Para 9.9 - Cyber Auditing | KartavyaDesk
Original Rule Text
8. Cyber auditing and Testing of hardware: The tenders issued by the Procuring Entities should include detailed requirements for security auditing and testing of devices intended for perpetual internet connectivity e.g., Servers, IoT (Internet of Things) devices/ CCTV cameras etc., to mitigate security vulnerabilities and breaches of Government Systems. The specifications must underscore the necessity of security measures at both hardware and software levels to ensure the security and integrity of such devices or systems. CERT-IN empanelled organizations specialize in conducting security auditing, vulnerability assessments, and penetration testing of computer systems, networks, and applications. However, their primary domain may not encompass comprehensive hardware security testing and evaluation of IoT Devices/ CCTV cameras, which is the domain of STQC-IN. STQC, under the aegis of the Ministry of Electronics and Information Technology (MeitY), has expertise for thorough evaluation of IoT Devices' hardware to ensure adherence to specified standards and comprehensive evaluation of security aspects in the IoT Devices.
What This Means
Para 9.9 of the Manual for Procurement of Consultancy Services focuses on ensuring the security of government IT infrastructure, particularly devices connected to the internet like servers, IoT devices, and CCTV cameras. When a government department is procuring these devices through a tender process, this rule mandates that the tender documents must include detailed requirements for security auditing and testing. This is to protect government systems from cyber threats and vulnerabilities. The rule affects all government departments and agencies involved in procuring such devices, as well as the vendors supplying them.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- Mandates security auditing and testing for internet-connected devices procured by government entities.
- Applies to devices like servers, IoT devices, and CCTV cameras.
- Tender documents must include detailed security requirements.
- Emphasizes security measures at both hardware and software levels.
- Suggests leveraging CERT-IN empanelled organizations for security auditing and STQC-IN for hardware security testing of IoT devices.
Practical Example
The Ministry of Rural Development is issuing a tender for 500 IoT-enabled water quality monitoring devices to be installed in rural areas. Following Para 9.9, the tender document explicitly requires vendors to provide evidence of security auditing and testing conducted by CERT-IN empanelled organizations. Furthermore, the tender specifies that the hardware of the IoT devices must undergo thorough evaluation by STQC-IN to ensure adherence to security standards. M/s SecureTech Solutions, a bidding company, must demonstrate compliance with these security requirements to be considered for the contract, valued at ₹50,00,000. This ensures the devices are secure and prevents potential breaches of the Ministry's network.
Frequently Asked Questions
What types of devices are covered under Para 9.9?
Who is responsible for ensuring compliance with Para 9.9?
What is the role of CERT-IN and STQC-IN in this context?
If a device is not perpetually connected to the internet, does Para 9.9 apply?
What happens if a vendor fails to comply with the security requirements outlined in the tender?
Test Your Knowledge
According to Para 9.9 of the Manual for Procurement of Consultancy Services, what is a mandatory requirement for tenders issued by procuring entities for devices intended for perpetual internet connectivity?