
Tender No. C-DACNOIDA/MMG/02/2023-2024

PROCUREMENT OF SECURITY AUDITING SERVICE FOR WEB BASED APPLICATIONS FROM FIRMS EMPANELLED BY CERT-IN FOR SECURITY AUDIT FOR A PERIOD OF 2 YEARS AT
CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING
ANUSANDHAN BHAWAN, C-56/1, INSTITUTIONAL AREA, SECTOR-62, NOIDA 201309, UTTAR PRADESH

Centre for Development of Advanced Computing
(An Autonomous Scientific Society of the Ministry of Electronics and Information Technology, Govt. of India)
Anusandhan Bhawan, C-56/1, Institutional Area, Sector-62, Noida 201309

SUBJECT: PROCUREMENT OF SECURITY AUDITING SERVICE FOR WEB BASED APPLICATIONS FROM FIRMS EMPANELLED BY CERT-IN FOR SECURITY AUDIT FOR A PERIOD OF 2 YEARS AT C-DAC, NOIDA

Centre for Development of Advanced Computing (C-DAC), Noida, under the Ministry of Electronics and Information Technology, Govt. of India, invites GeM Customized Bidding to select and on-board a CERT-In empanelled vendor to conduct Application Security Audit and certification of around 189 Web Based Applications (plus 25% tolerance as per GeM provision; collectively called “Applications” henceforth), with a 50% minimum quantity commitment, for a period of 2 years. The selected vendor (henceforth referred to as the “Vendor”) would provide “Safe-to-Host” Security Audit Certificates for the Applications, valid for one year from the date of issuance, so as to ensure that such applications are safely hosted on production servers.

In case of any query regarding technical support, eligibility, scope of work, pre-bid queries etc. for the above service, please contact the following Members:

1. Sh. Puneet Gurmukhani (Sr. Admin. Officer) - For General Queries
   Ph: 0120-2210824/9868320132, email: [email protected]

GC (MMG)
Phone: 0120-2210823/824/825
Email: [email protected]

Page 2 of 26
Tender No. C-DACNOIDA/MMG/02/2023-2024

1. Scope of Work

Background
Centre for Development of Advanced Computing (C-DAC) intends to select and on-board a CERT-In empanelled vendor for Application Security Audit certification of Web Applications, as the case may be (collectively called “Applications” henceforth). The selected vendor(s) (henceforth referred to as the “Vendor”) would provide “Safe-to-Host” Security Audit Certificates for the Applications, so as to ensure that such applications are safely hosted on production servers.

Objectives
The overall objective of the work is to review the security controls of the Applications through vulnerability assessment and penetration testing, in order to meet the confidentiality, integrity and availability requirements of the organization.

Web Application Audit & Vulnerability Management of the web enabled applications has to be
strictly done as per the guidelines issued for Third Party Audit by Cert-in & STQC.

The vendor would conduct third-party testing meeting government and industry compliance
standards such as WASA, OWASP, SANS top 25, ISO27001 etc. as per latest releases.

Web-enabled Applications are to be audited as per the latest OWASP (www.owasp.org) criteria (Open Web Application Security Project).

Note:
a) Refer to https://owasp.org/www-project-web-security-testing-guide/v42/ and further latest releases for the checklists to be used for the applicable scanning of the applications.
b) The scanning has to be performed as per the OWASP Top Ten 2021 categories or latest releases.
c) OWASP ASVS 4.0 or latest releases.
d) MITRE / SANS 2022 CWE Top 25 Most Dangerous Software Weaknesses or latest releases.
e) Standards/references for the audit should not be limited to the OWASP Top 10, SANS Top 25 and other such limited lists. The audit should include discovery of all known vulnerabilities based on comprehensive standards/frameworks such as ISO/IEC, Cyber Security Audit Baseline Requirements, the Open Source Security Testing Methodology Manual (OSSTMM3) and the OWASP Web Security Testing Guide, along with the applicable regulatory framework and directions and guidelines issued by agencies such as CERT-In.
f) Wherever functionalities like Payment Gateway, Aadhaar Integration or other such features are used, compliance with the respective regulatory frameworks issued by RBI, UIDAI, etc. and with standard industry best practices as defined in PCI DSS etc., as applicable, has to be tested, and the compliance status should be included in the vulnerability report.


2. Audit Process

A. Once the successful bidder is selected through GeM bidding, C-DAC would contact them to start the audit process based on the requirements.

B. The selected vendor would use their own vulnerability scanning tools (Vulnerability
Assessment / Penetration Testing), for conducting the security audit of the applications and
facilitate C-DAC to carry out bug fixing so that the Cert-In Security Audit ‘Safe to Host’
certificate is attained for the application under audit.

C. Minimum two different tools shall be used for the security audit of applications. Audit must
be conducted as per industry standard methodologies, best practices for security testing.

D. Security testing shall not be based solely on tools; manual penetration testing and manual confirmation of the reported vulnerabilities shall also be provided.

E. The vendor shall be in a position to explain all the vulnerabilities reported in the
applications, its details, description, process of exploitation, penetration testing proof of
concept, impact of vulnerability, patching solution (including work around, if any) and any
other details about the vulnerability.

F. Auditors should deploy a verification team (Red Team) to verify the work performed by
their audit team (White Team).

G. All observations made during the audit shall be well supported by objective evidence, and all evidence shall be compiled carefully and correctly with the report. All evidence gathered during the audit shall be presented in a manner that enables decision makers to use it effectively in making credible risk-based decisions.

H. The security and confidentiality of the auditee data should be managed effectively and well
established procedures should be defined and documented to handle auditee data during and
after the audit.

I. The information regarding audit team selected for conducting audit should be shared with
the auditee and a documented approval regarding the same should be procured before the
formal commencement of audit.

J. Auditors should set up a communication channel to inform/alert the auditee about the latest information security developments relevant to the auditee environment.

K. All audit-related data should be stored only on systems located in India with adequate safeguards; the auditor should keep the auditee informed of the means and location of storage and seek consent where necessary. During the project engagement, audit-related data should be kept in encrypted form on the auditor's laptop. The auditing organization should also ensure that the data is wiped from the auditor’s laptop after completion of the project.


L. The sharing and disclosure of auditee related data, where necessary, should only be done
with prior consent of auditee organization. The auditee/project related data should not be
shared with or disclosed to any overseas partner, unless specifically authorized by the
auditee.

M. The audit outcome & related matters should only be communicated to the specified Point of
Contact (POC) of the auditee organization. The audit outcome should only be shared using
secure methods such as use of passwords, encryption etc. Auditing organization should
prefer only official email id for sharing of audit report/data with auditee.

N. The auditing organization should have an Incident Management Policy and related processes in place, with a clearly defined escalation matrix and procedures to deal with non-compliance. This process for dealing with incidents should be shared with the auditee.

O. In case of the incidents where client audit related data is leaked to unauthorized entity
(intentionally or unintentionally), the auditing organization should inform the auditee of
incident and take all necessary actions to address the incident as may be required.

P. The ‘number of forms’ is used to estimate the application size. Considering the application sizes presently deployed by C-DAC, the number of forms per application will be 200 on average, which is taken as the minimum.

Q. Applications are from variety of domains and have a range of modules, including supply
chain management, health information systems, equipment maintenance systems, and
quality management systems.

R. The assessment should be done completely ethically, and the vendor should not reveal information arising from the Security Audit to any party other than C-DAC. For this purpose, the vendor will sign a ‘Non-Disclosure Undertaking’ as per Annexure-VI.

S. At the minimum, the Audit Scope will include discovery of the latest OWASP Top 10 application security risks, the standard security audit guidelines of CERT-In, and all known vulnerabilities at that time. The assessment should include an evaluation of whether the code can be manipulated by an attacker to communicate sensitive data out of the organization, and should check the different validations so as to ensure the desired level of IT security.

T. The vendor is expected to suggest remedial solutions or provide recommendations against the vulnerabilities, threats or risks so as to help the development team in mitigating them.

U. The ‘Safe-to-host’ certificate will be issued in compliance with the CERT-In Security Audit Guidelines and will have a validity of 1 year.

V. Payments towards Application Security Audits would be as per the terms mentioned under
‘Terms of Payments’.

W. The contract shall remain valid only as long as the vendor remains empanelled with CERT-In, or until the end of the 2-year contract period, whichever is earlier.

X. The vendor is expected to perform audit in multiple rounds of iterations (if required), and
share the Audit reports to the C-DAC who in turn shall be responsible for resolution of the
issues in a time bound manner.

Y. The service charges/rates charged by the selected vendor for one single application (till issuance of the 1-year valid certificate) shall be strictly as per the unit rate derived from the GeM Lump-Sum rate quoted (inclusive of GST) for the total of 189 applications during the contract period of 2 years, and no additional charges shall be paid.

Z. During the term of the contract, if required, the auditor must be present at C-DAC, Noida, with the required tools already set up on his computing device, within 2 days of notice.


3. Deliverables, Milestones and Time Schedule

Milestones and Time Schedule

S. No   Time of Completion   Milestone
1       T0                   Issue of Mail Intimation for Individual Transaction
2       T0 + 5 Days          Iterative Cycle 1 for Application
3       T1                   Code Corrected and Resent for Iterative Cycle 2
4       T1 + 4               Iterative Cycle 2 for Application
5       ...                  Iterations 3, 4 ... same as S. No 3 and S. No 4
6       T2                   Completion of Audit
7       T2 + 5 Days          Submission of Certificate in Hard and Soft Copy

Note: In case of any delay in the stage-wise process on the part of the selected vendor, C-DAC shall levy LD charges.

Deliverables

A. SERVICES
- Application Audit & Vulnerability Audit of the application.
- Patch Assistance and Management.
- Comprehensive Reporting with Management / Technical Reports.
- Recommendations on the countermeasures.
- Guidance to the software developers for removal of the vulnerabilities detected.
B. REPORTS
- Audit Report as per the GoI guidelines issued from time to time. The information security audit report from the information security auditor should clearly state that the application, including the backend database and scripts, if any, is free from any vulnerability and malicious code which could be exploited to compromise and gain unauthorized access with escalated privileges into the web server system hosting the said application.
- Vulnerability Management Reports of the application as per the clauses in the CERT-In guidelines issued towards the Third Party Audit Clause.
- Overall Threat Assessment and Mitigation Report.
- Audit reports shall contain all the details as per the reporting format specified by CERT-In for web applications and the OWASP WSTG Guide v4.2 or later, as released from time to time.
C. GUARANTEES
- Comprehensive protection from threats as detailed under clause 1.
- Non-Disclosure Undertaking (refer Annexure-VI).


4. Pre-Qualification (PQ) Criteria

1. Criteria: The bidder must be a single legal entity / individual organization. Consortium shall not be allowed.
   Documents required: Certificate of Incorporation / Partnership Deed, as applicable.
2. Criteria: The bidder should have current valid empanelment with, and be registered with, CERT-In for the last 5 years w.e.f. 01.01.2018.
   Documents required: Copy of the respective CERT-In certificates.
3. Criteria: GST Registration.
   Documents required: GST Number.
4. Criteria: PAN.
   Documents required: PAN Number must be quoted along with proof.
5. Criteria: Average turnover of the last 3 financial years (2019-20, 2020-21, 2021-22) should be a minimum of Rs. 5 Crore.
   Documents required: CA Certificate with Audited Balance Sheet of the last three years.
6. Criteria: The bidder must furnish its ISO 9001 certificate (the tender cites ISO 9001:2008, an edition since superseded by ISO 9001:2015) and an ISO 27001:2013 certificate.
   Documents required: Certificates for ISO 9001 and ISO 27001.
7. Criteria: The bidder should have an office in Delhi/NCR.
   Documents required: Copy of address proof, e.g. GST certificate.
8. Criteria: The bidder should have successfully executed at least one similar work of Application Security Audit with a Government Organisation (PSU / Autonomous body / Department) during the last five years (2018-19, 2019-20, 2020-21, 2021-22 and 2022-23).
   Documents required: Copy of work order(s) and completion certificate from the client indicating the value of the work order.
9. Criteria: The bidder should have at least 25 full-time professionals with professional certifications such as CISA / CISM / CISSP / CEH / ISO 27001.
   Documents required: A letter from the company HR and the professional certificates, to be submitted along with the bid.
10. Criteria: Tender Acceptance Letter, Bid Securing Declaration Letter and Non-Blacklisting Undertaking.
   Documents required: Annexure-II to IV.


5. Technical Qualification (TQ)

1. Average turnover of the Company in the last 3 financial years (i.e., 2019-20, 2020-21, 2021-22). Maximum 20 marks.
   Supporting document: CA Certificate with Audited Balance Sheet of the last three years.
   Rs. 5 Cr to 7.5 Cr = 10 Marks
   More than Rs. 7.5 Cr and up to 10 Cr = 15 Marks
   More than Rs. 10 Cr = 20 Marks
2. Period of CERT-In empanelment. Maximum 30 marks.
   Supporting document: Copy of certificate.
   5 years = 10 Marks
   More than 5 and up to 7 years = 20 Marks
   More than 7 years = 30 Marks
3. Number of qualified Information Security / Cyber Security professionals (CISA / CISM / CISSP / CEH / ISO 27001 certified) on the company’s payroll. Maximum 15 marks.
   Supporting document: HR certificate.
   15 to 25 resources = 5 Marks
   26 to 50 resources = 10 Marks
   More than 50 resources = 15 Marks
4. Number of bidder’s certifications. Maximum 10 marks.
   Supporting document: Copy of certificates.
   ISO 9001: 2 Marks
   ISO 27001: 4 Marks
   ISO 20000: 4 Marks
5. Number of work orders (Application Security Audit) executed with any Government Organisation (PSU / Autonomous body / Department) during the last five years (2018-19, 2019-20, 2020-21, 2021-22 and 2022-23). Maximum 20 marks.
   Supporting document: Copy of work order(s) and completion certificate from the client indicating the value of the work order.
   a) 1 to 3 work orders = 5 Marks
   b) 4 to 8 work orders = 10 Marks
   c) Above 8 work orders = 20 Marks
6. Bidder should have current valid empanelment with STQC. Maximum 5 marks.
   Supporting document: Copy of STQC certificates.

Total Marks: 100

Note: Only bidders who score a minimum of 70 MARKS in the technical evaluation process will be eligible for price bid opening.

6. Financial Bid
Bidders have to quote their Lump-Sum rate including GST (a breakup for the unit rate needs to be provided as per the price-bid format) for conducting the audit of a total of 189 applications as per the scope of work given in the tender during the contract period of two years, considering Application Security Audits of up to 200 input forms, which includes the following:
- Iterative cycles of vulnerability checking
- Reporting, code correction and regression analysis
- ‘Safe to Host’ certification
However, the bill will be settled to the selected vendor based on actual utilization of services. Therefore, before award of contract the successful bidder needs to provide the unit price breakup in the format detailed in Annexure-I, in order to settle the bills on an actual-work-execution basis.
The ‘number of forms’ is used to estimate application size. The Base Unit Rate is for applications with up to 200 input forms; the additional price estimate is to be defined on a pro-rata basis for each form.

Note: For the detailed Unit Price Break-up format, please refer to Annexure-I.

7. Payment Terms and Schedule

The successful bidder will be intimated by C-DAC to start the application-wise audit work through individual mail correspondence from time to time during the contract period of 2 years. Accordingly, payment shall also be made to the vendor application-wise in two stages, only after supply of the deliverables as per the scope of work and acceptance of the tasks to the satisfaction of the concerned Department, as detailed below:

Stage 1: On successful testing and submission of the report of iterative cycle 1. Amount payable: 30% per application.
   Services
   - Application Audit & Vulnerability Audit of the web application.
   - Patch Assistance and Management.
   - Recommendations on the countermeasures.
   - Guidance to the software developers for removal of the vulnerabilities detected.
   Reports
   - Audit Report as per the GoI guidelines issued from time to time.
   - Vulnerability Management Reports of the application as per the clauses in the CERT-In guidelines issued towards the Third Party Audit Clause.

Stage 2: After completion of all iterative cycles of vulnerability detection, regression audit, code correction (providing assistance for code correction) and patching. Amount payable: 70% per application.
   Services
   - Application Audit & Vulnerability Audit of the web application.
   - Patch Assistance and Management.
   - Recommendations on the countermeasures.
   - Guidance to the software developers for removal of the vulnerabilities detected.
   Reports
   - Audit Report as per the GoI guidelines issued from time to time.
   - Vulnerability Management Reports of the application as per the clauses in the CERT-In guidelines issued towards the Third Party Audit Clause.
   - Final “No vulnerabilities found” report.
   - Safe to Host Certificate.

Note:
1. While claiming payment, the selected bidder needs to request C-DAC in writing, along with invoices duly describing the services performed as mentioned in the above table, pursuant to the conditions of the contract.
2. Payments shall be made promptly by C-DAC after deducting applicable taxes, generally within thirty (30) days after submission of a proper, acceptable invoice as per the above table.
3. The GST portion shall be released only after submission of the necessary proof of GST remittance.

8. Bid Securing declaration Letter:


All the bidders including MSME & Start-ups need to submit the Bid Securing Declaration
format as per the format given at Annexure-III

9. Signing of Contract Agreement


Upon award of Purchase Order through GeM portal, in addition to GeM contract (auto
generated) an agreement need to be executed by the successful bidder with C-DAC within 15
working days from the date of PO as per the format given at Annexure V, including “Special
Conditions of Contract” if any. In case of any deviation, incident will be raised through GeM
including blacklisting etc., as deemed fit.


10. Security Deposit (SD)


The successful bidder needs to submit 5% of total Lump-Sum contract value as “Security
deposit” in the form of Account Payee DD, FD Receipt from a Commercial Bank, Bank
Guarantee (including e-BG) from a Commercial Bank or Online Payment i.e., NEFT, RTGS
upon award of contract towards performance (Validity of Security Deposit should be 2 Years
Plus Additional Six Months).
In case of any breach of contract, the successful vendor shall be blacklisted by C-DAC, Noida, under intimation to all C-DAC Centres. Further, the Security Deposit shall be forfeited towards such defaults, in addition to any claim for additional damages.

11. Evaluation / Selection Method


A bidder would be selected on the basis of the Least Cost Based Selection (LCBS) method, i.e., the L1 method, wherein the bidder with adequate technical competence and the most competitive (lowest) rates/quote would be selected. In case more than one party quotes the same price, GeM will select the L1 bidder through the auto-run option, which will bind all parties.

12. Liquidated Damages (LD) Charges

Each audit process needs to be completed within the timeline schedule given under clause 3, counted from the starting point triggered by C-DAC. In case of any delay beyond the time limit (other than delay condoned by C-DAC on justified grounds), each week of delay will attract LD charges of 0.5% of the rate/charges for the respective transaction, as derived from the total purchase order value, not exceeding 10% of the value of that individual transaction. If the delay is less than a week, the 0.5% LD charge will be applied on a pro-rata basis.

In addition to LD for process delay, C-DAC may conduct a random audit of an application already audited at a specific version and certified by the agency. If previously reported vulnerabilities or new vulnerabilities are found in such an audit, a penalty of 0.5% of the respective transaction bill value shall be levied for each type of vulnerability, up to a maximum of 20 vulnerability types per application, i.e. a maximum penalty of 10% of the respective transaction value.

Beyond this maximum of 20 vulnerabilities in a single application, the vendor needs to re-audit that application on a no-charge basis. If re-audit cases exceed 10% of the total projected applications, i.e. 4 applications, C-DAC has the right to cancel the contract and claim incidental expenses, including forfeiture of SD, blacklisting, reporting to agencies like CERT-In etc., as deemed fit.

Overall, LD charges shall not exceed 10% of the total value of the purchase order; beyond this limit the vendor shall be declared a defaulter and an incident shall be raised through the GeM portal, in addition to forfeiture of SD, blacklisting, claiming additional damages etc., as deemed fit.


13. Other Terms and Conditions


A. C-DAC, Noida reserve the right to terminate the contract/order of the successful bidder
with notice of 30 days. If the service is found deficient, C-DAC reserve the right to take
admissible /appropriate legal action including claim all incidental losses, if any against
such defaulter parties.
B. Bids shall remain valid for the period of 120 days, after the bid submission deadline date
prescribed by the tendering authority. A bid valid for a shorter period shall be rejected by
the tendering authority as non-responsive bid. In exceptional circumstances, prior to the
expiration of the bid validity period, the tendering authority may request bidders to extend
the period of validity of their Bids. The request and the responses shall be made in writing.
C. All information concerning databases, source code, object code, assemblers, generators,
compilers, subroutine libraries and other computer programs, products, processes,
formulas, trade secrets, innovations, inventions, discoveries, improvements, techniques,
research or development and test results, specifications, data, know-how formats,
marketing plans, business plans, strategies, forecasts, unpublished financial statements,
budgets, projections, and customer and supplier identities, characteristics and agreements,
are confidential.
D. Every deployed member for the audit process shall maintain the strictest secrecy and
confidentially regarding the C-DAC’s affairs and the affairs of its constituents and shall
not divulge, directly or indirectly, any financial, technical, marketing, R&D or any other
information of proprietary or a confidential nature to any outside persons.
E. All materials provided by C-DAC, Noida or falling into the hands of the persons of Audit
Agency or executed by them for C-DAC, Noida shall always remain the property of C-
DAC, Noida, and the intellectual property therein shall be exclusively owned by C-DAC.
F. Force Majeure: Should any of the force majeure circumstances, namely act of God,
natural calamity, fire, Government of India Policy, restrictions, strikes or lock-outs by
workmen, war, military operations of any nature and blockades preventing the C-
DAC/Successful Bidder from wholly or partially carrying out his contractual obligations,
the period stipulated for the performance of the Contract shall be extended for as long as
these circumstances prevail.
In the event of these circumstances continuing for more than three months, either party shall have the right to refuse to fulfil its contractual obligations without title to indemnification of any losses it may thereby sustain. The party unable to carry out its contractual obligations shall immediately advise the other party of the commencement and the termination of the circumstances preventing the performance of the contract. A certificate issued by the respective Chamber of Commerce shall be sufficient proof of the existence and duration of such circumstances.
G. Dispute & Arbitration: If at any time any dispute or difference whatsoever arises between the Parties out of or relating to the construction, meaning, scope, operation or effect of this tender/contract, or its validity or breach, it shall be settled amicably. In case both parties are unable to resolve the dispute amicably, it shall be referred to an arbitrator appointed by C-DAC only, under the Arbitration & Conciliation Act 1996 as amended from time to time and the rules made thereunder, or any legislative amendment or modification made thereto, and the Award made in pursuance thereof shall be binding on the parties.
The venue and seat of the arbitration shall be Noida/New Delhi, India, and the language shall be English. The Award given by the Arbitrator shall be final and binding on the Parties. The rights and obligations of the parties shall remain in full force and effect pending the result of any arbitration proceedings.
H. Jurisdiction: The courts at Noida (U.P) alone will have the jurisdiction to try any matter,
dispute or reference between parties arising out of this tender / contract. It is specifically
agreed that no court outside and other than Noida (U.P) Court shall have jurisdiction in the
matter.
I. Bidder must have their Office/Branch office in Delhi/NCR.
J. The Competent Authority on behalf of C-DAC does not bind himself to accept the lowest or any other tender, and reserves to himself the authority to reject any or all of the tenders received without assigning any reason. All tenders in which any of the prescribed conditions are not fulfilled, or in which any condition (including that of a conditional rebate) is put forth by the tenderer, shall be summarily rejected.
K. No Contractual Obligation: C-DAC is not bound contractually or in any other way to any
prospective bidders to this tender. C-DAC is not liable for any costs of compensation in
relation to expenditure incurred by the prospective buyer to this tender on whatsoever
reasons/grounds whether or not C-DAC terminates, varies, or suspends the tendering
process or takes any other action permitted under this tender provisions during the
course of execution.
L. Confidentiality: This Tender’s provisions and existence, as well as any commercial data
including price or technical data and any information provided in accordance herewith to
the other party shall be considered as confidential. Such information shall not be disclosed
to any third party unless required by any applicable law or authorized in writing by the
other party. All such information shall be used by the other party only for the purposes of
performance of this Tender.
The restrictions here-in-above shall not apply to any information generally available to the
public or received in good faith from a third party without restriction. The parties hereto
agree to keep as confidential all documentation furnished or received by either party at any
time in connection with this Tender. This provision, as far as practicable, shall apply to all
the concerned officials of either party.
Confidentiality will be maintained during existence of this Tender and even on
termination/expiry.
M. Disqualification: The tendering authority may, at its sole discretion and at any time during the processing of bids, disqualify any bidder/bid from the bid process if the bidder:
- Has not submitted the bid in accordance with the bidding document.
- Has submitted a bid which is not accompanied by the Bid Securing Letter.
- Has imposed conditions in his bid.
- During the validity of the bid or its extended period, if any, increases his quoted prices.
- Has made misleading or false representations in the forms, statements and attachments submitted in proof of the eligibility requirements.
- Has failed to provide clarifications related thereto, when sought.
- Has submitted more than one bid. This will cause disqualification of all bids submitted by such bidders.
- Is found to canvass, influence or attempt to influence in any manner the qualification or selection process, including without limitation by offering bribes or other illegal gratification.
N. Sub-contracting: The bidder shall not assign or sub-let his contract or any substantial part
thereof to any other agency.
O. Termination:
C-DAC may terminate the contract if any of the following events occur:
(i) The Agency has neglected or failed persistently to observe or perform its obligations under the contract, or performs unsatisfactorily.
(ii) The Agency is found to have acted in breach or violation of any of the terms and conditions of the contract and its obligations therein.
(iii) The Agency will be bound by the details furnished by it to C-DAC while submitting the bid document or at any subsequent stage. In case any such document furnished by the Agency is found to be false at any stage, it would be deemed a breach of the terms of contract, making the Agency liable for legal action in addition to termination of the contract.
P. Indemnification:
The successful bidder shall fully indemnify, hold harmless and defend C-DAC and its officers etc. from and against all claims, liabilities, suits and damages, including any criminal liability due to false declaration by the successful bidder with regard to the subject tender transaction etc., caused by the negligence, commission or omission of the successful bidder or its agents, representatives or sub-contractors, or of any other person claiming under this tender or under the applicable laws of India.

***


ANNEXURE-I
UNIT PRICE BREAKUP FORMAT
(To be uploaded with Price Bid part in GeM portal)

In addition to total lump sum amount quoted by the bidders for 189 applications towards Audit
Work as per the scope of work given in the tender, the unit price break-up also to be
submitted/uploaded in in the Gem portal in the following format:

S. No: 1
Entity: Application Security Audits up to 200 Input Forms including
- Iterative Cycles of Vulnerability Checking
- Reporting & Code Correction (provide Assistance for Code correction)
- Regression Analysis
- ‘Safe to Host’ certification
(Base Unit Rate for Application up to 200 Input Forms)
Unit Rate in (Rs.): ________
GST in (%): ________
GST in (Rs.): ________
Total Amount in (Rs.) Per Unit: ________

Total Amount for 189 applications including GST (Lump-Sum amount quoted in GeM portal) = Rs…….
Total Amount in Words:
Note: Do not upload this annexure in the Technical bid documents part in the GeM portal.
Note:
1. Base Unit Rate applies to Applications with up to 200 Input Forms; the additional price estimate is to be defined on a prorated basis for each additional form.
2. Financial comparison in the GeM portal would be done on the basis of the Lump-Sum price quoted for 180 applications including GST.
3. All deliverables as per the scope of work are to be supplied by the successful bidder at the rates mentioned above.

Yours faithfully,

Authorized Signatory (Signature of the Bidder, with official Seal)
Email Id for correspondence.


Annexure – II
TENDER ACCEPTANCE LETTER
(To be given in Company Letter Head)
To
Centre for Development of Advanced Computing
Anusandhan Bhawan,
C-56/1 Institutional Area, Sector-62,
Noida-201309 (U.P.)

SUBJECT: ACCEPTANCE OF TERMS & CONDITIONS - PROCUREMENT OF SECURITY AUDITING SERVICE FOR WEB BASED APPLICATIONS FROM FIRMS EMPANELLED BY CERT-IN FOR SECURITY AUDIT FOR PERIOD OF 2 YEARS AT C-DAC, NOIDA

Tender Reference No: Tender No. C-DACNOIDA/MMG/02/2023-2024

Dear Sir,
1. I / We have downloaded / obtained the tender document(s) for the above mentioned ‘Tender/Work’ from the website(s) namely https://gem.gov.in/.
2. I / We hereby certify that I / We have read the entire terms and conditions of the tender documents from Page No. 1 to 26 (including all documents like annexure(s), schedule(s), etc.), which form part of the contract agreement, and I/We shall abide by the terms/conditions/clauses contained therein.
3. The corrigendum(s) issued from time to time by your department/organization have also been taken into consideration while submitting this acceptance letter.
4. I / We hereby unconditionally accept the tender conditions of the above mentioned tender document(s) / corrigendum(s) in their totality/entirety.
5. I / We do hereby declare that our firm has not been blacklisted / debarred by any Govt. Department / Public Sector Undertaking.
6. I / We certify that all information furnished by our firm is true & correct, and in the event that the information is found to be incorrect / untrue or found violated, your department/organization shall, without giving any notice or reason thereof, summarily reject the bid or terminate the contract, without prejudice to any other rights or remedy, including the forfeiture of the said earnest money deposit absolutely.
Yours faithfully,

Authorized Signatory (Signature of the Bidder, with official Seal)
Email Id for correspondence.


Annexure-III
BID SECURING DECLARATION

To
Centre for Development of Advanced Computing
Anusandhan Bhawan,
C-56/1, Institutional Area, Sector-62,
Noida-201309 (U.P.)

SUBJECT: PROCUREMENT OF SECURITY AUDITING SERVICE FOR WEB BASED APPLICATIONS FROM FIRMS EMPANELLED BY CERT-IN FOR SECURITY AUDIT FOR PERIOD OF 2 YEARS AT C-DAC, NOIDA

Tender Reference No: Tender No. C-DACNOIDA/MMG/02/2023-2024

I/We ............................ declare that I/We understand that, according to your conditions, bids must be supported by a Bid Securing Declaration.

I/We accept that I/We may be disqualified from bidding for any contract with you for a period of two years from the date of notification if I am / We are in breach of any obligation under the bid conditions, because I/We a) have withdrawn/modified/amended, impaired or derogated from the tender, my/our Bid during the period of bid validity specified in the form of Bid; or b) having been notified of the acceptance of our Bid by the purchaser during the period of bid validity, (i) fail or refuse to execute the contract, if required, or (ii) fail or refuse to furnish the Performance Security, in accordance with the Instructions to Bidders.

I/We understand this Bid Securing Declaration shall cease to be valid if I am / we are not the successful Bidder, upon the earlier of (i) the receipt of your notification of the name of the successful Bidder; or (ii) thirty days after the expiration of the validity of my/our Bid.

Signed: (insert signature of person whose name and capacity are shown)
in the capacity of (insert legal capacity of person signing the Bid Securing Declaration)
Name: (insert complete name of person signing the Bid Securing Declaration)
Duly authorized to sign the bid for and on behalf of (insert complete name of Bidder)
Dated on …. day of …... (insert date of signing)
Corporate Seal (where appropriate)


Annexure – IV
NON-BLACKLISTING/DEBARRING LETTER
(To be given in Company Letter Head)
To
Centre for Development of Advanced Computing
Anusandhan Bhawan,
C-56/1, Institutional Area, Sector-62,
Noida-201309 (U.P.)

SUBJECT: NON-BLACKLISTING/DEBARRING LETTER - PROCUREMENT OF SECURITY AUDITING SERVICE FOR WEB BASED APPLICATIONS FROM FIRMS EMPANELLED BY CERT-IN FOR SECURITY AUDIT FOR PERIOD OF 2 YEARS AT C-DAC, NOIDA

Tender Reference No: Tender No. C-DACNOIDA/MMG/02/2023-2024

I/we hereby certify that our firm, namely __________, is neither blacklisted/debarred by any Central/State Government/Public Undertaking/Institute nor has any criminal case registered / pending against the firm or its owner / partners anywhere in India (or) against any of its branches (or) partners abroad. Further, we confirm that we:

a) are not insolvent, in receivership, bankrupt or being wound up, do not have our affairs administered by a court or a judicial officer, do not have our business activities suspended and are not the subject of legal proceedings for any of the foregoing reasons;
b) have not, and our directors and officers have not, been convicted of any criminal offence related to our professional conduct or the making of false statements or misrepresentations as to our qualifications to enter into a procurement contract within a period of three years preceding the commencement of the procurement process, nor have we been otherwise disqualified pursuant to debarment proceedings;
c) do not have a conflict of interest in the procurement in question as specified in the bidding document;
d) comply with the code of integrity as specified in the bidding document.

I also certify that the above information is true and correct in every respect, and in case it is found at a later date that any details provided above are incorrect, any contract given to the above firm may be summarily terminated and the firm blacklisted.

Yours faithfully,
Authorized Signatory (Signature of the Bidder, with official Seal)
Email Id for correspondence.


ANNEXURE-V

DRAFT of CONTRACT AGREEMENT

THIS AGREEMENT is made on day of ----------------------------------------------------------- ------

Between

Centre For Development of Advanced Computing (C-DAC), an autonomous scientific society under the Ministry of Electronics & Information Technology, Government of India, registered under the Societies Registration Act of 1860 and the Bombay Public Trusts Act of 1950, having its registered office at Pune University Campus, Pune, 411 007, India, having one of its constituent units at C-56/1, Anusandhan Bhawan, Institutional Area, Sector-62, Noida – 201307 (hereinafter called “C-DAC”, which expression shall, wherever the context so admits, mean and include its successors and assigns), of the one part,
And

__________ (hereinafter called “the Vendor”, the Second Party) of the other part.

WHEREAS C-DAC had invited bidding through the GeM portal from competent and professional firms who meet the minimum eligibility criteria specified in this bid document, for selecting a CERT-In empanelled vendor to conduct Application Security Audit & certification of around 180 numbers of Web Based Applications such as DVDM, EMMS, HMIS etc. (collectively called “Applications” henceforth) for a period of 02 years.

AND WHEREAS the Vendor has participated in the said bidding process of C-DAC and has been selected by C-DAC for providing the aforesaid services, i.e. “Security Audit of Applications”, for 2 years.

AND WHEREAS, the Vendor has agreed to fulfill contractual obligations as per the terms and
conditions of the tender.

Now, therefore, this Agreement is witnessed and executed between C-DAC, the First Party, and the Vendor, the Second Party, for entering into a “Contract” towards providing “Security Audit of Applications” services for 180 Web based Applications to C-DAC for a period of 02 years at the GeM Lump-Sum quoted rate of Rs………. (including GST) on the following terms and conditions:

1. That the contract of the vendor shall be effective for a period of 02 years from the date of
GeM Purchase Order No……………………. Dated……….
2. That consequent upon execution of the present agreement by the Vendor for total work
value, application wise separate work assigning e-mails will be issued by C-DAC in
favour of the Vendor as per the need of departments/organizations to start the audit work
of individual transaction/application in order to monitor the work execution as per the
timelines given in the referred tender.

3. That the Vendor undertakes to fulfil other requirements of contract viz., submission of SD
(Security Deposit) of 5% of the total work order value of the GeM Purchase Order for the
entire contract period of 2 years plus additional 6 months. The SD shall be returned
without any interest after completion of the contract period 2 years plus additional 6
months and after fulfilling the contractual obligations, whichever is later.

4. The exact scope of work, deliverables, milestones and timelines given in the referred tender must be abided by the Vendor without any deviation.

5. In the event of any increase/decrease in statutory dues as applicable at the time of delivery of services during the 2 years’ contract period, the bills will be settled to the Vendor accordingly.

6. Fall Clause: The firm shall reduce the price of the services as quoted in the GeM portal,
if the firm is rendering similar type of contract to any other government organization at a
price lower than the price offered to C-DAC at any time during the 2 years contract
period.

7. Financials

S. No: 1
Entity: Application Security Audits up to 200 Input Forms including
- Iterative Cycles of Vulnerability Checking
- Reporting & Code Correction
- Regression Analysis
- ‘Safe to Host’ certification
(Base Unit Rate for Application up to 200 Input Forms)
Rate in (Rs.) per unit: ________
GST in (%): ________
GST in (Rs.): ________
Total Amount in (Rs.) per Unit: ________

Total Amount for 180 applications including GST (Lump-Sum amount quoted in GeM portal) = Rs…...

Total Amount in words:

The total number of applications mentioned in the contract can be increased to the tune of 25%
based on the requirement of C-DAC as per GeM provision. However, there is no minimum
commitment for number of applications from C-DAC side and the bill will be settled to the
selected vendor based on actual utilization of services.


8. Terms of Payment

S. No: 1
Details of Work: On successful testing and submission of report of iterative cycle 1
Deliverables:
Services
- Application Audit & Vulnerability Audit of the web application/website.
- Patch Assistance and Management.
Reports
- Audit Report as per the GoI guidelines issued from time to time
- Vulnerability Management Reports of the application as per the clauses in Cert-in guidelines issued towards Third Party Audit Clause.
Amount Payable (%) Per Application: 30

S. No: 2
Details of Work: After completion of all iterative cycles of vulnerability detection, regression audit, code correction (provide Assistance for Code correction) & patching
Deliverables:
Services
- Application Audit & Vulnerability Audit of the web application/website.
- Patch Assistance and Management.
- Recommendations on the counter measures.
- Guidance to the Software developers for removal of the vulnerabilities detected.
Reports
- Audit Report as per the GoI guidelines issued from time to time
- Vulnerability Management Reports of the application as per the clauses in Cert-in guidelines issued towards Third Party Audit Clause.
- Final “No vulnerabilities found” report
- Safe to Host Certificate
Amount Payable (%) Per Application: 70

9. Liquidated Damages (LD) Charges

Each Audit process needs to be completed within the timeline schedule given under clause (3) from the starting point triggered by C-DAC. In case of any delay in the process beyond the time limit condoned by C-DAC on justified grounds, each week of delay will attract 0.5% LD charges for the respective transaction, but not exceeding 10% of the value of that individual transaction rate/charges derived from the total purchase order value. If the delay is in days, i.e. less than a week, the 0.5% LD charges will be applied on a pro-rata basis.

In addition to LD on process delay, CDAC may conduct a random audit on an application already audited with a specific version & certified by the agency, and if any reported threats or new threats (within the scope of work) are found again during such audit, a penalty of 0.5% on the respective transaction bill value shall be levied for each type of threat, with a limit of a maximum of 20 types of threat for the respective application, i.e. a 10% penalty of the respective transaction value.

Beyond this maximum of 20 threats in a single application, the vendor needs to re-audit such application free of cost, and in case re-audit cases occur in more than 10% of the total projected applications, i.e. 4 numbers, C-DAC has the right to cancel the contract and claim the incidental expenses, including forfeiture of SD, blacklisting etc., as deemed fit.

In overall, the LD charges shall not exceed 10% of the total value of purchase order and beyond
this limit the vendor shall be declared as defaulter and incident shall be raised through GeM
portal in addition to forfeiture of SD coupled with black listing, claiming additional damages
etc., as deemed fit.

10. Termination:
CDAC may terminate the contract if any of the following events occur:
1. The Agency has neglected or failed persistently to observe or perform its obligations under the contract or performs unsatisfactorily.
2. The Agency is found to have acted in breach or violation of any of the terms & conditions of the contract and its obligations therein.
3. The Agency will be bound by the details furnished by it to CDAC while submitting the bid document or at any subsequent stage. In case any such document furnished by the Agency is found to be false at any stage, it would be deemed a breach of the terms of contract, making the Agency liable for legal action besides termination of the contract.

11. Dispute & Arbitration:

If at any time any dispute or difference whatsoever arises between the Parties out of or relating to the construction, meaning, scope, operation or effect of this tender/contract or the validity or breach thereof, it shall be settled amicably. In case both parties are unable to resolve the dispute amicably, the same shall be referred to the arbitrator appointed by C-DAC only, under the Arbitration & Conciliation Act 1996 as amended from time to time and the rules made thereunder, or any legislative amendment or modification made thereto, and the Award made in pursuance thereof shall be binding on the parties.
The venue and seat for the arbitration shall be Noida/New Delhi, India, and the language shall be English. The Award given by the Arbitrator shall be final and binding on the Parties.
The rights and obligations of the parties shall remain in full force and effect pending the result of any arbitration proceedings.

12. Jurisdiction:
The courts at Noida (U.P) alone will have the jurisdiction to try any matter, dispute or reference
between parties arising out of this tender / contract. It is specifically agreed that no court outside
and other than Noida (U.P) Court shall have jurisdiction in the matter.

13. The Referred Bid Document No. __________ dated ________, consisting of various terms & conditions including Annexures from page number _____ to ____, and the GeM Contract Number….. dated …. form part and parcel of the subject contract.

14. IN WITNESS whereof the parties hereto have executed this Agreement, in accordance
with their respective laws on the day and year first above written.

For and on behalf of C-DAC                For and on behalf of Vendor

(______________)                          (______________)

WITNESSES:

1.
2.


Annexure-VI
Non-Disclosure Undertaking Format

This Undertaking is made the ……… day of …….,2023.


By ……………. Bidder (Full name and address), hereinafter referred to as “Bidder-ABC” (together with its successors and assigns),
To Centre for Development of Advanced Computing, Noida, a constituent unit of C-DAC, a Scientific Society under the Ministry of Electronics and Information Technology, Government of India, registered under the Societies Registration Act, 1860 and the Bombay Public Trust Act, 1950, having its registered office at Pune University Campus, Ganesh Khind, Pune-411007 and a centre at C-56/1, Anusandhan Bhawan, Sector-62, Noida 201309 (hereinafter referred to as “C-DAC”, which term or expression, unless excluded by or repugnant to the context, includes successors and assigns).
“Bidder-ABC” and “CDAC” are individually referred to as “Party” and collectively referred to as “Parties”.
WHEREAS
Parties intend to enter into GeM contract No:…..Dated:….. for Security Auditing service
for web based applications (DVDMS, EMMS, HMIS, etc.,) for period of 2 years at
CDAC, NOIDA.

For this purpose, CDAC shall be disclosing certain confidential information such as
……………………………………………………………………………………………
…………………………………………………………………………<To be Filled by
Team> for enabling the Auditing Agency “Bidder-ABC” to complete their contractual
obligations.
As used in this Undertaking, the term "Confidential Information" shall mean any technical information or data disclosed by CDAC to the bidder, whether in writing, electronic or recorded form, including by way of illustration and without limitation any written or printed documents, know-how, computer programs, process information or data samples, computer software, specifications, drawings or designs, or any other means of disclosing such Confidential Information that the Parties may select to use.
Now, therefore, in consideration of CDAC disclosing confidential information, bidder
hereby undertakes to the CDAC that,
1. All confidential information, whether technical, proprietary and/or of any other nature whatsoever, supplied or to be supplied by CDAC shall be treated as confidential by the bidder, who shall ensure that all such information is used solely to assist them in the performance of their tasks under the tender, who shall disclose the information only to those employees having a need to know, and who shall not disclose the information or any part of it to any other person, firm, entity, company or corporation without prior authorization in writing by CDAC.


2. The bidder shall protect and preserve all confidential information obtained from CDAC hereunder in the same manner and with the same degree of care and control as the bidder exercises for its own information of a similar nature.

3. All confidential information received pursuant to this undertaking, any copies thereof, and any report generated out of such information shall remain / respectively become the property of CDAC and shall not be used / shared without the prior written consent of CDAC.

4. This does not, however, apply to know-how or information of which the bidder can document:

a. that the recipient already knew it at the time of disclosure;
b. that it was in the public domain at the time of disclosure;
c. that it entered the public domain after the time of disclosure without this being due to the recipient's negligence;
d. that it was transferred to the recipient by a third party who had the right to transfer such information to the recipient; or
e. that it is required to be disclosed by the recipient to a court of competent jurisdiction or any appropriately empowered Governmental agency or under any statute.

5. Nothing in this undertaking shall be deemed to grant a license or other right directly or
by implication and/or otherwise under any intellectual property rights in relation to any
information disclosed pursuant to this undertaking.
In witness whereof, this undertaking is executed on the first date above written. All the
above, read, confirmed and signed.

Yours faithfully,
Authorized Signatory (Signature of the Bidder, with official Seal)
Email Id for correspondence.
