Agricultural Finance Corporation

Development House – Moi Avenue P.O BOX 30367 -00100 Nairobi

Tel. +254-020-3272000 Fax 2219390 Website: www.agrifinance.org

Email: procurement@agrifinance.org

TENDER NO: AFC/004/02/2018

TENDER NAME: PROVISION OF FIREWALL NETWORK SECURITY

Closing Date: Tuesday, 13th March, 2018 at 12.00 Noon

Negotiation No. 638695

Issued by the Agricultural Finance Corporation: February, 2018

2

TABLE OF CONTENTS

Page

INTRODUCTION ………………………..……………………………………............. 3

SECTION I INVITATION TO TENDER…………………………………. 7

SECTION II INSTRUCTIONS TO TENDERERS……………………….. 8

SECTION III GENERAL CONDITIONS OF CONTRACT……………… 15

SECTION V DESCRIPTION OF SERVICES...…………………………..… 19

SECTION VI STANDARD FORMS……………………………………………. 32

1. Form of tender……………………………………….…….33

2. Confidential Questionnaire form……………...……….34

3. Tender Security Form …………………………………….35

4. Integrity Declaration Form……………………..……….36

5. Non-Debarment Statement Form……………………...37

3

Introduction

The Agricultural Finance Corporation (hereafter AFC), a wholly owned Government

Development Finance Institution (hereafter DFI), was established in 1963 initially as

a subsidiary of the Land and Agricultural Bank. In 1969, it was incorporated as a full

– fledged financial institution under the Agricultural Finance Corporation Act, Cap

323 of the laws of Kenya. It was then tasked in assisting in the effective and

peaceful transfer of land to indigenous farmers, as well as injecting new capital to

farm owners to spur development. After successful implementation of this task, AFC

was further reconstituted in 1969 to assume a wider mandate by taking over the

functions of the Land and Agricultural Bank of Kenya.

Today we remain the leading Government Credit institution mandated to provide

credit for the sole purpose of developing agriculture. This role is crucial given that

Agriculture is the mainstay of the Kenyan economy where 80% of the Kenyan

population which is rural based relies on agriculture as their main support system.

Background and Objectives

AFC is currently running a basic firewall for the internal infrastructure and are

looking to upgrade to a next generation firewall to sustain the institution. The

organization has an MPLS connecting its branches within the country that terminate

at a single point.

We are also currently running a virtualized environment that we wish to fully

virtualize within this project.

Installation, migration and configuration of the firewall Network Security would be performed by the nominated service provider of the proposed vendor solution. This would include but not limited to:

- Active/Passive clustering of solution

- Migration of existing rules and rule sets from the current system into the new

solution

- Central management and logging to same vendor appliances as well as configuration

of granular regulation-based reporting e.g. ISO and PCI Compliance

- Implementation of routing (dynamic, Static, Policy based or combination of the

mentioned)

4

- Ensure critical systems as defined by AFC to be fully operational within the given

time frame

- Implementation of features as required

The nominated service provider would plan for, implement and design a solution

that incorporates the above including any other recommendations deemed

necessary in order to achieve full effectiveness of the solution. Due to the nature of

this project implementation must be handled by staff that are certified in the

proposed vendor’s product. The service provider is also required to ensure the

transfer of skills to AFC staff to understand and maintain the solution.

General requirements

The NGFW must be capable of supporting the following security

features on a unified platform:

Stateful Inspection Firewall

Intrusion Prevention System

User identity Acquisition

Application Control and URL filtering

Anti-Bot and Anti-Virus

Anti-Spam and Email Security

Client-based VPN and clientless VPN

CPU-level evasion resistant Sandboxing

Extraction/Scrubbing of zero-day malware from infected files

Centralized Security Policy Management and Reporting

Correlation of security events

Industry Regulation-based Compliance Reporting i.e. ISO and PCI DSS

Data Loss Prevention

The features above must be must be exclusively supplied by and managed by the

vendor.

The vendor solution must provide a mechanism to constantly educate end users of

the security policy in real time.

Requirements for Integrator

Certificate of Incorporation

5

PIN/VAT Certificate

Tax Compliance Certificate

Audited Accounts 2 years

Proof of address/ Lease (verifiable)

Provide MAF for solution locally verifiable for firewall network security

At least 5 verifiable Reference sites 3 of which must be FSIs

At least 2 certified security engineers

Engineer should have at least CCNA, CCSA or NSE 2 level or equivalent

At least tier 2 level partnership with the security vendor

Requirements for NGFW

The vendor must provide evidence of year over year leadership positions in

enterprise firewall, UTM firewalls and intrusion prevention based on independent

security industry data.

Published production performance figures must not degrade when the most

effective/secure NGFW protections are activated on all the purchased security

blades/features.

Have the ability to integrate with Microsoft Active Directory/LDAP to associate traffic

to user.

CPU-level evasion resistant Sandboxing and automatic extraction of zero-day

malware from infected files

Monitor compliance to major regulations such as ISO, PCI DSS, NERC, CIP v5 etc.

To ensure optimal performance for delay and jitter-sensitive applications, such as

VOIP, High Definition video, and future real-time sensitive applications, the Next

Generation Firewall shall process all data for all active services as a single stream to

minimize delay and jitter.

To prevent evasive tactics used by modern hackers and malware, the NGFW shall be

port agnostic and analyse all data on all ports all the time for applications

identification.

To reduce administrative costs, overhead, and human error, the NGFW shall simplify

management by having a single tab for configuring policy for all running features,

including application, user, and content id’s. It shall be able to use all three

identification methods in a single policy, to accept or deny traffic, packet shape,

QOS, and Policy route traffic.

6

To maximize the granularity of security policies, the NGFW shall allow policy creation

and enforcement based on any combination of date, time-of-day, ingress and egress

hardware port, ingress and egress software port, application identification, user

identification, and content identification.

All required performance specifications shall be from published public sources from

production environments with all required features and applications simultaneously

active.

To prevent evasive users and applications from bypassing security functions, all

product functions for IPS, Advanced Threat Prevention, and Anti-Virus, shall not

require specific software port and protocol combinations for detection, mitigation, or

enforcement.

Identify and control applications sharing the same connection.

Deal with unknown traffic by policy.

Scan for viruses and malware in allowed collaborative applications.

Handle Intrusion Prevention. The IPS and firewall module must be integrated on one

platform.

Ability to handle multiple VPN sessions, support site-to-site VPN, as well as clientless

SSL VPNs for remote access. This should also allow the administrator to apply

security rules to control the traffic inside the VPN.

Ability to provide in-depth reporting and integrate with the same vendor

management system. This system needs to also manage the End Point solution.

VoIP and H.323 Compliant.

Solution must be IPv4 and IPv6 ready

Provide High Availability : support both Active-Active and Active-Passive modes

Create a baseline of known/legitimate traffic to identify and prevent deviations and

anomalies.

7

SECTION I – INVITATION TO TENDER DATE: 27th February, 2018 Tender REF No: AFC/004/02/2018

Tender Name: Provision of Firewall Network Security Method of Procurement: Request for Quotation

The Agricultural Finance Corporation invites bids through IFMIS Systems from eligible candidates for the Provision of Firewall Network Security.

A complete tender document will be provided to eligible candidates who are in the Corporation’s IFMIS list of Suppliers’ Portal.

Prices quoted should be net inclusive of all taxes, must be expressed in Kenya shillings and shall remain valid for a period of (120) days from the closing date of the tender.

Bidders are expected to participate through IFMIS. In case of any query, please use the following addresses:

procurement@agrifinance.org

The Managing Director, Agricultural Finance Corporation,

P.O. Box 30367 – 00100 GPO, NAIROBI.

The bids should be received in IFMIS on or before Wednesday, 7th March, 2018 at 12.00 Noon Tenders will be opened through IFMIS immediately thereafter in the presence of the

Tenderers or their representatives who choose to attend the opening at 3rd Floor of Development House, along Moi Avenue, the AFC/ADC Conference Hall, at 2.30pm.

Head of Procurement Agricultural Finance Corporation

8

SECTION II INSTRUCTIONS TO TENDERERS

2.1 Eligible tenderers

2.1.1. This Invitation to tender is open to all tenderers eligible as described in the instructions to tenderers. Successful tenderers shall provide the services for the stipulated duration from the date of commencement (hereinafter referred to as the term) specified in the tender documents.

2.1.2. The Agricultural Finance Corporation’s employees, committee members, board members and their relatives (spouse and children) are not eligible to participate in the tender unless where specially allowed under section 131 of the Act.

2.1.3. Tenderers shall provide the qualification information statement that the tenderer (including all members, of a joint venture and subcontractors) is not associated, or have been associated in the past, directly or indirectly, with a firm or any of its affiliates which have been engaged by the Agricultural Finance Corporation to provide consulting services for the preparation of the design, specifications, and other documents to be used for the procurement of the services under this Invitation for tenders.

2.1.4. Tenderers involved in corrupt or fraudulent practices or debarred from participating in public procurement shall not be eligible.

2.2 Cost of tendering

2.2.1 The Tenderer shall bear all costs associated with the preparation and submission of its tender, and the procuring entity, will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the tendering process.

2.2.2 The Agricultural Finance Corporation shall allow the tenderer to review the tender document free of charge before purchase.

2.3 Contents of tender documents

2.3.1 The tender document comprises of the documents listed below and addenda issued in accordance with clause 6 of these instructions to tenders

i) Instructions to tenderers ii) General Conditions of Contract iii) Special Conditions of Contract iv) Schedule of Requirements v) Details of service vi) Form of tender vii) Contract form viii) Confidential business questionnaire form

9

2.3.2 The Tenderer is expected to examine all instructions, forms, terms, and specifications in the tender documents. Failure to furnish all information required by the tender documents or to submit a tender not substantially responsive to the tender documents in every respect will be at the tenderers risk and may result in the rejection of its tender.

2.4 Clarification of Documents

2.4.1 A prospective candidate making inquiries of the tender document may notify the Procuring entity in writing or by post, fax or email at the entity’s address indicated in the Invitation for tenders. The Agricultural Finance Corporation will respond in writing to any request for clarification of the tender documents, which it receives no later than seven (7) days prior to the deadline for the submission of tenders, prescribed by the Agricultural Finance Corporation. Written copies of the Agricultural Finance Corporation’s response (including an explanation of the query but without identifying the source of inquiry) will be sent to all prospective tenderers who have received the tender documents”

2.4.2 The Agricultural Finance Corporation shall reply to any clarifications sought by the

tenderer within 3 days of receiving the request to enable the tenderer to make timely submission of its tender

2.5 Amendment of documents 2.5.1 At any time prior to the deadline for submission of tenders, the

Agricultural Finance Corporation, for any reason, whether at its own initiative or in response to a clarification requested by a prospective tenderer, may modify the tender documents by issuing an addendum.

2.5.2 All prospective tenderers who have obtained the tender documents will be notified of the amendment by post, fax or email and such amendment will be binding on them.

2.5.3 In order to allow prospective tenderers reasonable time in which to take the

amendment into account in preparing their tenders, the Agricultural Finance Corporation, at its discretion, may extend the deadline for the submission of tenders.

2.6 Language of tender

2.6.1 The tender prepared by the tenderer, as well as all correspondence and documents relating to the tender exchanged by the tenderer and the Agricultural Finance Corporation, shall be written in English language. Any printed literature furnished by the tenderer may be written in another language provided they are accompanied by an accurate English translation of the relevant passages in which case, for purposes of interpretation of the tender, the English translation shall govern.

10

2.7 Documents Comprising the Tender

The tender prepared by the tenderer shall comprise the following components:

(a) A Tender Form and a Price Schedule. (d) Confidential business questionnaire

2.8 Form of Tender 2.8.1 The tenderers shall complete the Form of Tender and the appropriate Price Schedule

furnished in the tender documents, indicating the services to be performed.

2.9 Tender Prices

2.9.1 The tenderer shall indicate on the Price schedule the unit prices where applicable and total tender prices of the services it proposes to provide under the contract.

2.9.1 Prices indicated on the Price Schedule shall be the cost of the services quoted including all customs duties and VAT and other taxes payable:

2.9.2 Prices quoted by the tenderer shall remain fixed during the term of the contract unless otherwise agreed by the parties. A tender submitted with an adjustable price quotation will be treated as non-responsive and will be rejected.

2.9.3 Contract price variations shall not be allowed for contracts not exceeding one year (12 months).

2.9.4 Where contract price variation is allowed, the variation shall not exceed 10% of the original contract price.

2.9.5 Price variation requests shall be processed by the Agricultural Finance Corporation within 30 days of receiving the request.

2.10 Tender Currencies 2.10.1 Prices shall be quoted in Kenya Shillings unless otherwise specified in the

appendix to in Instructions to Tenderers

2.11 Tenderers Eligibility and Qualifications.

2.11.1 The tenderer shall furnish, as part of its tender, documents establishing the tenderers eligibility to tender and its qualifications to perform the contract if its tender is accepted.

2.11.2 The documentary evidence of the tenderers qualifications to perform the contract if its tender is accepted shall establish to the Agricultural Finance Corporation’s satisfaction that the tenderer has the financial and technical capability necessary to perform the contract.

11

2.12 Validity of Tenders

2.12.1 Tenders shall remain valid for 120 days or as specified in the invitation to tender after date of tender opening prescribed by the Procuring entity. A tender valid for a shorter period shall be rejected by the Procuring entity as nonresponsive.

2.12.2 In exceptional circumstances, the Agricultural Finance Corporation may solicit the Tenderer’s consent to an extension of the period of validity. The request and the responses thereto shall be made in writing. A tenderer granting the request will not be required nor permitted to modify its tender.

2.13 Evaluation and comparison of tenders.

2.13.1 The Tender Evaluation Committee will evaluate and compare the tenders through IFMIS to determine those which are substantially responsive.

2.13.2 The comparison shall be of the price including all costs as well as duties and taxes payable on all the materials to be used in the provision of the services.

2.13.3 The Agricultural Finance Corporation’s evaluation of a tender will take into account, in addition to the tender price, the following factors, and as may be indicated in the technical specifications:

(a) Operational plan proposed in the tender;

(b) Deviations in payment schedule from that specified in the Special Conditions of Contract;

(a) Operational Plan.

The Agricultural Finance Corporation requires that the services under the Invitation for Tenders shall be performed at the time specified in the Schedule of Requirements. A tender offering to perform longer than the Agricultural Finance Corporation’s required delivery time will be treated as non-responsive and rejected.

(b) Deviation in payment schedule.

Tenderers shall state their tender price for the payment on a schedule outlined in the special conditions of contract. Tenders will be evaluated on the basis of this base price. Tenderers are, however, permitted to state an alternative payment schedule and indicate the reduction in tender price they wish to offer for such alternative payment schedule. The Agricultural Finance Corporation may consider the alternative payment schedule offered by the selected tenderer.

2.13.4 The Tender Evaluation Committee shall evaluate the tender within 30 days from the date of opening the tender.

2.13.5 Tenders will be evaluated on the basis of their responsiveness to eligibility of requirements as listed below. The following documents are mandatory and must be submitted, failure to which the tender will be rejected:-

12

(a) Certificate of incorporation

(b) Valid Tax Compliance Certificate

(c) VAT/PIN Certificate

(d) Attach Copies of Director(s) National ID Card

(e) Confidential Business Questionnaire dully filled and signed by Company authorized Director(s)

(f) Audited Financial Statement for the last 2 years

(g) Reference from three major clients

(h) Must have a minimum of 5 years experience

(i) Provide MAF for solution locally verifiable for firewall solution

(j) Key Staff with relevant experience; Engineer should have at least CCNA, CCSA or NSE 2 level or equivalent; At least 2 certified security engineers

(k) Proof of address/ Lease (verifiable)

(l) At least tier 2 level partnership with the security vendor

2.14 Contacting the procuring entity

2.14.1 No tenderer shall contact the Agricultural Finance Corporation on any matter relating to its tender, from the time of the tender opening to the time the contract is awarded.

2.14.2 Any effort by a tenderer to influence the Agricultural Finance Corporation in its decisions on tender evaluation tender comparison or contract award may result in the rejection of the tenderers tender.

2.15 Evaluation of the Quotations

2.15.1 Preliminary Evaluation The Preliminary Evaluation’s purpose is to look at mandatory requirements needed to operate as a company; this does not have any score but it is marked Yes/No and if a Firm gets even One (1) No, it is disqualified at that stage. Please submit copies of the following mandatory requirements for Preliminary Evaluation: Preliminary Evaluation Criteria S/No. Criteria Yes No

1. Certificate of Incorporation /Registration Certificate

2. Valid Tax Compliance Certificate

3. Valid PIN/VAT Certificate

13

4. Attach Copies of Director(s) National ID Card 5. Confidential Business Questionnaire dully filled and signed by Company

authorized Director(s)

6. Integrity Declaration Form

7. Non-Debarment Statement Form

Please ensure that you adhere fully to the above requirements because this is an elimination stage. As mentioned above, if you miss even One (1) document you will be eliminated at this stage. 2.15.2 Technical Evaluation In preparing the Technical Proposal, Tenderers are expected to examine the documents constituting this Tender in detail. Material deficiencies in providing the information requested may result in rejection of a Tender.

TENDER No: AFC/004/02/2018

TENDER NAME: Provision of Firewall Network Security The Technical Evaluation will be scored at a maximum of 70 points with a minimum of 70 points. Those firms managing technical score of 49 points and above will proceed to the Financial Evaluation stage.

TECHNICAL EVALUATION CRITERIA

S/No. Criteria Weighting score

Maximum score

1. Financial Audited Accounts Statements for the last 3

years.

10 20

2. Specific experience for Similar Services for the last Five (5) Years; Provide copies of letters of award/LPOs or contract copies from at least Five (5) verifiable Reference sites 3 of which must be FSIs

10 30

3. Must have been in existence for a minimum of Five (5) Years. Will be verified with the Certificate of Incorporation /Registration Certificate.

2 10

4. Provide MAF for solution locally verifiable for firewall

solution

5 10

5. Key Staff with relevant experience; Engineer should have at least CCNA, CCSA or NSE 2 level or equivalent; At least 2 certified security engineers

5 15

6. Proof of address/ Lease (verifiable) 2 5

7. At least tier 2 level partnership with the security vendor 2 10

Maximum Technical Total 100

14

2.15.3 Financial Evaluation

The Financial Evaluation will be scored at maximum of 30 points. You will be required to submit the following mandatory documents for Financial Evaluation:

(i) Fully Quoted Price Schedule (ii) Form of Tender duly filled and signed by Company authorized Director(s)

15

SECTION III GENERAL CONDITIONS OF CONTRACT

3.1 Definitions

In this contract the following terms shall be interpreted as indicated:

a) “The contract” means the agreement entered into between the Agricultural Finance Corporation and the tenderer as recorded in the Contract Form signed by the parties, including all attachments and appendices thereto and all documents incorporated by reference therein.

b) “The Contract Price” means the price payable to the tenderer under the Contract for the full and proper performance of its contractual obligations.

c) “The services” means services to be provided by the contractor including materials and incidentals which the tenderer is required to provide to the Agricultural Finance Corporation under the Contract.

d) “The Procuring Entity” means the organization sourcing for the services under this Contract.

e) “The contractor” means the individual or firm providing the services under this Contract.

f) “GCC” means general conditions of contract contained in this section

g) “SCC” means the special conditions of contract

h) “Day” means calendar day

3.2 Application These General Conditions shall apply to the extent that they are not superceded by provisions of other part of contract.

3.3 Standards

3.3.1 The services provided under this Contract shall conform to the 7 standards mentioned in the Schedule of requirements.

3.5 Patent Right’s The tenderer shall indemnify the Agricultural Finance Corporation against all third-party claims of infringement of patent, trademark, or industrial design tights arising from use of the services under the contract or any part thereof.

3.7 Inspections and Tests

3.7.1 The Agricultural Finance Corporation or its representative shall have the right to inspect and/or to test the services to confirm their conformity to the Contract Specifications. The Agricultural Finance Corporation shall notify the tenderer in

16

writing, in a timely manner, of the identity of any representatives retained for these purposes.

3.7.2 The inspections and tests may be conducted on the premises of the tenderer or its subcontractor(s). If conducted on the premises of the tenderer or its subcontractor(s), all reasonable facilities and assistance, including access to drawings and production data, shall be furnished to the inspectors at no charge to the Agricultural Finance Corporation.

3.7.3 Should any inspected or tested services fail to conform to the Specifications, the Agricultural Finance Corporation may reject the services, and the tenderer shall either replace the rejected services or make alterations necessary to meet specification requirements free of cost to the Agricultural Finance Corporation.

3.7.4 Nothing in paragraph 3.7 shall in any way release the tenderer from any warranty or other obligations under this Contract.

3.8 Payment

3.8.1 The method and conditions of payment to be made to the tenderer under this Contract shall be specified in SCC.

3.9 Prices

Prices charged by the contractor for services performed under the Contract shall not, with the exception of any Price adjustments authorized in SCC, vary from the prices by the tenderer in its tender or in the procuring entity’s request for tender validity extension as the case may be. No variation in or modification to the terms of the contract shall be made except by written amendment signed by the parties.

3.10 Assignment

The tenderer shall not assign, in whole or in part, its obligations to perform under this contract, except with the procuring entity’s prior written consent.

3.11 Termination for Default

The Agricultural Finance Corporation may, without prejudice to any other remedy for breach of Contract, by written notice of default sent to the tenderer, terminate this Contract in whole or in part:

a) If the tenderer fails to provide any or all of the services within the period(s) specified in the Contract, or within any extension thereof granted by the Agricultural Finance Corporation.

b) If the tenderer fails to perform any other obligation(s) under the Contract.

c) If the tenderer, in the judgment of the Agricultural Finance Corporation has engaged in corrupt or fraudulent practices in competing for or in executing the Contract.

17

In the event the Agricultural Finance Corporation terminates the Contract in whole or in part, it may procure, upon such terms and in such manner as it deems appropriate, services similar to those undelivered, and the tenderer shall be liable to the Agricultural Finance Corporation for any excess costs for such similar services.

3.12 Termination of insolvency The Agricultural Finance Corporation may at the anytime terminate the contract by giving written notice to the contractor if the contractor becomes bankrupt or otherwise insolvent. In this event, termination will be without compensation to the contractor, provided that such termination will not produce or affect any right of action or remedy, which has accrued or will accrue thereafter to the Agricultural Finance Corporation.

3.13 Termination for convenience

3.13.1 The Agricultural Finance Corporation by written notice sent to the contractor

may terminate the contract in whole or in part, at any time for its convenience. The notice of termination shall specify that the termination is for the Agricultural Finance Corporation convenience, the extent to which performance of the contractor of the contract is terminated and the date on which such termination becomes effective.

3.13.2 For the remaining part of the contract after termination the Agricultural

Finance Corporation may elect to cancel the services and pay to the contractor on agreed amount for partially completed services.

3.14 Resolution of disputes

The Agricultural Finance Corporation’s and the contractor shall make every effort to resolve amicably by direct informal negotiations any disagreement or dispute arising between them under or in connection with the contract.

If after thirty (30) days from the commencement of such informal negotiations both parties have been unable to resolve amicably a contract dispute either party may require that the dispute be referred for resolution to the formal mechanisms specified in the SCC.

3.15 Governing Language

The contract shall be written in the English Language. All correspondence and other documents pertaining to the contract, which are exchanged by the parties, shall be written in the same language.

3.16 Force Majeure

The contractor shall not be liable for forfeiture of its performance security where applicable, or termination for default if and to the extent that it’s delay in performance or other failure to perform its obligations under the Contract is the result of an event of Force Majeure.

18

3.17 Applicable Law.

The contract shall be interpreted in accordance with the laws of Kenya unless otherwise specified in the SCC.

3.18 Notices Any notices given by one party to the other pursuant to this contract shall be sent to the other party by post or by fax or E-mail and confirmed in writing to the other party’s address specified in the SCC. A notice shall be effective when delivered or on the notices effective date, whichever is later.

SECTION V DESCRIPTION OF SERVICES Notes for Preparing Technical Specifications A set of precise and clear description of the services required is a prerequisite for tenderers to respond realistically and competitively to requirements of the procuring entity without qualifying their tenders, the specifications should require that all goods and services to be incorporated be new, and of the most recent improvements – in design and materials unless otherwise provided for in the contract. Samples of specifications from previous similar procurement are useful in their respect. Care must be taken in describing the services to ensure that they are not restrictive. In the description of services describing the services recognized national or international standards should be used as much as possible. Where other particular standards are used, the description should state the services that meet other authoritative standards and which ensure at least a substantially equal quality than other standards mentioned will also be acceptable. This part will include any deliverables under the service contract.

19

DESCRIPTION OF SERVICES

Technical Compliance

Clauses should be answered with “fully comply” or “partially comply” or “does not comply”

answer. If answered “partially comply” or “fully comply”, vendor must provide

explanations with references to the answer.

Requirement Compliance Bidder’s

Response

1. The NGFW solution must reference its industry leadership for

the last 10 years i.e. Gartner NGFW Quadrant and NSS

Breach Detection labs

2. The NGFW firewall must be capable of supporting

throughput, connection rate, and concurrent connections

requirements of the customer

3. The solution MUST not have any published security

vulnerabilities. Provide reference of recently patched

vulnerabilities affecting the solution if any.

4. Must support ISP redundancy

5. Must be IPV4 and IPV6 Ready

6. Must support clustering for High Availability. Active-Active

and Active passive modes should be supporting

7. Must support Layer 2(bridge) and Layer 3(Routed) modes

8. Must support advanced routing features such as OSPF, RIP,

Policy Based Routing(PBR),

9. Should support an integrated Data Loss Prevention (DLP)

feature without need of additional hardware.

Intrusion Prevention System Features

10. Integrated IPS solution with the industry's best threat

coverage having the following minimum functionality:

One-click activation of IPS without the need of any

additional hardware or additional management

Console

20

Requirement Compliance Bidder’s

Response

Inspect SSL Encrypted Traffic

Should be integrated into the unified management

interface

11. IPS must be based on the following detection mechanisms:

exploit signatures, protocol anomalies, application controls

and behavior-based detection

12. IPS must have options to create profiles for either client or

server based protections, or a combination of both

13. IPS must provide at least two pre-defined profiles/policies

that can be used immediately

14. IPS must have a software based fail-open mechanism,

configurable based on thresholds of security gateways CPU

and memory usage

15. IPS application must have a centralized event correlation and

reporting mechanism

16. IPS must be able to detect and prevent the following threats:

Protocol misuse, malware communications, tunnelling

attempts and generic attack types without predefined

signatures

17. The administrator must be able to define network and host

exclusions from IPS inspection

18. Solution must be allow the administrator to easily block

inbound and/or outbound traffic based on countries, without

the need to manually manage the IP ranges corresponding

to the country

User Identity Acquisition

19. Must be able to acquire user identity by querying Microsoft

Active Directory(AD) based on security events with less than

3% impact on the AD

20. Must have a browser based User Identity authentication

method for non-domain users or assets i.e. captive portal

21

Requirement Compliance Bidder’s

Response

21. Must be able to acquire user identity from Microsoft Active

Directory without any type of agent installed on the domain

controllers

22. Must support Kerberos transparent authentication for single

sign on

23. The following user authentication schemes must be

supported by the security gateway and VPN module: tokens

(i.e. -SecureID), TACACS, RADIUS and digital certificates

Application Control and URL Filtering

24. Solution must support access control for at least 150

predefined /services/protocols

25. Application control database must contain more than 6,000

known applications with categorization by Risk Factor

26. Web filtering must cover more than 20 million URLs which

should protect MRA by restricting access to dangerous Web

sites.

27. Provide strong application and identity controls by allowing

AFC to create policies which identifies, block or limit usage of

thousands of applications, based on user identity.

28. The solution must provide a mechanism to inform or ask

users in real time to educate them or confirm actions based

on the security policy

29. The solution must provide the option to modify the Blocking

Notification and to redirect the user to a remediation page

30. Solution must provide an override mechanism on the

categorization for the URL database

31. Granular web and applications security policies at user and

group level with Identity Awareness integration

Anti-Bot and Anti-virus

32. Vendor must have an integrated Anti-Bot and Anti-Virus

22

Requirement Compliance Bidder’s

Response

application on the next generation firewall

33. Integrated antivirus protection must stops viruses, worms

and other malware at the gateway with the following

features:

Cloud based real-time Security Intelligence Feeds

Stop Incoming Malware Attacks

Prevent Access to Malicious Websites

Integrated Malware Reports and Dashboards

34. Anti-Bot application must use a multi-tiered detection engine,

which includes the reputation of IPs, URLs and DNS

addresses and detect patterns of bot communications

35. The solution should support detection & prevention of

Cryptors & ransmoware viruses and variants (Cryptlocker ,

CryptoWall…) through use of static and/or dynamic analysis

36. The solution should have mechanisms to protect against

spear phishing attacks

37. DNS based attacks:

The solution should have detection and prevention capabilities for C&C DNS hide outs:

Look for C&C traffic patterns, not just at their DNS destination

Reverse engineer malware in order to uncover their DGA (Domain Name Generation)

DNS trap feature as part of our threat prevention, assisting in discovering infected hosts generating C&C communication

The solution should have detection and prevention capabilities for DNS tunneling attacks

38. Anti-virus application must be able to prevent access to

malicious websites

39. Anti-Virus must be able to scan archive files and prevent

access to malicious websites

40. The Anti-Virus should support scanning for links inside emails

41. The Anti-Virus should Scan files that are passing on CIFS

23

Requirement Compliance Bidder’s

Response

protocol

42. Support viewing of infected hosts statistics, malware types

and activities, trends/changes vs. previous week/month,

amount of data sent or received

43. Support Packet capture view data sent using complete per-

session packet capture with SSL inspection

44. Should support identification of over 4.5 Million malware signatures and 300,000 malicious websites

SSL Inspection (Inbound / Outbound)

45. The solution should support Perfect Forward Secrecy (PFS ,

ECDHE cipher suites)

46. Sandboxing should be integrated with SSL Inspection

47. The Solution offers support for SSL Inspection/Decryption

with leading performance across all threat mitigation

technologies

48. The Solution should inspect HTTPS based URL Filtering

without requiring SSL decryption

Sandboxing or Threat Emulation

49. The solution must provide the ability to Protect against zero-

day & unknown malware attacks before static signature

protections have been created

50. Sandboxing must prevent both CPU-level and OS-Level

evasion techniques

51. Must provide Real-Time Prevention-unknown malware

patient-0 in web browsing and email

52. Sandboxing must be able to emulate executable, archive files

,documents, JAVA and flash i.e. 7z, csv, docx, dotm, exe, jar,

pdf, xls, apk, xls, ppt, potx, swf etc

53. Sandboxing must be able to emulate executable, archive files

,documents, JAVA and flash specifically within various

24

Requirement Compliance Bidder’s

Response

protocols : HTTP, HTTPS, FTP, SMTP, CIFS(SMB) and SMTP

TLS

54. Emulation engine should be able to inspect, emulate, prevent

and share the results of the sandboxing event into the anti-

malware infrastructure

55. The solution must enable emulation of file sizes larger than

10 Mb in all types it supports

56. The solution should detect the attack at the exploitation

stage – i.e. before the shell-code is executed and before the

malware is downloaded / executed.

57. The solution should be able to detect ROP and other

exploitation techniques (e.g. privilege escalation) by

monitoring the CPU flow

58. The solution should be able to scan documents containing

URLs

59. The solution should be resilient to capabilities of detection of

a sandbox environment i.e. time delays, Human Emulation,

evasion within flash files

60. The sandbox solution should monitor for abnormalities :

API Calls

File System changes

Kernel Code Injection

Privilege Escalation Attempts

Direct physical CPU interaction

User Access Control Bypass detection

Extraction of Zero-day Malware (File Scrubbing)

61. the solution should Eliminate threats and remove exploitable

content, including active content and embedded objects

62. the solution should be able to Reconstruct files with known

safe elements

25

Requirement Compliance Bidder’s

Response

63. the solution should Maintain flexibility with options to

maintain the original file format and specify the type of

content to be removed

Antispam & Email Security

64. Anti-Spam and Email security application must have real-

time classification and protections based on detected spam

outbreaks which are based on patterns and not content

65. Solution must include a Zero-hour protection mechanism for

new viruses spread through email and spam without relying

solely in heuristic or content inspection

66. Anti-Spam and Email security application must be content

and language agnostic

67. Should block spam and malware at the connection level by

checking the sender’s reputation against a dynamic database

of known malicious IP addresses

68. Beyond blocking attacks at a sender level, it should also

include a highly-rated antivirus engine that scans POP3 and

SMTP mail protocols for wide range of virus and malware

attacks

IPSec VPN

69. Must support Internal CA and External 3rd party CA

70. Must support 3DES, AES-256, Diffie-Helman Groups 1,5,19,

SHA—256, AES-XCBC

71. Must Support Secure connectivity for offices and end users

via sophisticated but easy to manage Site-to-Site VPN and

flexible remote access.

Unlimited Site-to-Site VPNs

Client-Based VPN for Windows 7 to 10 (32-bit and 64-

bit) , Mac OS and Linux

SSL VPN for Android and Apple IOS

26

Requirement Compliance Bidder’s

Response

72. IPSec VPN must support two-factor authentication for

authorized users

73. VPN configuration and client activation on at least one of

each of the following Operating Systems, with Microsoft

Active Directory pass through authentication.

74. The vendor should have an option to provide a fully

integrated secure mobility solution on the next generation

firewall

Security Management

75. Security management applications must be able to co-exist

on the security gateway as an option.

76. Centralised rules management, policy definition, reporting

and alerting

77. Must provide security rule hit count statistics to the

management application.

78. All security applications/features must be managed from the

central console

79. Solution must provide the option to save the entire security

policy or specific part of the policy

80. Solution must have a security policy revision control

mechanism

81. Solution must have a security policy verification mechanism

prior to policy installation

82. Solution must include the ability to centrally distribute and

apply new gateway software versions

83. The Log Viewer should have the ability to easily exclude IP

address from the IPS logs when detected as false positive

84. Must allow security rules to be enforced within time intervals

to be configured with an expiry date/time.

85. Solution must be able to move from security log record to

27

Requirement Compliance Bidder’s

Response

the policy rule with one mouse click.

86. Solution must support adding exceptions to IPS enforcement

from the log record

87. Solution must provide the following system information for

each gateway: OS, CPU usage, memory usage, all disk

partitions and % of free hard disk space

88. Solution must include customizable threshold setting to take

actions when a certain threshold is reached on a gateway.

Actions must include: Log, alert, send an SNMP trap, send an

email and execute a user defined alert

89. Solution must include a tool to correlate events from all the

gateway features and third party devices

90. Solution must include the option to search inside the list of

events, drill down into details for research and forensics.

91. Solution must include customizable predefined hourly, daily,

weekly and monthly reports.

92. Solution must include a browser based access to view in

read-only the security policies, manage firewall logs and

users providing access to managers and auditors without the

need to use the management application

93. Solution must have an option to Deliver real-time

assessment of compliance with major regulations (ISO, PCI-

DSS...)

94. Solution must have an option to Provide actionable

recommendations to improve compliance

95. Vendor must have an option to provide a fully integrated

Governance Risk and Compliance application

96. Vendor must have an option to Check compliance with every

policy change for all Network Security Software Blades

97. Provide for network packet capture (Pcap) when required

28

Requirement Compliance Bidder’s

Response

98. Centralised rules management, policy definition, reporting

and alerting

99. Must provide security rule hit count statistics to the

management application.

100. Accurately identify users and subsequently use “ identity

information” as an attribute for policy control

101. The solution must provide automated Incident Analysis to

provide a comprehensive view of attack flow, root cause,

business impact, and entry point to enable accelerated

remediation

Threat Updates

102. Describe how the solution is updated, patched and

maintained.

103. Must provide the details of the solution’s threat prevention

update mechanism and its ability to handle zero day attacks

across all next generation threat prevention applications

including IPS, Application Control, URL filtering, Anti-Bot and

Anti-Virus

Other Security Features

104. Should support Endpoint Security with all the following

security features without need for additional hardware :

Full Disk Encryption Media Encryption, Port protection, Anti-

Ransomware, Antimalware, Automated Endpoint

Remediation and Forensics, Application Control, IPSEC VPN

and

105. Should support central Management of both network

firewalls, endpoint security

106. Should support securing East-West Traffic within the virtual

environment through virtual based firewall.

107. System should support full integration with enterprise-level

ticketing systems and SIEMs

29

Requirement Compliance Bidder’s

Response

108. The solution must provide public APIs for integration with 3rd

Party solutions

Licensing , Support and Warranty

109. The NGFW security features must be fully licensed for 1 year

110. The security management features must be fully licensed for

1 year

111. Must provide next business day hardware replacement in

case of hardware failure or expedited RMA processing.

- Summarize OEM’s RMA options.

112. Must provide option for Remote Incidence response

assistance in case of targeted attacks

Training

113. Must include Hands on training for 2 of the customer’s staff

Project Schedule

Provide a tentative project schedule indicating the key phases, resources to be assigned and estimated number of days.

Item Number of

Resources Number of Days

1. Low Level Design

2. Configuration of appliances

3. Migration of services (cutover)

4. Testing

5. Documentation

6. Knowledge Transfer

30

Price Schedule

Item QTY Unit Price

in USD

(VAT Ex)

Total Price

in USD

(VAT Ex)

VAT

16%

Total

Price

Next Generation Firewalls with all Next

Generation Threat Extraction features

Related manufacture 1 year

support & warranty

2

Hardware Management Appliance with

all requisite management, logging,

correlation and compliance reporting

features

Related manufacture 1 year

support & warranty

1

Solution Implementation, Testing and

Documentation 1

Training and Certification 2

Solution Specifications

NGFW Firewall and Security Management Requirements

Clauses should be answered with “fully comply” or “partially comply” or “does not

comply” answer. If answered “partially comply” or “fully comply”, vendor must

provide explanations with references to the answer.

Firewall Minimum

Requirements Compliance

Bidder’s

Response

Production Environment Performance

Firewall throughput 5.3 Gbps

IPS throughput 810 Mbps

NGFW throughput (Firewall,

Application Control, IPS) 520 Mbps

31

Firewall Minimum

Requirements Compliance

Bidder’s

Response

Threat prevention throughput2 250 Mbps

Ideal Testing Conditions Performance (RFC 3511, 2544, 2647, 1242)

Firewall throughput, 1518 byte UDP 16 Gbps

Connections per second 125,000

Concurrent connections 3.2 to 6.43 million

VPN throughput, AES-128 1.88 Gbps

IPS throughput 3 Gbps

NGFW throughput (Firewall,

Application Control, IPS) 2.7 Gbps

On-board 100/1000Base-T RJ-45 6 x Copper GbE

Memory 16Gb RAM

Licensed Firewall Features

Firewall, VPN (IPSec),

IPS, Application Control,

URL filtering Anti-Bot,

Anti-Virus, URL Filtering,

Anti-Spam, Sandboxing,

Extraction of Zero-day

malware

Security Management Appliance

Minimum Managed Gateways

License 5

Peak Logs per second 40,000

Storage (HDD) 1 Tb

Memory (RAM) 16 Gb

Built-in Network Interfaces 4 x Copper GbE

Management (Console Port) 1 x RJ45

Licenses

Compliance Reporting,

Logging, Monitoring,

Network Policy

Management

32

SECTION V- STANDARD FORMS Notes on standard forms

1. The tenderer shall complete and submit with its tender the form of tender and price schedules pursuant to instructions to tenderers clause 9 and in accordance with the requirements included in the special conditions of contract.

2. When requested by the appendix to the instructions to tenderers, the tenderer should provide the tender security, either in the form included herein or in another form acceptable to the procuring entity pursuant to instructions to Tenderers clause 12.3

3. The contract form, the price schedules and the schedule of requirements shall be deemed to form part of the contract and should be modifies accordingly at the time of contract award to incorporate corrections or modifications agreed by the tenderer and the procuring entity in accordance with the instructions to tenderers or general conditions of contract.

SECTION VI - STANDARD FORMS

1. Form of tender 2. Price schedules 3. Confidential Questionnaire form 4. Integrity Declaration Form 5. Non-Debarment Statement Form

33

5.1 FORM OF TENDER

Date: ______

Tender No: AFC/004/02/2018

To: Agricultural Finance Corporation

P. O. Box 30367 – 00100

NAIROBI.

Gentlemen and/or Ladies:

1. Having examined the tender documents including Addenda Nos. ………………………………. [Insert numbers].the receipt of which is hereby duly acknowledged, we, the undersigned, offer to provide Firewall Network Security in conformity with the said tender documents for the sum of ……………………………………………………… (total tender amount in words and figures) or such other sums as may be ascertained in accordance with the Schedule of Prices attached herewith and made part of this Tender.

2. We undertake, if our Tender is accepted, to the said service in accordance with the requirement schedule specified in the Schedule of Requirements.

3. We agree to abide by this Tender for a period of …………………… [Number] days from the date fixed for tender opening of the Instructions to tenderers, and it shall remain binding upon us and may be accepted at any time before the expiration of that period.

4. This Tender, together with your written acceptance thereof and your notification of award, shall constitute a Contract, between us subject to signing of the Contract by the parties.

5. We understand that you are not bound to accept the lowest or any tender you may receive.

Dated this day of ___ 2018

[Signature] [In the capacity of]

Duly authorized to sign tender for an on behalf of

34

5.3 CONFIDENTIAL BUSINESS QUESTIONNAIRE

You are requested to give the particulars indicated in Part 1 and either Part 2 (a), 2(b) or 2(c) whichever applied to your type of business.

You are advised that it is a serious offence to give false information on this form.

Part 1 General

Business Name.............................................................................................. Location of Business Premises ....................................................................... Plot No, ............................................Street/Road .......................................... Postal address ..............Tel No. ............................Fax Email ......................... Nature of Business ....................................................................................... Registration Certificate No. ............................................................................ Maximum value of business which you can handle at any one time – Kshs. ...... Name of your bankers ................................................................................... Branch ..........................................................................................................

Part 2 (a) – Sole Proprietor Your name in full……………………….Age…………………………………………. Nationality………………………Country of Origin………………… Citizenship details

Part 2 (b) – Partnership Given details of partners as follows Name Nationality Citizenship details Shares

1. ………………………………………………………………………………………… 2. ………………………………………………………………………………………… 3. …………………………………………………………………………………………

Part 2 (c) – Registered Company Private or Public State the nominal and issued capital of company Nominal Kshs. Issued Kshs. Given details of all directors as follows Name Nationality Citizenship details Shares

1. ………………………………………………………………………………………… 2. ………………………………………………………………………………………… 3. …………………………………………………………………………………………

Date……………………………………….Signature of Candidate………………………..

35

5.4 TENDER SECURITY FORM

Whereas ……… Key Staff with relevant experience; Engineer should have at least CCNA,

CCSA or NSE 2 level or equivalent ………………………………. [Name of the tenderer] (Hereinafter called “the tenderer”) has submitted its tender dated ………………. [Date of submission of tender] for the supply, installation and commissioning of …………………… [Name and/or Description of the equipment] (Hereinafter called “the Tender”) ……………………………………….. KNOW ALL PEOPLE by these presents that WE ……………………… of ………………………. having our registered office at …………………………….. (Hereinafter called “the Bank”), are bound unto …………….. [Name of Procuring Entity} (Hereinafter called “the Procuring entity”) in the sum of …………………….. For which payment well and truly to be made to the said Procuring entity, the Bank binds itself, its successors, and assigns by these presents. Sealed with the Common Seal of the said Bank this day of 20 _____ THE CONDITIONS of this obligation are:-

1. If the tenderer withdraws its Tender during the period of tender validity specified by the tenderer on the Tender Form; or

2. If the tenderer, having been notified of the acceptance of its Tender by the Procuring entity during the period of tender validity: (a) fails or refuses to execute the Contract Form, if required; or (b) fails or refuses to furnish the performance security in accordance

with the Instructions to Tenderers; We undertake to pay to the Procuring entity up to the above amount upon receipt of its first written demand, without the Procuring entity having to substantiate its demand, provided that in its demand the Procuring entity will note that the amount claimed by it is due to it, owing to the occurrence of one or both of the two conditions, specifying the occurred condition or conditions. This tender guarantee will remain in force up to and including thirty (30) days after the period of tender validity, and any demand in respect thereof should reach the Bank not later than the above date. [Signature of the bank]____________________________ (Amend accordingly if provided by Insurance Company)

36

5.5 INTEGRITY DECLARATION FORM

I/We/Messrs …………………………………………………………………………… of ………………………. Street/Avenue, Building, P.O. Box ………………… Code ………. of …………….. (Town) …………… (Nationality)

Phone ………………………… Email ……………………………………………………………………………. Declare that Public procurement is based on a free and fair competitive tendering process which should not be open to abuse.

I/We ……………………………………………………………………………………………………………… Declare that I/We will offer or facilitate, directly or indirectly, any inducement or reward to any public officer, their relations or business associates, in connection with.

Tender Name: ……………………………………………………………………………………………………

Tender No: …………………………………………………………………………………………………………

For/or in the subsequent performance of the contract if I/We am/are successful.

Dated this ……………………………………… Day of ………………………………………………. 20……

Authorized Signature ………………………………… Official Stamp ……………………………………..

Name and Title of Signatory ……………………………………………………………………………………

…………………………………………………………………………………………

37

5.6 NON-DEBARMENT STATEMENT FORM

I/We/Messrs ………………………………………………………………………………… of ……………………….

Street/Avenue, Building, P.O. Box ………………… Code ………. of …………….. (Town)

…………… (Nationality)

Phone ……………………………….. Email ………………………………………………………………………

Declare that I/We/Messrs …………………………………………………………………………….. Are not

debarred from participating in Public procurement by the Public Procurement Regulatory

Authority pursuant to section 41 of the Public Procurement and Asset Disposal Act, 2017.

Dated this ……………………………………… Day of ………………………………………………. 20……

Authorized Signature ………………………………………………………………………………………………

Official Stamp ………………………………………………………………………………………………………

Name and Title of Signatory …………………………………………………………………………………

…………………………………………………………………………………………