Request for Information for the Procurement Process for Electronic File Transfer for Statistics Canada

Solicitation number R000066454

Publication date

Closing date and time 2020/11/09 14:00 EST

Last amendment date


    Description

    This Amendment # 05 is raised to extend the closing date for a submission of Proposal.

    The revised final closing date for a submission of Proposal:

    November 13th, 2020 @ 2:00 PM Eastern Standard Time (EST)

    ____________________________________

    This Amendment # 04 is raised to answer the following nine questions:

    1. Regarding Statistics Canada Requirement, Signature Integrity under Section 5.8.3, it states, “When the solution must ensure non-repudiation of data, during transport or in storage, a digital signature is required. It must have the ability to respect Federal Government Standards such as the support for file integrity using signatures.”

    Question a)

    Can you please clarify this requirement as well as direct us to the standard you are referring to?

    Answer a)

    Standards for unclassified, Protected A and Protected B information can be found here:

    https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-and-protected-b-information-itsp40111

    Additional guidance to Networks and Transport can be found here:

    https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062

    Question b)

    How does this apply to a pure cloud-based managed service?

    Answer b)

    The service must employ algorithms that the Canadian Centre for Cyber Security deems appropriate for Protected B information.

    If the solution provider supports other more stringent standards, please include them in your response and provide details that will allow StatCan to review.

    ____________________________

    This Amendment # 03 is raised to answer the following nine questions:

    Questions: Section 5.8.3 - Data Verification

    The solution must verify the integrity (e.g. accuracy) of data during transport or in storage (i.e. by possibly using a secure hash). The solution must have the ability to disallow metadata or data to be changed or used except by authorized staff.

    1. Where is the “validation” expected to take place if cross referencing is required, and should this be housed internal or external to the solution?

    2. Who is going to own / maintain the rules around what is allowed to which roles?

    Answers:

    1. We are open to options. Please provide pros/cons of each model.

    2. Statistics Canada.

    Question: Section 5.8.6 - Other Security Requirements

    The solution must have the ability to apply rules based on the metadata content and determine if a file can be transmitted or not

      • Does this apply to ALL transfers or is it specific subsets? Where is the logic currently stored as to what data is allowed to be delivered where?

    Answer:

    If your proposed solution allows for various levels of applying rules, please elaborate what these are.

    Questions: Section 5.8.6 - Other Security Requirements

    The solution must be able to address vulnerabilities identified in a project-based scan following the Compliance Assessment Framework Process

    1. Can you please clarify/explain in more detail the Compliance Assessment Framework Process and how it works (As it pertains to Stats Canada)?

    2. What sort of vulnerabilities are scanned and is it user access based / network intrusion?

    Answers:

    1. Statistics Canada conducts a security review for all new solutions prior to their deployment. This process includes Security Authorization & Accreditations (SA&A) leading to Authority to Operate (ATO). As part of this, we run various security tests, including but not limited to scans.

    • Please include reference to any third party security reviews the proposed solution has been through (if available).

    2. These are part of the overall vulnerabilities that are considered.

    Questions: Section 5.9 - Service Continuity Requirements (Scalability and Performance)

    The document outlines 100,000 distinct users and 5,000 distinct groups... 

    1. Is the solution expected to have all users concurrently loaded on the system at a given time ? 

    A.1) For licensing purposes, how many “active” users/accounts are required to have a unique authentication account setup on the system as part of phase 1? 

    A.1.1) If not in LDAP / AD, are the user/account authentication settings (certificates, usernames, etc.) currently accessible via CyberArk today (encrypted with a key that Stats Canada has access to)?

    A.2) There is mention of LDAP / AD. Will this be where the user management will be done from? If so, are all users currently in LDAP / AD now?

    A.3) Are there Internal and External LDAPs that will be leveraged to allow for the correct data protection from an access perspective?

    1. What is the anticipated max concurrent users that will be using the system at a given time ?

    Answers:

    1. A threshold of 500 users connected concurrently will be acceptable.

    Please let Statistics Canada know what the limits of the proposed solution are.

    A.1) 10,000 is the number we are targeting.

    Please elaborate on your licensing options, levels.

    A.1.1) Current legacy solution supports LDAP/AD, as well as its own user management capability.

    Everything is saved inside the vault and hence is all encrypted using the vault protocol.

    A Web interface and Desktop Windows interface is available to manage users.

    Authentication is implemented using username/password, and Public Key authentication for SFTP users.

    A.2) Statistics Canada is open to options. Our internal users are managed using Microsoft Active Directory.

    A.3) Yes. However Statistics Canada is open to options.

    B) 500+ concurrent users.

    Question:

    Will Statistics of Canada honor additional questions from the same vendor as long as it’s within the allotted time table?

    Answer:

    This will be limited to within the posting timelines (closing date RFI is Nov. 9 2020)

    ___________

    This Amendment # 02 is raised to answer the following nine questions:

    Question 1: The data requirements needed for running the solution. Clarification: Are you asking server requirements? OS, CPU, Memory, HDD, etc?

    Answer 1: - Are there any specific requirements (other than hardware related) that need to exist to enable the proposed solution to operate? - E.g. might include specific limitations (limit in number of concurrent processes, upper limits in number of files per period of times, etc.)

    Question 2: Identify all requirements set out in your proposed solution that your organization cannot meet or provide. For each element that your organization cannot meet or provide, describe in your opinion why that is and if possible, propose an alternative solution.

    Identification of sensitive data to client’s data. Clarification: How are you wanting to identify sensitive data? Is this based on file name or something else??

    Answer 2: In case the solution provider identifies requirements that are/cannot be met by their proposed solution, please describe which ones fall under this category (cannot be met). If possible, describe an alternative solution supported within the proposed solution that could be used as an alternative solution.

    • Include any potential capability / feature to handle protected B data.

    Question 3: Federal Government Standards such as the support for file integrity using signatures. Clarification: Are you asking if we support MD5 or is this something else?

    Answer 3: What are the mechanisms / standards used within the proposed solution to support the transmitted information (files) integrity (e.g.: authenticating digital signatures, encryption standards, etc.)

    Question 4: Digital signature for Non-repudiation of data, during transport or in storage. Clarification: I’m not sure what you’re asking here. Could I get someone to elaborate on this?

    Answer 4: What are the mechanisms / standards used within the proposed solution to implement data non-repudiation (to ensure proof of origin and integrity of the information asset).

    Question 5: Data integrity (Data and Metadata) during transport and storage (i.e. secure hash). Destination data check verification – no conflict with incoming and outgoing location - conflict deny sending to target. Clarification: What would cause a conflict? File already exist?

    Answer 5: Describe the features that enable/support information asset (file metadata and payload) integrity (ensuring that the file was not modified during its transport/transmission and its storage).

    Question 6: Rule Processing - apply rules based on the metadata to determine transmitted or not. Clarification:  Can I get an example of the metadata?

    Answer 6: Describe features within the proposed solution that inform the state of the transmitted information (file) such as transmitted, delivery acknowledged, file opened, etc.

    Question 7: Interoperable - Open standard to communicate with other products at its component level. Clarification:  Need more information on this.

    Answer 7: Describe features within the proposed solution that inform the state of the transmitted information (file) such as transmitted, delivery acknowledged, file opened, etc.

    Question 8: Licensed Users - Can you confirm the expected number of internal and external users who will require access to the platform? For external users specifically, what portion of those would require more access than simply upload and download, and what portion would require full collaboration access with edit, safe creation and invite privileges?

    Answer 8:

    • We have over 28K external users.
    • The vast majority of usage is under an upload/download scenario (triggered by the end user)
    • A small number of these uploads/downloads are fully automated.
    • The current file transfer service does not consider collaboration as a use case.

    Question 9: Automation - Can you provide detail around the frequency, volume, and process descriptions (i.e. source, destination, protocol, scanning)? How many automation processes are active in the current solution?

    With the current file transfer service, we have deployed a few hundred automated processes. The majority of these are bi-directional.

    Endpoints represent ‘safes’. A given process can have multiple end-points / safes (same file transferred to multiple users)

    Answer 9:

    • The frequency at which transfer processes run can vary (between 1-6 minutes)
    • Source and destination can be any location within or outside our organization.
    • Current protocols include HTTPS, FTPS, SFTP, and Vault protocol
    • Scanning is supported within current solution.

    ______________________

    This Amendment # 01 is raised to answer a question received in relation to section 6.4.

    Question:  Could you please confirm if the 9 items under section 6.4 “Solicited Key Features to Demonstrate” are to be provided as a written response with screenshots, or if SSC will be conducting live presentations with respondents after the close of this RFI? We are trying to determine if the response for the 9 items under this section are required with the response by the due date, or if presentations will be held at a later date.

    Answer:  Regarding the 9 items under section 6.4 “Solicited Key Features to Demonstrate”, we will be organizing demo sessions where solution providers will be asked to go through each of the features and demonstrate it. We are asking, however, that the solution providers include text that demonstrates that each such feature is available within their recommended/proposed solution.

    -------------------

    Request for Information (RFI):

    Definition of requirement:  To replace Statistics Canada’s current end-of-life secured commercial off-the-shelf (COTS) solution to transfer files with partners.

    1. Security requirement: This solicitation contains a requirement for vendor and personnel security screening.

    2. Trade Agreements: The requirement is subject to the provisions of the World Trade Organization Agreement on Government Procurement (WTO-AGP), the Canada-Chile Free Trade Agreement (CCFTA), the Canada-Colombia Free Trade Agreement (CColFTA), the Canada-Panama Free Trade Agreement (CPanFTA) if it is in force, and the Agreement on Internal Trade (AIT)

    3. The Final closing date for a submission of Proposal:

    November 9th, 2020 @ 2:00 PM Eastern Standard Time (EST)

    4. Bidder Inquiries: Suppliers may inquire or submit emails to:

    SSC Data Centre RFP

    ssc.ssc-dc-rfp-spc-cd-dp.spc@canada.ca

    Contract duration

    Refer to the description above for full details.

    Trade agreements

    • World Trade Organization Agreement on Government Procurement (WTO GPA)
    • Canada-Panama Free Trade Agreement
    • Canada-Korea Free Trade Agreement (CKFTA)
    • Canada-Honduras Free Trade Agreement
    • Canadian Free Trade Agreement (CFTA)
    • Canada-Chile Free Trade Agreement (CCFTA)
    • Canada-Colombia Free Trade Agreement
    • Canada-Peru Free Trade Agreement (CPFTA)

    Contact information

    Contracting organization

    Organization: Shared Services Canada
    Address: 90 Metcalfe Street, Ottawa, Ontario, K0A 0C3, Canada
    Contracting authority: Ladouceur, Sandra
    Phone: 613-302-0766
    Email: sandra.ladouceur2@canada.ca

    Buying organization(s)

    Organization: Shared Services Canada
    Address: 90 Metcalfe Street, Ottawa, Ontario, K0A 0C3, Canada
    Summary information

    Notice type: Request for Information
    Language(s): English, French
    Region(s) of delivery: Ontario (except NCR)
    Region of opportunity: World
    Procurement method: Competitive – Open Bidding
