS), for better security monitoring and response capabilities.

UPPCL has decided to invite bids from System Integrators (SIs) for the design, implementation and integration of the security solutions mentioned in this document, to provide a comprehensive cyber security posture for PuVVNL, MVVNL, DVVNL, PVVNL and KESCo. The selected Bidder will be responsible for implementing the security tools asked for in this RFP (as per the details mentioned in the Bill of Quantity (BoQ)) and for integrating them with the existing security systems and SIEM.

Section – 2
Eligibility Criteria

2.1 Eligibility Criteria


Please note that Bidders should submit all documents confirming the qualification as per the Eligibility
Criteria mentioned in this section as part of Technical Bid. The bid is liable to be rejected without
submission of relevant documents.

2.2 – General Conditions of the Eligibility


Detailed pre-qualification criteria are given in the section below.
1. Bid can be submitted by Bidder as an individual entity. No consortium allowed.
2. Bidders shall continue to maintain compliance with the Eligibility and Qualification Requirements
specified herein. Failure to comply with the below requirements shall make the Bid from such
Bidders liable for rejection at any stage of the bidding process.

2.2.1 Minimum Eligibility Requirements-


The technical and financial requirements of qualification of the Cyber Security System Integrator (CSSI) (Bidder) and the respective Original Equipment Manufacturers (OEMs) of Security Tools are as follows (each item gives the Requirement followed by the Supporting Documents):

1. GENERAL – CSSI (Bidder)

1.1 The Bidder should be a company registered under the provisions of the Indian Companies Act, 1956 / 2013 or the Limited Liability Partnerships Act, 2008 or by an act of parliament or by the central or state legislature.
    Supporting Documents: i. Certificate of incorporation / ii. GST Registration / iii. Certificate of commencement of business (if applicable)

1.2 The Bidder should have at least a valid CMMi level 3 certificate.
    Supporting Documents: Copy of certification from the authorized certification body, valid as on the date of opening of the bid.

1.3 The Bidder should be an authorized system integrator / implementation partner of the OEMs of the following listed Product(s) for sale, support, and services:
    1. UEM (Unified End point Management)
    2. Endpoint Detection and Response (EDR)
    3. Secure Access Service Edge (SSE)
    4. PAM (Privileged Access Management)
    5. Anti-DDoS (Anti-Distributed Denial of Service)
    6. DAM (Database Activity Monitoring)
    Supporting Documents: Manufacturer's Authorization Form / Letter from OEM of offered OEM Product(s)

1.4 The Bidder should not be blacklisted or debarred by any govt. organization or public sector organization as on the date of opening of the bid.
    Supporting Documents: The Bidder shall submit a self-declaration from the Company Secretary.

1.5 The Bidder must have at least more than 200 full-time resources on their rolls for IT implementation services, out of which 20 professionals should be from Cyber Security related implementation works with certifications from any or a combination of the following:
    1 CISSP
    2 CISM
    3 CISA
    4 COMPTIA Security A+
    5 CEH
    Supporting Documents: Copy of Self-declaration Certificate from the Company Secretary.

2. Minimum Eligibility Criteria Financial (Bidder)

2.1 The Bidder should have a minimum average annual turnover (MAAT) of Rs. 60 Crores during the last three financial years (FY 2021-22, 2022-23 and 2023-24). Turnover of the Group of Companies will not be considered.
    Supporting Documents: Audited Balance Sheet of the last 3 financial years (FY 2020-21, 2021-22 and 2022-23) needs to be enclosed, and Certificate from the Chartered Accountant.

2.2 Net worth of the bidder should be positive. Net worth means the sum total of the paid up capital and free reserves (excluding reserves created after revaluation) reduced by the aggregate value of accumulated losses (including debit balance in profit and loss account in the current year) and intangible assets.
    Supporting Documents: Copy of Annual Audited Financial Statements certified by Chartered Accountant for FY 2020-21, 2021-22 and 2022-23 (supporting documents should be submitted).

3. CREDENTIALS AND EXPERIENCE (Bidder)

3.1 The Bidder should have implemented either of the following Turnkey IT System Integration works with security products, including supply of Hardware, Software and Licenses along with installation, configuration, customization and implementation, as well as providing operation and management services and System Operation services, during the last 5 years (FY 2019-20, 2020-21, 2021-22, 2022-23 and 2023-24), worth:
    i. One Project costing not less than the amount equal to INR 48 Cr.; Or,
    ii. Two projects each costing not less than the amount equal to INR 30 Cr.; Or,
    iii. Three projects each costing not less than the amount equal to INR 24 Cr.
    Supporting Documents: Necessary Purchase order / LOI / Contract / Certification on client letterhead / Completion certificate from customer / certification for project being operational as on date of Bid, as proof of services provided. In case of ongoing projects, proof of partial delivery amounting to the qualification criteria, with partial delivery/installation certificate from the customer, should be submitted.

3.2 The Bidder should have successfully implemented IT System Integration Projects in India in the last 5 years (FY 2019-20, 2020-21, 2021-22, 2022-23 and 2023-24) with at least any three (3) of the following listed technologies (combined or separate projects), and must have implemented at least any two (2) of the following listed technologies in a Central/State Government/ PSUs/ BFSI Sector (only BSE/NSE listed companies)/ Public Sector Banks:
    1. UEM (Unified Endpoint Management)
    2. Endpoint Detection and Response (EDR)
    3. Security Service Edge (SSE)
    4. PAM (Privileged Access Management)
    5. Anti-DDOS (Distributed Denial of Service)
    6. DAM (Database Activity Monitoring)
    Projects should be successfully completed (i.e. Go-Live achieved).
    For the tools in which the bidder does not have implementation experience, the bidder shall submit an OEM undertaking mentioning that:
    1. OEM shall implement the tool as per the scope of work of the RFP.
    2. After go-live, OEM shall provide support to the bidder for the entire tenure of the contract.
    Supporting Documents: For Completed Projects: Bidders must provide the necessary Purchase order / LOI / Contract Agreement. Further, the Bidder must provide the successful completion certificate from the client. Successful completion shall include at least one year of FMS after Go-Live. For On-going Projects: Bidders must provide the necessary Purchase order / LOI / Contract Agreement. Further, the Bidder must provide a letter from the client explicitly mentioning that the project has successfully achieved full or partial Go-Live status.
4. The technical requirements of qualification of the UNIFIED ENDPOINT MANAGEMENT (UEM) OEM are as follows:

4.1 The offered UEM OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

4.2 The offered UEM OEM must be listed in the Leadership or Challenger Quadrant in the latest Gartner Report or in the Leaders or Strong Performers quadrant in the latest Forrester Wave Reports.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

4.3 The offered UEM OEM product should have been successfully implemented in at least 3 (three) UEM Projects in India in the last 5 years with at least 2000 Endpoints in each project. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI with not less than 5000 end points.
    Supporting Documents: OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

4.4 The offered UEM OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the UEM OEM.

4.5 The offered UEM OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: UEM OEM Self-Declaration from the authorized legal signatory on signed letter head.

4.6 The offered UEM OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

4.7 The UEM OEM will ensure that all data collected or processed under this contract is stored and managed within India only. Any transfer outside India jurisdiction requires explicit consent. Non-compliance may result in contract termination.
    Supporting Documents: UEM OEM Self-Declaration from the authorized legal signatory on signed letter head.
5. The technical requirements of qualification of the Endpoint Detection and Response (EDR) OEM are as follows:

5.1 The offered EDR OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

5.2 The offered EDR OEM must be listed in the Leadership or Challenger Quadrant in the latest Gartner Report or in the Leaders or Strong Performers quadrant in the latest Forrester Wave Reports.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

5.3 The offered EDR OEM product should have been successfully implemented in at least 3 (three) EDR Projects in India in the last 5 years with at least 2000 Endpoints in each project. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI with not less than 5000 end points.
    Supporting Documents: EDR OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

5.4 The offered EDR OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the EDR OEM.

5.5 The offered EDR OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: EDR OEM Self-Declaration from the authorized legal signatory on signed letter head.

5.6 The offered EDR OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

5.7 The EDR OEM will ensure that all data collected or processed under this contract is stored and managed within India only. Any transfer outside India jurisdiction requires explicit consent. Non-compliance may result in contract termination.
    Supporting Documents: EDR OEM Self-Declaration from the authorized legal signatory on signed letter head.
6. The technical and financial requirements of qualification of the Security Service Edge (SSE) OEM are as follows:

6.1 The offered SSE OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

6.2 The offered SSE OEM must be listed in the Leadership or Challenger Quadrant in the latest Gartner Report or in the Leaders or Strong Performers quadrant in the Forrester Wave Reports.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

6.3 The offered SSE OEM product should have been successfully implemented in at least 3 (three) SSE Projects in India in the last 5 years with at least 2000 Endpoints in each project. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI with not less than 5000 end points.
    Supporting Documents: OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

6.4 The offered SSE OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the SSE OEM.

6.5 The offered SSE OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: SSE OEM Self-Declaration from the authorized legal signatory on signed letter head.

6.6 The offered SSE OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

6.7 The SSE OEM cloud dataplane / datacenter location must be within India, and no end-user transaction processing should move out of the country for any inspection.
    Supporting Documents: SSE OEM Self-Declaration from the authorized legal signatory on signed letter head.

7. The technical and financial requirements of qualification of the Privileged Access Management (PAM) OEM are as follows:

7.1 The offered PAM OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

7.2 The offered PAM OEM must be in the Leadership or Challengers quadrant of the latest Gartner Magic Quadrant or in the Leaders or Strong Performers in the Forrester Wave Reports.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

7.3 The offered PAM OEM product should have been successfully implemented in at least 3 (three) PAM Projects in India in the last 5 years with at least 2000 Endpoints in each project. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI with not less than 5000 end points.
    Supporting Documents: OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

7.4 The offered PAM OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the PAM OEM.

7.5 The offered PAM OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: PAM OEM Self-Declaration from the authorized legal signatory on signed letter head.

7.6 The offered PAM OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

7.7 The offered PIM/PAM OEM Solution must be certified for Common Criteria Certificate EAL 2+.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

7.8 The offered PAM OEM should have a SOC2 certification.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

7.9 The PAM OEM will ensure that all data collected or processed under this contract is stored and managed within India only. Any transfer outside India jurisdiction requires explicit consent. Non-compliance may result in contract termination.
    Supporting Documents: PAM OEM Self-Declaration from the authorized legal signatory on signed letter head.

8. The technical and financial requirements of qualification of the Anti-Distributed Denial of Service (DDOS) OEM are as follows:

8.1 The offered Anti-DDOS OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

8.2 The offered Anti-DDOS OEM product should have been successfully implemented in at least 3 (three) Anti-DDOS Projects in India in the last 5 years. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI.
    Supporting Documents: OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

8.3 The offered Anti-DDOS OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the DDOS OEM.

8.4 The offered Anti-DDOS OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: DDOS OEM Self-Declaration from the authorized legal signatory on signed letter head.

8.5 The offered Anti-DDOS OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

8.6 The Anti-DDoS OEM will ensure that all data collected or processed under this contract is stored and managed within India only. Any transfer outside India jurisdiction requires explicit consent. Non-compliance may result in contract termination.
    Supporting Documents: Anti-DDoS OEM Self-Declaration from the authorized legal signatory on signed letter head.

8.7 The offered Anti-DDoS OEM must be among the Leaders or Strong Performers in the latest Forrester Wave reports or among the Leaders or Major Players in the latest IDC report.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.
9. The technical and financial requirements of qualification of the Database Activity Monitoring (DAM) OEM are as follows:

9.1 The offered DAM OEM should have presence in India for at least a period of 3 years and have a registered office, sales and support in place.
    Supporting Documents: Confirmation of the same on Company letter head, duly signed by the authorized signatory.

9.2 The offered DAM OEM must be in the Leadership or Challenger section in the latest KuppingerCole Leadership Compass for Data Security. No Gartner report is available, since Gartner does not evaluate DAM tools.
    Supporting Documents: Supporting documents by the OEM should be submitted by the bidder.

9.3 The offered DAM OEM product should have been successfully implemented in at least three (3) DAM Projects in India in the last 5 years with at least 50 Database Servers. Out of the three (3) projects, at least One (1) project must have been implemented in a Central / State PSU/ Government Organization/Public Sector Bank/Public Listed Companies/BFSI with not less than 50 database servers.
    Supporting Documents: OEM must provide the necessary Purchase order / LOI / Contract Agreement. Further, OEM must provide a letter from the client explicitly mentioning that the offered product has been successfully implemented.

9.4 The offered DAM OEM should have Service Level Agreement (SLA) based support for offered products & related issues, with a first level support point in India, which should be available on a 24x7x365 basis. The Technical Assistance Centers (TAC) / Support Centre based in India should offer post-sales support including Tele-Support for the offered products & related issues.
    Supporting Documents: Details with address of Support Centers / TAC India, along with Self Certification by the authorized signatory of the UEM OEM.

9.5 The offered DAM OEM must comply with the Technical Specifications listed in the scope of this RFP (Section-3 and Section-4), and these should be available from day 1.
    Supporting Documents: DAM OEM Self-Declaration from the authorized legal signatory on signed letter head.

9.6 The offered DAM OEM should not be debarred and / or blacklisted by any organizations of Govt. of India/State Government/PSU/Public Sector Banks as on the last date of bid submission.
    Supporting Documents: OEM Self-Declaration from the authorized signatory on signed letter head.

9.7 The DAM OEM will ensure that all data collected or processed under this contract is stored and managed within India only. Any transfer outside India jurisdiction requires explicit consent. Non-compliance may result in contract termination.
    Supporting Documents: DAM OEM Self-Declaration from the authorized legal signatory on signed letter head.

2.2.2 Technical Evaluation Criteria

Each item below gives the Requirement, its Maximum Marks and the Scoring.

1. The Bidder must have 50 cyber security certified resources on its payroll holding any of the following certifications: CISSP/ CISM/ CISA/ COMPTIA Security A+/CEH.
   Maximum Marks: 15
   Scoring:
   i. 20 <= Certified Resources <= 30: 5 Marks
   ii. 30 < Certified Resources <= 40: 10 Marks
   iii. 40 < Certified Resources: 15 Marks

2. The Bidder should have successfully implemented IT System Integration Projects in India in the last 5 years (FY 2019-20, 2020-21, 2021-22, 2022-23 and 2023-24) with at least any three (3) of the following listed technologies (combined or separate projects):
   i. UEM (Unified Endpoint Management)
   ii. Endpoint Detection and Response (EDR)
   iii. Secure Access Service Edge
   iv. PAM (Privileged Access Management)
   v. DDoS (Distributed Denial of Service)
   vi. DAM (Database Activity Monitoring)
   Maximum Marks: 40
   Scoring:
   listed technologies = 3: 20 Marks
   3 < listed technologies <= 5: 30 Marks
   listed technologies > 5: 40 Marks

3. The Bidder should have implemented and maintained licenses for more than 2000 end-points in any Central/State PSU/Government Organization/ Public Sector Banks /BFSI /Listed Companies for any three (3) of the following technologies:
   1. UEM (Unified End point Management)
   2. Endpoint Detection and Response (EDR)
   3. Secure Access Service Edge
   4. PAM (Privileged Access Management)
   5. DDoS (Distributed Denial of Service)
   6. DAM (Database Activity Monitoring)
   Maximum Marks: 10
   Scoring:
   i. 2000 <= end-points <= 5000: 2.5 Marks
   ii. 5000 < end-points <= 10000: 5 Marks
   iii. 10000 < end-points: 10 Marks

4. Technical Presentation by the bidder:
   i. Requirement Analysis along with Understanding of challenges
   ii. Detailed security tools integration process. Steps must only address the following:
       a. Security Architecture
       b. Integration with existing IT Ecosystem
   iii. Detailed risk assessment report with a mitigation plan on how this implementation protects against internal and external security threats
   iv. Understanding of Cyber Security in Power Distribution Sector
   Maximum Marks: 35
   Scoring:
   i. Requirement Analysis along with Understanding of challenges: 5 Marks
   ii. Detailed security tools integration process (Security Architecture; Integration with existing IT Ecosystem): 15 Marks
   iii. Detailed risk assessment report with a mitigation plan on how this implementation protects against internal and external security threats: 10 Marks
   iv. Understanding of Cyber Security in Power Distribution Sector: 5 Marks

Total: 100 Marks. Minimum Qualifying: 75

Note:
a. Bidder(s) shall upload an undertaking certifying that all the information, documents and CVs
furnished along with the Bid are true and correct, and Bidder(s) shall be fully responsible for the
correctness of the information, documents and CVs submitted.
b. If the requisite documents are not furnished along with the bid, the bid will be considered
non-responsive and may be summarily rejected.
c. The minimum qualifying marks in this Section 2.2.2 “Technical evaluation criteria” is 75.
d. The bidders who will qualify in Section 2.2.1 “Minimum Eligibility Requirements” will be evaluated
further for Section 2.2.2 “Technical evaluation criteria”.
e. Price bid of only those bidders, who will be having technical score in Section 2.2.2 “Technical
evaluation criteria” at least 75, will be opened and evaluated further.

Section 3
Scope of Work
3.1 Current Setup-
1. UPPCL and its Discoms have the following IT Systems in place to provide various services to their
consumers, vendors and employees:
S. No. | Application | System Implementation Agency | OEM | Hosted at
1 | ERP - Finance, HR, MM, Projects | Accenture | SAP | DC Lucknow / DR Noida
2 | UPPCL GIS System (RAPDRP+IPDS) | Ceinsys Tech Ltd | ESRI | Azure Cloud
3 | UIDAM - Unified Identity and Access Management System | GenX Info | Oracle | Oracle Cloud
4 | Smart Meter MDM/HES system | EESL / LNT | Oracle | Oracle Cloud
5 | Govt. Verified Bill / Payment System | Omninet Tech / Genx Technologies | .Net Technology | Azure Cloud
6 | CM Dashboard | Omninet Tech / NIC | .Net Technology | Azure Cloud
7 | Jhatpat Connection Portal | Infinite Technologies | .Net Technology | Azure Cloud
8 | Nivesh Mitra Portal (Udyog Bandhu) | Infinite Technologies | .Net Technology | Azure Cloud
9 | Private Tube Well Connection Portal | Omninet Tech | .Net Technology | Azure Cloud
10 | Closed Loop UPPCL e-Wallet System (for bill fetch and payments) | GenX Info Technologies | Java | Azure Cloud
11 | Integration of Billing App (to be developed by the RMS System Integrator) with UPPCL Wallet system to enable payments by meter readers | GenX Info Technologies | Java | Azure Cloud
12 | Payment Reconciliation System (Multi-source Transaction/Instrument Reconciliation System built on SAS analytics) | GenX Info Technologies | SAS / Java | Azure Cloud
13 | Raid Management Portal | Magnus Solution | .Net Technology | Azure Cloud
14 | Feeder Monitoring - Modem and System | Radius Synergies | .Net Technology | Azure Cloud
15 | RTDAS | GE India | Java | DC Lucknow / DR Noida
16 | DT Monitoring - Modem and System | BC-ITS | Java | DC Lucknow / DR Noida
17 | 1912 Customer Care System - distributed in 5 Discoms | Sify Technologies | Cisco | 5 Discoms
18 | Payment Gateway | Indiaideas.com (Billdesk) | Java | Mumbai
19 | Banking Systems / Kiosks / ATM / POS Machine | Onboard Banks - Various | Java and .Net technologies | At various locations
20 | SMS Gateway | Karix | Java | Noida
21 | Prepaid Meters system | Secure / Genus / Radius / Capital DS-DR/STS Meters | Java and .Net technologies | At various locations
22 | AADHAR (UIDAI) system | In approval | Java and .Net technologies | New Delhi
23 | GOI and UP state Govt APPs/Portals | NIC and others | Java and .Net technologies | At various locations
24 | Samvida Karmi Portal | Business Innovation | Java and .Net technologies | Azure Cloud
25 | WhatsApp API and Chatbot | Sinch | Java and .Net technologies | Noida
26 | Unified Revenue Management System | Infinite Technologies | Oracle | Oracle Cloud Mumbai
27 | Kesco Online Billing System (Kanpur) | Fluentgrid | m-Power | To be migrated into the new RMS system
28 | Website of 5 Discoms | Various Agencies | Java and .Net technologies | At various locations
29 | Advocate Recruitment Portal | Internal Development Team | .Net Technology | Azure Cloud
30 | Bijli Mitra Portal | Internal Development Team | .Net Technology | Azure Cloud
31 | Director Recruitment Portal | Internal Development Team | .Net Technology | Azure Cloud
32 | Inhouse CS3/CS4, E-sampark Portal | Internal Development Team | .Net Technology | Azure Cloud
33 | Disciplinary Proceeding Portal | Omninet Tech | .Net Technology | Azure Cloud
34 | Energy Accounting Portal | Omninet Tech | .Net Technology | Azure Cloud
35 | Verified Bill Portal | Omninet Tech | .Net Technology | Azure Cloud
36 | UPPCL Website | Omninet Tech | .Net Technology | Azure Cloud
37 | IGRS Portal | Omninet Tech | .Net Technology | Azure Cloud
38 | Library Management Portal | Internal Development Team | .Net Technology | Azure Cloud
39 | Office Order Portal | Omninet Tech | .Net Technology | Azure Cloud
40 | Advance Metering Infrastructure Service Providers | Various Agencies | Different Technologies - yet to be implemented | 

2. The above system applications are being used by all Discoms viz. 1- PuVVNL, 2- MVVNL, 3-
DVVNL, 4- PVVNL and 5- KESCo.
3. These applications and systems are designed to serve more than 3.4 Crore consumers and 32
thousand employees across all Discoms.
4. A few systems are used by individual Discoms for their specific requirements, as below:

Sr. No. | UPPCL/Discom Name | Software System | Agency Name
1 | UPPCL (Finance Unit) | i. GST Suvidha Provider | M/s Pinacle
2 | UPPCL (PMC) | ii. Power Portfolio Management | M/s Mercados EMI
3 | PuVVNL | PuVVNL Website | M/s UPDESCO
4 | MVVNL | i. MULTIPOINT | M/s Radius
5 | MVVNL | ii. MVVNL Website | M/s UPDESCO
6 | DVVNL | DVVNL Website | M/s Inventive
7 | PVVNL | i. MULTIPOINT | M/s Radius
8 | PVVNL | ii. PVVNL Website | M/s Solarman
9 | PVVNL | iii. Semi SCADA | M/s Radius
10 | KESCo | Offer for Engagement of Agency for Design, Development and Hosting of Real Time Billing Software/Mobile App for Meter Reading, Payment Collection, Dash Board for Monitoring of Billing Activity with complete operation & maintenance for three years in KESCo | M/s Pragyaware Pvt. Ltd.
11 | KESCo | Operation and maintenance of online Billing Application (Mpower) including implementation of new required modules with Annual Technical Support (ATS) for four years (approx. 5.9 lac consumers) | M/s Fluentgrid Ltd
12 | KESCo | Supply of IT Hardware and software with Installation, Testing, Commissioning, Data Migration & 3 Years ATS Services of Secure Meter AMR Application in KESCo | M/s Axis Infoline Pvt Ltd.
13 | KESCo | Work of Data Recovery Server on online basis with Hardware, Software & Service Support | M/s ACME Digital Solutions Pvt. Ltd
14 | KESCo | Design, development and operation of Revenue Management Application | M/s Infinite Computer Solution India Ltd.
15 | KESCo | Facilitating the cloud based server and Environment | M/s Navyal Softech Solution Pvt. Ltd
16 | KESCo | Cyber Security | M/s Vitologic Infra Pvt. Ltd.
17 | KESCo | Real Time Modem | M/s GEO Space Maping Solutions
18 | KESCo | SD WAN Connectivity | M/s Webel Technology
5. Integration of Systems: there are integrations among the above-mentioned IT systems as well as with
external systems such as online payment gateway aggregators, GST, Multipoint, Prepaid Meters and
Smart Meters. Integrations will further increase after smart meter implementation under AMISP.
6. There are field offices, Discom headquarters and the UPPCL headquarters from which employees
access the applications listed above:
Quantity of Field Offices

Discom | Headquarters | Zone | Circle | Distribution Division | SDO | Test Division | Total
Dakshinanchal Vidyut Vitran Nigam Ltd (DVVNL) | Agra | 6 | 28 | 77 | 190 | 23 | 324
Madhyanchal Vidyut Vitran Nigam Ltd (MVVNL) | Lucknow | 6 | 29 | 105 | 317 | 30 | 487
Purvanchal Vidyut Vitran Nigam Ltd (PuVVNL) | Varanasi | 6 | 30 | 96 | 194 | 22 | 348
Paschimanchal Vidyut Vitran Nigam Ltd (PVVNL) | Meerut | 6 | 29 | 95 | 211 | 29 | 370
Kanpur Electricity Supply Company (KESCo) | Kanpur | 1 | 4 | 20 | 45 | 4 | 74
Uttar Pradesh Power Corporation Ltd (UPPCL) | Lucknow | NA | NA | NA | NA | NA | 100
Sub Total (A) | | 25 | 120 | 393 | 957 | 108 | 1703

7. The above locations are connected through MPLS connectivity at approximately 4000 locations and
approximately 17000 end point devices (computer systems, router, switch etc.) are connected.
8. Presently the following cyber security tools are implemented with the SAP-ERP solution stack:
S. No. | Security Tool | Quantity | Throughput / Licensed Quantity | OEM
1 | Data Traffic Flow Analyzer | 2 | NA, Unlimited Flow License | Cisco
2 | Network Intrusion Prevention System | 4 | 53 Gbps, 30 million concurrent sessions | Cisco
3 | Next Generation Firewall - DC, DR | 4 | 53 Gbps, 30 million concurrent sessions | Cisco
4 | Host Based Intrusion Prevention System | 4 | 53 Gbps, 30 million concurrent sessions | Cisco
5 | Secure Workload | 1 | 100 VMs | Cisco
6 | Network Behavior Analysis | 2 | NA, Unlimited Flow License | Cisco
7 | Malware Analytics | 2 | 1000 | Cisco
8 | Security Information and Event Management (SIEM) | 2 | 10000 EPS | IBM QRadar
9 | Security Orchestration, Automation, and Response (SOAR) | 2 | Unlimited Users | IBM Resilient
9. Requirements:
9.1. Integration of existing tools with the complete IT ecosystem: the cyber security tools listed in
point 8 are currently integrated only with the ERP solution stack hosted in Data Center Lucknow.
9.2. The existing tools, i.e. Security Information and Event Management (SIEM), Security Orchestration,
Automation, and Response (SOAR), Network Intrusion Prevention System (NIPS), Host Based
Intrusion Prevention System (HIPS), Next Generation Firewall (DC, DR), Network Behavior
Analysis, Malware Analytics, Data Traffic Flow Analyzer and Secure Workload, need to be integrated
with all traffic/applications/systems of Data Center Lucknow, Disaster Recovery Center Noida,
Oracle Cloud and Azure Cloud infrastructure.
9.3. These tools have to be integrated with the complete IT ecosystem of UPPCL/Discoms, as
summarized in points 1 and 4.
10. Endpoint Security and other advanced security systems (New Procurement and Implementation):
The following tools also need to be procured and integrated with the complete IT ecosystem of UPPCL
/Discoms:
S. No. | Particulars
Part-A: Components
A.1 | Unified Endpoint Management (UEM)
A.2 | Endpoint Detection and Response (EDR)
A.3 | Secure Access Service Edge (SSE)
A.4 | Privileged Access Management
A.5 | Database Security (DAM)
A.6 | Anti-DDoS Solution
Part-B: Project Implementation Services
B.1 | One-time Implementation and Integration Services
B.2 | AMC/Support, Operations and Maintenance Services for 5 years
11. Main Activities:
The scope of the bidder primarily consists of the following areas:
1. Supply, installation and integration of the new security solutions mentioned in this RFP.
2. Design, develop and deploy the complete cyber security system of UPPCL and Discoms using these tools.
3. Coordinate with the UPPCL Cyber Security Operation Center team and comply with its requirements.
4. The bidder is required to work with the existing System Integrator(s) of UPPCL to integrate the
security solutions with existing solutions/platforms, server and storage environment, enterprise
network, existing ISP, security solutions, ticketing tools etc.
5. The bidder will work with the existing IT vendors to integrate all the new cyber security solutions in this
RFP.
6. AMC/ATS is required for a period of 5 years and must be with the OEM(s) on a back-to-back basis.
7. All system and access logs and related data will be retained for the entire duration of the contract
and shall be handed over to UPPCL when the contract ends.

12. Integration with Existing Tools:
i. The CSSI will integrate the existing security solutions (mentioned at point 8), which are currently
integrated only with the ERP system of UPPCL, with the complete IT systems and infrastructure of UPPCL
mentioned at points 1 and 9.
ii. Through this integration it will be ensured that all events are captured in the SIEM and are mitigated
using SOAR and the other security solutions.
iii. The CSSI will integrate with the CSOC's Security Management Dashboard.
iv. The CSSI will integrate the tools with all applications in such a manner that if someone logs in
to a departmental application from a system on which the tools (UEM/EDR/SSE/PAM) are not installed,
a pop-up (prompt) will force the user to install the missing tool.
v. The CSSI will coordinate with the UPPCL Cyber Security Operation Center (CSOC) and will act on
the inputs provided by the CSOC team and tools (Security Management Dashboard). The CSSI will
assist the IT system vendors in patching the vulnerabilities identified by the CSOC and its tools.

13. New Tools:
13.1 The following tools will be provided by the CSSI as per the technical specifications in
Section 4 of this RFP, for the quantities below:
1. UEM (Unified Endpoint Management) for 17000 users.
2. EDR (Endpoint Detection & Response) for 17000 users.
3. Secure Access Service Edge (SSE) for 17000 users.
4. PAM (Privileged Access Management) for 100 admin users, 600 server devices, 400 network
devices and two public cloud tenants, viz. Azure and Oracle Cloud.
5. DAM (Database Activity Monitoring) for 10 database instances.
6. Anti-DDoS Solution: 4 Nos for Data Center and Disaster Recovery Center (2 each, for high
availability) and Oracle and Azure Cloud (approximately 50 applications).
13.2 Bidders need to propose the hardware sizing for the above tools. All servers/compute/storage etc.
will be provided by the bidder (on cloud or on premise). Any other requirement, such as operating
system or database licences, must be factored into the bidder's commercials.
13.3 The bidder will own the responsibility of AMC of the system as per the defined SLAs. Appliances/
hardware proposed by the bidder should be rack mountable at DC/DR, if applicable. The bidder should
ensure that no newly supplied equipment is declared End of Sale within 60 months of the date of delivery
or EOSL within the contract period. The software supplied must be the latest version from the OEM.
Beta versions of any software shall not be accepted.
13.4 In case of a cloud based solution, the cloud data plane/data center location must be within India,
and no end-user transaction processing should move out of the country for any inspection. Non-
compliance may be treated as a breach and lead to contract termination.
13.5 These tools must be integrated with the existing UPPCL security solutions mentioned at point 8 so
that UPPCL has a centralized view of the overall security posture and any
threats/vulnerabilities can be mitigated.
i. The CSSI will integrate the new tools with the CSOC's Security Management Dashboard.
ii. The bidder shall impart training to UPPCL-identified officials/agency, at a location suggested
by UPPCL, covering the following areas:
I. Deployed solution architecture and flow
II. Functionalities and configuration.
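Points 12.ii and 13.5 require every event from the new tools to land in the existing IBM QRadar SIEM. Where a tool has no native QRadar connector, one concrete way to meet this is to emit its alerts as LEEF 1.0 records over syslog, the format QRadar's generic LEEF log source parses. The block below is an added example written for this section, not code from the RFP or from any OEM. The collector address, the vendor/product/event names and the sample alert are assumptions or constructed data; the attribute keys (devTime, src, usrName, sev, cat, resource, msg) are QRadar's predefined LEEF names so the SIEM can map them onto its normalized event fields without custom parsing. The parser is included so the emitted record can be validated before it is pointed at the collector.

```python
"""Forward an alert from a new tool to the existing IBM QRadar SIEM as a
LEEF 1.0 record over syslog.

Added example; not code from the RFP or any OEM. Assumes the EDR/PAM/DAM
console can hand us one dict per alert and that a QRadar event collector
(hypothetical address below) has a LEEF log source configured.
"""
import socket
from datetime import datetime, timezone

SIEM_HOST = "10.0.0.10"   # hypothetical QRadar event collector address
SIEM_PORT = 514           # syslog


def _escape(value):
    # LEEF 1.0 separates attributes with TAB, so a tab or newline inside a
    # value would split the record; collapse them to spaces.
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def build_leef(vendor, product, version, event_id, attrs):
    """Return a LEEF 1.0 record: pipe-separated header, TAB-separated key=value attributes."""
    for field_value in (vendor, product, version, event_id):
        if "|" in str(field_value):
            raise ValueError("LEEF header fields must not contain '|'")
    header = f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|"
    body = "\t".join(f"{key}={_escape(val)}" for key, val in attrs.items())
    return header + body


def parse_leef(record):
    """Parse a LEEF 1.0 record back into (header dict, attribute dict).

    Used here to validate what we emit before pointing it at the SIEM.
    """
    if not record.startswith("LEEF:1.0|"):
        raise ValueError("not a LEEF 1.0 record")
    parts = record.split("|", 5)          # the header has exactly 5 pipes
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    header = {"vendor": parts[1], "product": parts[2],
              "version": parts[3], "event_id": parts[4]}
    attrs = {}
    for pair in parts[5].split("\t"):
        if pair:
            key, _, val = pair.partition("=")
            attrs[key] = val
    return header, attrs


def syslog_frame(leef_record, hostname="edr-mgr-01", facility=1, severity=5):
    """Wrap the record in a BSD-style syslog line: <PRI>TIMESTAMP HOST MSG."""
    pri = facility * 8 + severity         # facility 1 = user, severity 5 = notice
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {leef_record}"


def send_udp(line, host=SIEM_HOST, port=SIEM_PORT):
    """Ship one syslog line to the collector (plain UDP here; use TLS syslog in production)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


# Constructed sample alert in the shape an EDR console might export (not real data).
# Keys are QRadar's predefined LEEF attribute names so the SIEM maps them
# onto its normalized event fields.
SAMPLE_ALERT = {
    "devTime": "Feb 23 2024 10:15:30",
    "devTimeFormat": "MMM dd yyyy HH:mm:ss",
    "src": "10.20.30.40",
    "usrName": "jdoe",
    "sev": 8,
    "cat": "Malware",
    "resource": "DVVNL-AGRA-PC-0123",
    "msg": "Blocked execution of C:\\Users\\jdoe\\Downloads\\invoice.exe",
}


def alert_to_leef(alert):
    """Map one EDR alert dict to a LEEF record (vendor/product names are placeholders)."""
    return build_leef("ExampleVendor", "EDR", "1.0", "ProcessBlocked", alert)


if __name__ == "__main__":
    record = alert_to_leef(SAMPLE_ALERT)
    assert parse_leef(record)[1]["usrName"] == "jdoe"   # round-trip sanity check
    print(syslog_frame(record))
    # send_udp(syslog_frame(record))  # enable once the QRadar log source exists
```

The same shape works for PAM session events or DAM policy violations: only the event_id and the attribute set change. Keeping the header fields free of pipes and the values free of tabs is what makes the record parse cleanly on the QRadar side; a tool that passes raw command lines or SQL text through without escaping will silently truncate its own events.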

14. Scope of Services
The Bidder's scope shall cover the following activities:
1. For supply, installation, configuration, commissioning and AMC of the security tools mentioned in this
RFP, the successful bidder has to study the existing setup of UPPCL before deploying the proposed
new solutions and components as per industry best practices, in consultation with and under supervision of
the concerned OEM.
a. Supply, implement and integrate the cyber security solutions as per the RFP for the contract period.
b. The Unified Endpoint Management solution will ensure that if a system/user tries to open an
application mentioned at points 1 and 4 from a system that is not under UEM, the application will
prompt a message and enforce installation of UEM, so that the system comes under
monitoring.
c. The bidder must have a complete understanding of licensing, architecture, integration and
other relevant details needed to operate and manage all the cyber security solutions.
d. The bidder needs to hand over to the O&M agency after Go-Live of each solution.
e. The bidder is required to ensure that business is not impacted by infrastructure change
management related to new or enhanced security solution implementation,
integration or operationalization.
f. All services/solutions in scope need to be designed and implemented with adequate
redundancy and fault tolerance to ensure compliance with the uptime SLAs outlined in this
RFP.
g. The bidder shall provide an escalation matrix so that issues/disputes are resolved in a time-bound manner.
h. The bidder must submit a certificate/letter from the OEM that the proposed solution, any other
related software and the solution offered by the bidder to UPPCL are correct, viable and
technically feasible for implementation, and that the solution will work without any hassles.
i. The bidder should take complete ownership of the deployed cyber security solutions mentioned in the
RFP; any upgrade/update or replacement needed in the existing infrastructure to deploy the solution has
to be reported to UPPCL by the bidder during the requirement gathering stage, with proper
documentation.
j. The bidder is required to work with the existing System Integrator(s) of UPPCL to integrate the
security solutions with existing solutions/platforms, server and storage environment, enterprise
network, existing ISP, security solutions, ticketing tools etc.
k. The bidder will work with the CSOC team and, based on their inputs, carry out the necessary changes,
patches and bug fixes.
l. UPPCL will provide the network bandwidth for the in-scope solution.
m. The bidder shall provide the high-level technical architecture for implementation in the proposal.
n. The bidder will be responsible for integration of all the cyber security solutions with the existing
or any new security solutions procured by UPPCL; if required, UPPCL shall provide adequate
support to the bidder for the purpose of integration.
o. UPPCL will not take any responsibility for assumptions made by the bidder. It is the
responsibility of the bidder to ensure successful implementation/integration of the cyber security
solution as per the RFP.
p. The proposal submitted by the bidder should be a no-deviation bid; any assumption, deviation
or condition quoted by the bidder anywhere in the proposal stands null and void.
q. The successful bidder must ensure that all solutions supplied as part of the RFP are
compatible and work with the applicable existing deployed endpoints/servers/
devices/solutions in UPPCL as per the scope of the tender.
r. The bidder should submit an authorization letter from the OEM whose solution/product is being
quoted.
s. The bidder shall adhere to the IT Policy/Information Security Policy of UPPCL.
t. Wherever applicable, the bidder shall comply with the guidelines issued by NCIIPC, CERT-In
and CEA.
2. The new security solutions proposed to be deployed under the scope of this RFP should be complete in
all respects. There should not be any deployment dependency on any other third-party solution/
licenses/tools for implementation of the proposed solutions. If any additional
third-party solution/licenses/appliances/virtual software tools are required for implementation of a
proposed solution, they must be clearly factored into the costing/commercial details by the bidder
under this RFP, and the successful bidder must provide these third-party solutions/licenses/tools.
3. The bidder should provide all technical and operational support to the UPPCL Cyber Security Operation
Center team and agencies so that all vulnerabilities, threats and attacks can be mitigated in time.
4. The bidder has to submit an implementation plan including, but not limited to, an
architecture diagram, a low-level detailed network diagram covering interfaces, peer
connectivity, VM details etc., and project schedule dates for deployment of the new security
solutions proposed as per this RFP.
5. The successful bidder also has to prepare solution-wise architecture diagrams (HLD and LLD) with
proper version control; these are to be reviewed on a quarterly basis without delay.
6. The bidder/OEM must carry out implementation and integration of the new security solutions and the
upgrade and integration of the existing solutions under the scope of this RFP. The deployment and full
implementation of all solutions must be taken care of by the bidder/OEM until successful
handover/sign-off of the solution to UPPCL.
7. Prior to configuration and integration of any security solution, the bidder needs to understand the
requirements of UPPCL and prepare a detailed implementation plan. Integration of the solution is carried
out only after UPPCL approves the plan. The detailed solution architecture, design,
traffic flow and existing policies should be documented. Deployment of the solution will start only
after acceptance by UPPCL.
8. The successful bidder has to provide implementation reports for all solutions on a daily basis for
executive reporting, in addition to the detailed reports. Some reports may be required multiple
times in a day. UPPCL may also ask for customized reports of any solution based on UPPCL's
requirements, and the same have to be provided.
9. Any feature available in the proposed solutions but not implemented at
present is to be implemented by the successful bidder/new service provider later during the contract
period as per UPPCL's requirement, at no extra cost to UPPCL.
10. All the services listed below should be delivered by the bidder:
a. Study/review the existing architecture and propose an enhanced architecture as per best practice.
b. Take approval for each new configuration/feature to be enabled before implementation.
c. All design and configuration should follow the industry best practice for the solution.
d. Submit complete documentation (operation and maintenance document,
troubleshooting guide).
e. Provide the OEM's confirmation that the configuration is done as per best practices.
f. Get final sign-off from the UPPCL team.
g. The proposed solution should meet all the technical criteria mentioned in the RFP.
h. The OEM/bidder will provide AMC support services to maintain the system and ensure its uptime.
The bidder must ensure that UPPCL gets all necessary support from the OEM TAC
(Technical Assistance Center) team for timely resolution of technical issues.
11. The bidder should ensure agent upgrades as per OEM recommendation within the timeline
stipulated by UPPCL for the proposed solution. The agent should be
deployed/installed/redeployed/upgraded using the bidder's supplied solution, without any
dependency on any other solution in UPPCL.
12. All solutions have to be integrated for the necessary system/application logs before sign-off of the
respective solutions.
13. The successful bidder should provide an escalation matrix within its organization as well as for the
concerned OEMs.
14. The security solutions proposed to be implemented as per the scope of the RFP should be able to
integrate with existing as well as any future industry-standard security devices in UPPCL as applicable
and as required.
15. UPPCL may perform its own vulnerability assessment/penetration testing (VAPT) and risk
assessment on the entire solution before going live, and the solution provider needs to fix all
vulnerabilities/risks highlighted in the reports at no extra cost to UPPCL.
16. Training:
a. For all security tools to be implemented as per the scope of the RFP, the successful bidder must
prepare the architecture design, suggest network optimization if needed to increase performance,
and provide documentation, a project plan and training as part of the implementation services.
b. The bidder shall share implementation details and provide knowledge transfer to UPPCL's solution
administrators/IT team/O&M vendor. KT (Knowledge Transfer) shall cover all HLD/LLD details,
configurations, general administration activities, SOP/user manual, and help in developing
troubleshooting skills related to the appliance/solution.
c. The bidder/OEM needs to arrange instructor-led training on the proposed solution for nominated
members at UPPCL HQ at its own cost. It should also cover complete administration,
configuration, troubleshooting, customization and day-to-day maintenance of the offered
solutions.
d. The bidder will also provide certificate-level training to the Chief Information Security Officers
(CISOs), Assistant Chief Information Security Officers (ACISOs) and other nominated
officers of UPPCL and Discoms for the security tools, viz. 1. Unified Endpoint Management
(UEM), 2. Endpoint Detection and Response (EDR), 3. Security Service Edge (SSE), 4.
Privileged Access Management (PAM), 5. Database Activity Monitoring (DAM), 6. Anti-
Distributed Denial of Service and 7. IBM QRadar.
e. The bidder will provide expert-level training along with a one-time certification examination voucher
for each tool to fifteen (15) employees identified by UPPCL. Ten training/examination vouchers
are to be considered for each tool; their cost is in the scope of the bidder and shall be included
in the cost quoted for the respective tools. Each employee mentioned above will be trained on 4
tools, therefore 60 vouchers in total.

1. The selected bidder shall appoint a single point of contact with whom UPPCL will deal for any
activity pertaining to the requirements of this contract.
2. For all SaaS based solutions, the SaaS offering should be hosted in India and all data should reside in
India.
3. In case of a SaaS solution, if any component is required to be hosted on-prem, it is the bidder's
responsibility to provide and implement the hardware as well as software components on-prem. UPPCL
will only provide the connectivity and space.
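Point 12.iv and item 14.1.b describe the same control: a user who signs in to a departmental application from a device that is not under UEM (or that lacks the EDR/SSE/PAM agents) is prompted and blocked until the agent is installed. Items 6, 19 and 20 of the UEM specification in Section 4.1 restate it as allow/block/step-up decisions on device compliance, network location and risky sign-ins. The block below, an added example and not code from the RFP or from any vendor, shows one way an application (or the SSE gateway in front of it) can evaluate such a policy and shape the prompt. Everything in it is assumed: the inventory is constructed sample data standing in for a query to the UEM's device inventory API, and the thresholds (minimum Windows build, 72-hour check-in window, corporate address ranges, which agents are mandatory) are illustrative values to be replaced by UPPCL's own policy.

```python
"""Device-compliance gate at application login.

Added example, not from the RFP or any vendor. Models the check the RFP asks
for: on sign-in, verify the device is enrolled in UEM and carries the required
agents; otherwise block with a prompt listing what must be installed.
INVENTORY is constructed sample data; a real deployment would query the UEM's
device inventory API (assumed, not specified by the RFP).
"""
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_AGENTS = {"UEM", "EDR", "SSE"}      # mandatory on every user device (assumption)
ADMIN_EXTRA_AGENTS = {"PAM"}                 # additionally required for privileged users
MIN_WINDOWS_BUILD = 19045                    # illustrative floor (Windows 10 22H2)
MAX_CHECKIN_HOURS = 72                       # illustrative: stale devices are not trusted
CORP_NETWORKS = ("10.", "172.16.")           # illustrative MPLS/office address space


@dataclass
class Device:
    device_id: str
    os: str
    os_build: int
    encrypted: bool
    agents: set = field(default_factory=set)
    last_checkin_hours: int = 0


@dataclass
class SignIn:
    user: str
    device_id: Optional[str]          # None when the client presented no device identity
    source_ip: str
    privileged: bool = False
    ip_flagged_malicious: bool = False  # e.g. fed from the SIEM/threat intel


# Constructed inventory, as a UEM console might export it.
INVENTORY = {
    "PC-0123": Device("PC-0123", "Windows", 19045, True, {"UEM", "EDR", "SSE"}, 2),
    "PC-0456": Device("PC-0456", "Windows", 19044, False, {"UEM"}, 80),
    "ADM-0001": Device("ADM-0001", "Windows", 22631, True, {"UEM", "EDR", "SSE"}, 1),
}


def evaluate(signin, inventory=INVENTORY):
    """Return (decision, reasons); decision is ALLOW, STEP_UP or BLOCK."""
    if signin.ip_flagged_malicious:
        return "BLOCK", ["source IP flagged as malicious"]
    dev = inventory.get(signin.device_id) if signin.device_id else None
    if dev is None:
        return "BLOCK", ["device not enrolled in UEM; install the UEM agent"]

    reasons = []
    required = set(REQUIRED_AGENTS)
    if signin.privileged:
        required |= ADMIN_EXTRA_AGENTS
    missing = sorted(required - dev.agents)
    if missing:
        reasons.append("install missing agent(s): " + ", ".join(missing))
    if not dev.encrypted:
        reasons.append("disk encryption not enabled")
    if dev.os == "Windows" and dev.os_build < MIN_WINDOWS_BUILD:
        reasons.append(f"OS build {dev.os_build} below minimum {MIN_WINDOWS_BUILD}")
    if dev.last_checkin_hours > MAX_CHECKIN_HOURS:
        reasons.append(f"device has not checked in to UEM for over {MAX_CHECKIN_HOURS} hours")
    if reasons:
        return "BLOCK", reasons

    # Compliant device: sign-ins from outside the corporate network still get step-up auth.
    if not signin.source_ip.startswith(CORP_NETWORKS):
        return "STEP_UP", ["sign-in from outside the corporate network; MFA required"]
    return "ALLOW", []


def login_response(signin):
    """HTTP-level answer the application returns: 200, 401 challenge, or 403 with the install prompt."""
    decision, reasons = evaluate(signin)
    if decision == "ALLOW":
        return 200, {"status": "ok"}
    if decision == "STEP_UP":
        return 401, {"status": "mfa_required", "reasons": reasons}
    return 403, {"status": "device_noncompliant", "reasons": reasons,
                 "action": "Install the listed tools from the UEM portal, then retry."}


if __name__ == "__main__":
    for attempt in (SignIn("jdoe", "PC-0123", "10.5.6.7"),
                    SignIn("asmith", "PC-0456", "10.1.1.1"),
                    SignIn("jdoe", "PC-0123", "203.0.113.9"),
                    SignIn("admin", "ADM-0001", "10.1.1.1", privileged=True)):
        print(attempt.user, attempt.device_id, login_response(attempt))
```

Two design points worth carrying into the real deployment: the device identity must come from something the user cannot forge (a device certificate issued by the UEM, or a header injected by the SSE gateway after it has verified the agent), not from a self-reported user-agent string; and the 403 body should list every missing item at once, so a user on a PC missing EDR and SSE is not sent round the install loop twice.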

15. Operation and Maintenance:
a. For declaring Go-Live, UPPCL shall perform UAT and test the other parameters mentioned in the RFP.
Only after successful UAT and other relevant compliances as desired in the RFP shall Go-Live be
declared by UPPCL.
b. The Operation and Maintenance phase shall start after successful Go-Live, as declared by
UPPCL.
c. The bidder will operate and maintain all components of the security solutions
(software/hardware and licenses) supplied through this RFP for the entire contract period.
d. During the Operations and Maintenance phase, the bidder shall ensure that service levels are monitored on
a continuous basis, are met, and are reported to UPPCL.
e. The bidder shall address all errors/bugs/gaps in the functionality of the implemented solution at no
additional cost during the Operations and Maintenance phase.
f. All patches from OEMs shall be implemented by the bidder, ensuring that customizations done in the
solution as per UPPCL's requirements are preserved.
g. A detailed change management process should be in place for any update. Any update which requires
re-sizing of the hardware or software during the contract period may be taken up separately at UPPCL's
discretion.
h. An issue log for the errors and bugs identified in the solution and any changes made in the solution shall
be maintained by the bidder and periodically submitted to the UPPCL team.
i. The bidder will inform UPPCL on a monthly basis about any new updates available for all software
components of the solution, along with a detailed action report.

16. Human Resources:
16.1. The bidder should deploy onsite technical support within 30 days from the date of signing of the
agreement. The manpower requirement mentioned here is the total number of resources who must be
present on each day and mark their attendance at UPPCL/Discoms.
16.2. The successful bidder will deploy the resources at UPPCL/Discom level as below:

S. No. | Particulars | Quantity | Duration | Location
1 | Implementation and Commissioning | As per requirements for timely implementation (Project Implementation Team). Separate implementation teams will be deployed by the successful bidder. | 6 months | Lucknow and as per requirements
2 | Operation, Maintenance and Support | Project Coordinator: PuVVNL-2, MVVNL-2, DVVNL-2, PVVNL-2, KESCo-1, UPPCL-2. Project Manager: 1 for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo and UPPCL. | After Go-Live | Project Coordinator: PuVVNL-Varanasi, MVVNL-Lucknow, DVVNL-Agra, PVVNL-Meerut, KESCo-Kanpur, UPPCL-Lucknow. Project Manager: at Lucknow for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo and UPPCL.
16.3. Minimum qualifications of the resources:

S. No. | Description | Minimum Qualification and Experience
1 | Project Manager | The Project Manager will be responsible for overall project management of the project: requirements, resource management and timely delivery. Resources will be deployed at UPPCL or provide support remotely as per the requirement of UPPCL. Minimum relevant experience: 12 years.
2 | Project Coordinator | The Project Coordinator will be responsible for providing overall support for the project. Minimum relevant experience: 5 years.
3 | Project Implementation Team | The Project Implementation Team shall be responsible for understanding/identification of business requirements, alignment of the software solution with business needs and overall implementation/support of the cyber security solution. The team will interact with UPPCL/Discom users and work towards analyzing and closing user-related, acceptance-related, technical and functional issues of the solution. This will also involve identification of key technical risks associated with the various functionalities and working with the developers/SI team towards closure.

16.4. Bidders may use their own helpdesk tool or set up a helpdesk for incident management. The cost for the
same should be incorporated in the overall cost in the price bid.
16.5. Minimum qualification and experience of on-site resources:

S. No. | Resource type | Minimum Qualification and Experience
1 | Project Coordinator | i. B.E/B.Tech/MCA degree. ii. Certification: OEM certification. iii. Should hold CISSP/CISM/CISA/CompTIA Security A+/CEH certification. iv. 3+ years of overall experience with at least 2 years of relevant experience in tools like UEM, SSE, DAM, PAM, EDR etc. Should have project/IT infra/DC infra management skills.
2 | Project Manager | i. B.E/B.Tech/MCA degree. ii. Certification: OEM certification. iii. 7+ years of overall experience with at least 3 years of relevant experience in tools like UEM, SSE, DAM, PAM, EDR etc. Should have project/IT infra/DC infra management skills and project management skills. iv. Should hold CISSP/CISM/CISA/CompTIA Security A+/CEH certification.
16.6. UPPCL will assess the technical competency of the resources provided by the CSSI, either on
its own or through third-party resources. Background verification and police verification of
the resources shall be the responsibility of the bidder.
16.7. UPPCL will also monitor the performance of the resources deployed during the tenure of the
contract. The performance of the resources and of the overall implementation will be measured on the
following criteria:
1. Number of on-time reports submitted as per SLA.
2. Number of use cases developed and rules deployed.
3. Number of IoCs (Indicators of Compromise) detected.
4. Number of security training sessions (ad-hoc/scheduled) conducted.
5. Number of real incidents detected against the total number of false positives.
6. Number of devices added / total number of devices integrated and reported in the
security management dashboard.
7. Resolution times (the time from when the incident/ticket was
received, the time from when the incident/ticket was dispatched, etc.).

17. The bidder is to arrange a yearly analysis of product adoption, best practices and usage policies, along
with recommendations by the OEM against the deployment done at UPPCL, by conducting the
respective OEM audits. These findings shall be presented by the respective OEM to UPPCL
management on a yearly basis.

Section 4
Technical Compliance of Security Tools
4.1 Technical Specification of Unified Endpoint Management (UEM) (SaaS Based)-
Compliance
S. No.  Feature  Compliance (Yes/No)

1. The UEM solution should provide a single integrated console for the admin for management of all types of devices (Desktop/Laptop/Tablet/Mobile Phones) and OS types (Windows 10 and above, Linux, Android, iOS, Mac). It should provide a consistent and integrated user experience, as well as a single source of truth and a single pane of glass for device and app management.
2. The UEM solution should allow organizations to monitor and report on device and app compliance, such as device health, app status, and policy adherence.
3. The solution should provide dashboards, reports, and alerts to help identify and remediate compliance issues.
4. The solution should offer compliance management capabilities that are unique to each platform, such as device health attestation and device encryption for iOS and Android, and device configuration and device health for Windows 10 and above.
5. The solution should automate the process of provisioning new devices for users, both for corporate-owned and personal devices.
6. The solution must be able to restrict access to resources if a device is not compliant with organizational compliance policies.
7. The solution must support out-of-the-box templates to deploy security settings as per CIS/NIST benchmarks.
8. The solution must be able to encrypt devices and support rotation of encryption keys.
9. The solution must support cloud-based deployment of quality updates and feature updates.
10. The solution must support complete application lifecycle management, including install, remove, upgrade, etc.
11. The solution must support zero-touch provisioning of Windows devices.
12. The solution must be able to deploy certificates centrally.
13. The solution must be able to deploy various Windows settings remotely, including email, VPN and Wi-Fi profiles, and must allow remote control of devices for remote support.
14. The solution must support adding own security posture checks for Windows devices which are not available out of the box.
15. The solution should be able to provide insights into employee experience, such as proactive average resource usage, device health monitoring, etc.
16. The solution should be able to support passwordless authentication options.
17. The solution must be able to support deploying security settings as per NIST/CIS standards.
18. The solution should support tunneling functionality for managed devices.

Technical Specifications for UEM to cover Mobile Devices and Apps

19. The solution should be able to restrict (allow/block/step-up authentication) access to corporate resources available over the intranet and internet to only those devices compliant with organization policy (network location, managed devices, approved applications), and enforce on users if they are not adhering to corporate policies.
20. The solution should be able to restrict (allow/block/step-up authentication) access to corporate resources based on risky sign-ins, malicious IPs and anonymous logins, in real time.
21. The solution should provide native integration with the proposed email, collaboration and unified communication systems.
22. The solution should provide secure access to the proposed email, collaboration and unified communication systems.
23. The Unified Endpoint Management solution should support selective and full wipe of corporate data after 5 wrong PIN entries, inactivity or offline status on supported platforms.
24. The solution should be able to integrate with Digital Rights Management solutions to protect data in transit.
25. The solution should be able to enforce application-level authentication like PIN/Touch ID along with encryption, and should allow storing of managed apps' data only to organization-approved repositories.
26. The Mobile Device Management solution should have a centralized system for device management and data security for the complex and heterogeneous mobile device landscape (iOS, Windows, Android, macOS, Linux, ChromeOS).
27. The Mobile Device Management solution should allow mobile administrators to enable policy controls ranging from passwords and application restrictions to certificate distribution and remote actions like device lock or wipe. The solution should be able to perform out-of-the-box and custom compliance checks on the managed devices based on device status (jailbreak, rooted, patch level, password complexity, encryption), user status (group membership), or threat protection status (security installed, definitions up to date and no malware).
28. The Mobile Device Management solution should prevent enterprise data loss and eliminate privacy concerns by separating organization/corporate and personal data. It should remove only organization/corporate data upon employee departure, without touching personal data, identifying only organization/corporate email, apps, docs and any other such content.
29. The Mobile Device Management solution should provide cross-platform device management, with enterprise directory integration, role-based access control and content delivery. The solution should be able to restrict admins to view and manage only the devices they have rights for.
30. The Mobile Device Management solution should support role-based access control. Organizations should be able to leverage the native reporting capabilities built into the system using predefined and customizable reports, or leverage the product APIs for reporting via third-party or internal reporting systems.
31. The Mobile Device Management solution should provide end-user friendly app delivery and application lifecycle management for mobile devices, covering web apps, organization/corporate apps, third-party apps and apps from the OEM Play store. It should support both push delivery of organization/corporate required apps and on-demand delivery of end-user selected optional apps. To safeguard apps and data, IT can apply granular application-level policies related to user authentication, data loss prevention and more on managed, unmanaged or BYOD devices.
32. The Mobile Device Management solution should report exact details of enterprise mobile assets at all times by leveraging built-in dashboards, reports and alerts, and should provide user, device, app and profile details through detail views and customizable reports.
33. The Mobile Application Management solution should add security by wrapping the app to apply a layer of security and policy management, with or without an SDK or source code changes:
   - User authentication, re-authentication, and single sign-on
   - Data encryption (FIPS-certified algorithms)
   - Local data storage control
   - Enabling offline access
   - Enabling document sharing, copy/paste or other data loss policies
   - Secure network communication
   - Jailbreak/root detection
34. The Mobile Application Management solution should be able to restrict users to have only work mail:
   - A secure app that brings organization/corporate email, calendar, contacts, notes and tasks to the users.
   - Email data at rest on the device must be protected with FIPS-certified encryption that is independent of the device, to help secure organization/corporate data in the event the device passcode is compromised.
   - Secure application data by configuring security policies such as preventing copy/paste of content or limiting the apps in which email attachments can be opened.
35. The Mobile Application Management solution should have a work web: a secure web browser to provide safe access to internal web-based applications and content.
36. The Mobile Application Management solution should provide application management that enables self-service distribution of apps to employees and other authorized users, such as contractors or partners, with a Work Hub.
37. The solution should allow the admin to create policies to restrict enrollment of devices based on conditions like:
   - Number of devices per user
   - Device OS version
   - Device ownership (corporate and personal)
38. The solution should allow the organization to create a policy for admins to have just-in-time access on the management console, and should provide detailed audit reports.
39. The solution should allow the admin to send custom notifications, terms and conditions, and organizational messages to the end users.
40. The solution should allow admins to enroll devices using zero-touch provisioning, with minimal or no interaction by IT with end-user devices.
41. The solution should allow admins to create policies in the MDM console to restrict users to installing only applications approved by IT, using functionalities like Application Guard and Application Control available on Windows devices.
42. The solution should allow users to reset their password from any device once approved using MFA.
43. The solution should allow organizations the flexibility to manage supported devices either from the cloud or from an on-premises device management solution using the same licenses.
44. The solution should provide seamless integration between the cloud and on-premises device management solution.
45. The solution should allow UPPCL/Discoms to have a common inventory for the applications hosted on cloud and on-premises.
46. The MDM, MAM and IAM solution should be natively integrated as one solution.
47. Pre-configured policy reports (compliance, asset management, applications, email, content, certificates, etc.).
48. Real-time device data reporting and dashboard views.
49. Centralized event log to capture all device and administrative events (logins, policy changes, application updates, configuration updates, etc.).
50. The solution should allow the organization to block users from configuring simple passwords or passwords containing restricted keywords.
51. The solution should allow users to create and consume protected content using Windows clients and Office applications.
52. The solution should allow users to create and consume protected content using mobile devices.
53. The solution should allow admins to create departmental templates.
54. The solution should evaluate content, context, identity and other attributes of unstructured data to make classification and policy decisions.
55. The solution should support the ability to trigger classification based on different user activities like Send, Save/Save As, New Email, Close, Forward and classification change.
56. The solution should provide context-sensitive help throughout the user interface to reinforce security training and help users select the correct classification, category and policy remediation options.
57. The solution should enable the classification of emails, documents, document libraries, personal file storage solutions, and PDF items without the need for a classification client.
58. The solution should allow classification and protection for other file formats, like PTXT, PJPG, and PFILE.
59. The solution should allow administrators to define their own regex, adding the capability to detect any new pattern type.
60. The solution should be capable of applying protection profiles on labelled resources. These profiles should include:
   1. Encrypting classified/labelled resources
   2. Defining granular access control permissions for classified/labelled resources
   3. Defining an expiry period for classified/labelled resources
   4. Enforcing authentication for accessing classified/labelled resources even outside of organizational boundaries
   5. Enforcing custom privacy and sharing permissions on classified/labelled resources
   6. Ability to add watermarks, headers, and footers in documents
   7. Applying the Do Not Forward protection label to email and sharing
61. The solution should have the ability to retain classification and protection profiles outside of organizational boundaries.
62. The solution should support dynamic/tailored classification selections based on the user's Active Directory attributes or groups.
63. The solution should provide the ability to warn/prevent users from downgrading or changing a classification. The solution should provide the ability to prompt users to enter a justification when overriding a policy warning.
64. The solution should support hierarchical and conditional classification fields, so that the appearance of a sub-field is conditional on the value selected in the higher-level field.
65. The solution should have the ability to extend classification to line-of-business apps, third-party apps and services.
66. The solution should have a guidance mechanism while the user selects a classification level, to inform users of the context of the said classification level as per the organization's policy.
67. The solution should provide role-based access for administrators and compliance teams, where anyone other than administrators may not have access to the full console.
68. The solution should provide a centralized, web-based administration console for device classification, configuration and policy management.
69. The solution should work on Windows 10 and above operating systems, macOS, iOS, and Android.
70. The solution should be able to allow access to resources from corporate-approved applications.
71. The OEM should arrange training for the respective stakeholders. The trainer should be certified in the quoted product and have experience with similar trainings. The training should cover initialization of product installation, configuration, administration, and customization. It should also cover day-to-day operation of the product.
72. The solution must be SaaS based and the OEM should have the SOC 2 certificate.

4.2 Technical Specification of Endpoint Detection and Response (EDR) (SaaS Based)

S. No.  Technical Specification  Compliance (Yes/No)

1. The Endpoint Detection and Response solution should support a variety of operating systems, such as but not limited to Microsoft Windows, macOS and Linux.
2. The Endpoint Detection and Response solution should come with a single agent that offers the capability of endpoint protection along with endpoint detection and response.
3. The endpoint agent should offer out-of-the-box policies leveraging virtual patching, application control, data fingerprinting/classification, web reputation, exploit prevention, behavioral monitoring and machine learning technologies. These prebuilt policies for Windows and Linux environments should monitor and prevent suspicious server activity and must be capable of working in connected and non-connected mode.
4. The solution must be able to push out new upgraded versions of the endpoint agents from its own controller. There should be no need for a third-party solution to upgrade the deployed agents.
5. Behavior monitoring along with a ransomware protection engine, offering automatic recommendations against existing known and undisclosed vulnerabilities and dynamic tuning leveraging virtual patching, application control, data fingerprinting/classification, exploit prevention, behavioral monitoring and machine learning technologies (selecting rules, configuring policies, updating policies), and providing an automatic recommendation to remove assigned policies if the vulnerability no longer exists.
6. The proposed solution should have IPv4 and IPv6 support.
7. The solution should be able to detect and prevent known malware with machine learning capabilities. The solution should be able to detect and work in low-bandwidth mode.
8. The solution must support containment of suspected hosts while maintaining access to the Endpoint Forensics solution for investigation.
9. The solution must be able to mitigate the impact of a compromised system with network isolation in order to prevent lateral spread.
10. The proposed solution should provide global real-time threat intelligence based on good-file reputation data correlated across a global network.
11. The Endpoint Detection and Response agent should record the real-time events listed below and should perform a triage collection for forensic analysts to investigate those endpoints:
   • Process start and end events
   • DNS lookups
   • Network connections
   • IP address changes
   • Registry accesses
   • File writes

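As an added illustration (not part of the RFP and not any vendor's code), the following Python shows how the event types listed in item 11 feed a detection use case of the kind counted in the KPIs earlier in this section: a shell process spawned by a document-handling application that, within a short window, both opens a network connection and writes to an autorun registry key is flagged, and the triage collection for that endpoint is assembled from the recorded events. The event schema, the process-name sets, the 60-second window and the sample events are all constructed assumptions; a real agent's telemetry format will differ.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one dict per event, using the
# event types the clause lists. Timestamps are seconds from an arbitrary epoch.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process_start", "host": "WS-01", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"ts": 101, "type": "process_start", "host": "WS-01", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": 102, "type": "dns_lookup", "host": "WS-01", "pid": 4200,
     "query": "updates.example.invalid"},
    {"ts": 103, "type": "network_connection", "host": "WS-01", "pid": 4200,
     "dst": "203.0.113.10:443"},
    {"ts": 104, "type": "registry_write", "host": "WS-01", "pid": 4200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"ts": 105, "type": "file_write", "host": "WS-01", "pid": 4200,
     "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    # Ordinary shell use on another host: launched from Explorer, one DNS
    # lookup, no persistence. This must not raise an alert (false positive).
    {"ts": 200, "type": "process_start", "host": "WS-02", "pid": 5100, "ppid": 700,
     "image": r"C:\Windows\explorer.exe"},
    {"ts": 201, "type": "process_start", "host": "WS-02", "pid": 5200, "ppid": 5100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": 202, "type": "dns_lookup", "host": "WS-02", "pid": 5200,
     "query": "intranet.example.invalid"},
    {"ts": 260, "type": "process_end", "host": "WS-02", "pid": 5200},
]

# Rule parameters (assumed values; tune per environment).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe"}
AUTORUN_KEY_FRAGMENT = "\\currentversion\\run\\"
WINDOW_SECONDS = 60


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def index_events(events):
    """Return (process_start events by (host, pid), all events by (host, pid))."""
    starts, by_proc = {}, defaultdict(list)
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            starts[key] = e
        by_proc[key].append(e)
    return starts, by_proc


def evaluate(events):
    """Apply the rule and return one alert per matching process.

    Each alert carries the triage collection: the parent's start event plus
    every recorded event of the suspicious process inside the window."""
    starts, by_proc = index_events(events)
    alerts = []
    for key, start in starts.items():
        if basename(start["image"]) not in SHELL_IMAGES:
            continue
        parent = starts.get((start["host"], start["ppid"]))
        if parent is None or basename(parent["image"]) not in DOCUMENT_APPS:
            continue
        t0 = start["ts"]
        window = [e for e in by_proc[key] if t0 <= e["ts"] <= t0 + WINDOW_SECONDS]
        connected = any(e["type"] == "network_connection" for e in window)
        persisted = any(e["type"] == "registry_write"
                        and AUTORUN_KEY_FRAGMENT in e["key"].lower() for e in window)
        if connected and persisted:
            alerts.append({
                "host": start["host"],
                "pid": start["pid"],
                "parent_image": parent["image"],
                "triage": [parent] + sorted(window, key=lambda e: e["ts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["host"], alert["pid"], alert["parent_image"], len(alert["triage"]))
```

The rule requires two independent signals (outbound connection and autorun persistence) before alerting, which is what keeps the WS-02 administrator's shell out of the incident queue; the ratio of such confirmed hits to suppressed single-signal events is exactly the "real incidents against false positives" figure the KPI list asks the bidder to report.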
12. The solution should be able to automatically generate forensic packages/reports upon detection of a threat or IOC match, or for deep-level forensics by incident responders. The ability to generate forensic packages/reports should be both automatic (upon detection of a threat) and manual when required.
13. The solution must be able to acquire/record detailed volatile/non-volatile forensic metadata on system information, file system, registry, event logs, processes, services and real-time events.
14. The solution must be able to acquire/record files, process memory and memory images/files. The solution must be able to scan both in-memory and fileless malware.
15. Endpoint Detection and Response should also have the capability of antivirus, antimalware, integrity monitoring and log inspection.
16. Signature-based antivirus, anti-malware and AI/ML technology should eradicate malware on a system to protect against viruses, worms, Trojans, spyware, bots, adware and rootkits.
17. The antivirus should also have the capability of behaviour-based detection, machine learning detection and exploit detection.
18. The solution must support metadata and file acquisition/detection using API mode.
19. The proposed solution must be compliant with the data localization guidelines of India for all its scoped services, such as data lake, management console, sandbox, logs and analytic services.
20. The proposed solution must be able to update definitions or content directly via the management server, cloud, mediator component or peer agent, and should also be able to push the agent from the console without any additional licences.
21. The proposed solution must have a mechanism to support deployment in an isolated network where no direct internet access is allowed for endpoints or servers.
22. The proposed solution should be able to submit unknown files on its own to a sandbox without user/administrator intervention, and it should support a customized sandbox solution handling files from Windows servers (Win 10, Win 11, Windows Server 2012, 2016, 2019, 2022 or higher) and Linux servers.
23. The proposed solution must support ad-hoc or scheduled scanning of endpoints, and it must have a dedicated ransomware protection engine.
24. The proposed solution must provide anti-ransomware capability using ML and offer an option to roll back files.
25. The proposed solution must have a unified, lightweight agent for detection, prevention, response and forensics.
26. The proposed solution shall support automatic as well as manual collection of forensic information from Windows machines for further investigation purposes, including:
   - Basic Information Evidence
   - File Timeline Evidence
   - Process Information Evidence
   - Service Information Evidence
   - System Execution Evidence
   - Portable Executable (PE) Attributes
27. The solution should be able to identify SSO and AD based attacks and be able to prevent any malicious threat that may compromise AD security.
28. The proposed solution should offer visibility of the existing operating systems and applications running in the environment, to secure against application-based attacks.
29. The proposed solution should support forensics collection from the same agent without making any change at the endpoint system; forensic collection should also support devices without an internet connection, to support threat investigation and incident response.
30. The proposed solution shall have a GUI/CLI based remote task manager as a response capability. The live terminal should support features such as the following:
   - File hash information collection
   - Termination of the service
   - Download of binary
   - Addition of hash value to block list
   - Delete the file
   - Send the hash to get the verdict (TI integration)
   - Execute a Python script
   - Execute a PowerShell script
31. Complete implementation of the proposed EDR solution should be done by an OEM payroll engineer.
32. The server agent in the proposed solution must prevent malicious applications from inserting code into trusted applications, having malicious activity detection, exploit prevention, virtual patching, application control, data fingerprinting/classification and protection capability in a single agent. The solution must have signatures for known attack patterns, must be capable of automatic provisioning and de-provisioning of rules to shield known and undisclosed vulnerabilities leveraging virtual patching, and should have the capability to initiate scheduled recommendation scans for assessing risk posture.
33. The solution must have an option for automatic provisioning and de-provisioning of rules for the vulnerability protection, integrity monitoring and log analysis modules as per the server posture. It should also have the capability to mitigate undisclosed vulnerabilities (>30 per year) of Microsoft/Adobe/Flash/Oracle/3rd party continuously for the past 5 years, with data publicly available and recognised as per the latest Frost & Sullivan reports, achieving a 100% breach detection rating as per NSS Labs.
34. The proposed Endpoint Detection and Response should also have the capability of antivirus, anti-malware, anti-phishing and anti-ransomware. It should provide the capability of enabling and disabling this functionality and using it on-demand as and when required.
35. The agent in the proposed solution must provide tamper protection, such as preventing agent services or processes from being terminated by administrators or power users. The solution should be able to quarantine or isolate the endpoint during an investigation.
36. The solution must be able to detect and prevent known malware with machine learning capabilities that may be missed by traditional security like AV and HIDS/HIPS. The solution must be able to detect and block malware even if the signatures are not updated for a few days due to low-bandwidth constraints at branches, using IPS rules.
37. The proposed solution must provide the ability to automatically capture, record and analyse a wide array of endpoint parameters, behaviour, execution and subsequent events, in order to assess system operations and enable threat hunting and incident forensic activities. At a minimum, the proposed solution shall be capable of capturing out of the box: registry, user activity, processes and services, software changes, file activity, login activity and process tracking.
38. Sandboxing should support analysis of 100+ protocol and file types and also include custom sandbox images without any programming effort, including domain check, software check, patches, OS language, configurations, user settings check, requisite file check, Office version check, Windows license check and browser check (sandbox customized with the OS and applications in the environment). The solution should also support the following operating systems: Windows 10, Windows Server 2003, 2008, 2012, 2016, 2019, 2022 and Linux, with a malicious sample submission capability of 10,000 samples scalable up to 30,000 as per future traffic load, supporting 60 sandbox images and achieving a 100% breach detection rating as per NSS Labs.
39. The OEM should arrange training for the respective stakeholders. The trainer should be certified in the quoted product and have experience with similar trainings. The training should cover initialization of product installation, configuration, administration, and customization. It should also cover day-to-day operation of the product.
40. The solution must be SaaS based and the OEM should have the SOC 2 and SOC 3 as well as PCI DSS certificates, securing users' billing transactions.
41. The proposed solution should integrate with Active Directory, supporting non-proprietary industry-class databases such as MS-SQL, Oracle and PostgreSQL, and should also protect existing storage devices from ransomware threats.
42. The solution should be able to integrate with a network security solution to provide network-level threat visibility along with server/endpoint security posture, with technologies including deep packet inspection, intrusion prevention, URL reputation and advanced malware analysis on flow-based inspection including packet header and payload, supporting asymmetric traffic inspection, DGA and DDoS filters to protect against SYN floods, connection floods and connections-per-second floods, and also integration with VA scanners (Rapid7, Qualys, Tenable) to map CVEs, in order to detect and prevent attacks on endpoints, servers and the network holistically for known as well as undisclosed vulnerabilities and payloads.
43. The proposed solution should enable the capability to inspect encrypted traffic and enforce ransomware filters/rules to trace and extract a private key from the network flow, in order to help restore encrypted files to the victim while blocking traffic to the Command and Control (CnC) server.

4.3 Technical Specification of Security Service Edge (SSE) (SaaS Based)

S. No.  Features / Descriptions  Compliance (Yes / No)

1. The SSE solution must have 17,000 named user licenses from day 1, scalable to 25,000 users with additional subscription/license support. The user licenses and the features mentioned below must be available from day 1.
2. The solution must operate in a full-proxy architecture and should perform 100% SSL inspection at scale. The solution should detect and block uploading/downloading of malware over HTTPS through the SSL inspection solution for Internet and SaaS apps.
3. The end-user license should not have any bandwidth or data capping for Internet and internal app access.
4. The solution platform must provide Internet, public cloud and DC corporate internal application access using a single unified management, configuration and reporting console (in case of separate admin consoles, the logging and forensics are to be managed on a unified converged platform by the bidder without any additional cost).
5. The solution must have a single end-user agent to provide all functionalities as per UPPCL's requirement. The required software agent must be available for Windows, macOS, Linux, Ubuntu, ChromeOS, Android and iOS platforms. The user agent on the client machines should be tamper-proof (even with local system admin rights) for Windows.
6. The solution must not have a single point of failure and should fail over seamlessly and transparently to a secondary site (running at the same full scale and with the specified features) if the primary site goes down. All the security features must be available for the roaming user environment with direct-to-Internet access (without backhauling to DC/Hub when users are outside the office).
7. The SSE solution should be hosted in at least 2 own/co-located/MeitY-empanelled cloud service provider data centers in India. Each of these must process all data traffic, including threat inspection and Web DLP, within India.
8. The solution must be able to form encrypted phase 1 and encrypted phase 2 IPsec tunnels from UPPCL's firewall/router/gateway to steer Internet traffic to the OEM DCs from day 1.
9. The solution must have PAC-based traffic forwarding methods.
10. The solution must have Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Web DLP (Data Loss Prevention), Web IPS (Intrusion Prevention System), UEBA (User Entity Behavior Analytics), Firewall, DEM (Digital Experience Management), and Zero Trust Network Access (ZTNA) capabilities.
11. The solution must be able to integrate with the customer's on-premises AD without any inbound exposure from the Internet. In addition, the solution must be able to integrate with UPPCL IdP services through SAML 2.0 and provide seamless integration with SD-WAN solutions.
12. The solution must be able to integrate with SAML 2.0 (Azure AD, Okta and ADFS etc.).
13. The solution must have in-built protection for user credentials by preventing UPPCL employees from logging in with UPPCL credentials to any unauthorized websites, based on URL categories.
14. The solution must have ISO 27001, ISO 27017, and ISO 27018 certifications, or if under approval, these must be available by the bid submission date.
15. The solution must have SOC 2 and the latest certifications for the last year, and these must be under approval or available by the bid submission date.
16. The solution must be a member of the Microsoft Active Protections Program (MAPP).
17. The solution must be able to obfuscate specific fields for restricted admin users.
18. The solution's unified admin console must have in-built end-user logging for a minimum of 180 days for the desired features (SWG, CASB, Web DLP, Web IPS, UEBA, Firewall and ZTNA) and integrate with UPPCL's SIEM solution for longer data retention periods.
19. The solution must have granular end-user device posture validation across multiple parameters, such as device encryption, registry check, process check, AD domain check and certificates, to provide Internet and internal app access.
20. The solution's user agent must perform continuous end-user device posture validation (<10 minutes) after first login for both Internet and internal app access.
21. The solution should be able to provide dedicated public IPs in the SSE OEM's cloud DCs for specific Internet destinations/URL traffic.
22. The solution must have gateway antivirus/antimalware and Web IPS for protection against web threats.
23. The solution must be able to add manual IOCs (MD5 hashes/URLs/categories) directly from the admin console in real time to minimize risk.
24. The solution must be able to provide URL filtering for 100+ web categories and have the capability to enforce granular activity control based on categories.
25. The solution must provide in-line protection from patient-zero infections using an AI-powered sandbox solution. The sandbox must support detonation of 10+ file types and provide protection against zero-day attacks.
26. The solution must be able to inspect and block files that have been zipped/compressed up to 5 times (nested archives).
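Item 26 states a nesting depth without saying what the gateway should do when an archive goes deeper than it is willing to open, which is the failure mode an evaluator should check for. The following Python is an added example (not from the RFP or any SSE vendor) of a recursive archive inspector that opens zip members up to 5 levels deep, scans each leaf file, and fails closed on two conditions: nesting beyond the limit and exhaustion of a decompression budget, the latter being the usual guard against decompression bombs. The content engine is stood in for by a constructed byte marker, the 50 MB budget is an assumed value, and the nested test archives are built in memory by the example itself.

```python
import io
import zipfile

MAX_NESTING = 5                            # levels the clause requires to be inspected
MAX_TOTAL_BYTES = 50 * 1024 * 1024         # assumed decompression budget per submission
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # stand-in for a real engine's detection


def build_nested_zip(payload, levels):
    """Constructed test input: wrap `payload` in `levels` nested zip archives."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.bin" if i == 0 else "inner.zip", data)
        data = buf.getvalue()
    return data


def scan_file(blob, depth):
    """Stand-in for the content engine: flags only the constructed marker."""
    if MARKER in blob:
        return ("block", f"malicious content at depth {depth}")
    return ("allow", f"clean file at depth {depth}")


def inspect(blob, depth=0, budget=None):
    """Recursively inspect a blob and return a (verdict, reason) pair.

    Fails closed: nesting beyond MAX_NESTING or exhausting the decompression
    budget blocks the submission instead of silently skipping inner content."""
    if budget is None:
        budget = {"remaining": MAX_TOTAL_BYTES}
    if depth > MAX_NESTING:
        return ("block", f"nesting deeper than {MAX_NESTING} levels")
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return scan_file(blob, depth)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            budget["remaining"] -= info.file_size   # declared uncompressed size
            if budget["remaining"] < 0:
                return ("block", "decompression budget exceeded")
            verdict, reason = inspect(zf.read(info), depth + 1, budget)
            if verdict == "block":
                return (verdict, reason)
    return ("allow", f"archive at depth {depth} inspected")


if __name__ == "__main__":
    print(inspect(build_nested_zip(b"quarterly report", 5)))   # allowed, fully inspected
    print(inspect(build_nested_zip(MARKER, 5)))               # blocked at depth 5
    print(inspect(build_nested_zip(b"quarterly report", 6)))  # blocked: too deep
```

The depth convention matters when comparing bids: here the outer archive is depth 0, so "5 times zipped" means the innermost file sits at depth 5 and is still scanned, while a sixth wrapper is refused outright rather than passed through unscanned. The budget is decremented from the declared uncompressed size before each member is read, so a member whose header promises more than the budget allows is rejected before any decompression happens.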
27. The solution must be able to enforce granular activity controls for Internet apps.
28. The solution must have in-built granular access control policies based on various YouTube categories, like Movies, Education and Entertainment etc.
29. The solution must provide real-time visibility for 40,000+ web applications with a risk score based on CSA or CSS standards. The solution must be able to report the security compliances and certifications achieved by these apps and enforce application risk-score-based access policy controls.
30. The solution must be able to enforce granular activity-based policies, via identity or reverse proxy, on users trying to access sanctioned Internet apps (O365, Google and more) from unmanaged devices.
31. The solution must have a Web DLP incident management page/dashboard for admins to download the original DLP-violating files and manage the complete incident workflow.
32. The solution must be able to create Web DLP policies based on content, keywords, patterns, size, upload URL, user group and a combination of all or some of these.
33. The solution must have a Web DLP incident management page/dashboard for admins to download the original DLP-violating files and manage the complete incident workflow.
34. The solution must have an in-built, dedicated incident management page for threat protection and data protection incidents. The admin must be able to download the original file violating the DLP policy for forensic analysis and manage the complete incident workflow.
35. The solution must have an outbound Internet firewall feature with all logs, and must be able to define policies based on App ID, 5-tuple rules, FQDN destination, any TCP and UDP ports, and users and groups, for both office locations and roaming users (without backhauling to DC/DR).
36. The solution must have the capability to provide UEBA profiling based on parameters like data exfiltration, location awareness, bulk upload and download of files, bulk deletion of files, login failures etc.
37. The solution must have in-built data lake analytics for granular, interactive, customized reporting across all features (SWG, CASB, Web DLP, UEBA, Firewall and ZTNA etc.) from a single admin console (in case of separate admin consoles, the logging and forensics are to be managed on a unified converged platform by the bidder without any additional cost).
38. The solution should protect all enterprise internal applications from external attack. Even if there are vulnerabilities in an application, it should not be exposed to an external attacker.
39. The solution must enable seamless access to internal applications across multiple DCs (no need to connect any VPN/remote access agent every time application access is required). The solution should be always-on whenever the Internet is reachable.
40. Any connector/VM component installed in the UPPCL DC/DR/public cloud must not need any inbound ACL rule on the perimeter firewall to provide access to private applications (no inbound Internet/DMZ exposure for any ZTNA component).
41. The solution must provide access to all TCP and UDP internal applications (user-to-app access), including thick client applications.
42. The solution must be able to on-board 3rd-party non-domain users based on personal email for UPPCL internal application access (any IdP/SAML required is to be provisioned and managed by the bidder at the same cost).
43. The solution should have the capability to add a minimum of 20 application segments for granular policy controls based on users and groups.
44. The solution must be able to provide access to internal private web applications to contractors/third parties through a browser with SAML IdP integration (without the need to install any user agent).
45. The solution must provide zero trust access to internal private apps for all on-premises users (LAN and MPLS users accessing apps in the DCs) from day 1. The FQDN-based app access must not resolve to the actual server IP addresses from LAN and MPLS access, to reduce the attack surface. The zero trust broker in the DCs may have an inbound ACL on the firewall allowed only for this use case.
46. The solution must have direct OEM 24x7x365 support with a 30-minute response time for P1 tickets.
47. The solution must provide a 99.999% uptime SLA.
48. The OEM should arrange training for the respective stakeholders. The trainer should be certified in the quoted product and have experience with similar trainings. The training should cover initialization of product installation, configuration, administration, and customization. It should also cover day-to-day operation of the product.
49. The solution must be SaaS based and the OEM should have a valid SOC 2 certificate as on the date of submission of the bid.

4. Technical Specification of PAM (Privileged Access Management) for On-Premises, Public Cloud Infrastructure and Endpoints

S. No. Description Compliance (Yes/No)
1 The solution should have the capability to auto-onboard assets via integration with AD or bulk uploads (VMs, databases, network devices) and groups, and to discover accounts. It should further be able to configure rules to auto-assign the desired relationships/roles based on least privilege.
2 The solution should be able to onboard the organization structure from a directory store.
3 The solution should have integration capabilities with virtualization platforms, IaaS and PaaS besides on-prem AD/LDAP.
4 The solution should be able to onboard various systems including operating system accounts (Windows, Unix/Linux, customized OS) and other infrastructure assets like network devices, databases, application servers, etc.
5 The solution should support integration with devices like routers, switches, firewalls, UTM devices, NIPS, DDoS appliances, SIEM, HSM, WAF devices and load balancers for Web UI, GUI and CLI.
6 The solution should be able to integrate with a solution that provides a ready stack of APIs to help integrate with any HR or other such solution that is the source of truth for identities within the organization.
7 Auto Discovery of Privileged Accounts
8 The solution should be able to perform auto-discovery of privileged accounts on target systems and perform two-way reconciliation.
9 The solution should provide a feature for user governance and schedule a governance workflow and user certification process with an adequate review process.
10 Map privileged and personal accounts on various target systems.
11 Ability to identify private and public SSH keys, including orphaned SSH keys, on Unix/Linux machines, extract key-related data, and ascertain the status of each key.
12 Manage the lifecycle of human, non-human and cloud identities.
13 The solution should provide a directory store that is agile and offers industry-best security features.
14 The solution should be able to integrate with public cloud.
15 The solution should have the capability to integrate with other IAM solutions and should provide SCIM-compliant APIs.
16 Authentication Models
17 The solution should have the capability to integrate with any directory store like Active Directory (AD) and OpenLDAP or equivalent.
18 The solution should provide an in-built directory store for local authentication with MFA authentication features.
19 The solution should provide SAML/OAuth/OIDC authentication as an identity consumer or identity provider.
20 The solution should have the capability to integrate with any adaptive or MFA authentication tools. It should support MFA integration at vault user level as well as target device level from day one.
21 The solution should have built-in capabilities for adaptive authentication and MFA, especially biometrics and mobile authenticators.
22 The solution should allow agile use of all or any authentication methodology at any given time.
23 The solution should provide a multi-domain authentication feature whereby the entire operation can run in a distributed environment. This feature should be provided for authentication of users as well as identity authentication for target systems.
24 The solution should allow the use of MFA for specific applications/portals and devices/systems based on the criticality of use.
25 The solution should provide ease of registration (for multiple MFAs) by end-users.
26 Access Technologies
27 The solution should have an intuitive workspace wherein the access technologies for various applications or devices/systems are auto-onboarded and ready for use.
28 The solution should provide a browser-based / native app workspace platform (browser-agnostic).
29 The adapters required for various technologies should be out of the box, and for any unsupported technology the solution should provide a framework to build adapters.
30 The solution should include a BOT builder/API for developing automated functions for transparent target connections, as well as any required dependencies such as pre/post connection or manual input. For ease of integration, this is a necessity.
31 The solution should provide transparent connections to any target systems, including business applications and/or devices/systems (with or without passwords/keys/tokens).
32 The solution should be able to ensure that the technology adapter can work in a multi-domain environment, that is, it should be able to authenticate to multiple systems even if they operate in distributed authentication modes, such as multi-domain authentication.
33 The solution should be able to establish a large number of concurrent connections from a secure gateway that can also serve as a firewall for end-user applications, devices and systems.
34 Wherever applicable, technology adapters should be able to provide direct connections to end applications/systems/devices requiring the usage of a secured gateway/jump server; this is important for IoT/OT.
35 For the best path of access, the solution should be able to handle a multi-location or distributed architecture with seamless integration at the user level. The solution should be able to intelligently route the user to the intended target system access in the safest possible way, taking into account simplicity of use and experience.
36 The solution should have the capability to launch enterprise applications for admin access.
37 Public cloud access mechanisms should be supported, and transparent login to cloud management consoles should be possible.
38 Access Control
39 The solution should have the ability to grant role-based access to the target systems.
40 A user should be able to submit JIT requests for planned support, quick access, time-based access or one-time access through the platform.
41 The solution should provide access to end-users based on least privilege principles, and then grant the user the ability to elevate his/her access based on certain roles and access approval methodologies with inbuilt dynamic workflows.
42 The solution should offer RDP, SSH or telnet protocol filtering (to detect, filter or block specific commands or data); the bidder should state for which protocols this is supported.
43 The solution should provide an extra layer of security, especially on system OS, to provide access control on shared accounts and the ability to filter commands even if the rights are natively available to the shared accounts. The capabilities include blacklisting or whitelisting of commands.
44 The solution should be able to restrict usage of critical commands over SSH-based console based on any combination of target account, group or target system and end-user.
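Items 42 to 44 above ask for command filtering on SSH consoles, scoped by any combination of end-user, target account, group and target system, with blacklists and whitelists. The following is an added example, not taken from the RFP and not any vendor's PAM code, of how a session proxy can evaluate such a policy before forwarding a typed command. The rule set, the session contexts and the names `SessionContext`, `CommandRule`, `programs_in` and `evaluate` are assumptions made for this illustration; it also shows two practical details a bidder's implementation has to get right: command chains (`;`, `&&`, `|`) and wrappers such as `sudo`, both of which are common ways a blacklist on a single program name is bypassed.

```python
"""Illustrative command-filtering policy check for a PAM SSH session proxy.

Added example; not part of the RFP and not any vendor's product code.
A rule is scoped by end-user, target account, group and target system (a
field left as None matches everything). Deny rules win; if allow rules apply
to a session, every program in the command line must be on that whitelist.
Rules and sessions below are constructed samples.
"""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

SEPARATORS = re.compile(r"\|\||&&|;|\||\n")          # one line can chain several programs
WRAPPERS = {"sudo", "env", "nohup", "time", "exec"}  # run another program; both are checked
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")  # VAR=value prefixes


@dataclass(frozen=True)
class SessionContext:
    end_user: str
    target_account: str
    target_system: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class CommandRule:
    action: str                        # "deny" or "allow"
    programs: FrozenSet[str]           # program basenames covered by the rule
    end_user: Optional[str] = None     # None = any
    target_account: Optional[str] = None
    target_system: Optional[str] = None
    group: Optional[str] = None
    reason: str = ""

    def applies_to(self, ctx: SessionContext) -> bool:
        return ((self.end_user is None or self.end_user == ctx.end_user)
                and (self.target_account is None or self.target_account == ctx.target_account)
                and (self.target_system is None or self.target_system == ctx.target_system)
                and (self.group is None or self.group in ctx.groups))


@dataclass
class Decision:
    action: str
    reasons: List[str] = field(default_factory=list)


def programs_in(cmdline: str) -> List[str]:
    """Program basenames invoked by a command line, per chained segment.

    Raises ValueError on unbalanced quotes (from shlex); the caller denies.
    Wrapper option arguments other than `sudo -u USER` are not modelled.
    """
    found = []
    for segment in SEPARATORS.split(cmdline):
        tokens = shlex.split(segment)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if ASSIGNMENT.fullmatch(tok) or tok.startswith("-"):
                i += 1
                continue
            name = os.path.basename(tok)     # /bin/rm and rm are the same program
            found.append(name)
            if name not in WRAPPERS:
                break                        # the real program; the rest are its arguments
            if name == "sudo" and i + 1 < len(tokens) and tokens[i + 1] == "-u":
                i += 3                       # skip "sudo -u USER"
            else:
                i += 1
    return found


def evaluate(cmdline: str, ctx: SessionContext, rules: List[CommandRule]) -> Decision:
    try:
        programs = programs_in(cmdline)
    except ValueError as exc:
        return Decision("deny", [f"unparseable command line: {exc}"])
    if not programs:
        return Decision("allow", ["empty command"])
    applicable = [r for r in rules if r.applies_to(ctx)]
    denies = [r for r in applicable if r.action == "deny"]
    allows = [r for r in applicable if r.action == "allow"]
    reasons = []
    for prog in programs:
        reasons += [f"'{prog}' blocked: {r.reason}" for r in denies if prog in r.programs]
        if allows and not any(prog in r.programs for r in allows):
            reasons.append(f"'{prog}' is not on the whitelist for this session")
    return Decision("deny", reasons) if reasons else Decision("allow", [f"{len(programs)} program(s) checked"])


# Constructed sample policy (not from the RFP).
SAMPLE_RULES = [
    CommandRule("deny", frozenset({"rm", "shutdown", "reboot", "mkfs"}),
                target_account="root", reason="destructive command on a root session"),
    CommandRule("deny", frozenset({"dd", "tcpdump"}), target_system="db-prod-01",
                reason="raw disk/network capture not permitted on the production DB host"),
    CommandRule("allow", frozenset({"ls", "cat", "tail", "grep", "less"}),
                group="vendors", reason="vendors are limited to read-only diagnostics"),
]

if __name__ == "__main__":
    ctx = SessionContext("alice", "root", "db-prod-01", frozenset({"db-ops"}))
    for line in ("ls -la /var/log", "cd /tmp && /bin/rm -rf *", "sudo reboot"):
        print(line, "->", evaluate(line, ctx, SAMPLE_RULES))
```

Decisions and their reasons are what the proxy would write to the command log (item 100) and, for denies, hand to the notification engine (item 91).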
45 The solution should include workflow control while accessing critical assets like OS, DB, network devices etc.
46 The solution should restrict privileged activities on a Windows server (e.g. host-to-host jumps, cmd/telnet access, application access, tab restrictions) from sessions initiated with PAM.
47 To ensure adequate segregation of duties, users on the access management system should be given role-based access.
48 In order to ensure that the solution is easy to manage, it is imperative that the solution should have features for creating adequate roles for team leads, wherein two/four-eyes principles are used for administration.
49 Vault Integration
50 Secured vault platform: the main password storage repository should be highly secured (built-in firewall, hardened machine, limited and controlled remote access, etc.).
51 The solution should provide a robust and mature vault to manage credentials, passwords, keys, secrets, certificates and such other artifacts as one would like to vault.
52 The solution should provide out-of-the-box connectors integrating all standard systems to the vault.
53 The solution should provide auto-vaulting features as soon as the system is onboarded.
54 The solution should be flexible enough to configure the policies and procedures of the organization, especially for passwords and secrets.
55 The solution should provide features to create local or general exceptions to the rules or policies.
56 The solution should provide no-code capabilities to create custom connectors for credential rotation.
57 The solution should be able to provide rotation capabilities at scale (across technologies).
58 The solution should be able to correlate dependencies such as similar credentials on one or many systems and related dependencies on one or many systems.
59 The solution should be able to create a sequence or automate events or actions based on technology requirements to ensure that any rotation activity is end-to-end without any manual intervention.
60 The solution should be able to provide features for JIT, on-demand and time-based rotations.
61 The solution should be able to integrate with HSMs for key management.
62 The solution should be able to identify unused or dormant keys.
63 The solution should be able to automatically sync any out-of-sync passwords without using any external utilities (on target systems/applications).
64 The solution should have the capability to vault personal secrets and organizational secrets with the added capability of creating a team-based structure for sharing.
65 The solution should be able to create teams such that the organizational secrets are always available no matter who the creator or owner is.
66 A single person/user should not be able to check out any credentials; two- or four-eyes principles should always be applied.
67 Offline access to managed credentials in case of vault failure should generate audit logs that are synced with the vault once it is back online.
68 The solution should provide a high-velocity vault that is agile and dynamic enough to generate not only unique passwords/secrets but also unique credentials, especially for cloud assets that are auto-scaled.
69 The solution should be able to onboard and support credential management for cloud and containerized environments.
70 The solution should have the capability to integrate with CI/CD pipelines, OpenAPIs and SDKs/plugins for various CI/CD tools like GitLab, Bitbucket, Ansible, Chef etc.
71 The solution should provide a secure method to facilitate access to managed assets in case of PAM failure for identified users (local vault), i.e. fail-safe features.
72 Administration
73 The solution should have a central administration console for unified administration.
74 The tool uses Active Directory/LDAP and MFA as an identity store for administrators.
75 The solution should allow users to tag/rename/create groups of their choice on the workspace, which can be different from the parent groups.
76 The tool should enable an administrator to define groups (or similar container objects) of administrators and business applications.
77 The tool should enable an administrator to add an administrator or end user to more than one group, or to add a group to more than one supergroup.
78 The tool enables an administrator to define a hierarchy of roles without limit.
79 Segregation of Duties: the Administrator user cannot view the data (passwords) that are controlled by other teams/working groups (UNIX, Oracle, etc.).
80 Solution Workflow
81 The solution should have an inbuilt workflow to manage:
82 i) Electronic/dual-approval based password retrieval
83 ii) One-time access / time-based / permanent access
84 Multi-level approval workflow with e-mail and SMS notification and delegation rules.
85 Ability to provide for delegation at all levels in the workflow.
86 Supports a workflow approval process that is flexible enough to assign multiple levels of approvers based on product or model (i.e. require 2 or more approvals before access is allowed).
87 Supports a workflow approval process that requires approvers to act in sequence before final approval is granted.
88 Notification Engine
89 The solution should have the capability to provide alerts and notifications for critical PAM events over SMS and e-mail.
90 The solution should have the capability to provide alerts and notifications for all administration/configuration activities over SMS and e-mail.
91 Customizable notification for commands executed on SSH- and Telnet-based devices.
92 Logging, Session Monitoring and Auditing Capabilities
93 The solution should be able to support session recording of any session initiated via the session management solution, including applications, servers, network devices, databases and virtualized environments.
94 The solution should be able to log all commands fired over SSH sessions and for database access.
95 The solution should be able to log/search text commands for all sessions of the database, even through third-party utilities.
96 The solution should be able to log/search text commands for all sessions on RDP.
97 The solution should support search options for session-based recording on any combination of target account, group or target system and end-user.
98 The solution logs all administrator and end-user activity, including successful and failed access attempts and associated session data (date, time, IP address, MAC as optional). The tool can generate, on demand or according to an administrator-defined schedule, reports showing user activity filtered by administrator, end-user or user group.
99 The solution should be able to record old and new values for all logs related to the administrative activities within the solution.
100 The system should be able to define critical commands for alerting and monitoring purposes through SMS or e-mail alerts.
101 The solution should provide separate logs for commands and session recordings. Session recordings should be available in image/video-based formats.
102 Secure and tamper-proof storage for audit records, policies, entitlements, privileged credentials, recordings, etc.

103 The session recording should be smart enough to help jump to the right point in a session through the text logs.
104 The proposed solution shall cater for live monitoring of sessions and manual termination of sessions when necessary.
105 The proposed solution shall support correlation by integrating with SIEM, and unified auditing for shared and privileged account management and activity.
106 Session management support in browsers (browser-based), with and without the need for the user endpoint to open an RDP, SSH or local application.
107 Dashboard, Reporting and Analytics Capabilities
108 The solution should provide out-of-the-box reports for general daily operations.
109 The system shall have the ability to run all reports by frequency, on demand and on schedule.
110 The solution should provide detailed and scheduled reporting with the following basic report sets: entitlements reports, users' activities, privileged accounts inventory and activities log.
111 The solution should have the ability to report on all system administrative changes performed by access system administrators, with relevant auditable records.
112 Access Management System Security
113 The solution should be TLS 1.2 and SHA-2 compliant for PCI-DSS compliance.
114 The Administrator user cannot see the data (passwords) that are controlled by the solution.
115 The solution should secure master data, records, entitlement and policy data, and other credentials in a tamper-proof storage container.
116 The solution should store passwords and SSH keys for safekeeping in the certified vault (minimum AES 256-bit encryption).
117 The solution should support common protocols to connect to PAM servers to ensure the best interoperability with environments.
118 System Architecture
119 The solution architecture should be highly scalable, both vertically and horizontally.
120 The solution should support multiple active instances with load balancing and fully automatic failover to another active instance.
121 The solution, if required, should be available to install on a virtual server.
122 The system should be highly available (24x7x365) and redundant against application failure and data failure.
123 Out-of-box Integration
124 Ability to integrate with enterprise authentication methods, e.g. multiple 3rd-party authentication methods including AD, LDAP, Windows SSO, PKI, RADIUS and a built-in authentication mechanism.
125 Ability to integrate with ticketing systems like ServiceNow, etc.
126 Ability to integrate with automation software for enhancing productivity in the data center.
127 The proposed solution supports integration with Hardware Security Module (HSM) devices to store the encryption keys.
128 Inbuilt ticketing system with multi-level workflow approval, with ticket-level validation and risk and impact assessment per group/tenant, service type and user type. This ticketing system will help in creating a work order on an executor, who will then request access through the request workflow with this valid ticket.
129 SIEM Integration
130 The solution should be able to integrate with leading SIEM solutions like RSA NetWitness, QRadar, ArcSight, Splunk etc.
131 The solution should be able to integrate with applications like VA systems (e.g. Qualys) and performance monitoring applications to eliminate hard-coded passwords.
132 Public Cloud Infrastructure and Entitlements Management
133 The solution should have the capability to discover and manage permissions and entitlements in public clouds such as Azure, AWS, OCI etc.
134 The solution should provide centralized visibility and control of permissions and entitlements across the organization's public cloud.
135 The solution should have the capability to monitor and identify any changes in entitlements or permissions in real time and report/notify of any inappropriate changes.
136 The solution should have the capability to provide suggestions or remediations for excessive privileges based on defined policies.
137 Privilege Management for Endpoints
138 The solution should have the capability to discover and manage local admin accounts on the end devices.
139 The proposed solution should have the capability to restrict and alert on any access taken to a target device outside of the PAM solution.
139 The solution should have the capability to restrict the operations of the local admin accounts (for example, the local admin account should not be allowed to create users or change the password of an existing user).
140 The solution should be able to create a blacklist rule for local admin accounts (including processes if spawned by the main process) or even for domain accounts.
141 The solution should have the capability to whitelist/blacklist application installation by software publisher, application, software category/genre (application categorization), URLs, application hash etc.
142 The solution should have the capability to whitelist/blacklist application execution by software publisher, application, software category/genre (application categorization), application hash, URLs etc.
143 The solution should have an integrated password vault to attach password policies to local admin accounts.
144 The solution should have the capability to rotate the passwords of the local admin accounts.
145 The passwords for all local admin users should be vaulted and accessible by approved users only through workflow-based approvals.
146 Considering a distributed network, the solution should have the capability for user account elevation for installation by software application, file hash, or script files like batch, PowerShell, Python, etc. The same should be workflow enabled for approvals.
147 The blacklist/whitelist/elevation should work for all user categories such as end user, local admin user, domain user etc.
148 Considering a distributed network, the solution should have the capability for user account elevation for execution by software application, hash etc.
149 The solution should be able to control USB access and Bluetooth file sharing; the same should be workflow enabled for approval.
150 The whitelist/blacklist and elevation features should be permanent or time based, and the same should be based on workflow approvals.
151 The solution should include a portal for remote access by end-point support staff. They should be able to access the system without knowledge of the local admin password. They should land on the endpoint as an administrator for that session. This should be possible only when the end-user allows either full access or read access.
152 Ticket management portal wherein the user can create, modify, assign or delete a ticket. The support user can then initiate session requests based on the tickets.
153 File transfer between two devices during a support remote session.
154 Remote access should be possible without RDP being enabled on the endpoints. The streamers should be implemented on-premises.
155 The solution should also provide a feature of unattended access, i.e. an approved user can remotely access the endpoints based on approvals.
156 The solution should be capable of monitoring the sessions of end-point users on a need basis.
157 The solution should have the capability of monitoring the sessions of local admin users who have taken access either from the endpoint or from remote.
158 The solution should have the capability to capture text logs and key logs of the end user or admin users on a need basis.
159 The solution should be able to track the geo-location of the endpoints.
160 The solution should be able to work offline for the blacklist/whitelist profiles.
161 The solution should be able to work offline even for elevated profiles if approval is granted before the endpoint goes offline.
162 The solution should have the capability to attach MFA to local applications or processes.
163 The solution should be able to provide role-based access.
164 The administration module should be MFA enabled or should have the capability to integrate with any third-party MFA.
165 The solution should have the capability to attach profiles either on users or on endpoints.
166 The solution should have the capability to be installed via the following methods: SCCM/Intune, GPO, CLI or scripting toolkits.
167 The solution should be compatible with Windows, Ubuntu and MacOS.
168 The solution must be SaaS based and the OEM should have the SOC 2 certificate.

6. Technical Specifications of Database Activity Monitoring (DAM) (SaaS Based)

S. No. Minimum Technical Specifications Compliance (Yes/No)
Solution sized for 10 database servers.
1 The solution should meet regulatory compliance such as SOX, PCI DSS, Data Privacy Law, GDPR, industry best practices etc.
2 Creation of an inventory through auto-discovery of all structured/semi-structured databases and database users deployed across the enterprise.
3 The proposed DAM solution should be able to monitor in-scope structured/semi-structured databases without dropping any log.
4 The solution should have the capability to detect vulnerabilities, including behavioral vulnerabilities such as excessive administrative logins, account sharing and unusual after-hours activity, by scanning databases, data warehouses and big data environments. The solution should identify issues such as missing patches, weak passwords, unauthorized changes and misconfigured privileges. Further, comprehensive reports should be provided along with suggestions to address all vulnerabilities.
5 The solution should provide the capability to detect DB attacks and prevent attacks such as SQL injection, leakage of sensitive data etc., and should also be able to detect and alert on unauthorized or unusual queries, access to sensitive and confidential data etc. for various databases including big databases.
6 Each image of the DAM Gateway/Collector must support up to 60K TPS, and this 60K TPS support should be for all types of queries and not limited to just privileged queries. In case the TPS goes beyond 60K, the DAM Gateway/Collector must support horizontal scaling.
7 The solution should support integration of customized application databases (where the DB is inbuilt in the application itself), i.e. in-memory databases.
8 The solution should support an installation manager on each database server to avoid manual effort in coordinating agent activities along with upgrades and configuration changes.
9 The solution should be able to monitor and detect breaches/anomalies for all structured/unstructured (NoSQL) databases like MSSQL, MySQL, Oracle, MongoDB, IBM DB2, SAP HANA etc.
10 The solution should audit all types of database access across the organization, regardless of database type or operating system of the host, without relying on native auditing.
11 The solution should be capable of performing real-time monitoring and recording of all privileged activity like DDL, DML and DCL, schema creation, and modification of accounts/roles and privileges.
12 The solution should capture and analyze all database activity, from both application user and privileged user accounts, providing detailed audit trails that show the "Who, What, When, Where, and How" of each transaction.
13 The solution should allow the grouping of database objects and accordingly allow the implementation of various rules.
14 Minimum usage of system resources: for agent-based systems, the transaction processing overhead should not exceed 3% and CPU utilization on the DB server should not exceed 5% beyond present utilization.
15 The solution should be able to integrate with leading NGSOC solutions such as SIEM to generate meaningful correlated events. Also, it should be able to integrate with PAM to prevent a DBA from creating another user without proper authorization.
16 The solution should be able to integrate with external ticketing management tools for recording and managing change.
17 The solution should be centrally manageable from a single console, including update of agents, pushing upgrades, patch updates, configuration updates, policy updates, start/stop/restart etc.
18 The solution should have the capability to build an inventory by discovery of all the databases and database users. The discovery supported should be both auto-discovery and on-demand discovery.
19 The solution should have the ability to generate a report consisting of the details of all the databases like IP address, database type, agent version (if agent based), status (active/inactive) and timestamp of last communication.
20 The solution should detect sensitive data types as defined by UPPCL, such as user ID, email address, passwords etc., in database objects.
21 The solution should enable segregation of duty in terms of account management, security administration and database administration.
22 The solution should have various notification mechanisms like mails, SNMP traps etc. for security monitoring and health monitoring, and the notification mechanism must be real time.
23 The solution should be capable of identifying missing patches and reporting the same, and should have capabilities of virtual patching of known vulnerabilities till the patch is installed.
24 The solution should leverage AI/ML to:
• Fine-tune database users and their activities to raise alerts in case of any abnormality.
• Reduce false positives to a minimum and raise only actionable and material alerts.
25 The solution should have the ability to generate a report showing the access of each user to the tables of each database, along with the user who granted them the permission.
26 The solution should provide optimum utilization of resources by using load balancing between its devices, if it is using multiple boxes/gateways.
27 The solution must have tamper-proof log storage capability.
28 The proposed solution's required monitoring should be delivered while the solution is enabled and in blocking mode.
29 The solution should support creation of policies/rules for enforcing access control and proper rights management on databases.
30 The solution must support reporting of deviations from the policies and access control.
31 The solution should continuously learn user and application behavior in respect of accessing databases. Learning should be a continuous process and should not stop after a certain stage.
32 The solution must monitor privileged user access or local SQL activity that does not cross the network, such as Bequeath, IPC, Shared Memory or Named Pipes.
33 The DAM solution should identify abnormal server and user behavior, providing early detection of possible attacks using outliers. For example:
· User accessing a table for the first time
· User selecting specific data in a table that he has never selected before
· Exceptional volume of errors
· Activity that itself is not unusual, but its volume is unusual
· Activity that itself is not unusual, but the time of activity is unusual.
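Item 33 lists the behavioural outliers a DAM is expected to flag. The block below is an added example, not part of the RFP and not any DAM vendor's code, showing how a baseline learnt from past audit records can drive these four detections (first-time table access, unusual time, exceptional error volume, unusual volume of otherwise-normal activity) over one-hour windows. The event layout (timestamp, database user, table, status), the thresholds and the function names are assumptions for this illustration, and all events are constructed.

```python
"""Illustrative behavioural outlier detection for a DAM audit trail.

Added example; not part of the RFP or of any vendor's DAM product. Events
are constructed tuples (timestamp, db_user, table, status) standing in for
captured SQL audit records. A baseline profile is learnt per user from
historical events; a new batch is scored per (user, one-hour window).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alert:
    kind: str      # first_access | unusual_time | error_volume | unusual_volume
    user: str
    detail: str


def _window(ts):
    """Bucket a timestamp into its one-hour window."""
    return ts.replace(minute=0, second=0, microsecond=0)


def build_profile(events):
    """Per-user baseline: tables touched, active hours, per-window counts of
    all statements and of failed statements."""
    profile = {"tables": defaultdict(set), "hours": defaultdict(set),
               "volume": defaultdict(Counter), "errors": defaultdict(Counter)}
    for ts, user, table, status in events:
        w = _window(ts)
        profile["tables"][user].add(table)
        profile["hours"][user].add(ts.hour)
        profile["volume"][user][w] += 1
        if status == "error":
            profile["errors"][user][w] += 1
    return profile


def detect_outliers(profile, new_events):
    """Score new events per (user, window) and return the alerts raised."""
    alerts = []
    per_window = defaultdict(list)
    for ev in new_events:
        per_window[(ev[1], _window(ev[0]))].append(ev)

    for (user, w), evs in sorted(per_window.items()):
        known_tables = profile["tables"].get(user, set())
        base_hours = profile["hours"].get(user, set())
        base_volume = list(profile["volume"].get(user, Counter()).values())
        base_errors = list(profile["errors"].get(user, Counter()).values())

        # 1. a table this user never touched during the baseline
        for table in sorted({e[2] for e in evs} - known_tables):
            alerts.append(Alert("first_access", user, f"{table} first accessed at {w:%Y-%m-%d %H:00}"))

        # 2. activity in an hour the user was never active in (skipped for brand-new users)
        if base_hours and w.hour not in base_hours:
            alerts.append(Alert("unusual_time", user,
                                f"activity at {w.hour:02d}:00, baseline hours {sorted(base_hours)}"))

        # 3. failed statements well beyond the worst baseline window (floor of 5)
        errors = sum(1 for e in evs if e[3] == "error")
        if errors > max(5, 3 * max(base_errors, default=0)):
            alerts.append(Alert("error_volume", user, f"{errors} failed statements in one hour"))

        # 4. normal statements, abnormal count: mean + 3 sigma and at least double the mean
        if base_volume:
            threshold = max(mean(base_volume) + 3 * pstdev(base_volume), 2 * mean(base_volume), 10)
            if len(evs) > threshold:
                alerts.append(Alert("unusual_volume", user,
                                    f"{len(evs)} statements vs baseline mean {mean(base_volume):.0f}"))
    return alerts


def constructed_baseline():
    """Five business days of synthetic audit events (constructed, not real data)."""
    events = []
    for d in range(5):
        day = datetime(2024, 2, 19) + timedelta(days=d)
        for hour in range(9, 18):
            t0 = day.replace(hour=hour)
            # the application service account reads customers about 100 times an hour
            events += [(t0 + timedelta(seconds=36 * i), "app_svc", "customers", "ok") for i in range(100)]
            # dba1 works in two maintenance slots and typically hits one error there
            if hour in (10, 14):
                events += [(t0 + timedelta(minutes=5 * i), "dba1", "orders", "ok") for i in range(5)]
                events.append((t0 + timedelta(minutes=30), "dba1", "customers", "error"))
    return events


def constructed_new_events():
    """One day of new events containing one instance of each outlier class."""
    day, events = datetime(2024, 2, 26), []
    t = day.replace(hour=10)   # normal hour and volume for app_svc: no alert expected
    events += [(t + timedelta(seconds=36 * i), "app_svc", "customers", "ok") for i in range(100)]
    t = day.replace(hour=11)   # 600 reads in an hour: unusual volume
    events += [(t + timedelta(seconds=6 * i), "app_svc", "customers", "ok") for i in range(600)]
    t = day.replace(hour=12)   # 40 of 100 statements fail: error volume
    events += [(t + timedelta(seconds=36 * i), "app_svc", "customers",
                "error" if i % 5 < 2 else "ok") for i in range(100)]
    t = day.replace(hour=10)   # dba1 reads a table it never touched: first access
    events += [(t + timedelta(minutes=5 * i), "dba1", "salaries", "ok") for i in range(5)]
    t = day.replace(hour=2)    # dba1 active at 02:00: unusual time
    events += [(t + timedelta(minutes=i), "dba1", "orders", "ok") for i in range(3)]
    return events


if __name__ == "__main__":
    for alert in detect_outliers(build_profile(constructed_baseline()), constructed_new_events()):
        print(alert)
```

The baseline here is static; item 31 asks for continuous learning, which in practice means re-running `build_profile` over a sliding window so that the per-user tables, hours and volumes keep tracking legitimate change without alerting on it forever.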
34 The solution must support filtering/hiding of the bind variables of all the SQL activities captured.
35 The solution should not store sensitive data in plain text in logs generated by the application (e.g. passwords).
36 Logs and audit trails generated by the solution should not be editable by users/administrators and should be read-only.
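PAM item 102 and DAM items 27 and 36 all require audit records that cannot be edited after the fact. "Read-only" storage alone does not let an auditor prove that nothing was changed; the usual engineering answer is a hash chain with a keyed seal, so that any edit, deletion, insertion or reordering is detectable by recomputation. The following is an added example, not part of the RFP and not any vendor's implementation, of that construction; the `AuditLog` and `verify_chain` names, the key and the events are assumptions made for the illustration.

```python
"""Illustrative tamper-evident audit trail: hash chain plus HMAC seal.

Added example, not from the RFP or any vendor product. Each record stores the
SHA-256 of the previous record (the chain) and an HMAC-SHA256 of its own
content under a key held only by the log service (the seal). Editing,
deleting, inserting or reordering a record breaks verification; deleting
records from the tail is caught by comparing against a separately published
head hash. The key and events below are constructed for the demonstration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _canonical(body):
    # Deterministic serialisation so hashing and sealing are reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log; there is deliberately no update or delete method."""

    def __init__(self, seal_key):
        self._key = seal_key
        self._records = []
        self._head = GENESIS              # hash of the latest record

    def append(self, event):
        body = {"seq": len(self._records), "prev": self._head, "event": event}
        canon = _canonical(body)
        record = dict(body, mac=hmac.new(self._key, canon, hashlib.sha256).hexdigest())
        self._head = hashlib.sha256(canon).hexdigest()
        self._records.append(record)
        return json.loads(json.dumps(record))

    def head(self):
        """Current chain head; publish it out-of-band (SIEM, WORM store) so that
        truncation of the tail can be detected."""
        return self._head

    def records(self):
        # Deep copies: readers cannot modify the log's own state.
        return json.loads(json.dumps(self._records))


def verify_chain(records, seal_key, expected_head=None):
    """Return (ok, message), recomputing every link and seal from scratch."""
    prev = GENESIS
    for i, rec in enumerate(records):
        try:
            body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
            mac = rec["mac"]
        except (KeyError, TypeError):
            return False, f"record {i}: malformed"
        if body["seq"] != i:
            return False, f"record {i}: sequence gap (record deleted, inserted or reordered)"
        if body["prev"] != prev:
            return False, f"record {i}: chain link broken"
        canon = _canonical(body)
        expected_mac = hmac.new(seal_key, canon, hashlib.sha256).hexdigest()
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected_mac):
            return False, f"record {i}: seal mismatch (content modified or wrong key)"
        prev = hashlib.sha256(canon).hexdigest()
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (records truncated from the tail)"
    return True, f"{len(records)} records verified"


# Constructed sample data (not from the RFP).
SAMPLE_KEY = b"constructed-seal-key-not-for-production"
SAMPLE_EVENTS = [
    {"user": "alice", "target": "db-prod-01", "command": "cat /etc/hosts", "result": "allowed"},
    {"user": "alice", "target": "db-prod-01", "command": "sudo reboot", "result": "blocked"},
    {"user": "bob", "target": "app-01", "command": "tail -f app.log", "result": "allowed"},
]


def sample_log():
    log = AuditLog(SAMPLE_KEY)
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


if __name__ == "__main__":
    log = sample_log()
    print(verify_chain(log.records(), SAMPLE_KEY, log.head()))
    tampered = log.records()
    tampered[1]["event"]["result"] = "allowed"
    print(verify_chain(tampered, SAMPLE_KEY))
```

In a deployment the seal key would live in the HSM the PAM specification already calls for (items 61 and 127), and the head hash would be forwarded to the SIEM (item 105) so that the verifier does not depend on the same storage it is checking.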
The Proposed Solution should support automatic updates to the signature
37 database and based on global threat intelligence, ensuring complete
protection against the latest threats.
38 Communication from Agent to management server must be encrypted
39 Solution must be able to monitor database which run on non-standard port
The solution should be able to auto discover privilege users in the
40 database and should support user entitlement reviews on database
accounts
The solution should be able to auto discover default passwords in the
41
default DB accounts
42 Solution tracks the dormant accounts as per defined rule.
The solution should inspect both in-coming and out-going DB traffic,
43
compare with the rules and generate alert.
Solution should detect attacks attempting to exploit known vulnerabilities
44 as well as common threat vectors and can be configured to issue an alert
and\or terminate the session in real time

Page 56 of 97
45. The solution should discover misconfigurations in the database and its platform and suggest remedial measures.
46. Solution should have capability to track execution of stored procedures, including who executed a procedure, what procedure name and when, and which tables were accessed.
47. Solution should also be able to detect any change that happens in a stored procedure.
48. Solution should have capability to monitor local access and encrypted connections (Oracle ASO, SSL, IPSec etc.).
49. The solution should provide full details needed for analysis of audited events:
50. The solution supports creation of different types of security and audit policies, such as rule-based, report-based, heuristic and content-based. These policies should support customization.
51. Ability to kill sessions for accessing sensitive data/policy violations while keeping all activity in the logs.
52. The solution should be capable of blocking access in real time, including execution of commands which violate the rules/policies, storing the events securely and reporting the same in real time.
53. The solution should support installation of agents, update of agents, configuration updates, policy updates, start/stop/restart etc. at all the databases centrally from the management server.
54. There should be no downtime of the OS or database for deployment of agents.
55. The agent should not require a reboot of the OS and DB after installation/configuration. Only one agent is to be installed; no third-party agents are permitted. All agents should be managed from the centralized management console.
56. If the agent malfunctions or is uninstalled or disabled on a server, an immediate alert is to be issued.
57. If the communication between agent and console is lost, an immediate alert is to be issued.
58. The solution should be able to support/monitor all database activities on OSs like AIX, Linux, Solaris, Windows and databases like Oracle, MS-SQL, MySQL, PostgreSQL at a minimum, provided that the DB vendors still support the versions in scope.
59. The solution should generate an alert for any violation of security policy in real time.
60. The solution should discover all the databases available in the UPPCL network with details, i.e. IP, type, OS.
61. The solution should also discover any new database and DB objects created within the monitored network/systems.
62. The solution must allow administrators to add and modify policies.
63. The solution should log the actual client IP.
64. The solution should auto-profile the activities to filter noise or known false positives, and should generate an alert on any violation.
65. The solution should support individual user access auditing for packaged application databases like SAP HANA, PostgreSQL etc., which UPPCL proposes to implement in future.
66. Separate policies should be applied for different databases configured in DAM.
67. The solution should have pre-built templates for well-known security and audit policies.
68. The resource overhead (hardware, software) for the agent should not exceed 5% of the normal CPU requirement. There should be only one agent.
69. The solution should provide CPU, RAM and disk capping capabilities for the agent-based solution.
70. The solution should have the capability to facilitate rule creation at a very granular level. Example: which user can connect from which source, access what objects, have which rights, at what time window etc.
71. The proposed solution should include a web-based single administration interface.
72. The proposed solution should have an out-of-band management capability.
73. The proposed solution should be managed centrally for both DC and DR setup.
74. The management solution should support Role-Based Access Control or multiple user roles that facilitate separation of duties, i.e. Administrator (Super-User), Manager, read-only etc.
75. The solution should support the following authentication mechanisms for accessing the solution:
   (i) In-built authentication in the solution
   (ii) Kerberos authentication
   (iii) LDAP/AD authentication
   (iv) RADIUS authentication
76. Should be able to report events and alerts via standard mechanisms, for example to a syslog or SNMP server or a SIEM solution.
77. The solution must support the creation of custom log messages and provide a system variable placeholder mechanism to make this use case possible. For example, the Username placeholder looks like ${Alert.username}.
78. The solution must support generation of both predefined as well as custom-built reports as per UPPCL's requirements, with tabular views, PDF and data-analysis graphical views.
79. The solution should have an easy option to customize reports without developing from scratch or requiring a lot of customization/changes.
80. Alerts should be generated in case of violation of rules through SMTP (mail).
81. The solution should provide facilities for scheduling of reports with respect to time, type of activity, nature of event, violation of specific rules, user, source of origin, DB instance etc.
82. The solution should be able to generate reports in PDF, Excel and CSV formats.
83. The solution should store all audit logs in a tamper-proof flat file format and have a fast retrieval process for reporting purposes.
84. Solution should not write any logs on the database server when using agent-based monitoring.
85. The Risk Analytics solution appliances must be purpose-built and self-contained, with all the necessary software on a pre-hardened Unix operating system.
86. The Risk Analytics Solution should provide a unified console which aggregates threat indicators across the enterprise data assets, including databases.
87. The Risk Analytics Solution should provide an intuitive dashboard page containing widgets that give a quick, informative view with drill-down capabilities of the following:
   a) Protected Assets
   b) Open Issues
   c) Security Events Over Time
   d) Entities With Most Severe Incidents
   e) Events Analyzed
   f) System Health Status
88. The Risk Analytics Solution must provide a behaviour analytics algorithm to establish a behavioural baseline and find deviations.
89. The Risk Analytics Solution must be able to differentiate suspicious behaviour from risky/abusive behaviour (anomaly vs incident).
90. The Risk Analytics Solution should be able to assess a user's risk potential (compare the user's suspicious behaviour rate to the rest of the organization, etc.).
91. The Risk Analytics Solution should automatically detect the following:
   a) Nature of accounts which connect to the database (Service Account, DBA User Account etc.)
   b) Purpose of database tables (Business Critical Tables, System Tables etc.)
   c) Data access habits (working hours, amount of data retrieved)
92. The Risk Analytics Solution must be able to detect abnormal behaviour such as:
   - Database Access at Non-Standard Time
   - Database Service Account Abuse
   - Excessive Database Record Access
   - Excessive Failed Logins
   - Excessive Failed Logins from Application Server
   - Excessive Multiple Database Access
   - Machine Takeover
   - Suspicious sensitive system tables scan
   - Suspicious Application data access
   - Suspicious Database command execution
   - Suspicious Dynamic SQL activity
93. The Risk Analytics Solution must be able to identify/detect the following:
   a) Typical end point information
   b) Typical database access patterns
94. The Risk Analytics Solution should be able to detect suspicious activity, including scans for sensitive and valuable data, which may indicate the reconnaissance phase of a potential breach.
95. The Risk Analytics Solution must be able to integrate with Active Directory to enhance forensics and provide line of sight into user identity.
96. The Risk Analytics Solution should be able to perform peer group analysis when integrated with Active Directory.
97. The Risk Analytics Solution should provide context based on user information in AD, which includes the following widgets:
   a) Employee Details, with information such as email, phone numbers and office location
   b) Incidents, which shows a graphical view of the employee's number of incidents by severity
   c) Anomalies, which shows a graphical view of the employee's number of anomalies on a scale of Low to High
   d) Endpoints Activity, which presents details on the number of endpoints that were used by the employee to access the resources
   e) Databases Activity, which presents details on the number of databases that were accessed by the employee
98. All communications invoking the API must be done over SSL.
99. The Risk Analytics Solution should be able to whitelist behaviour which is authorized, or acknowledge behaviour that cannot be remediated immediately.
100. The Risk Analytics Solution must be able to send syslog to a SIEM or other Risk Analytics Solution for seamless incident management.
101. The Risk Analytics Solution must give incident details which include Username, Source, Destination, Related/Correlated Issues, Type, Time, Severity and Priority.
102. The Risk Analytics Solution must be able to extract all available information on an incident directly, without needing to access Secure Sphere.
103. The Risk Analytics Solution should automatically assign a Priority Score (a more granular threat score, on a scale of 1-100) to each incident for easier classification of important events.
104. The Risk Analytics Solution should include comprehensive incident details when investigating an incident; details should include:
   a) Description
   b) Severity Influencing Reasons
   c) Client and Server Details
   d) Incident Details
   e) Typical Behaviour
105. The Risk Analytics Solution must be able to export detected incidents and anomalies to an Excel file for offline review.
106. The Risk Analytics Solution must be able to send email notification on detecting an issue/incident.
107. OEM should arrange training for the respective stakeholders. The trainer should be certified in the quoted product and have experience of similar trainings. The training should cover initialization of product installation, configuration, administration, and customization. It should also cover day-to-day operation of the product.
108. DAM solution should have capability to map the application users/end users to DB users or service accounts.
109. User to Data Tracking (UDT) solution should be non-intrusive (without any application changes) in tracking the actual application user ID of the end users, on application platforms like:
   - .NET Core
   - .NET Framework
   - Node.js
   - Java
   - Python
110. The User to Data Tracking solution should be deployed across all critical applications.
111. The solution should be able to enhance the logs with the required information in case the data query needs to be enhanced with user details (UDT, user to data tracking).
112. The User to Data Tracking (UDT) should run as a plug-in so that there are no code-level changes at the time of deployment.
113. User to Data Tracking (UDT) should support air-gapped deployment (no inbound/outbound network connectivity).
114. User to Data Tracking (UDT) should generate logs in JSON format.
115. User to Data Tracking (UDT) should leverage the patented Language-Theoretic Security (LangSec) techniques.

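As an added example (not part of the RFP and not any vendor's product code), the following Python sketch shows how the outlier classes from items 33 and 92 above (first-time table access, access at a non-standard time, unusual volume, excessive failed logins) and the continuous learning of item 31 can be implemented over DAM audit events; the event fields, account names and thresholds are constructed assumptions.

```python
"""Behavioural baseline and outlier detection over database audit events."""
from collections import Counter, defaultdict

# Constructed audit events (not real UPPCL data). One event per SQL statement
# or login seen by the agent: account, table, hour of day, rows returned and
# whether the statement/login succeeded.
BASELINE_EVENTS = [
    {"user": "billing_app", "table": "INVOICES", "hour": h, "rows": 200, "ok": True}
    for h in (9, 10, 11, 14, 15, 16)
] + [
    {"user": "dba_ravi", "table": t, "hour": 10, "rows": 5, "ok": True}
    for t in ("INVOICES", "CUSTOMERS", "DBA_USERS")
]

# Constructed batch to evaluate against the learned baseline.
NEW_EVENTS = [
    {"user": "billing_app", "table": "INVOICES", "hour": 10, "rows": 180, "ok": True},
    {"user": "billing_app", "table": "INVOICES", "hour": 3, "rows": 150, "ok": True},
    {"user": "billing_app", "table": "CUSTOMERS", "hour": 10, "rows": 10, "ok": True},
    {"user": "billing_app", "table": "INVOICES", "hour": 11, "rows": 50000, "ok": True},
] + [
    {"user": "dba_ravi", "table": "DBA_USERS", "hour": 10, "rows": 0, "ok": False}
    for _ in range(6)
]


def new_profile():
    return {"tables": set(), "hours": Counter(), "max_rows": 0}


def learn(events, baseline=None):
    """Fold successful events into per-user profiles. Passing an existing
    baseline keeps learning going batch after batch (item 31)."""
    if baseline is None:
        baseline = defaultdict(new_profile)
    for ev in events:
        if not ev["ok"]:
            continue                     # failures never become "normal"
        prof = baseline[ev["user"]]
        prof["tables"].add(ev["table"])
        prof["hours"][ev["hour"]] += 1
        prof["max_rows"] = max(prof["max_rows"], ev["rows"])
    return baseline


def detect_outliers(baseline, events, max_failures=5, volume_factor=10):
    """Flag the outlier classes listed in items 33 and 92. Each finding keeps
    the index of the event that caused it so the batch can be reviewed."""
    findings = []
    failures = Counter()
    for idx, ev in enumerate(events):
        user = ev["user"]

        def flag(rule, detail):
            findings.append({"event": idx, "user": user, "rule": rule, "detail": detail})

        if not ev["ok"]:
            failures[user] += 1
            if failures[user] == max_failures + 1:   # one alert per batch, not per attempt
                flag("excessive_failed_logins", f"more than {max_failures} failures")
            continue
        prof = baseline.get(user)                    # .get() does not create a profile
        if prof is None:
            flag("unknown_account", "no behavioural baseline yet")
            continue
        if ev["table"] not in prof["tables"]:
            flag("first_time_table_access", ev["table"])
        if ev["hour"] not in prof["hours"]:
            flag("non_standard_time", f"hour={ev['hour']:02d}")
        if ev["rows"] > volume_factor * prof["max_rows"]:
            flag("unusual_volume", f"{ev['rows']} rows vs usual max {prof['max_rows']}")
    return findings


def run_batch(baseline_events, new_events):
    """Learn, detect, then learn again only from the events nobody flagged, so
    an unreviewed anomaly never silently becomes part of the baseline."""
    baseline = learn(baseline_events)
    findings = detect_outliers(baseline, new_events)
    flagged = {f["event"] for f in findings}
    learn([ev for i, ev in enumerate(new_events) if i not in flagged], baseline)
    return findings, baseline


if __name__ == "__main__":
    for f in run_batch(BASELINE_EVENTS, NEW_EVENTS)[0]:
        print(f"{f['user']:12} {f['rule']:26} {f['detail']}")
```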
7. Technical Specifications of Anti-DDoS Solution

S.No.  Specifications  Compliance (Yes/No)
1. Proposed solution should have stateless appliances in DC. Solution should support Active-Active (High Availability) and Active-Passive deployment. Solution should support an inbuilt software bypass feature for business continuity on all inspection interfaces, including copper and fibre interfaces, to achieve faster network convergence in High Availability/resilient deployment. No external bypass switch is accepted, as it adds another point of failure in the network.
2. Proposed appliance must be a purpose-built DDoS prevention system and should be stateless technology, not having any kind of state limitation such as TCP connections etc. Proposed appliance should be a dedicated appliance-based solution (not part of a Router, UTM, Application Delivery Controller, Load Balancer, IPS, Proxy-based architecture or any stateful device). Attack concurrent sessions: unlimited.
3. System should have a scalable Clean Throughput license approach for legitimate traffic. System should support Clean Throughput license scalability up to 40 Gbps over the next 5 years without changing the appliance. System should support a Clean Throughput license of 10 Gbps from day 1, to be quoted. Mitigation throughput: 40 Gbps from day 1.
4. Solution should inspect, detect and mitigate IPv4 and IPv6 attacks, and should detect and mitigate DDoS on application protocols in the network like HTTP/DNS/VoIP/Mail/VPN/File/Login, along with Layer 3 and Layer 4 protocols as well as Layer 7, including L3 floods, state exhaustion, reflection and amplification, and low-and-slow attacks.
5. Solution should be a transparent bridge, passing 802.1Q tagged frames and other control protocols like VLAN, and in inline mode the system must not modify MAC or IP addresses of passed frames.
6. System should support multiple segment protection for up to 4 segments.
7. The device operating system should be hardened, and the responsibility shall fall on the OEM to ensure the same.
8. Proposed appliance should support a minimum of 30 million packets per second. This performance figure must be mentioned in the public-facing datasheet. Should support latency of less than 90 microseconds. Latency should be documented in the datasheet.
9. System should support 8x10G fibre protection ports from day 1, with an option for additional 4x1G copper/4x10G fibre interfaces in future. All the protection ports should support software bypass.
10. Should support dual redundant hot-swappable AC power supplies from day one.
11. Solution should support SNMP v2/v3 MIB and traps, and must support REST API management and integration with RADIUS and/or TACACS+. The device should integrate seamlessly with the DC's existing SIEM engine through syslog messages.
12. System should have more than a million IOCs provided by the OEM and should have STIX/TAXII support for ingestion of feeds from CERT-In and third-party feed providers.
13. The system must have dedicated management ports (2x1G RJ45) for out-of-band management; management interfaces must be separated from traffic interfaces. System management must not be possible on traffic interfaces. Proposed solution should have inbuilt GUI-based monitoring, configuration management, diagnostics and reporting, and provision for centralized management in future.
14. The system must support configuration via standard, up-to-date web browsers. Solution should support configuration and login audit trails, and should support role/user-based access control and reporting functionality. System should have a mechanism to upgrade the firmware and application.
15. Quoted OEM should have technical support in India and the organization should be able to raise TAC support with or without the involvement of the partner. The proposed DDoS solution should not reach End of Support within 3 years from the date of submission of bid.
16. OEM Anti-DDoS solution should be deployed and used by at least 4 Gov/PSU/BFSI customers in India to protect their own core infrastructure from DDoS attacks, and the proposed solution should support integration with ISP clean pipe for preventing volumetric attacks. In case of a volumetric attack, the on-premise DDoS solution should signal the ISP scrubbing centre for automated scrubbing at the ISP level (for future use). Auto-signalling should be supported with at least 4 Tier 1 ISP clean pipe services in India.
17. The solution shall provide a real-time dashboard displaying statistics on data such as total traffic, passed/blocked, top IPs/services/domains, attack types, top sources by IP location (Geo IP) and blocked sources, etc.
18. OEM should have their own threat research team that provides a threat intelligence feed as part of the solution. This feed should be automatically updated in the appliance at a configurable interval.
19. The system must be able to block invalid packets (including checks for Malformed IP Header, Incomplete Fragment, Bad IP Checksum, Duplicate Fragment, Fragment Too Long, Short Packet, Short TCP Packet, Short UDP Packet, Short ICMP Packet, Bad TCP/UDP Checksum, Invalid TCP Flags, Invalid ACK Number) and provide statistics for the packets dropped. Solution should also support packet anomaly protection.
20. System should support suspension/dynamic suspension of traffic from an offending source based on signature detection / host behavioural analysis / malformed packets / payload expression matching.
21. System should have countermeasures and a challenge-response/automated real-time signature-based approach for immediate mitigation of flood attacks, protecting against unknown DDoS attacks without manual intervention. The system should not depend only on signatures for mitigation of DDoS attacks. It should restrict IP addresses from specific segments, such as the TOR network, and the proposed appliance should be able to block traffic based on a geo-location feed that is updated automatically at configurable intervals. Appliance should have at least a million IOCs to block known attacks. Solution should mitigate zero-day attacks with real-time signature / HTTP authentication / challenge-response within a few seconds.
22. System must be able to detect and mitigate spoofed SYN flood attacks and should support different mechanisms like:
   a) TCP Authentication
   b) TCP Out of Sequence Authentication
   c) HTTP Authentication – JavaScript
23. System must be able to detect and block HTTP and HTTPS GET/POST floods and should support mechanisms
24. System should mitigate encrypted attacks and should support a minimum of 90,000+ SSL CPS measured with a 2048-bit key. System protects against SSL/TLS encrypted DoS and DDoS threats both at the SSL/TLS layer and the HTTPS layer. Solution should support deployment for all DNS flood detection and mitigation (especially for random sub-domain attacks).
25. OEM should arrange training for the respective stakeholders. The trainer should be certified in the quoted product and have experience of similar trainings. The training should cover initialization of product installation, configuration, administration, and customization. It should also cover day-to-day operation of the product.
26. OEM needs to ensure protection (Anti-DDoS) of web applications hosted on Azure and Oracle Cloud with a capacity of 100 Mbps legitimate throughput along with unlimited attack session handling. Scrubbing centre should be in India.
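As an added example (not the RFP's and not any OEM's code), the following Python sketch implements the stateless header checks named in item 19 above (malformed IP header, bad IP checksum, short packet, short TCP/UDP/ICMP packet, invalid TCP flags) over constructed IPv4 packets and tallies drops per reason, as the item's statistics requirement asks; the fragment and L4-checksum checks are left out, and the addresses, ports and sample packets are constructed assumptions.

```python
"""Stateless sanity checks on raw IPv4 packets with per-reason drop statistics."""
import struct
from collections import Counter

TCP, UDP, ICMP = 6, 17, 1
SYN, FIN, RST = 0x02, 0x01, 0x04


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(pkt: bytes):
    """Return None for a well-formed packet, else the drop reason named as in item 19."""
    if len(pkt) < 20:
        return "Short Packet"
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        return "Malformed IP Header"
    if total_len > len(pkt):                   # header promises more bytes than arrived
        return "Short Packet"
    if ip_checksum(pkt[:ihl]) != 0:
        return "Bad IP Checksum"
    proto, payload = pkt[9], pkt[ihl:total_len]
    if proto == TCP:
        doff = (payload[12] >> 4) * 4 if len(payload) >= 20 else 0
        if len(payload) < 20 or doff < 20 or doff > len(payload):
            return "Short TCP Packet"          # header missing or shorter than its offset claims
        flags = payload[13]
        if flags == 0 or (flags & SYN and flags & FIN) or (flags & SYN and flags & RST):
            return "Invalid TCP Flags"         # null scans and SYN+FIN / SYN+RST combos
    elif proto == UDP and len(payload) < 8:
        return "Short UDP Packet"
    elif proto == ICMP and len(payload) < 4:   # type, code, checksum at minimum
        return "Short ICMP Packet"
    return None


def build_ipv4(proto: int, payload: bytes, corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4 header (documentation-range addresses) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    csum = ip_checksum(hdr) ^ (1 if corrupt_checksum else 0)   # flip one bit to corrupt
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(flags: int, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP header; L4 checksum left zero since classify() ignores it."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload


# Constructed samples: one legitimate SYN and seven kinds of junk.
SAMPLES = {
    "syn": build_ipv4(TCP, build_tcp(SYN)),
    "syn_fin": build_ipv4(TCP, build_tcp(SYN | FIN)),
    "null_flags": build_ipv4(TCP, build_tcp(0)),
    "bad_csum": build_ipv4(TCP, build_tcp(SYN), corrupt_checksum=True),
    "short_tcp": build_ipv4(TCP, b"\x9c\x40\x00\x50"),
    "short_udp": build_ipv4(UDP, b"\x00\x35\x00\x35"),
    "truncated": build_ipv4(TCP, build_tcp(0x18, b"GET / HTTP/1.0\r\n"))[:30],
    "wrong_version": b"\x65" + build_ipv4(TCP, build_tcp(SYN))[1:],
}


def run_samples(samples):
    """Classify every sample; return per-packet verdicts and drop counts per reason."""
    verdicts = {name: classify(pkt) for name, pkt in samples.items()}
    stats = Counter(reason for reason in verdicts.values() if reason)
    return verdicts, stats


if __name__ == "__main__":
    verdicts, stats = run_samples(SAMPLES)
    for name, reason in verdicts.items():
        print(f"{name:14} {reason or 'pass'}")
    print(dict(stats))
```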
Section – 5
Instructions to Bidders
ARTICLE–1: e-Tendering Instructions
1. GENERAL
1.1. Submission of Bids only through online process is mandatory for this Tender.
1.2. For conducting Electronic Tendering, UPPCL is using the Portal of NIC, a Government of India
Undertaking (https://etender.up.nic.in)
2. TENDER BIDDING METHODOLOGY
Sealed Bid System: e-tenders are invited in two parts (Part-I Technical Bid and Part-II Financial Bid)
2.1. BROAD OUTLINE OF ACTIVITIES FROM BIDDER’S PERSPECTIVE
i. Procure a Digital Signing Certificate (DSC)
ii. Register on NIC (https://etender.up.nic.in).
iii. Create Users and assign roles on NIC Portal.
iv. View Notice Inviting Tender (NIT) on NIC Portal.
v. Download Official Copy of Tender Documents from NIC Portal.
vi. Clarification to Tender Documents on NIC Portal
a. Query to UPPCL (Optional)
b. View response to queries posted by UPPCL, as addenda.
vii. Bid-Submission on NIC Portal.
2.2. DIGITAL CERTIFICATES
For integrity of data and its authenticity/non-repudiation of electronic records, and to be compliant with the IT
Act 2000, it is necessary for each user to have a Digital Certificate (DC), also referred to as Digital
Signature Certificate (DSC), of Class 2 or above, issued by a Certifying Authority (CA) licensed by the
Controller of Certifying Authorities (CCA) [refer http://www.cca.gov.in].
2.3. REGISTRATION
i. To use the e-Tender Portal of NIC (https://etender.up.nic.in), bidder needs to register on
the Portal (if not registered earlier). Registration of each organization is to be done by one of its
senior persons who will be the main person coordinating for the e-tendering activities. In NIC
PORTAL terminology, this person will be referred to as the Super User (SU) of that organization.
For further details, please visit the website/Portal, and click on the ‘Supplier Organization’ link
under ‘Registration’ (on the Home Page), and follow further instructions as given on the site.
ii. Pay Registration Fee and other charges (as applicable) on the NIC Portal.
2.4. BID RELATED INFORMATION FOR THIS TENDER (SEALED BID)
The entire bid submission would be online on the NIC Portal, with the necessary scanned documents
such as bid documents etc. uploaded there. The broad outline of submissions is as follows:
i. Submission of digitally signed copy of Tender Documents/ Addendum/addenda
ii. Two Parts of Bid
a. Technical Bid–Part I
b. Financial Bid-Part II
iii. Bidders must ensure that all documents uploaded on e-tender Portal as files or zipped
folders, contain valid files and are not corrupt or damaged.
iv. It shall be the responsibility of bidder himself for proper extractability of uploaded
zipped files. Any error/ virus creeping into files/folder from client end PC system cannot be
monitored by e-tender software/ server and will be bidder’s responsibility only.
v. In case the files are non-extractable or illegible otherwise, then the bidder’s authorized
representative shall be given one chance by Tender Opening Committee to open contents of bid
data downloaded from the e-tender Portal in his presence.
vi. If, even after above chance, the bidder is unable to open & demonstrate the contents of
bid data downloaded from the e-tender Portal in his presence then no fresh bid in any form, soft or
hard copies, shall be accepted by tendering authority and his bid shall be summarily rejected and
treated as non-responsive.
ARTICLE – 2: COST OF BIDDING (Tender Cost and EMD)
i. The Bidder shall bear all costs associated with the preparation and submission of the Bid
and UPPCL will in no case be responsible for those costs, regardless of the conduct or outcome of
the bidding process.
ii. The Bidder will have to remit Non-refundable Bid Processing Fees (Tender Cost) of Rs.
11,800 (Inclusive of GST @ 18%).
iii. The Bidder will have to submit Earnest Money Deposit (EMD) amount of Rs 60,00,000/-
(Rs. Sixty Lacs Only) (Refundable) into official bank account of UPPCL by direct NEFT/RTGS
account remittance, on or before the date & hours of submission of the bids. Scanned copy of EMD
RTGS UTR No./Copy of Bank Guarantee will be uploaded with the E-tender document.
iv. Failure in online submission of EMD and bid processing fees at UPPCL on or before given
time may lead to the rejection of the bid. In case of non-receipt of Bid processing fees & EMD as
mentioned above, bid will be rejected by UPPCL as non-responsive.
v. EMD can be submitted in the form of a bank guarantee, issued by a nationalized bank in the
format attached in this RFP at FORM 12.
vi. Bid fee and EMD are exempted for Startup and Micro Small Medium Enterprises and as
per UPPCL guidelines for the same.
ARTICLE – 3: BIDDING DOCUMENTS
i. Bidder is expected to examine all instructions, forms, terms, and specifications in the
bidding documents. Failure to furnish all information required by the bidding documents or bid not
substantially responsive to the bidding documents in all respect may result in the rejection of the
Bid.
ARTICLE – 4: QUERIES AND CLARIFICATION ON BID & RESPONSE DOCUMENTS
a. The queries of all the Bidders, in writing, should reach over email (se.it3@uppcl.org)
under the subject “Pre-bid queries against the RFP No. 03/UPPCL/RAPDRP-A/CSSI/2024
Dated: 23.02.2024” one day prior to the date of pre-bid meeting.
b. UPPCL may seek clarification on submitted technical bid from bidders. Acceptance or
rejection of bidder’s response will be at sole discretion of UPPCL.
ARTICLE – 5: AMENDMENT OF BIDDING DOCUMENTS
At any time prior to the deadline for submission of bids, UPPCL, for any reason, whether at its own initiative
or in response to the clarifications requested by prospective bidders may modify the bidding documents by
amendment.
In order to allow prospective bidders reasonable time to take the amendment into account in preparing their
bids, UPPCL, at its discretion, may extend the deadline for the submission of bids.
ARTICLE – 6: LANGUAGE OF BID
The Bid prepared by the Bidder, as well as all correspondence and documents relating to the Bid exchanged
by the Bidder and UPPCL shall be in English. Supporting documents and printed literature furnished by the
bidder may be in another language provided they are accompanied by an accurate translation of the relevant
pages in English. For purposes of interpretation of the bid, the translation shall govern.
ARTICLE – 7: SECTIONS COMPRISING THE BIDS
Digitally signed copies of all the required documents asked for in the RFP must be uploaded on the e-tender website.
1. Bid Security Section:
Bid Processing Fees & EMD Details: The bid processing fee (non-refundable) & EMD (refundable) to be
furnished to UPPCL account up to the date of submission of bid.
2. Eligibility & Technical Section:
This section comprises the Bid letter form and the Clause-by-Clause Compliance Statement as per the eligibility
criteria, all the prescribed forms/formats with documentary proof, and compliance to the Scope of Work.
UPPCL reserves the right to reject any bid upon finding the offered submitted compliance and
demonstrated features to be unsatisfactory to the technical requirements of UPPCL during technical bid
evaluation.
3. Price bid Section: As per bid form only.
i. All the forms should be in the Prescribed Format Only.
ii. All forms/Tables, duly filled-in with necessary proofs, as required and stated in the bid
document & supporting documents for eligibility criteria should be uploaded.
3. ADMISSIBILITY:
Only those bids for which the bidder has uploaded all required documents on the portal
(https://etender.up.nic.in) shall be considered eligible.
ARTICLE – 8: BID FORMS
i. Wherever a specific form is prescribed in the Bid document, the Bidder shall use the
form to provide relevant information. If the form does not provide space for any required
information, space at the end of the form or additional sheets shall be used to convey the said
information. Failing to submit the information in the prescribed format, the bid is liable for
rejection.
ii. For all other cases, the Bidder shall design a form to hold the required information.
iii. UPPCL shall not be bound by any printed conditions or provisions in the Bidder’s Bid
Forms.
ARTICLE – 9: FRAUDULENT & CORRUPT PRACTICE
Fraudulent practice means a misrepresentation of facts in order to influence a procurement process or the
execution of a work order and includes collusive practice among Bidders (prior to or after Bid submission)
designed to establish Bid prices at artificial noncompetitive levels and to deprive the UPPCL of the benefits of
free and open competition.
“Corrupt Practice” means the offering, giving, receiving or soliciting of anything of value, pressurizing to
influence the action of a public official in the process of work order execution.
UPPCL will reject a proposal for award and may forfeit the E.M.D. and/or Security deposit if it determines
that the bidder recommended for award has engaged in corrupt or fraudulent practices in competing for, or in
executing, contract(s).
ARTICLE – 10: LACK OF INFORMATION TO BIDDER
The Bidder shall be deemed to have carefully examined all contract documents to his entire satisfaction.
Any lack of information shall not in any way relieve the Bidder of his responsibility to fulfill his obligation
under the Contract.
ARTICLE – 11: CONTRACT OBLIGATIONS
If after the award of the contract the bidder does not sign the Agreement or fails to furnish the security
deposit along with the inception report and working schedule as per the bid requirements & if the operation
is not started within 15 working days after submission of security deposit, UPPCL reserves the right to
cancel the contract and apply all remedies available under the terms and conditions of this contract.
ARTICLE – 12: BID PRICE
i. The price bid should indicate the prices only in the format prescribed in price schedule
(Form 13 of Section 7).
ii. The quoted prices shall be inclusive of all applicable taxes, except GST which shall be
chargeable as per actual.
iii. Any effort by a bidder or bidder’s agent / consultant or representative howsoever described
to influence the UPPCL in any way concerning scrutiny / consideration/ evaluation/ comparison of the
bid or decision concerning award of contract shall entail rejection of the bid.
iv. Validity of the price bid will be 180 days from the date of opening of bid.
ARTICLE – 13: VARIATION CLAUSE
If needed UPPCL/Discoms may increase/reduce quantum of work/services not more than 50% of total
contract value (excluding taxes).
ARTICLE – 14: BID CURRENCY
The prices should be quoted in Indian Rupees only. Payment shall be made in Indian Rupees only.
ARTICLE – 15: REFUND OF EMD
Unsuccessful bidder’s E.M.D. will be returned as promptly as possible after the expiration of the period of bid
validity OR upon the successful Bidder signing the agreement, whichever is earlier.
The EMD may be forfeited at the discretion of UPPCL, on account of one or more of the following reasons:
a. If Bidder withdraws their Bid during the period of Bid validity.
b. If Bidder does not respond to requests for clarification of their Bid
c. If Bidder fails to co-operate in the Bid evaluation process, and
d. In case of a successful Bidder, the said Bidder fails:
i. To sign the Agreement / Contract in time.
ii. To furnish Security Deposit as prescribed.
iii. If the bidder is found to be involved in fraudulent practices.
ARTICLE – 16: PERIOD OF VALIDITY OF BIDS
i. Bids shall remain valid for 180 days from the date of their submission. A Bid valid for a
shorter period shall be rejected and considered as non-responsive.
ii. In exceptional circumstances, UPPCL may solicit the Bidder's consent to an extension of the
period of validity. The request and the responses thereto shall be made in writing. The Bid security
shall also be suitably extended.
ARTICLE – 17: BID DUE DATE
i. Bid must be submitted by bidder not later than the date specified in the RFP.
ii. The UPPCL may, at its discretion, extend the bid due date, in which case all rights and
obligations of the UPPCL and the bidders, previously subject to the bid due date, shall thereafter be
subject to the new bid due date as extended.
ARTICLE – 18: LATE BID
UPPCL shall not consider any Bid that arrives after the deadline for submission of Bid.
ARTICLE – 19: MODIFICATION AND WITHDRAWAL OF BID
i. The Bidder may modify or withdraw its bid before the due date of bid submission.
ii. No Bid may be modified subsequent to the deadline for submission of bids.
iii. No Bid may be withdrawn in the interval between the deadline for submission of bids and
the expiration of the period of Bid validity specified by the Bidder on the bid letter form. Withdrawal of a
Bid during this interval may result in the bidder's forfeiture of its Bid security.
ARTICLE – 20: OPENING OF BIDS BY UPPCL
i. Bids will be opened on e-tender portal.
ii. Immediately after the closing time, the UPPCL contact person shall open the Technical
(Part-I) Bids and list them for further evaluation.
ARTICLE – 21: REJECTION OF BIDS
UPPCL right to reject any or all bids: UPPCL reserves the right to reject any Bid, and to annul the bidding
process and reject all bids at any time prior to award of Contract, without thereby incurring any liability to the
affected Bidder(s) or any obligation to inform the affected Bidder(s) of the grounds for such decision.

ARTICLE – 22: EVALUATION OF BID:


Quality and Cost Based Selection (QCBS) methodology with 80:20 ratio (80%
weightage for technical score and 20% weightage for financial score) shall be followed
for the bid evaluation.
The first stage would be a technical evaluation against qualification criteria. Second stage
would be a price evaluation. The details of evaluation have been explained below.
a. Technical evaluation against qualification criteria: The first stage of evaluation would
involve examination of the bid documents of each of bidders against the qualification
criteria set out. This is to ensure that the technical skill base, experience and financial
capacity and other bidder attributes claimed therein are consistent with the needs of this
project. These conditions have been listed down under the section 2 “Eligibility
Criteria” which includes Minimum Eligibility Requirements and Technical evaluation
criteria.
b. The bidders who are qualifying in Section 2 Clause 2.1 Eligibility Requirements, will be
evaluated further in Section 2 Clause 2.2 Technical evaluation criteria.

c. UPPCL may ask bidder(s) for additional information, visit the bidders' site and/or arrange
discussions with their professional and technical staff to verify claims made in the bid
documentation. Please note that the qualification cum technical proposal must not contain
any pricing information. Bids that qualify the Minimum Eligibility Criteria will be
eligible for further evaluation.
d. Price evaluation: The price bids of only those bids that meet each of the section 2
“Eligibility Criteria” mentioned would be opened for price evaluation. The price
evaluation will take into account the information supplied by the Bidders in the Price
Proposal.
e. Technical Score: The total marks received by a bidder under Section 2 Clause 2.2
Technical evaluation criteria will be that bidder's Technical Score.
f. Financial Score: The following formula will be used for calculating Financial Score-
Financial Score = (Minimum Financial Bid/Quoted Amount)x 100
g. The Final Score for evaluation shall be computed giving 80% weightage to the
“Technical score” and 20% weightage to the “Financial Score”
Final Score = 0.8 x Technical Score + 0.2 x Financial Score
h. The bidder with the highest Final Score (the Successful Bidder) shall be awarded the
project at the Quoted Price in the Financial Bid. The Successful Bidder may be asked for
further price negotiation by the UPPCL.
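A worked QCBS ranking under the 80:20 rule above, added here as an illustration and not part of the RFP. Bidder names and amounts are constructed; the L1 price used to normalise the Financial Score is taken only over bids that passed minimum eligibility, and the tie-break on Technical Score is an assumption the RFP does not state.

```python
"""Worked QCBS (80:20) ranking as described in Article 22 (added example)."""
from dataclasses import dataclass

TECH_WEIGHT = 0.8
FIN_WEIGHT = 0.2


@dataclass(frozen=True)
class Bid:
    bidder: str
    technical_score: float   # total marks under Section 2 Clause 2.2, out of 100
    quoted_amount: float     # financial bid, INR (constructed)
    qualified: bool = True   # met Section 2 Clause 2.1 minimum eligibility


def financial_score(quoted_amount: float, minimum_bid: float) -> float:
    """Financial Score = (Minimum Financial Bid / Quoted Amount) x 100."""
    if quoted_amount <= 0:
        raise ValueError("quoted amount must be positive")
    return minimum_bid / quoted_amount * 100.0


def final_score(technical: float, financial: float) -> float:
    """Final Score = 0.8 x Technical Score + 0.2 x Financial Score."""
    return TECH_WEIGHT * technical + FIN_WEIGHT * financial


def rank_bids(bids):
    """Return (bidder, technical, financial, final) rows, highest Final Score first.

    Only bids that pass minimum eligibility have their price bids opened, so the
    L1 price is the lowest among *those* bids, not among all submissions.
    """
    priced = [b for b in bids if b.qualified]
    if not priced:
        return []
    l1 = min(b.quoted_amount for b in priced)
    rows = []
    for b in priced:
        f = financial_score(b.quoted_amount, l1)
        rows.append((b.bidder, b.technical_score, round(f, 2),
                     round(final_score(b.technical_score, f), 2)))
    # Tie-break on Technical Score is an assumption; the RFP specifies none.
    rows.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return rows


SAMPLE_BIDS = [  # constructed figures for illustration only
    Bid("Bidder A", technical_score=90.0, quoted_amount=12_000_000),
    Bid("Bidder B", technical_score=75.0, quoted_amount=9_000_000),
    Bid("Bidder C", technical_score=82.0, quoted_amount=10_000_000),
    Bid("Bidder D", technical_score=95.0, quoted_amount=7_000_000, qualified=False),
]

if __name__ == "__main__":
    for row in rank_bids(SAMPLE_BIDS):
        print(row)
```

With these figures the lowest-priced qualifying bidder (B) scores 80.0 while the technically strongest qualifying bidder (A) scores 87.0 despite quoting one third more; the disqualified Bidder D's lower price never enters the normalisation.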

ARTICLE – 23: AWARD OF CONTRACT

i. The bidder with the highest Final Score (the Successful Bidder) shall be awarded the project at the
Quoted Price in the Financial Bid. The Successful Bidder may be asked for further price negotiation
by the UPPCL.
ii. In case the Successful Bidder does not accept the award of contract or is found to be involved in corrupt
and/or fraudulent practices, the next bidder (2nd Highest Final Score) will be awarded the contract after
price negotiation, if needed, and so on.
iii. The rates of the bid should remain valid for 180 days.

ARTICLE – 24: FORCE MAJEURE
Force Majeure shall mean any event or circumstance, or combination of events or circumstances, that
materially and adversely affects, prevents or delays any Party in the performance of its obligations in accordance
with the terms of the Agreement, but only if and to the extent that such events and circumstances are not
within the affected Party's reasonable control, directly or indirectly, and their effects could not have been
prevented through Good Industry Practice or, in the case of construction activities, through reasonable skill and care,
including through the expenditure of reasonable sums of money. Any events or circumstances meeting the
description of Force Majeure which have the same effect upon the performance of any contractor shall
constitute Force Majeure with respect to the Bidder. The Parties shall ensure compliance with the terms of the
Agreement unless affected by Force Majeure Events. The Bidder shall not be liable for forfeiture of its
implementation / Security Deposit, levy of penalties, or termination for default if and to the extent that its
delay in performance or other failure to perform its obligations under the Agreement is the result of Force
Majeure.
Force Majeure Events: The Force Majeure circumstances and events shall include the following events to the
extent that such events or their consequences (it being understood that if a causing event is within the
reasonable control of the affected party, the direct consequences shall also be deemed to be within such party's
reasonable control) satisfy the definition as stated above.
Without limitation to the generality of the foregoing, Force Majeure Event shall include following events and
circumstances and their effects to the extent that they, or their effects, satisfy the above requirements:
Natural events (“Natural Events”) to the extent they satisfy the foregoing requirements including:
a) Any material effect on the natural elements, including lightning, fire, earthquake, cyclone,
flood, storm, tornado, or typhoon;
b) Explosion or chemical contamination (other than resulting from an act of war);
c) Epidemic such as plague;
d) Any event or circumstance of a nature analogous to any of the foregoing.
Other Events ("Political Events"), to the extent that they satisfy the foregoing requirements, including Political
Events which occur inside or outside the State of UP, or which directly involve the State Government or the Central
Government ("Direct Political Event"), including:
a) Act of war (whether declared or undeclared), invasion, armed conflict or act of foreign
enemy, blockade, embargo, revolution, riot, insurrection, civil commotion, act of terrorism or
sabotage.
b) Strikes, work to rules, go-slows which are widespread, nation-wide, or state-wide and are of
political nature;
c) Any event or circumstance of a nature analogous to any of the foregoing.

FORCE MAJEURE EXCLUSIONS:


Force Majeure shall not include the following event(s) and/or circumstances, except to the extent that they are
consequences of an event of Force Majeure:
Unavailability, late delivery, or delay in the performance of any contractor, sub-contractors or their agents.

PROCEDURE FOR CALLING FORCE MAJEURE:


The Affected Party shall notify the other Party in writing of the occurrence of the Force Majeure as soon as
reasonably practicable, and in any event within 5 (five) days after the Affected Party came to know, or ought
reasonably to have known, of its occurrence and that the Force Majeure would be likely to have a material
impact on the performance of its obligations under the Agreement.

ARTICLE – 25: CONTRACT OBLIGATIONS


Once a contract is confirmed and signed, the terms and conditions contained therein shall take precedence
over the Bidder’s bid and all previous correspondence.

ARTICLE – 26: AMENDMENT TO THE AGREEMENT


Amendments to the Agreement may be made by mutual agreement by both the Parties. No variation in or
modification in the terms of the Agreement shall be made except by written amendment signed by both the
parties. All alterations and changes in the Agreement will take into account prevailing rules, regulations and
laws.

ARTICLE – 27: DELIVERY TIMELINES, SERVICE LEVEL AGREEMENT AND PENALTY
a. DELIVERY TIMELINES-

Sr. No. | Activity                                            | Timeline in Weeks
1.      | Delivery of Software/Appliances                     | T + 14 Weeks
2.      | Installation of Software/Appliances                 | T + 20 Weeks
3.      | Commissioning, Integration of the complete solution | T + 20 Weeks
4.      | User Acceptance Test                                | T + 22 Weeks
5.      | Go Live                                             | T + 24 Weeks

Note: The date of contract signing shall hereinafter be referred to as T.

b. Service Level Agreement (SLA)


The Service Level Agreement (SLA) shall be monitored as per the SLA Matrix. It is expected that the system shall
meet the minimum threshold of service defined against each level. Any degradation below this minimum
threshold will attract penalties as per the band of service level met. The intent is to trigger a proper review
of any defect, failure or performance shortfall against what was agreed for the project, and to find resolutions in
keeping with the highest standards of service excellence.

c. Service Levels
The service levels are defined for all the products which are mentioned in this RFP.
Uptime (Solution Uptime)
The vendor shall ensure that the system gives a minimum of 99.95% uptime (calculated on a monthly basis,
which includes servers, storage, switches, collectors, correlation engine and the solution as a whole). For
every 0.10% or fraction thereof of additional downtime, UPPCL will impose a penalty of 1% of the
monthly payment (subject to a maximum of 10% of the contract value during warranty and of the AMC contract
value during the AMC period).
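The uptime clause above turns into a banded penalty schedule once the month's downtime is known. The following is an added worked example, not part of the RFP or any bidder's tooling; the month length, monthly payment and downtime figures are constructed. It assumes that downtime is measured as minutes of whole-solution unavailability and that "0.10% or fraction thereof" means the shortfall is rounded up to whole 0.10% bands. Exact fractions are used so that a shortfall sitting exactly on a band edge is not mis-counted by floating-point error.

```python
"""Monthly uptime SLA and penalty bands from Article 27(c) (added example)."""
from fractions import Fraction
import math

UPTIME_TARGET = Fraction(9995, 100)   # 99.95 % monthly, solution as a whole
BAND = Fraction(1, 10)                # every 0.10 % (or fraction thereof) below target
PENALTY_PER_BAND = 1                  # 1 % of the monthly payment per band
PENALTY_CAP = 10                      # capped at 10 %


def allowed_downtime_minutes(minutes_in_month: int) -> Fraction:
    """Downtime budget that still meets the target (21.6 min in a 30-day month)."""
    return minutes_in_month * (100 - UPTIME_TARGET) / 100


def uptime_percent(downtime_minutes: int, minutes_in_month: int) -> Fraction:
    """Monthly uptime as an exact fraction.

    Assumption: downtime is whole-solution unavailability in minutes.
    """
    if minutes_in_month <= 0 or not 0 <= downtime_minutes <= minutes_in_month:
        raise ValueError("downtime must lie between 0 and the length of the month")
    return Fraction(minutes_in_month - downtime_minutes, minutes_in_month) * 100


def penalty_bands(uptime: Fraction) -> int:
    """Number of 0.10 % bands of shortfall; any fraction of a band counts as a full band."""
    shortfall = UPTIME_TARGET - uptime
    if shortfall <= 0:
        return 0
    return math.ceil(shortfall / BAND)   # exact with Fraction, no float error at band edges


def penalty_percent(uptime: Fraction) -> int:
    """Percentage of the monthly payment withheld, capped at 10 %."""
    return min(penalty_bands(uptime) * PENALTY_PER_BAND, PENALTY_CAP)


def monthly_penalty(downtime_minutes: int, minutes_in_month: int, monthly_payment: float):
    """Return (uptime %, penalty %, penalty amount) for one billing month."""
    up = uptime_percent(downtime_minutes, minutes_in_month)
    pct = penalty_percent(up)
    return float(up), pct, monthly_payment * pct / 100


if __name__ == "__main__":
    MINUTES = 30 * 24 * 60        # 43,200-minute month (constructed)
    PAYMENT = 1_000_000           # constructed monthly payment, INR
    print("downtime budget (min):", float(allowed_downtime_minutes(MINUTES)))
    for down in (20, 60, 300, 1440):   # constructed downtime figures
        print(down, monthly_penalty(down, MINUTES, PAYMENT))
```

In a 30-day month the budget is only 21.6 minutes; one hour of outage already costs one band, five hours cost seven bands, and a full day hits the 10% cap.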
Service Level Agreement
The bidder and /or OEM will also have to enter into a Service level agreement for Service Support as per
the terms and conditions of this RFP and covering the scope of work and technical requirements.

Incident Type Definition (As per NIST Guidelines; these are the impact levels of NIST SP 800-30 Rev. 1, Appendix H, which terms "Medium" as "Moderate")

i. Low risk means that a threat event could be expected to have a limited adverse effect on organizational
operations, organizational assets, individuals, other organizations, or the Nation.
ii. Medium risk means that a threat event could be expected to have a serious adverse effect on
organizational operations, organizational assets, individuals, other organizations, or the Nation
iii. High risk means that a threat event could be expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, individuals, other organizations, or the Nation.
iv. Very high risk means that a threat event could be expected to have multiple severe or catastrophic
adverse effects on organizational operations, organizational assets, individuals, other organizations, or the
Nation.

d. Broad SLA parameters for all components-

S. No. | Component | Parameter | SLA

1. Closure of Audit Observations received from Cyber Security Operation Center
   Parameter: Compliance to be submitted within 7 working days for all High Risk Observations. For all other observations, compliance to be submitted within 1 month.
   SLA: High Risk observations = Penalty of 1% of billing cycle payment after 7 days, per week thereafter, till full compliance.
        Other observations = Penalty of 1% of billing cycle payment after 1 month, per week thereafter, till full compliance.

2. Any component becoming faulty even though the remaining solution is working
   Parameter: In case of a faulty component, the bidder will have to replace the component within 7 days. Moreover, the Bidder shall ensure that the faulty/outdated component does not hamper the working of the Solution.
   SLA: Penalty of 1% of the cost of the component (as per the bill of material submitted by the bidder) after 7 days from the date of the device becoming faulty, per week thereafter, deducted from the billing cycle payment, till the replacement of the component.

3. Patching / loading latest versions of the software components in place
   Parameter: The latest software versions/patches to be installed, after testing, within 7 days from the release of the latest version/update by the OEM for on-premises tools.
   SLA: Penalty of 1% of billing cycle payment after 1 month, per week thereafter, till the report of patching/version upgrade is submitted to UPPCL.

4. Attrition of Resources
   Parameter: The bidder has to give 3 months' advance notice in case any resource deployed by the bidder for this project is leaving the project. The bidder shall deploy another resource within 3 months from the date of notification to UPPCL. Any L1 resource going on leave (absentee) shall be replaced by another L1 resource immediately. Resource replacement should be acceptable to UPPCL.
   SLA:
   i. UPPCL will not allow the resource to leave till 3 months are completed from the date of notification.
   ii. The bidder will ensure that the resource does not leave before 3 months.
   iii. In case the resource leaves before that, the resource will be considered "Absent" till the completion of the 3-month period and penalty will be levied accordingly.
   Absentee penalty: 1. Project Coordinator = Rs. 5,000/- per day; 2. Project Manager = Rs. 10,000/- per day.
   In case the replacement resource is not deployed within 3 months from notification, UPPCL will deduct penalty as follows: 1. Project Coordinator = Rs. 5,000/- per day; 2. Project Manager = Rs. 10,000/- per day.
   Penalty will be applied in the quarterly billing cycle. In case the bidder fails to meet the resource requirement for any quarter, UPPCL shall impose penalty as mentioned above and will also not make payment for the absent resource.

5. Reporting
   Parameter: Integration and Security Tool wise reports-
   a. Daily/Weekly/Monthly: No. of live devices
   b. No. of devices from which logs are received vs total number of devices
   Any other periodicity or format defined by UPPCL.
   SLA: Non-submission of daily and monthly reports will attract a penalty of Rs. 300 per report per day. Penalty will be calculated during the quarterly payment cycle.

6. Training
   Parameter: Pre-Implementation, Post-Implementation, Refresher Training
   SLA: 1% of quarterly billing payment for each training missed.

7. Additional Licenses (in a lot of 500 for each tool): 1. UEM (Unified End point Management); 2. Endpoint Detection and Response (EDR); 3. Secure Access Service Edge; 4. PAM (Privileged Access Management); 5. Anti-DDoS (Anti-Distributed Denial of Service); 6. DAM (Database Activity Monitoring)
   Parameter: Additional licenses of tools required to be configured and made go-live as per the requirement of UPPCL/Discoms.
   SLA: An additional lot of 500 of each tool should be made go-live within 10 days. Delay penalty: 0.1% per day of delay against the cost of the additional lot of 500 of each tool.

8. Failure to prevent attacks
   SLA: Failure to prevent attacks for which the tool/solutions have been procured: penalty of 5% on the next billing cycle payment for each attack reported.
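The daily "devices from which logs are received vs total number of devices" report in item 5 is, in practice, a silent-log-source check against an asset inventory. The following is an added example of such a report and is not part of the RFP or any product; the inventory, tool mapping and last-seen timestamps are constructed, and the 24-hour staleness threshold (after which a source counts as not live) is an assumption. In a real deployment the inventory would come from the CMDB/UEM and the last-seen times from the SIEM's log-source status.

```python
"""Log-source coverage report of the kind Article 27(d) item 5 requires (added example)."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(hours=24)   # assumption: no event for 24 h means "not live"

# Constructed inventory: every device that is expected to send logs, by tool.
INVENTORY = {
    "fw-hq-01": "Firewall",
    "fw-dr-01": "Firewall",
    "db-billing-01": "DAM",
    "db-billing-02": "DAM",
    "pam-01": "PAM",
    "edr-mgmt-01": "EDR",
}

# Constructed "last event received" times, as a SIEM would report them (UTC).
LAST_SEEN = {
    "fw-hq-01": "2024-03-01T07:55:00Z",
    "fw-dr-01": "2024-02-27T23:10:00Z",     # silent for well over 24 h
    "db-billing-01": "2024-03-01T07:59:30Z",
    "pam-01": "2024-03-01T06:00:00Z",
    "edr-mgmt-01": "2024-03-01T07:30:00Z",
    # db-billing-02 has never sent a log and is absent from this map
}


def parse_ts(s: str) -> datetime:
    """Parse the SIEM's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_report(inventory, last_seen, now, stale_after=STALE_AFTER):
    """Per-tool counts of live vs expected devices, naming the silent ones.

    A device is live only if it is in the inventory AND its last event is
    within stale_after; devices missing from last_seen are silent.
    """
    report = {}
    for device, tool in sorted(inventory.items()):
        row = report.setdefault(tool, {"expected": 0, "live": 0, "silent": []})
        row["expected"] += 1
        ts = last_seen.get(device)
        if ts is not None and now - parse_ts(ts) <= stale_after:
            row["live"] += 1
        else:
            row["silent"].append(device)
    return report


def coverage_ratio(report):
    """(live, expected) totals across all tools."""
    live = sum(r["live"] for r in report.values())
    expected = sum(r["expected"] for r in report.values())
    return live, expected


def render(report, now):
    """Plain-text daily report body."""
    lines = [f"Log-source coverage as of {now.isoformat()}"]
    for tool, r in sorted(report.items()):
        line = f"{tool:<10} live {r['live']}/{r['expected']}"
        if r["silent"]:
            line += "  silent: " + ", ".join(r["silent"])
        lines.append(line)
    live, expected = coverage_ratio(report)
    lines.append(f"TOTAL      live {live}/{expected}")
    return "\n".join(lines)


if __name__ == "__main__":
    NOW = parse_ts("2024-03-01T08:00:00Z")   # constructed report time
    print(render(coverage_report(INVENTORY, LAST_SEEN, NOW), NOW))
```

Reporting against the inventory rather than against "whatever sent logs today" is the point: a source that goes quiet, or one that was never onboarded, shows up as a named gap instead of silently dropping out of the denominator.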

e. Penalty-
Once the contract is awarded, the bidder shall not refuse to accept the same. In case of refusal by the
bidder, UPPCL may revoke the EMD/Performance Bank Guarantee.
i. The selected bidder shall ensure services at a level of excellence which matches with the Scope
of Work requirements of the RFP.
ii. The agency shall render the services strictly adhering to the expected timeline mentioned in this
section and Delivery, Installation and Commissioning timelines. Any delay, not condoned by
UPPCL, on the part of the bidder in the performance of its obligations shall attract penalty. Post
that UPPCL will have the option of getting the work done through alternate sources at the cost
and risk of the SI, which will be realized from pending payments of the bidder, or from the
security deposit, or from the Performance Bank Guarantee or by raising claims.
iii. UPPCL/ User departments reserve the right to levy/ waive off penalty considering various
circumstances at that point in time.
iv. If at any time during performance of the work order the CSSI encounters conditions impeding
timely performance of the ordered services, the CSSI shall promptly notify UPPCL in writing of
the fact of the delay, its likely duration and its cause(s).
v. For non-execution of work orders for reasons attributable to the agency, UPPCL would be free
to use defaulting agency’s Performance Bank Guarantees received against the affected work
order and/or termination of the Contract provided agency fails to remedy such default in spite of
30 days written notice from UPPCL to cure such default
vi. The general terms w.r.t. the service level agreement are defined as mentioned below.
a) Response / Resolution time starts from the time the call is logged
b) For the purpose of SLA, a day means the period from the commencement of business hours (8
AM) to close of business hours (8 PM). Sunday will be considered as a non-working day.
Further, the holiday list will be determined by the calendar being followed by the Department /
Ministry / User Location

Penalty for delay in delivery and installation of service
i. Delivery of all the quoted ICT infrastructure and service components shall be completed strictly
adhering to the expected timeline mentioned in this section and Delivery, Installation and
Commissioning timelines.
ii. Each lot mentioned in the Technical Specification shall be considered as a single package and
the delivery shall be considered to be complete only when all the individual components
mentioned in the tool are configured at UPPCL in the stipulated time.
iii. Partial deliveries of the lot components shall be permitted while adhering to the delivery
timelines. However, the payment against each tool shall be released only after the complete
implementation, configuration and Go-Live of all the items in that category and consignee
acceptance of the components.
iv. Penalty shall be charged for each tool lot not made Go-Live within the time mentioned in the
Delivery Timelines and SLA, as per the table below.

Clause            | Penalty
Delay in Delivery | 0.5% per week applicable for undelivered hardware / software, with a maximum capping of 10%
Delay in Go-Live  | 1% per week, with a maximum capping of 10% of Contract Value

Note: The CSSI shall provide a valid business reason to UPPCL for any delay in delivery, installation and go-live. If
no valid reason and/or effect of a force majeure condition is established, then UPPCL may choose to take
disciplinary action and invoke the CSSI's Bank Guarantee.

ARTICLE – 28: USE OF AGREEMENT DOCUMENTS AND INFORMATION


The Bidder shall not without prior written consent from UPPCL/Discom disclose the Agreement or any
provision thereof or any specification, plans, drawings, pattern, samples or information furnished by or on
behalf of UPPCL in connection therewith to any person other than the person employed by the Bidder in the
performance of the Agreement. Disclosure to any such employee shall be made in confidence and shall extend
only as far as may be necessary for such performance.
The Bidder shall not without prior written consent of UPPCL/Discom make use of any document or
information made available for the project except for purposes of performing the Agreement.
All project related documents issued by UPPCL/Discom other than the Agreement itself shall remain the
property of UPPCL, and the originals and all copies shall be returned to UPPCL on completion of the Bidder's
performance under the Agreement, if so required by UPPCL.

ARTICLE – 29: PERFORMANCE BANK GUARANTEE


a. The Bidder shall, within thirty (30) days of the notification of Contract award, provide a
Performance Bank Guarantee to the tune of 10% of the Total Contract Value for the due performance of
the contract.
b. The Performance Bank Guarantee shall be valid for the full period of the contract with an
extended claim period of 6 months.
c. Payments will be made to the Bidder only after receipt of the Performance Bank Guarantee by
UPPCL/Discom.
d. UPPCL/Discom may at its sole discretion invoke the Performance Bank Guarantee and
appropriate the amount secured there under, in the event that the Bidder commits any delay or default in
the implementation of the Solution during the contract period or commits any other breach of the terms
and conditions of the Contract.
e. The Performance Bank Guarantee shall be discharged by UPPCL/Discom and returned to the
Bidder not later than six (06) months following the date of completion of the Bidder's performance
obligations under the Contract, including any warranty and O&M obligations, unless specified
otherwise in the RFP.
ARTICLE – 30: TAXES & DUTIES
The Bidder shall be liable to bear all taxes, duties and levies, except GST, which shall be applicable and payable on
actuals at the time of billing.

ARTICLE – 31: BOOKS & RECORDS


The Bidder shall maintain adequate books and records in connection with the Contract and shall make them available
for inspection and audit by GoUP/GoI during the term of the Contract until expiry of the Security Deposit.
UPPCL is subject to various audits [internal / external etc.]. In the event of any observation by the audit
agency, the bidder shall assist UPPCL/Discom in complying with the same.

ARTICLE – 32: ASSIGNMENT & SUBCONTRACTS


a) Assignment by Bidder
The Bidder(s) shall not assign, in whole or in part, its rights and obligations to perform under the
Agreement to a third party, except with the prior written consent from UPPCL/Discom.
b) Sub contracts
The Bidder(s) shall not subcontract or sub-let any of the work assigned to them under the Contract
Agreement to a third party, except with the prior written consent from UPPCL. Even then any such sub-
contracting shall not relieve the Bidder from any liability or obligation under the Agreement. The Bidder
shall fully indemnify UPPCL for any claims/damages whatsoever arising out of the subcontracts.

ARTICLE – 33: RESOLUTION OF DISPUTES

System Integrator (SI) is required to follow the Uttar Pradesh Power Corporation Limited (UPPCL)'s
established procedures and guidelines for resolving any disputes that may arise during the duration of the
contract.

ARTICLE – 34: PAYMENTS TERMS-
The payments shall be strictly made based on acceptance and quality of deliverables, performance and
timelines of services delivered by the System Integrator (As applicable).
The Cyber Security System Integrator (CSSI) should produce a completion/ installation certificate indicating
“Ready-for-use” status (i.e., delivery, installation, commissioning, and successful operation of system) for
respective deliverable/services for project system, duly signed as accepted by the UPPCL.

i. Project Implementation Phase Cost-


S. No. | Activity | Payment Terms | Payment Milestones

1. Supply of Software Licenses / Hardware / Services (New Tools): 1. UEM (Unified End point Management); 2. Endpoint Detection and Response (EDR); 3. Secure Access Service Edge; 4. PAM (Privileged Access Management); 5. Anti-DDoS (Anti-Distributed Denial of Service); 6. DAM (Database Activity Monitoring)
   Payment Terms:
   For implementation phase-
   a. 80% of the cost of Software Licenses/Services/Hardware after Go-Live
   b. 20% of the cost of Software Licenses/Services/Hardware at the end of the year of the Go-Live date
   (For line items 1, 2, 3, 4, 5 and 6 of Price Bid 1 (PB1))
   For Operation Phase-
   c. 80% of the cost of Software Licenses/Services/Hardware at the start of each year of Operation & Support
   d. 20% of the cost of Software Licenses/Services/Hardware at the end of each year of Operation & Support
   (For line items 1, 2, 3, 4, 5 and 6 of Price Bid 1 (PB1))
   Payment Milestones: Due after Go-Live

2. Development, Implementation, and Integration Services (New Tools and Existing Tools)
   Payment Terms:
   a. 80% of the cost of line item 7 of Price Bid 2 (PB2) after Go-Live
   b. 20% of the cost of line item 7 of Price Bid 2 (PB2) at the end of the year of the Go-Live date
   Payment Milestones: a) Due after Go-Live

3. AMC/ATS, Operation, Support, Change Management
   Payment Terms: a. Payable quarterly after the end of each quarter, against line item 8 of Price Bid 3 (PB3)
   Payment Milestones: a. Due after Go-Live; b. Uptime basis

4. Human Resource Cost
   Payment Terms: a. Payable quarterly after the end of each quarter, against line item 9 of Price Bid 3 (PB3)
   Payment Milestones: a) Performance and Attendance basis
Note: The payment shall be made in the following manner:


i. The agency shall submit all the Key deliverables and services to UPPCL as per the contract agreement.
ii. The completion of work and services shall be verified by UPPCL designated technical committees.
iii. Payment shall be made after due verification and acceptance of completed work and services.

ARTICLE – 35: CONTRACT PERIOD
Implementation period post contract signing will be for six (6) months.
The Bidder will have to provide the services for a period of five (5) years as per the detailed
Requirement given under section 3 and section 4. The tenure of the project will start from the date of
agreement of the project by the UPPCL. The UPPCL will be reviewing the performance of the bidder
after 3 years from acceptance of project. After that, the UPPCL reserves the right to extend the
contract by another 2 years depending upon the performance of the bidder. All the hardware,
software and licenses shall be covered under warranty for 5 years and under AMC for rest of the
contract period. Further the contract may be extended by another two years as per requirements of
UPPCL on same terms and conditions.

ARTICLE – 36: COMMISSIONING AND DELAY


The successful bidder will inform UPPCL/Discoms of readiness and commissioning.
The bidder has to ensure that the solutions are ready within the defined timelines. Whenever requested by
UPPCL/Discoms, the bidder shall ensure that the solutions are configured according to
UPPCL's/Discoms' requirements.

ARTICLE – 37: PENALTY


a. The Penalty clause will be governed by the SLA terms & conditions and the commissioning timelines.
b. Inability of the service provider to provide services at the defined service levels would constitute a
breach of contract and would invoke the penalty clause.
c. Maximum penalty will be 10% of total contract value.

ARTICLE – 38: INSTALLATION AND UNINSTALLATION


During installation/ uninstall of any equipment, Bidder shall not cause any damage to government buildings/
premises/ property. However, if any damage occurs, the Bidder shall restore it to the original state at their own
cost up to the satisfaction of the UPPCL/Discoms with no extra cost.

ARTICLE – 39: ERASURES OR ALTERATIONS


Offers containing erasures or alterations may not be considered. Any interlineations, erasures or
overwriting in Technical Bids may be considered at the discretion of UPPCL/Discoms only if they are initialled
by the person signing the Bids. However, interlineations, erasures or overwriting in any form will not be
accepted in the Price Bid. There should be no hand-written material, corrections or alterations in the offer.
Technical details must be completely filled in.

ARTICLE–40: TERMINATION
a) Termination Notice:
The contract may be terminated at any point under the circumstances specified and described below, but
with a due notice of 30 days.
b) Termination for Default:
i. UPPCL/Discom may, without prejudice to any other remedy for breach of Contract, by Notice
of default sent to the Contractor, terminate the Contract in whole or in part:
ii. If the Contractor fails to deliver any or all of the Services within the period specified in the
Contract, or within any extension thereof granted by UPPCL/Discom pursuant to requirement
and scope of RFP; or
iii. If the Contractor is found not to be satisfactory as per the given committed SLA’s as per the
RFP for a sustained period of three (03) months, then the contract may be terminated by
UPPCL/Discom at its sole discretion. All due payments for services rendered before
deterioration of SLA would be made by UPPCL post contract termination.
iv. If the Contractor, in the judgment of UPPCL/Discom, has engaged in corrupt, fraudulent,
collusive, or coercive practices, as defined in subsequent Sections of the RFP, in competing for or in
executing the Contract; or
v. If any representation made by the Bidder in the proposal is found to be false or misleading;
or
vi. If the Contractor commits any breach of the Contract and fails to remedy or rectify the same
within a period of two weeks (or such longer period as UPPCL/Discom in its absolute
discretion may decide) provided in a notice in this behalf from UPPCL/Discom; or
vii. As specified in the Service Level Agreement.
viii. In the event UPPCL/Discom terminates the Contract in whole or in part, UPPCL/Discom may
procure, upon such terms and in such manner as it deems appropriate, Goods or Related
Services similar to those undelivered or not performed, and the Contractor shall be liable to
UPPCL/Discom for any additional costs of such similar Goods or Related Services. However, the Contractor shall continue
performance of the Contract to the extent not terminated.
c) Termination for Insolvency: UPPCL/Discom may at any time terminate the Contract by giving
Notice to the Contractor if the Contractor becomes bankrupt or otherwise insolvent. In such event,
termination will be without compensation to the Contractor, provided that such termination will not
prejudice or affect any right of action or remedy that has accrued or will accrue thereafter to
UPPCL/Discom.
d) Termination for Convenience: UPPCL/Discom, by Notice sent to the Contractor, may
terminate the Contract, in whole or in part, at any time for its convenience. The Notice of termination
shall specify that termination is for UPPCL/Discom's convenience, the extent to which performance of
the Contractor under the Contract is terminated, and the date upon which such termination becomes
effective.
e) Consequences of Termination: Upon Termination of the Contract, the Contractor shall:
i. Prepare and present a detailed exit plan within five (5) calendar days of termination notice
receipt to the UPPCL/Discom.
ii. UPPCL/Discom will review the Exit plan. If approved, Contractor shall start working on the
same immediately. If the plan is rejected, Contractor shall prepare alternate plan within two
(2) calendar days. If the second plan is also rejected, UPPCL/Discom will provide a plan for
Contractor, and it should be adhered by in totality.
iii. The Contractor and the Authorized Personnel from UPPCL/Discom will sign a completion
certificate at the end of successful completion (all points tracked to closure) of the Exit Plan.

ARTICLE – 41: BID FEATURES


1. The bidders are required to quote rates for the entire contract period for each of the items in the
schedule of rates (online mode only). The format of the price bid is enclosed at Section 7 for
reference.
2. The bidders shall quote rate in each of the line items of price bid. UPPCL reserves the right to
reject all incomplete Bids.
3. The quoted rates will include the cost of required Hardware, Software, licenses, AMC, ATS,
Installation, commissioning, transportation and O&M to complete the project in totality excluding
the GST as applicable at the time of billing.
4. The rates quoted by bidders shall remain firm.
5. Bidder shall submit the detail specifications of proposed Central Cyber Security Center solution
including hardware, software, and license in their technical bid. Non submission of these details
will lead to the rejection of bid.
6. Consortium is not allowed.
7. The Purchaser reserves right to modify the terms and conditions of the Contract, during the Project
execution, so as to meet contingency situations, which can arise from time to time. Such
modifications would be discussed and agreed upon by the successful bidder taking into
consideration the Cost, time and other implications. After finalization of modification, the Contract
Agreement may be suitably amended, if required.
8. The bid should be complete in all respects including all supporting documents.
9. Participation in this tender implicitly confirms that any functions, activities, responsibilities or
services which are either not specifically described in this RFP, or are specifically described but have to
undergo suitable changes/modifications due to regulatory/statutory changes, and are deemed necessary
or appropriate by UPPCL for the proper performance of the contract, will (with applicable changes, if any)
be deemed to be implied by and included within the scope of services under this RFP and the Bidder's
response, to the same extent and in the same manner as if specifically described in this RFP and the
Bidder's response.

ARTICLE – 42: NON-DISCLOSURE AGREEMENT
The successful bidder (CSSI) will sign Non-Disclosure agreement with UPPCL. Model format for
non-disclosure agreement is mentioned on CERT-In website. (CERT-In - > Empanelment by CERT-
In -> Model NON-Disclosure Agreement) (https://cert-in.org.in/PDF/NON-
Disclosure_Agreement.pdf ).

ARTICLE – 43: LIMITATION OF LIABILITIES

Except in cases of gross negligence or wilful misconduct, neither Party shall be liable to the other Party for any
indirect or consequential loss or damage, loss of use, loss of production, or loss of profits or interest costs,
provided that this exclusion shall not apply to any obligation of the Bidder to pay liquidated damages to UPPCL;
and the aggregate liability of the Bidder to UPPCL, whether under the Contract, in tort, or otherwise, shall not
exceed the amount specified as the Contract Price, provided that this limitation shall not apply to the cost of
repairing or replacing defective equipment, or to any obligation of the Bidder to indemnify UPPCL in respect of
patent infringement, if any.

ARTICLE-44- Intellectual Property Rights-

This Intellectual Property Rights (IPR) clause stipulates that all intellectual property, including but not
limited to patents, copyrights, and trademarks, arising from the execution of the contracted project,
shall be the exclusive property of the UPPCL. The bidder agrees to promptly disclose and assign all
rights to such intellectual property to the UPPCL/government, and undertakes not to assert any moral
or statutory rights that may impede the government's use, reproduction, or dissemination of the
intellectual property. In cases where third-party intellectual property is utilized in the project, the
contractor is responsible for securing necessary licenses and permissions. The UPPCL reserves the
right to sublicense or transfer the intellectual property rights to third parties if deemed necessary.

ARTICLE-45- Indemnity Clause-

a. The Agency hereby agrees to indemnify UPPCL, for all conditions and situations mentioned in
this clause, in a form and manner acceptable to UPPCL. The Agency agrees to indemnify UPPCL
and its officers, servants and agents ("UPPCL Indemnified Persons") from and against any costs, loss,
damages, expense, claims (including those from third parties) or liabilities of any kind howsoever
suffered, arising or incurred, inter alia during and after the Contract period, out of:

a.1 Any negligence or wrongful act or omission by the Agency or its agents or employees or any
third Party associated with Agency in connection with or incidental to this Contract; or

a.2 Any infringement of patent, trademark/copyright or industrial design rights arising from the
use of the Services or any part thereof.

b. The Agency shall also indemnify UPPCL against any privilege, claim or assertion made by
third party with respect to right or interest in, ownership, mortgage or disposal of any asset,
property, movable or immovable as mentioned in any

c. The Agency shall fully indemnify, hold harmless and defend UPPCL Indemnified Persons from
and against any and all suits, proceedings, actions, claims, demands, liabilities and damages
which DISCOMs indemnified Persons may hereafter suffer, or pay by reason of any demands,
claims, suits or proceedings arising out of claims of infringement of any domestic or foreign
patent rights, copyrights or other intellectual property, proprietary or confidentiality rights with
respect to Services, information, design or process supplied or used by the Agency in
performing the Agency's obligations or in any way incorporated in or related to the Project. If
in any such suit, action, claim or proceedings, a temporary restraint order or preliminary
injunction is granted, the Agency shall make every reasonable effort, by giving a satisfactory
bond or otherwise, to secure the suspension of the injunction or restraint order. If, in any such
suit, action, claim or proceedings, the Services, or any part thereof or comprised therein, is held
to constitute an infringement and its use is permanently enjoined, the Agency shall promptly
make every reasonable effort to secure for UPPCL a license, at no cost to UPPCL, authorizing
continued use of the infringing work. If the Agency is unable to secure such license within a
reasonable time, the Agency shall, at its own expense, and without impairing the specifications
and standards, either replace the affected work, or part, or process thereof with non-infringing
work or part or process, or modify the same so that it becomes non-infringing.

d. UPPCL may impose a penalty on the Implementation Partner, and that penal amount may be
recovered/adjusted from invoices. UPPCL also reserves the right to forfeit the BG.

e. Survival on Termination: The provisions of this Section shall survive up to the period of
Termination of the contract.

Section – 6

Bid Forms (Part-I) Technical

FORM 1: BID COVERING LETTER

[Covering Letter shall be on the official letterhead of the Bidder]
[Reference No.]
From:
[Address of the Bidder] [Telephone No., Fax No., Email]
[Date]

To:
Superintending Engineer IT-III, RAPDRP (Part A)/IT
5th Floor, Shakti Bhawan Extension, 14-Ashok Marg, UPPCL, Lucknow- 226001.

Sub:- RFP for “Selection of Cyber Security System Integrator for Cyber Security Tools for PuVVNL,
MVVNL, DVVNL, PVVNL, KESCo.”

Ref: Your Tender No. XXXXXXX (the “RFP”).

Dear Sir,
We, the undersigned ...................... [Insert name of the Bidder], having read, examined and understood in detail
the RFP for "Selection of Cyber Security System Integrator for Cyber Security Tools for PuVVNL, MVVNL,
DVVNL, PVVNL, KESCo.", hereby submit our Bid comprising Technical and Financial Bids.


1. We give our unconditional acceptance to the RFP including but not limited to all its
instructions, terms and conditions, and formats attached thereto, issued by UPPCL, as amended. In
token of our acceptance to the RFP, the same have been initialed by us and enclosed to the Bid. We
shall ensure that we shall execute such requirements as per the provisions of the RFP and provisions
of such RFP shall be binding on us.
2. Fulfillment of RFP Eligibility
We agree to abide by this Proposal, consisting of this letter, the Qualification Criteria forms, the
Technical Proposal form, the letter of authorization from the Company Secretary for the firm's authorized
signatory, and all attachments, for a period of 180 days from the date fixed for submission of Proposals as
stipulated in the RFP or any modification resulting from contract negotiations, and it shall remain binding
upon us and may be accepted by you at any time before the expiration of that period.
3. Bid Fee
We have enclosed proof of payment of the Bid fee of Rupees Eleven thousand eight hundred only (Rs. 11,800/-
inclusive of GST @ 18%) in the form of RTGS/NEFT No. …………… dated …………… 2024.
4. Earnest Money Deposit
We have enclosed Bid Security of Rupees Sixty Lakh only (Rs. 60,00,000/-) in the form of RTGS/NEFT
No. …………… dated …………… 2024.
5. Acceptance
We hereby unconditionally and irrevocably agree and accept that the decision made by UPPCL in
respect of any matter regarding or arising out of the RFP shall be binding on us. We here by expressly
waive any and all claims in respect of Bid process.
We confirm that there are no litigations or disputes against us which materially affect our ability to
fulfill our obligations as per the RFP.
6. Familiarity with Relevant Indian Laws and Regulations
We confirm that we have studied the provisions of the relevant Indian laws and regulations as
required to enable us to submit this Bid and execute the RFP Documents, in the event of our selection
as Selected Bidder.
7. Contact Person
Details of the contact person representing the Bidder's organization, supported by the letter of
authorization from the Company Secretary for the firm's authorized signatory, are furnished as under:

Name : ………………………………………………..
Designation:……………………………………………….
Company:…………………………………………………...
Address:…………………………………………………….
Mobile :…………………………………………………
Phone:………………………………………………………
Fax:………………………………………………………….
Email:……………………………………………………….
8. We are submitting here with the Technical Bid on e-Tender portal.
9. We are also submitting here with the Financial Bid on e-Tender portal.
10. It is confirmed that our Bid is consistent with all the requirements of submission as
stated in the RFP and subsequent communications from UPPCL.
11. The information submitted in our Bid is complete, strictly as per the requirements
stipulated in the RFP and is correct to the best of our knowledge and understanding. We would be
solely responsible for any errors or omissions in our Bid.
12. We confirm that all the terms and conditions of our Bid are valid for acceptance for a
period of 180 days from the Bid Submission Deadline.
13. We confirm that no order/ruling has been passed by any Competent Court or Appropriate
Commission against us or our Associates in the preceding one (1) year from the Bid Submission Deadline for
breach of any contract, and that the Bid Security submitted has not been forfeited, either partly or
wholly, in any bid process in the preceding one (1) year from the Bid Submission Deadline.

Dated the……………[Insert date of the month] day of………[Insert month, year] at [Insert place].

Thanking you, Sincerely yours,

FORM 2: GENERAL INFORMATION

S.NO. Particulars Details to be furnished

1. Details of responding Bidder


a) Name
b) Address
c) Telephone & Fax
d) Website
2. Details of Contact Person
a) Name
b) Designation
c) Address
d) Telephone no.
e) Mobile no.
f) Fax no.
g) E-mail
3. Details of Authorized Signatory (please attach proof)
h) Name
i) Designation
j) Address
k) Telephone no.
l) Mobile no.
m) Fax no.
n) E-mail
4. Information about responding Bidder
o) Status of Bidder (Public Ltd. /Pvt. Ltd etc.)
p) No. of years of operation in India
q) Details of Registration & GST No.
r) No. of resources/staff in India
s) Locations and addresses of Offices (in India and overseas)

FORM 3: PROFORMA OF COMPLIANCE LETTER/AUTHENTICITY OF INFORMATION
PROVIDED

(Shall be submitted as scanned copy on Bidder’s letterhead duly signed by Authorized signatory)
[On the letter head of Bidder] [Reference No.] From:
[Address of the Bidder] [Telephone No., Fax No., Email] [Date]

To,
Superintending Engineer IT-III, RAPDRP (Part A)/IT
5th Floor, Shakti Bhawan Extension,
14-Ashok Marg, UPPCL, Lucknow-226001

Sub: - RFP for “Selection of Cyber Security System Integrator for Cyber Security Tools for PuVVNL,
MVVNL, DVVNL, PVVNL, KESCo.”
Ref: - Your Tender No. XXXXXXX (the “RFP”).
Dear Sir,
We, ………………….…….… [Insert name of the Bidder] have read, examined and understood the
RFP and RFP Documents for work of ‘Selection of Cyber Security System Integrator for Cyber Security
Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo.”.
We hereby confirm our concurrence with the RFP including in particular the Bid submitted by [Insert
name of the Bidder], in response to the RFP.
We confirm that the Bid has been reviewed and each element of the Bid is agreed to including but not
limited to the commitment and obligations of our Company.
The details of contact person are furnished as under:
Name: ……………………………………
Designation:…………………………
Name of the Company : ……………………………………
Address:……………………………………
Dated the …… day of …… 20…
Thanking you, Yours faithfully,
………………………………
[Signature, Name, Designation of Authorized Signatory of Company and Company's Seal]

FORM 4: Bid Processing Fees & Earnest Money Deposit Details

S. No. | Item | Amount (In Rs.) | Name of the Bank & Branch | Online Transaction detail
1 | Bid Processing Fees | | |
2 | Earnest Money Deposit (E.M.D.) | | |

FORM 5: ELIGIBILITY CRITERIA

Form No. E1: Certificate of Registration/Incorporation

S.N. | Name of Organization | Address | Certification Date | Copy of Certificate of Registration/Incorporation Uploaded
 | | | |

Note: Please fill this form and upload the copy of Certificate of Registration/Incorporation

Form No. E2: Financial strength of the bidder

Financial Year | Turnover (Rs. in Crores) | Net Worth (Rs. in Crores) | Audited Accounts uploaded? (Yes/No)
2020-21 | | |
2021-22 | | |
2022-23 | | |
Grand Total | | |

Note: Please fill this form and upload the Audited Annual Accounts / Balance Sheet along with Profit &
Loss Account for the last three financial years and Certificate from the Chartered Accountant / Company
Secretary.

Form No. E3: Bidder's Experience (Customer References)

Sr. No. | Name of Customer | Address | Contact Person | Contact Number | Email ID of Customer | Project Completion Date | Type of Supporting Document Attached
 | | | | | | |

Form No. E4: OEM's Experience (Customer References)

Sr. No. | Name of Customer | Address | Contact Person | Contact Number | Email ID of Customer | Project Completion Date | No. of Delivered Mailboxes | Type of Supporting Document Attached
 | | | | | | | |

Form 6: Format for Queries to UPPCL

[Queries (only in the format below) may be sent to the Chief Engineer (Level-2), RAPDRP-A/IT, UPPCL
by email to: etender.uppcl@gmail.com]
From: [Reference No.]
[Address of the Bidder] [Telephone No., Fax No., Email] [Date]
To:
Superintending Engineer IT-III RAPDRP-A/IT, UPPCL
5th Floor, Shakti Bhawan Extension, Ashok Marg, Lucknow -226001

Sub: Query.
Ref: Your Tender No. XXXXXXX (the “RFP”). Dear Sir,
Please find below our query with respect to the RFP subject to the terms and conditions therein:

S. No. | RFP Section No. | RFP Para No./ Page No. | Description of Clause as per RFP | Queries/ Clarification of the Bidder | Bidder Name/ Remarks
 | | | | |

Thanking you, sincerely yours, [Insert Signature here] [Insert Name here]
[Insert Designation here]

FORM 7: No-Deviations Certificate

[Reference No.]

From:
[Address of the Bidder] [Telephone No., Fax No., Email] [Date]

To,
Superintending Engineer IT-III, RAPDRP (Part A)/IT
5th Floor, Shakti Bhawan Extension, Ashok Marg,UPPCL, Lucknow -226001

The Bidder hereby certifies that the bid response submitted by them is in compliance and accordance with the
RFP clauses and that there is "No Deviation" in their submission.

Seal of the Company Full Signature:


Name:
Designation:
Date:

Please Note: In case any deviation is found in the bid submitted by the bidder, their bids are liable for rejection.

FORM 8: Declaration that the bidder has not been blacklisted

[Reference No.] From:


[Address of the Bidder]
[Telephone No., Fax No., Email][Date]
To,
Superintending Engineer IT-III, RAPDRP (Part A)/IT
5th Floor, Shakti Bhawan Extension, Ashok Marg,UPPCL, Lucknow -226001

Ref: RFP no ………….

Subject: Self Declaration of not having been blacklisted, in response to the RFP for "Selection of Cyber Security System
Integrator for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo."
Dear Sir,

We confirm that our company, _ , is not blacklisted in any manner whatsoever by any of
the Central or State Ministries / PSUs / Govt. Department on any ground including but not limited to indulgence
in corrupt practice, fraudulent practice, coercive practice, undesirable practice or restrictive practice.

Seal of the Company Full Signature: Name:


Designation
:Date:

FORM 9: FORMAT FOR AGREEMENT BETWEEN DISCOM AND BIDDER
THIS AGREEMENT is made on this …… day of …… (Month), …… (Year), between …… of ……
(hereinafter called "the Purchaser"), which expression shall unless repugnant to the context thereof include his
successors, heirs, assigns, of the one part, and …… of …… (hereinafter called "the Supplier"), which
expression shall unless repugnant to the context thereof include his successors, heirs, assigns, of the other part.
WHEREAS the Purchaser had invited bids for certain Services, viz.,
……………………………………………………. (e.g. Name of bid) vide their bid document number
……………….. dated …………….. AND WHEREAS various applications were received pursuant to the said
bid,
AND WHEREAS the Purchaser has accepted a Bid by the Supplier for providing those Services in the sum of
…………… (hereinafter "the Contract Price").
And in pursuance of having accepted the said bid the parties have agreed to enter into this agreement. NOW THIS
AGREEMENT WITNESSETH AS FOLLOWS:
1. In this Agreement words and expressions shall have the same meanings as are respectively assigned to
them in the Contract referred to.
2. The following documents (collectively referred to as "Contract Documents") shall be deemed to form and
be read and construed as part of this Agreement, viz.:
a. the Detailed Award of Contract;
b. the Service Level Agreement;
c. the RFP;
d. the Purchaser's Notification to the Supplier for Award of Contract and the Supplier's acceptance of
the same;
e. the Bidder's response (proposal) to the RFP, including the Bid Submission Sheet and the Price
Schedules submitted by the Supplier;
f. Annexures to the Bid.
In the event of any discrepancy or inconsistency within the Contract Documents, the documents shall
prevail in the order listed above.
3. In consideration of the payments to be made by the Purchaser to the Supplier as indicated in this
Agreement, the Supplier hereby covenants with the Purchaser to provide the Services, to remedy the
defects therein and to bring them in conformity in all respects with the provisions of the Contract.
4. The Purchaser hereby covenants to pay the Supplier, in consideration of the provision of the Services and
the remedying of defects therein, the Contract Price or such other sum as may become payable under the
provisions of the Contract at the times and in the manner prescribed by the Contract.

IN WITNESS whereof the parties hereto have caused this Agreement to be executed in accordance with
the laws of …………… on the day, month and year indicated above.

Signed by Signed by
(Authorized Utility official) (for the Bidder)
Witness-1 …………………………
Witness-2 …………………………..

FORM 11: FORMAT OF SECURITY DEPOSIT TO BE PROVIDED BY SELECTED BIDDER

[To be on non-judicial stamp paper of Rupees One Hundred Only (INR100/-) or appropriate value as per
Stamp Act relevant to place of execution, duly signed on each page. Foreign entities submitting Bid are required
to follow the applicable law in their country]
Reference No. Bank Guarantee No. Dated: To,

Dear Sir,
WHEREAS [Insert name of the Bidder] with address [Insert address of the Bidder]
having its registered office at [Insert address of the Bidder] (hereinafter the Contractor) subsequent to
participation in Tender No._ _ _ _ _ issued by UPPCL (hereinafter the Beneficiary ) “Selection of Cyber Security
System Integrator for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo.”., have been
issued the Letter of Award as the Selected Bidder.
And WHEREAS a Bank Guarantee for Rupees [Insert amount in words] ( ) [Insert amount in figures] valid till
[Insert date six years from the date of issue of this Security Deposit] is required to be submitted by the Contractor
as per the terms and conditions of the RFP.
We, [Insert name of the Bank and address of the Branch giving the Bank Guarantee] having our registered office
at [Insert address of the registered office of the Bank] hereby give this Bank Guarantee No. [Insert Bank
Guarantee number] dated [Insert the date of the Bank Guarantee], and hereby agree unequivocally
and unconditionally to pay immediately on demand in writing from the Beneficiary any officer authorized by it in
this behalf any amount not exceeding Rupees [Insert amount in words] () [Insert amount in figures] to the said
Beneficiary on behalf of the Bidder.
We, [Insert name of the Bank], also agree that withdrawal of the Bid or part thereof by the Bidder within its
validity, or non-submission of the Security Deposit by the Bidder within the time stipulated in the Letter of Award
to the Bidder, or any violation of the relevant terms stipulated in the RFP, would constitute a default on the part of
the Bidder, and that this Bank Guarantee is liable to be invoked and encashed within its validity by the Beneficiary in
case of any occurrence of a default on the part of the Bidder, and that the encashed amount is liable to be forfeited
by the Beneficiary.
This agreement shall be valid and binding on this Bank up to and inclusive of [Insert the date of validity of the
Bank Guarantee] and shall not be determinable by notice, by any change in the constitution of the Bank (the
Guarantor) or of the firm of the Bidder, or for any reason whatsoever, and our liability hereunder shall not be
impaired or discharged by any extension of time or variations or alterations made, given or conceded, with or
without our knowledge or consent, by or between the Bidder and the Beneficiary.
NOTWITHSTANDING anything contained hereinbefore, our liability under this guarantee is restricted to
Rupees ……………. Our Guarantee shall remain in force till [Insert date six years from the date of issue of
this Security Deposit]. Unless demands or claims under this Bank Guarantee are made to us in writing on or before
[Insert date six years and one month from the date of issue of this Security Deposit], all rights of the Beneficiary
under this Bank Guarantee shall be forfeited and we shall be released and discharged from all
liabilities thereunder.
[Insert the address of the Bank with complete postal branch code, telephone and fax numbers, and official round
seal of the Bank]
[Insert signature of the Bank's Authorized Signatory]
Attested: [Signature] (Notary Public) Place:
Date:
[Reference No.]

FORM 12: FORMAT OF Earnest Money Deposit (in the form of Bank Guarantee) TO BE PROVIDED
BY BIDDER

(For depositing earnest money in case the amount for deposit exceeds Rs. 5,000 Bank guarantee should be on
a non-judicial stamp Paper of Rs. 100.00 or as per present Act and should be checked by the tenderer at the time
of issuing the Bank Guarantee for any change in the Stamp value.)
To,
Accounts Officer, Central Payment
Cell,
UP Power Corporation Ltd. Shakti Bhawan, Lucknow
Sir,
WHEREAS ……………, a company incorporated under the Indian Companies Act, having its registered office
at …………… / a firm registered under the Indian Partnership Act and having its business office at …………… /
Sri …………… son of …………… resident of …………… / Sri …………… son of …………… resident of
…………… and Sri …………… son of …………… resident of ……………, partners carrying on business under
the firm's name and style of M/s …………… at ……………, which is an unregistered partnership
(hereinafter called "the Tenderer") has/have, in response to your Tender Notice against <specification number>
for ……………, offered to supply and/or execute the works as contained in the Tenderer's letter No. ……………
AND WHEREAS the Tenderer is required to furnish you a Bank Guarantee for the sum of Rupees 60,00,000
(Sixty Lac) only as Earnest Money against the Tenderer's offer as aforesaid.
AND WHEREAS we (Name and full address of the Bank) have at the
request of the tenderer agreed to give you the guarantee as hereinafter contained.
NOW THEREFORE in consideration of the premises we the undersigned hereby covenant that the aforesaid
tender of the tenderer shall remain open for acceptance by you during the period of validity as mentioned in
the tender or any extension there of as you and the tenderer may subsequently agree and if the tenderer shall
for any reason back out whether expressly or implied from his said tender during the period of its validity or
any extension thereof as aforesaid, we hereby guarantee to you the payment of sum of On demand
notwithstanding the existence of any dispute between the Uttar Pradesh Power Corporation Limited and
the tenderer, in this regard AND we hereby further agree as follows:
That you may without affecting this guarantee grant time or other indulgence to or negotiate further with the
tenderer in regard to the conditions contained in the said tender and hereby modify these conditions or add
thereto any further conditions as may be mutually agreed upon between you and the tenderer.
That the guarantee hereinbefore contained shall not be affected by any change in the constitution of our Bank or in
the constitution of the tenderer.
That any account settled between you and the tenderer shall be conclusive evidence against us of the
amount due hereunder and shall not be questioned by us.
That this guarantee commences from the date hereof and shall remain in force till the tenderer, if his tender
is accepted by you, furnishes the security as required under the said specifications and executes a formal
agreement as therein provided, or till six months after the period of validity or the extended period of validity,
as the case may be, of the tender, whichever is earlier.
Notwithstanding anything contained above, the liability of the Guarantor hereunder is restricted to the said sum
of …………… and this guarantee shall expire on ……………. Unless a claim under the guarantee
is filed with the Guarantor within six months of such date, all claims shall lapse and the Guarantor shall be
discharged from the guarantee.
That the expressions 'the tenderer', 'the Bank' and 'the Uttar Pradesh Power Corporation Limited' herein used
shall, unless such interpretation is repugnant to the subject or context, include their respective successors and
assigns.
We (Name of Bank) lastly undertake to pay to the UPPCL any money so
demanded notwithstanding any dispute or disputes raised by the Bidder(s)/Supplier(s) in any suit or
proceeding pending before any court or Tribunal or in any arbitration relating thereto, our liability under the present
guarantee being absolute and unequivocal.
The payment so made by us under this bond shall be a valid discharge of our liability for payment thereunder and
the Bidder(s)/Supplier(s) shall have no claim against us for making such payment.

[Insert the address of the Bank with complete postal branch code, telephone and fax numbers, and official round
seal of the Bank]
[Insert signature of the Bank’s Authorized Signatory]
Attested:
[Signature] (Notary Public)
Place: Date:

Section-7

LETTER FOR SUBMISSION OF FINANCIAL BID


To:
Superintending Engineer IT-III, RAPDRP (Part A)/IT
5th Floor, Shakti Bhawan
Extension, Ashok Marg,
UPPCL, Lucknow -
226001

Sub: Financial Bid for Appointment of ************.
Ref: Your Tender No. ******** (the "RFP").
Dear Sir,
We, the undersigned [Insert name of the Bidder], having read, examined and understood in
detail the "Request for Proposal for Selection of Cyber Security System Integrator
for Cyber Security Tools for PuVVNL, MVVNL, DVVNL, PVVNL, KESCo.",
hereby submit our Financial Bid. We hereby undertake and confirm that:
A. We have submitted our Financial Bid strictly in accordance with the RFP
without any deviations or condition.
B. Our Financial Bid is consistent with all the requirements of submission as
stated in the RFP and subsequent communications from the Bid Process
Coordinator.
C. Rates quoted in this Bid are exclusive of GST but inclusive of all other charges like freight
charges, transportation insurance, packaging/loading/unloading charges,
and/or any other taxes or charges applicable to such work. Any escalation in
such taxes/levies during the tenure of the Agreement/order will be the liability
of the bidder, and the bidder is advised to take into consideration any such
escalations in the prevailing taxes/levies/duties.
D. The details quoted herein shall stand valid at least 180 days from the date of
submission of this Financial Bid and for implementation of Project, if awarded,
as per the timeframe indicated in the RFP.
E. Our Quoted Prices are as per the Annexure attached herein.

Dated the …………… [Insert date of the month] day of …………… [Insert month, year] at
……………
[Insert place]. Sincerely yours, [Insert
Signature here][Insert Name here]

Section-7

FORM 13: PRICE BID


RFP No. 03/UPPCL/RAPDRP-A/CSSI/2024 Dated 23-02-2024
“Request for Proposal for Selection of Cyber Security System Integrator for Cyber Security Tools for
PuVVNL, MVVNL, DVVNL, PVVNL, KESCo.”
(All Values to be put in INR)
Price Bid

S. No. | Description | Quantity (A) | Unit (B) | Unit Rate (C) | Total Price for 5 Years (INR)# (D=A*C*5)

Price Bid 1 (PB1) - New Tool Procurement
1 | Unified Endpoint Management (UEM) | 17,000 | User per year | |
2 | Endpoint Detection and Response (EDR) | 17,000 | User per year | |
3 | Security Service Edge (SSE) | 17,000 | User per year | |
4 | PAM for Cloud Infrastructure, On-Premises Datacenters and Desktops: Admin User | 100 | Per year | |
4 | PAM: Server | 600 | Device per year | |
4 | PAM: Network | 400 | Device per year | |
4 | PAM: Public Cloud (Oracle and Azure) | 2 | | |
5 | Database Security (DAM) | 10 | Instance per year | |
6 | Anti-DDOS Solution | 4 | Nos per year | |
6 | Anti-DDOS Solution: Application (on Cloud) | 50 | Per year | |

Price Bid 2 (PB2) - Implementation and Commissioning
S. No. | Description | Quantity | Unit | Unit Rate | Total Price for One time Implementation and Commissioning
7 | Development, Implementation, and Integration Services (New Tools and Existing tools) | 1 | Lot | One time Cost |

Price Bid 3 (PB3) - Annual Maintenance Contract (AMC)/Annual Technical Support (ATS),
Operation, Change Management and Support
S. No. | Description | Quantity (A) | Unit (B) | Unit Rate (C) | Total Price for 5 Years (INR)# (D=A*C*5)
8 | AMC/ATS, Operation, Support, Change Management | 5 | Year | |
9 | Human Resource Cost | 12 | Resource per Year | |

Total Cost (PB1+PB2+PB3) | | | | |

# GST Extra and shall be payable as per actual

Note:
i. Price Bid evaluation will be done on Total Cost (PB1+PB2+PB3).
ii. The award value shall be based on the Price Bid, and selection will be on Quality and Cost Based Selection
(QCBS) basis.
iii. UPPCL/Discom reserves the right to change quantities by plus or minus 30% against any line item at any
point of time during the contract period.
iv. Quantities mentioned against line items are not firm and may be adjusted against any other line item at
any point of time.
v. Quantities mentioned against each line item are not firm; the amount payable will be against actual live
licenses/software/hardware for a year, as the case may be.
vi. Any item/material, either hardware or software, required to meet the functionality specified in the
tender document whose related component is missing in the above table has to be accounted for by the
Bidder, and its price is assumed to be reflected in and covered by the price quoted to the Client by the
Bidder in this price bid.
vii. All the licenses shall be in the name of Uttar Pradesh Power Corporation Ltd for the period of 5 years.
viii. For all line items 1, 2, 3, 4, 5 and 6 of Price Bid 1 (PB1) - New Tool Procurement, the quoted price must
include all costs of software, license, activation, commissioning and hardware for complete Go-Live and
successful operation of each tool. No additional cost will be payable to the successful bidder.
