II.2.2) Additional CPV code(s)
64210000
64212000
II.2.3) Place of performance
NUTS code:
UK
Main site or place of performance:
UNITED KINGDOM.
II.2.4) Description of the procurement
The authority intends to award a single supplier contract for the provision of a SMS and voice calls service as part of a multi-factor authentication process. Currently approximately 80 million SMS a year and 2 million voice calls are issued per annum on behalf of HMRC. The service consists of two elements – multi-factor authentication and customer service campaigns.
1) The current scope for the SMS and voice calling as part of the multi-factor authentication service is limited to the following:
(a) to send a 6 digit access code (that expires after 15 minutes) to a customer;
(b) the code can be sent to a landline or mobile via SMS or voice;
(c) the user could be in the UK or abroad (anywhere in the world);
(d) the code is sent using a short code associated with HMRC;
(e) to provide a helpdesk function to investigate issues customers have with receiving the access code;
(f) to provide development/changes at nil cost.
2) The SMS service as part of customer service campaigns include all above multi-factor authentication requirements with the below additional requirements:
(a) ability to have 2-way SMS if needed, where customers can reply to SMS, and ability to view replies and MI;
(b) search Facility, to show all SMS a customer has received;
(c) ability to see if SMS has been opened/read;
(d) a dead number check.
The supplier must check if a number is live or dead before SMS is sent. This must be at a significantly lower cost than the sending of an SMS. If the check fails, this must not prevent the SMS from being sent. Dead numbers will then need to be screened against for future campaigns and removed as necessary.
HMRC requires potential providers to comply with the relevant essential requirements below or equivalent:
(a) ISO-27001 Certification as accredited by UKAS or a comparable body
(b) Cyber Essentials Certification
(c) Cyber Essentials Plus Certification
(d) Pen Testing by CREST approved third party auditor every 3 months for both internal and external system IP’s. Tested to OWASP latest guidelines
(e) Dedicated server architecture either third party or owned, must be UKAS accredited to ISO-27001, ISO14001, ISO-9001, ISO18001
(f) Cyber Risk Insurance
(g) Security Patch Management System.
II.2.5) Award criteria
Quality criterion: Social, environmental and innovative characteristics
/ Weighting: 5
Quality criterion: Technical merit — service requirements
/ Weighting: 35
Quality criterion: Technical merit — management activity
/ Weighting: 10
Cost criterion: Charges and invoicing
/ Weighting: 50
II.2.11) Information about options
Options:
No
II.2.13) Information about European Union funds
The procurement is related to a project and/or programme financed by European Union funds:
No
II.2.14) Additional information
Interested parties, will need to register at the below website, to access HMRC questionnaires and submit tender responses: http://hmrc.supplier-eu.ariba.com/ad/register/SSOActions?type=full
Please email e.procurement@hmrc.gov.uk, amandip.kang@hmrc.gov.uk and bhavina.patel1@hmrc.gov.uk with the information (AN Number) detailed at Section VI.3) in order to access the tender event.