Danmarks Nationalbank and the most important financial institutions have established a Danish intel-led red-team test program for the Danish financial sector. TIBER-DK stands for Threat Intelligence Based Ethical Red-teaming.
The tests will contribute to improve the ability to discover and react to hacker attacks which potentially can affect critical functions in the financial institutions.
TIBER-DK is based on a common European framework developed by the ECB.
This procurement seeks to establish a Framework Agreement with a primary and a secondary supplier of security testing with Tiber DK covering both Threat Intelligence reports and Red Team testing for a period of four years.
The tenderer shall be able to document at least one reference regarding an institution, which is a member of FSOR where the tenderer has delivered a TCT attested Targeted Threat Intelligence (TTI) report and Threat Intelligence Red Team Testing (RT) based on TIBER DK, cf. section III.1.3).
Deadline
Fristen for modtagelse af bud var på 2023-02-09.
Indkøbet blev offentliggjort på 2023-01-04.
Leverandører
Følgende leverandører er nævnt i tildelingsbeslutninger eller andre indkøbsdokumenter:
Objekt Omfanget af udbuddet
Titel:
“Tender for a Framework Agreement on the delivery of TIBER-DK related services
TS-213476”
Produkter/tjenester: It-tjenester: rådgivning, programmeludvikling, internet og support📦
Kort beskrivelse:
“Danmarks Nationalbank and the most important financial institutions have established a Danish intel-led red-team test program for the Danish financial...”
Kort beskrivelse
Danmarks Nationalbank and the most important financial institutions have established a Danish intel-led red-team test program for the Danish financial sector. TIBER-DK stands for Threat Intelligence Based Ethical Red-teaming.
The tests will contribute to improve the ability to discover and react to hacker attacks which potentially can affect critical functions in the financial institutions.
TIBER-DK is based on a common European framework developed by the ECB.
This procurement seeks to establish a Framework Agreement with a primary and a secondary supplier of security testing with Tiber DK covering both Threat Intelligence reports and Red Team testing for a period of four years.
The tenderer shall be able to document at least one reference regarding an institution, which is a member of FSOR where the tenderer has delivered a TCT attested Targeted Threat Intelligence (TTI) report and Threat Intelligence Red Team Testing (RT) based on TIBER DK, cf. section III.1.3).
1️⃣
Yderligere produkter/tjenester: Sikkerhedsrådgivning📦
Sted for udførelsen: Byen København🏙️
Hovedsted eller sted for udførelsen: København Ø
Beskrivelse af udbuddet:
“The TI provider shall provide Targeted Threat Intelligence (TTI) reports during the contract period. The TTI reports shall formulate threat scenarios to be...”
Beskrivelse af udbuddet
The TI provider shall provide Targeted Threat Intelligence (TTI) reports during the contract period. The TTI reports shall formulate threat scenarios to be mimicked by the Red Team Provider against the flags set in the Detailed Scope document to be provided by the White Team. The TTI report shall be shared with the Red teaming. The TTI report shall be based on the General Threat Landscape (GTL) report provided by the TIBER Cyber Team (TCT).
The Red Team shall provide Red Team Attack planning and execution in accordance with TIBER-DK. Based on the Red Teaming, the Red Team provider shall provide a Red Team Report and plan and facilitate Replay/Purple Teaming workshops as part of closing of the exercises.
The Threat Intelligence Based Ethical Red Team tests shall be conducted on Danmarks Nationalbank during the contract period. The tests shall be conducted in accordance with the Danish implementation of the TIBER framework: TIBER-DK, including the TIBER-DK General Implementation Guide, the TIBER-DK Operational Guide and underlying specific guides. In areas where no general or detailed TIBER-DK guidance exists, the TIBER-EU guidance – if any - shall be followed.
The Supplier shall ensure consultants with knowledge in Danish, as the TI reports and the cooperation with the Customer will be carried out in Danish.
The tenderer shall authorize the Contracting Authority as part of the procurement process to request confirmation on any declared successful conduct of previous TIBER engagement via the TCT (this procedure ensures the anonymity of the references given by the tenderer).
Vis mere Kriterier for tildeling
Prisen er ikke det eneste tildelingskriterium, og alle kriterier er kun anført i udbudsdokumenterne
Omfanget af udbuddet
Anslået samlet værdi ekskl. moms: DKK 4 175 000 💰
Kontraktens, rammeaftalens eller det dynamiske indkøbssystems varighed
Nedenstående tidsramme er udtrykt i antal måneder.
Beskrivelse
Varighed: 48
Juridiske, økonomiske, finansielle og tekniske oplysninger Teknisk og faglig kompetence
Liste og kortfattet beskrivelse af udvælgelseskriterier:
“The tenderer must submit the ESPD with the following information:
A list of up to the 5 most significant comparable services, see sections II.1.4) and...”
Liste og kortfattet beskrivelse af udvælgelseskriterier
The tenderer must submit the ESPD with the following information:
A list of up to the 5 most significant comparable services, see sections II.1.4) and II.2.4), that the tenderer has carried out in the latest 3 years before the expiry of the deadline for submission of tender.
Only references relating to services carried out at the time of submission of tender will be given importance in the evaluation of whether the minimum requirements regarding technical and professional capacity have been complied with, see below. Hence, in the case of an ongoing task, only the part of the ser-vices already performed at the time of submission of tender will be included in the evaluation of the reference.
Each reference is requested to include a brief description of the deliveries made. The description of the delivery should include a clear description of the services set out in sections II.1.4) and II.2.4) to which the delivery related and the tenderer's role(s) in the performance of the delivery. The reference is furthermore requested to include the financial value of the delivery (amount), the date of delivery and the name of the customer (recipient).
When indicating the date of the delivery, the tenderer is requested to indicate the date of commencement and finalisation of the delivery. If this is not possible, for example if the tasks were performed on a continuous basis under a framework agreement, the tenderer is asked to indicate how the date is specified.
No more than 5 references may be stated, irrespective of whether the tenderer is a single operator, whether the tenderer relies on the technical capacity of other entities, or is a group of operators (e.g. a consortium). Where more than five references are stated, only the most recent five references will be taken into account. Any additional references will be disregarded. If it is not possible to decide which references are the most recent five references, the references will be selected by drawing lots.
If the tenderer relies on the professional experience of other entities for the performance of specific parts of the services comprised by the framework agreement, see section II.2.4), such specific parts of the services under the framework agreement must be performed by the entity on which the tenderer relies.
The ESPD serves as provisional documentation that the tenderer fulfils the minimum suitability requirements in respect of technical and professional ability, see section III.1.3).
Before the award decision is made, the tenderer to whom the contracting entity intends to award the framework agreement must submit documentation that the information stated in the ESPD is accurate.
No additional documentation of technical and professional capacity will be required from the tenderer. However, the contracting entity reserves the right to contact the Danish Tiber Cyber Team (TCT) in Danmarks Nationalbank, to ensure that the reference has in fact an attestation from the Danish Authority (TCT).
Vis mere Betingelser for deltagelse
Betingelser for deltagelse (tekniske og faglige kvalifikationer):
“As a minimum requirement, the tenderer shall document at least one reference regarding an institution, which is a member of FSOR where the tenderer has...”
Betingelser for deltagelse (tekniske og faglige kvalifikationer)
As a minimum requirement, the tenderer shall document at least one reference regarding an institution, which is a member of FSOR where the tenderer has delivered a TCT (Tiber-DK Cyber Team at Danmarks Nationalbank) attested Targeted Threat Intelligence (TTI) report and Threat Intelligence Red Team Testing (RT) based on TIBER DK.
The tenderer can document the references for TTI and RT to the same institution (one reference) or the tenderer can document the TTI and the RT on separate references (two references).
Vis mere Betingelser i forbindelse med kontrakten
Betingelser for opfyldelse af kontrakten:
“The framework agreement has incorporated the corporate social responsibility considerations, as appropriate, as laid down in the conventions on the basis of...”
Betingelser for opfyldelse af kontrakten
The framework agreement has incorporated the corporate social responsibility considerations, as appropriate, as laid down in the conventions on the basis of which the principles of the UN Global Compact are worded and as laid down in the OECD Guidelines for Multinational Enterprises.
The framework agreement lays down requirements on compliance with the law on processing of personal data
The framework agreement contains requirements that relevant staff handling tasks in connection with the performance of the framework agreement must be able to pass security clearance.
If the framework agreement is awarded to a group of operators (such as a consortium), the participants of the group must undertake joint and several liability and appoint a joint representative.
Procedure Type af procedure
Åben procedure
Oplysninger om en rammeaftale eller et dynamisk indkøbssystem
Rammeaftale med flere operatører
Beskrivelse
Påtænkt maksimalt antal deltagere i rammeaftalen: 2
Administrative oplysninger
Frist for modtagelse af bud eller ansøgninger om deltagelse: 2023-02-09
12:00 📅
Sprog, på hvilke bud eller ansøgninger om deltagelse kan indgives: engelsk 🗣️
Nedenstående tidsramme er udtrykt i antal måneder.
Minimumsfrist, inden for hvilken tilbudsgiveren skal opretholde tilbuddet: 3
Betingelser for åbning af buddene: 2023-02-09
12:00 📅
Supplerende oplysninger Oplysninger om gentagelse
Der er tale om et tilbagevendende indkøb ✅
Anslået tidsplan for offentliggørelse af yderligere bekendtgørelser: Primo 2026
Oplysninger om elektroniske arbejdsgange
Der vil blive anvendt elektronisk bestilling
Elektronisk fakturering vil blive accepteret
Yderligere oplysninger
“Participation in the tendering procedure may only take place by electronic means via the electronic tendering system used by the contracting entity, see the...”
Participation in the tendering procedure may only take place by electronic means via the electronic tendering system used by the contracting entity, see the address set out in section I.3).
The tenderer must together with its tender submit an ESPD as preliminary documentation of the circumstances set out in section 148(1), paras 1-3 of the Danish Public Procurement Act (udbudsloven).
There is an information meeting held on Friday 13 January 2023, at 14:00 local time, see more in the document "additional information about the contract notice".
In this procedure, the tenderer may rely on the technical capacity of other operators to fulfil the suitability requirements stated in section III.1.3). The operator(s) making its/their technicalcapacity available to the candidate must sign a letter of commitment, see further in the tender specifications. The form is enclosed as an attachment to the tender specifications.
The tenderer will be excluded from participation in the tender procedure if the tenderer is subject to the compulsory grounds for exclusion set out in sections 134 a, 135 and 136 of the Danish Public Procurement Act, unless the tenderer has submitted sufficient documentation of its reliability in accordance with section 138 of the Danish Public Procurement Act.
Before the award decision is made, the tenderer to whom the contracting entity intends to award the framework agreement must provide documentation of the information submitted in the ESPD pursuant to sections 151-152, cf. section 153 of the Danish Public Procurement Act. As an alternative to the documentation mentioned in sections 153-155, 157 and 158 of the Danish Public Procurement Act, the tenderer may submit to the contracting entity a certificate of registration in an official list of approved economic operators, see section 156 of the Danish Public Procurement Act, issued by the competent authority. The contracting entity only accepts certificates of registration in an official list from tenderers established in the country holding the official list.
-o0o-
Further information:
See the document “Additional information about the contract notice” in relation to estimated and maximum value of the framework agreement.
The contracting entity may use the procedure of section 159(5) of the Danish Public Procurement Act in the event that applications or tenders do not comply with the formal requirements of the procurement documents.
See also the document “Additional information about the contract notice” which contains additional information regarding this section. The document is accessible via the electronic tendering system at the address set out in section I.3).
Vis mere Gennemgå organ
Navn: Klagenævnet for Udbud
Postadresse: Nævnenes Hus, Toldboden 2
Postby: Viborg
Postnummer: 8800
Land: Danmark 🇩🇰
Telefon: +45 72405600📞
E-mail: klfu@naevneneshus.dk📧
URL: https://klfu.naevneneshus.dk/🌏 Organ med ansvar for mæglingsprocedurer
Navn: There is no such body
Postby: København
Land: Danmark 🇩🇰 Gennemgangsprocedure
Præcise oplysninger om fristerne for gennemgangsprocedurer:
“Pursuant to the Danish Act on the Complaints Board for Public Procurement, etc. (lov om Klagenævnet for Udbud m.v.) (the Act is available (in Danish) at...”
Præcise oplysninger om fristerne for gennemgangsprocedurer
Pursuant to the Danish Act on the Complaints Board for Public Procurement, etc. (lov om Klagenævnet for Udbud m.v.) (the Act is available (in Danish) at www.retsinformation.dk), the following deadlines apply to the lodging of complaints:
Complaints for not having been selected must be submitted to the Danish Complaints Board for Public Procurement before the expiry of 20 calendar days, see section 7(1) of the Act, from the day after submission of notification to the candidates concerned of the identity of the successful tenderer where the notification is accompanied by an explanation of the grounds for the decision in accordance with section 2(1), para (1) of the Act and section 171(2) of the Danish Public Procurement Act.
In other situations, complaints of award procedures, see section 7(2) of the Act, must be lodged with the Danish Complaints Board for Public Procurement before the expiry of:
1) 45 calendar days after the contracting entity has published a notice in the Official Journal of the European Union that the contracting entity has entered into a contract. The deadline is calculated from the day after the day when the notice was published.
2) 30 calendar days calculated from the day after the day when the contracting entity has notified the candidates concerned that a contract based on a framework agreement with reopening of competition or a dynamic purchasing system has been entered into where the notification has included an explanation of the relevant grounds for the decision.
3) 6 months after the contracting entity entered into a framework agreement calculated from the day after the day when the contracting entity notified the candidates and tenderers concerned, see section 2(2) of the Act and section 171(4) of the Danish Public Procurement Act.
4) 20 calendar days calculated from the day after the contracting entity has submitted notification of its decision, see section 185(2) of the Danish Public Procurement Act.
Not later than at the time of lodging a complaint with the Danish Complaints Board for Public Procurement, the complainant must notify the contracting entity in writing that a complaint has been lodged with the Danish Complaints Board for Public Procurement and whether the appeal was lodged during the standstill period, see section 6(4) of the Act. In cases where the complaint was not lodged within the standstill period, the complainant must furthermore indicate whether a suspensory effect of the complaint has been requested, see section 12(1) of the Act.
The e-mail address of the Complaints Board for Public Procurement is set out in section VI.4.1.
The Complaints Board’s own complaints procedure is available at https://naevneneshus.dk/start-din-klage/klagenaevnet-for-udbud/vejledning/
Vis mere Tjeneste, hvorfra der kan indhentes oplysninger om klageproceduren
Navn: Konkurrence- og Forbrugerstyrelsen
Postadresse: Carl Jacobsens Vej 35
Postby: Valby
Postnummer: 2500
Land: Danmark 🇩🇰
Telefon: +45 41715000📞
E-mail: kfst@kfst.dk📧
URL: http://www.kfst.dk🌏
Kilde: OJS 2023/S 006-012856 (2023-01-04)
Bekendtgørelse om indgåede kontrakter (2023-11-16) Objekt Omfanget af udbuddet
Samlet værdi af indkøbsaftalen (ekskl. moms): DKK 6 000 000 💰
Kriterier for tildeling
Kvalitetskriterium (navn): Team
Kvalitetskriterium (vægtning): 30%
Kvalitetskriterium (navn): Methodology and work modalities
Kvalitetskriterium (vægtning): 20%
Kvalitetskriterium (navn): Risk mangement and information security
Pris (justeringskoefficient): 30%
Procedure Type af procedure
Ingen bud eller ingen egnede bud/ansøgninger om deltagelse som svar på den åbne procedure
Tildeling af en kontrakt uden forudgående offentliggørelse af en indkaldelse af bud i Den Europæiske Unions Tidende (begrundelse):
“Before the deadline for tenders on 9 February 2023, at 12:00, local time, Danmarks Nationalbank received three tenders. None of the tenders complied fully...”
Tildeling af en kontrakt uden forudgående offentliggørelse af en indkaldelse af bud i Den Europæiske Unions Tidende (begrundelse)
Before the deadline for tenders on 9 February 2023, at 12:00, local time, Danmarks Nationalbank received three tenders. None of the tenders complied fully with the tender documents.
It is stated in the public procurement act, § 80, that a contracting authority may apply negotiated procedure without prior publication when, in connection with open or restricted procedures for works, supplies or services, only tenders which are irrelevant in relation to the contract have been received.
Danmarks Nationalbank has thus decided to annul the existing procurement, cf. contract notice 2023/S 006-012856, and initiated a negotiated procedure without prior publication with the three tenderers,
Vis mere Oplysninger om rammeaftalen
Indkøbet indebærer, at der indgås en rammeaftale
Administrative oplysninger
Tidligere offentliggørelse vedrørende denne procedure: 2023/S 006-012856
Tildeling af kontrakt
1️⃣
Kontraktnummer: 1
Titel: Tender for a Framework Agreement on TIBER-DK related services - supplier 1
Dato for indgåelse af kontrakten: 2023-04-27 📅
Oplysninger om udbud
Antal modtagne bud: 2
Antal bud, der er modtaget ad elektronisk vej: 2
Navn og adresse på kontrahenten
Navn: WithSecure A/S
Nationalt registreringsnummer: 32559409
Postadresse: Rued Langgaardsvej 8
Postby: København S
Postnummer: 2300
Land: Danmark 🇩🇰
Telefon: +45 70207525📞
Region: Byen København🏙️
Entreprenøren er en SMV ✅ Oplysninger om kontraktens/parcellens værdi (ekskl. moms)
Anslået samlet værdi af kontrakten/partiet: DKK 5 000 000 💰
Kontraktens/parcellens samlede værdi: DKK 6 000 000 💰
2️⃣
Kontraktnummer: 2
Titel: Tender for a Framework Agreement on TIBER-DK related services - supplier 2
Dato for indgåelse af kontrakten: 2023-11-06 📅
Navn og adresse på kontrahenten
Navn: NCC Group A/S
Nationalt registreringsnummer: 26373549
Postadresse: Svanevej 12
Postby: København NV
Postnummer: 2400
Oplysninger om kontraktens/parcellens værdi (ekskl. moms)
Anslået samlet værdi af kontrakten/partiet: DKK 5 000 000 💰
Kontraktens/parcellens samlede værdi: DKK 6 000 000 💰
Kilde: OJS 2023/S 224-706287 (2023-11-16)