Clarifications
There are 117 clarifications for this DPS
2535. Hi, For Question 52. Please confirm if you intend to use a supply chain for this contract.
We are not sure if we would look to use a supply chain in the future as we may partner depending on the support requirement in the bid. Just wanted to double-check if that was allowed, as we may choose to not use anyone else in the future to support if that's not the case.
Question 52 refers to use of third parties to fulfil the DPS Services. If your organisation has recognised a need to use third parties to fulfil the DPS Services specified in DPS Schedule 1, please respond to this question with a 'yes' and provide further details were required. Please also refer to the 'Read First RM3764iii Cyber Security Services DPS Needs' within the bid pack.
We recognise that arrangements in relation to Subcontracting and Groups of Economic Operators may be subject to future change, and may not be finalised until a later date. If you are successfully appointed to the DPS and are awarded a RM3764iii DPS Appointment, any changes to arrangements in relation to Subcontracting and Group of Economic Operators arrangements which are made following the award will be dealt with in accordance with DPS Schedule 6 (Key Subcontractors) of the DPS Appointment Form.
Answered
27/03/2023 14:00
2534. Hi, for Question 78 - reference 'Standards'. Do you mind elaborating on this point as to what you mean by 'standards', as we have people who have the options listed but not all of our team. Probably more capabilities from us.
Please refer to 'DPS Schedule 1 - Specification' and 'RM364iii Cyber services 3 DPS Buyer Needs' within the bid pack.
Answered
27/03/2023 13:50
2506. Good afternoon, ISO27001 has been listed within the below clarifications as an appropriate alternative to Cyber Essentials. The Cyber Security Services 3 DPS Application questionnaire has Cyber Essentials as pass/fail. Will we have an opportunity to evidence ISO certificate before being Failed?
Answered directly via a separate query to the Customer Service Centre
Answered
22/02/2023 13:26
2504. Just some questions regarding the Service Matrix categories.
Filter 4 - does 'Civil Nuclear Communications' need to be specifically communications? Or can it relate to the Civil Nuclear sector as a whole?
Filter 4 - Does Energy include Energy Networks? Or should this be added as other?
There is a separate filter for Civil Nuclear and Communications, this can be viewed in Q80 of the DPSQ. Energy refers to the sector as a whole.
Answered
15/02/2023 13:11
2498. Good Morning,
We have a subcontractor based in the Netherlands, they have do not have a UK residency. They are wholly owned by another company who do have a UK residency.
We are going to input the UK address of that company, but in regards to company number and details, should it be the company based in the UK or the company based in the Netherlands?
Thanks!
As stated in the DPS needs document you must disclose details for all subcontractors who directly contribute to your ability to meet your obligations under the DPS agreement, if this is the company based in the UK these are the details you will need to include within your submission
Answered
13/02/2023 13:10
2500. Is there a closing date for submissions to the Cyber Security DPS 3 Ref RM3764.iii?
Suppliers can apply to join at anytime within the lifetime of the agreement
Answered
13/02/2023 11:47
2502. It is our intention to add accreditations and standards over time.
Can one update one's service filter matrix once appointed, to keep is up-to-date with the company's development?
Once appointed a supplier can update their DPSQ at any time which allows them to add or remove applicable accreditations and standards
Answered
13/02/2023 09:00
2483. Good Evening,
I've asked a previous question about whether an ISO 2007 supersedes the need for a cyber essentials certificate.
In the answer, we were told that cyber essentials is mandatory but an ISO 2007 supersedes the need.
Are you please able to confirm if we will be able to complete a successful application with only an ISO 2007 certification. Thankyou.
With regards to equivalence and subsequent acceptance, we refer you to the Procurement Policy Note 09/14 (Cyber Essential scheme certification). Please refer to Annex A & C (of the PPN) which covers the key requirements and provides an overview of equivalence specific to those organisations holding ISO 27001 certification.
Answered
02/02/2023 11:08
2479. Regarding Joint Schedule 8 Article 2.1, the guarantee does not have a limit of amount. In paragraph 2.2. of the template it states that The Guarantor irrevocably and unconditionally undertakes upon demand to pay to the Beneficiary all monies and liabilities which are now or at any time hereafter shall have become payable by the Supplier to the Beneficiary under or in connection with the Guaranteed Agreement or in respect of the Guaranteed Obligations as if it were a primary obligor.
Could there be a limit please? Two times the value of the contract for example?
CCS does not agree, the schedule and clause shall remain as drafted.
Answered
31/01/2023 16:18
2470. Is a cyber essentials certificate required if we have a ISO 27001 Certification instead. Or is the cyber essentials certificate required regardless?
Thank you
The Cyber Essentials Scheme (set of controls) is mandatory, however as detailed in PCR 2015 suppliers can offer alternative certification to evidence they have achieved these controls. ISO 27001 is a suitable alternative, any certification must be verified by an accrediting body and evidence that you meet the scheme requirements.
Answered
30/01/2023 14:13
2466. Hello,
I have searched through the bid pack and I am unable to find clarification.
Does a ISO 27001 Certification supersede the need for a Cyber Essentials basic? Or is the Cyber Essentials certificate still required?
Could you please confirm whether you are referring to the mandatory or additional accreditations and standards as detailed in the 'buyer needs' document within the bid pack?
Answered
26/01/2023 15:05
2431. r.e. Joint Schedule 3 - Article 1.3, specifically, ''The Supplier shall ensure that the public and products liability policy contain an indemnity to principals clause under which the Relevant Authority shall be indemnified in respect of claims made against the Relevant Authority in respect of death or bodily injury or third party property damage arising out of or in connection with the Deliverables and for which the Supplier is legally liable. ''
Is it mandatory to have the indemnity to principals clause within our public and products liability policy?
CCS can confirm that is correct as detailed in Joint Schedule 3, clause 1.3
Answered
20/01/2023 13:10
2197. Both of the previous two questions regarding submitting evidence and parent company guarantee relate to the supporting evidence requested by CCS, not the Cyber Security DPS SQ itself.
Answered directly
Answered
20/01/2023 11:23
2412. Regarding DPS Core Terms 3.2.11
With respect to article 3.2.11. You state: "The Buyer can cancel any order or part order of Goods which has not been Delivered. If the Buyer gives less than 14 days notice then it will pay the Supplier's reasonable and proven costs already incurred...". Can you confirm that if the Buyer cancels an order through no fault of the Supplier but the Supplier has incurred costs then the costs can be recovered even if more than 14 days is given?
CCS does not agree. The clause shall remain as drafted.
Answered
05/01/2023 13:01
2415. Nothing is foreseen within the Core Terms Article 10.3 regarding the payment for the work already performed. Please could you clarify if there would be payment for the work already performed?
CCS can confirm that existing payment obligations formed via provision of Deliverables prior to Termination would still apply. We would refer you to 10.5.2 and 10.5.7 for the consequences of Termination under 10.3
Answered
05/01/2023 13:00
2413. Regarding Joint Schedule 8 Article 2.1
Please could you confirm that a company can be the guarantor (where it is stated that the guarantor shall be ''any person acceptable to CCS/Buyer to give a DPS/Order Guarantee'')? And can there be a limit of amount?
Please refer to the Deed of Guarantee within Joint Schedule 8. The guarantor can be a company and will need to guarantee all of the suppliers obligations. Please see previous response a guarantor is not a condition of appointment to this DPS unless specified by CCS Commercial Finance team in the event that a supplier fails to meet the financial threshold score.
Answered
03/01/2023 13:42
2414. r.e. Article 1.3, is it mandatory to have the indemnity to principals clause within our public and products liability policy?
Could you please confirm the clause you are referring to?
Answered
03/01/2023 13:35
2416. In Article 7.5 and 8.3 we note there is no limit to the indemnity. Could you please clarify if this article is covered by Articles 11.1 (Each Party's total aggregate liability in each Contract Year under this DPS Contract is no more than £100,000) and 11.2 (Each Party's total aggregate liability in each Contract Year under each Order Contract is no more than the greater of £1 million or 150% of the Estimated Yearly Charges unless specified in the Order Form)?
Please refer to Core terms 11.5 and Special Term 7 within the DPS Appointment Form
Answered
03/01/2023 13:34
2268. Could you please clarify question 180: 'Upload documentary evidence for a certificate for each principal contract for goods and/or services provided in the last 3 years'. Can you provide guidance on what is expected of such a certificate and what it should contain?
Please refer to the 'Read First RM3764.3 Cyber Services DPS Needs' document within the bid pack. This question is not applicable and no evidence is required as part of your DPS submission. Awarding buyers only may request for evidence in accordance with their statement of requirements at award stage.
Answered
18/10/2022 09:02
2215. The CCS frameworks website lists "managed security services including crest accredited Security Operations Centre (SOC) and managed detection and response".
The Services Matrix v3 in the Bid Pack v4 does not have SOC and MDR listed.
Can you please confirm if Buyers can buy SOC and MDR services through this framework? If so, how many Orders have been placed for these services to date?
The service matrix includes SOC, MDR and Crest Accredited SOC
Answered
28/09/2022 15:41