Request for Information – Cybersecurity products

The Norwegian public civil sector consists of approximately 190 government entities, and optionally 16 regional municipalities and 357 local municipalities, ranging from small municipalities to mid-market and enterprise entities with an estimated total of an estimated 800.000 employees.

MPS is acting and operating as a Central Purchasing Body (CPB) according to the EU Directive 2014/24 on public procurement [3], Article 37.

MPS is exploring the establishment of framework agreements/contracts at the national level covering a wide range of tools and services for information security and data protection. The purpose is to contribute to strengthening the security and compliance posture across the Norwegian public sector.

This round of RFIs (see below) focuses mainly on cybersecurity and data protection products/services delivered as Software-as-a-Service (SaaS) from the market. An additional round of RFIs for more comprehensive services/capacities (such as incident response, penetration testing, compromise assessment, managed detection and response, and potentially others) will be published at a later stage and those types of services/capacities is generally not part of this RFI.

In accordance with the annual risk and threat assessments by relevant Norwegian authorities (Norwegian National Security Authority [4], Norwegian Police Security Service [5] and the Norwegian Intelligence Service[6]), our cybersecurity adversaries range from nation states (e.g., advanced persistent threats), to organized crime (e.g., fraud and cybercrime groups and hacktivism) and opportunistic actors (e.g., insiders and fraudsters).

We therefore strongly encourage both best-of-breed and high-end niche players; as well as best-of-suite vendors to participate in this RFI.

We are in addition open for all types of SaaS-solutions whether open source or closed source and we are first and foremost looking for products/services/tools. Offered services should have flexibility in deployment (i.e., Cloud-based, hybrid or on-premises deployment).

Furthermore, the offered services should provide capabilities to support the implementation of the following regulations and standards:

• GDPR: Demonstrate capabilities to support our GDPR compliance efforts, including data minimization and secure data processing practices during incident response.
• NIS2: Meet the Network and Information Systems Directive 2 requirements for essential and important entities, ensuring the security of network and information systems, and including the incident reporting requirements.
• Other Standards: Meet industry-specific security standards such as ISO 27001, NIST CSF, C5 and DORA, and national standards such as NSM grunnprinsipper (link) and NORMEN, and others as may apply.

The RFI intentionally contains very few free-text fields and is structured as follows:

• Information about your company
• Scope of services
• Information security and Data Protection (GDPR)
• Commercials
• Procurement

We will reach out and arrange follow-up meetings on a rolling basis with vendors we consider interesting prior to the potential initiation of a procurement procedure.

For this early stage RFI we have very little information regarding volumes, assets, number of endpoints, assets in scope, number of users, numbers of entities, etc. and refer to the Norwegian public sector as the scope in general.

We will likely aim for multiple contract/agreement awards for each announcement (or divide into lots), and this is one of the areas of interest to us that we seek to clarify through this process.

The information you provide to MPS will be processed in accordance with applicable Norwegian laws regarding both confidentiality and GDPR. The RFI process and potential following announcements are governed by the Norwegian law on Public Procurement [7] (which complies with the EU Directive on public procurement).

The announcements of the procurement procedures for the services/tools we select to move forward with is planned to take place in September/October 2024 and will be published on the European Commission website Tenders Electronic Daily [8] (TED) and Doffin.

Note that we use the term “should” in the scope descriptions. If we give the impression that any part of the scope descriptions are “shall” requirements, please interpret this as a “should” or “can” statement, as this is an RFI.

We have in addition taken reasonable steps to avoid terms and descriptions that correspond to potential suppliers/products/tools, and we emphasize that any perceived correspondence between terms used in the RFI and a supplier or product, tool or service is unintentional and will not impact our assessments following this RFI. We are not, for this RFI, seeking information on managed services to be separately delivered as a service on top of the cybersecurity and data protection services in scope.

The market dialogue starts immediately, participation will be accepted on a rolling basis, and no announcement of a procurement procedure will take place until after the deadline for this RFI.

Please note that we have published several RFIs, as we are aware that several vendors offer the services/tools as bundles or modules (and similar). If your company provides multiple services/tools, please see the list below and fill out the RFIs relevant to your business.

• Vulnerability Scanning
• Endpoint Detection and Response (EDR)
• Security Information and Event Management (SIEM)
• Distributed Denial of Service (DDoS) Protection
• Information Security Governance, Risk, and Compliance (GRC)
• Web Application Firewall (WAF)
• Cybersecurity and Data Protection Training and Awareness
• Third Party Privacy Compliance Management
• Threat Intelligence Platform

---