Telecommunications Tenders

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

Returnable Documents:

I. The bidder must provide assurance/guarantee to the integrity and safe keeping of the information (that it will not amended/corrupted/distributed/permanently stored/copied by the service provider) for the duration of the contract and thereafter. II. CIPC reserves the right to negotiate with the successful bidder on price. III. The Service Provider must ensure that their work is confined to the scope as defined and agreed. IV. Travel between the consultant’s home, place of work to the dti Campus (CIPC) will not be for the account of CIPC, including any other disbursements unless agreed to in writing by CIPC prior to the expense being incurred. V. Government Procurement General Conditions of Contract (GCC) as issued by National Treasury will be applicable on all instances. The general conditions are available on the National Treasury website (www.treasury.gov.za); VI. No advance payment will be made. Payment would be made in terms of the deliverables or other unless otherwise agreed upon by CIPC and the successful bidder. CIPC will pay within the prescribed period according to PFMA. VII. The price quoted by the prospective service provider must include Value Added Tax (VAT). VIII. The successful bidder must at all times comply with CIPC’s policies and procedures as well as maintain a high level of confidentiality of information. IX. The successful bidder must ensure that the information provided by CIPC during the contract period is not transferred/copied/corrupted/amended in whole or in part by or on behalf of another party. X. Further, the successful bidder may not keep the provided information by way of storing/copy/transferring of such information internally or to another party in whole or part relating to companies and/or close corporation. XI. As such all information, documents, programs and reports must be regarded as confidential and may not be made available to any unauthorized person or institution without the written consent of the Commissioner and/or his/her delegate. XII. The service provider will therefore be required to sign a Declaration of Secrecy with CIPC. At the end of the contract period or termination of the contract, all information provided by CIPC will become the property of CIPC and the service provider may not keep any copy /store/reproduce/sell/distribute the whole or any part of the information provided by CIPC unless authorized in terms of the Declaration of Secrecy. XIII. The Service Provider (successful bidder) will be required to sign a Service Level Agreement with CIPC prior to the commencement of the contract; and XIV. Compliance with PFMA regulations in terms of the safeguarding of assets and adequate access control must be guaranteed. Assets include all infrastructure, software, documents, backup media and information that will be hosted at the Offsite ICT Recovery Site. These security measures must be specified in the SLA. XV. As the commencement of this contract is of critical importance, it is imperative that the prospective Service Provider has resources that are available immediately. Failure to commence with this contract immediately from date of notification by CIPC could invalidate the prospective Service Provider’s proposal. “TOR” AI-powered multi-channel transactional chatbot of 25 XVI. The Service Provider shall be required to provide training & skills transfer for the services as per paragraph 3 of this document. XVII. Service Provider shall provide CIPC with all the license documentation that CIPC is entitled to as per the costing of the licenses. XVIII. The Service Provider shall be required to provide training & skills transfer for the services as per paragraph 3 of this document. XIX. Bidders shall be subjected requested to demonstrate all claims made in the proposal. XX. The resources that a bidder supply will be subjected to an assessment result which will determine the suitability of the service provider to implement against the assignment of the ToR. Failure to provide suitable candidates will lead to cancellation of award of the tender. XXI. CIPC reserves the right not to make this appointment XXII. The service provider will sign a confidentiality agreement regarding the protection of CIPC information that is not in the public domain. XXIII. Appointment will be subject to positive security screening results by the State Security Agency. XXIV. All possible steps shall be taken by the contract to ensure full execution of this agreement. XXV. CIPC reserves the right not to make this appointment 14. EVALUATION PROCESS (Criteria) The evaluation process will be done in accordance with the following criteria: • Bids will be evaluated in accordance with the 80/20 preference point system contemplated in the Preferential Procurement Policy • Framework Act (Act ). 14.1.1 EVALUATION PROCESS (Criteria) The evaluation process will be done in accordance with the following criteria: Bids will be evaluated in accordance with the 80/20 preference point system contemplated in the Preferential Procurement Policy Framework Act (Act ). Evaluation (Phases): The evaluation will be completed in 3 phases: • Phase 1: Compliance to minimum requirements • Phase 2: Functional Evaluation • Phase 3: Functional Evaluation 14.1.2 PHASE 1: COMPLIANCE TO MINIMUM REQUIREMENTS AND MANDATORY REQUIREMENTS During Phase 1 all bidders will be evaluated to ensure compliance to minimum document requirements. Without limiting the generality of the CIPC‘s other critical requirements for this Bid, bidder(s) must submit the documents listed in the Table below. All documents must be completed and signed by the duly authorized representative of the prospective bidder(s). During this phase Bidders’ response will be evaluated based on compliance with the listed administration and mandatory bid requirements. All bidders that comply with the minimum requirements will advance to Phase 2. “TOR” AI-powered multi-channel transactional chatbot of 25 BIDDERS TO COMPLETE THE TABLE BELOW Ite Document that must be submitted Compliance Non-submission may result in disqualification m provide No ANSWER: Yes /No 1. Invitation to Bid – SBD 1 Complete and sign the supplied pro forma document. 2. Tax Status – SBD1 Bidders must submit Tax Clearance Certificate (TCC) PIN The TCS PIN will be used for the verification of tax compliance status a Bidder 3. Declaration of Interest –SBD 4 Complete and sign the supplied pro forma document. 4. Declaration of Bidder’s Past Supply Chain Management Practices – Complete and sign the supplied pro forma document. SBD 8 5. Certificate of Independent Bid Determination – SBD 9 Complete and sign the supplied pro forma document. Completion in full of the Request for Proposal documents Bidder to complete and sign documents 6. BIDDERS TO SUBMIT VALID AND COMPLIANT B-BBEE Certificate VALID AND COMPLIANT B-BBEE Certificate (Compulsory) (Compulsory). Latest valid BBBEE certificate- SANAS Accredited or sworn affidavit for EME/QSE signed by the deponent and the FAILURE TO SUBMIT WILL IMMEDIATELY DISQUALIFY YOUR BID Commissioner of Oath FAILURE TO SUBMIT WILL IMMEDIATELY DISQUALIFY YOUR BID. THIS DISQUALIFICATION DOES NOT APPLY TO NON- SOUTH AFRICAN BIDDERS 7. Registration on Central Supplier Database (CSD) Compulsory The Service Provider is encouraged to be registered as a service provider on the Central Note: Important: Bidders to submit valid and compliant B-BBEE Supplier Database (CSD). Visit https://secure.csd.gov.za/ to obtain your. Vendor number. Certificate as well as the CSD report. The BBBEE certificate- SANAS Submit PROOF of registration on the Central Supplier Database (CSD Report) Accredited or sworn affidavit for EME/QSE is the primary verification document to claim points for specific goals for this bid. Failure to SUBMIT SUPPLIER UNIQUE REFERENCE NUMBER submit a compliant B-BBEE certificate will result in disqualification. 8. NB: Pricing Schedule: Submit full details of the Price Proposal in a separate SEALED envelope. Compliance to AND 21- ANNEXURE “A” Price must be carried over to BOTH SBD 3.3 (Pricing Schedule) and SBD FORM1: (Invitation REFER TO TO 5 and 22 TO 24 for Bids). The Total Bid Amount (CEILING AMOUNT) will be used for the evaluation of bids FAILURE TO COMPLY WITH THIS REQUIREMENT SHALL therefore it must be inclusive of all costs for the duration of the contract) IMMEDIATELY DISQUALIFY A BIDDER. FAILURE TO COMPLY WITH THIS REQUIREMENT SHALL IMMEDIATELY DISQUALIFY A BIDDER. 9. IMPORTANT: SUBMISSION OF USB . Bidders must submit a USB with their proposal- 1 copy of the original document . USB to be submitted in pdf format and to be read only REFER TO . All documents to be signed and bidders initial each page . Bidders must check that USB sticks open, are readable, and contain no blank pages, BIDDERS TO READ AND UNDERSTAND THE CONDITIONS STATED documents, or folders. Ensure that each folder created is numbered and avoid clustering IN TO OF THIS TOR folders with many documents rather create separate folders. . No password protected USB allowed. Do not submit CDS FAILURE TO COMPLY WITH THIS REQUIREMENT SHALL . Bidders will be disqualified should the requirements mentioned on and 6 not complied IMMEDIATELY DISQUALIFY A BIDDER. with. . Important: The USB will be used for evaluation purposes up to tender award, so all documents must be included in the USB, including SBD forms, technical proposal mandatory documents etc.. . FAILURE TO COMPLY WITH THIS REQUIREMENT SHALL IMMEDIATELY DISQUALIFY A BIDDER. 10. Note: All prospective bidders will be expected to attend a mandatory FAILURE TO ATTEND THE COMPULSORY BRIEFING SESSION WILL RENDER YOUR briefing session/site visit as determined by the CIPC where BID BEING DISQUALIFIED questions will be addressed by a panel of the CIPC. 11. Mandatory Requirement: OEM Certificates/Partnership letters for 1. The letter or a testimonial or certification must be submitted in order to proceed to the proposed solution. (bidders to submit relevant accreditation the next phase (phase 2). Bidders to ensure that a letter/ testimonial /certification etc. certificate/letter) – addressing this requirement is attached. • The bidders must provide a letter from Solution Vendor Original 2. All bidders are required to comply with this requirement. Equipment Manufacturer (OEM) which indicates that they are 3. Should there be no letter/ testimonial /certification etc attached the bid will accredited for product/Solution/Systems/Technology manufacturer immediately be disqualified. /owner authorising the resale or support of the proposed 4. The letter/ testimonial /certification must be signed dated by authorized representative Product/Solution/System/Technology. 5. It should state expiry date or validity • In the event that the bidder is the owner of the proposed FAILURE TO SUBMIT WILL RENDER YOUR BID BEING DISQUALIFIED Product/Solution/Systems/Technology, a letter must be attached for confirmation. 12. BIDDERS TO INDICATE IF THEY READ AND UNDERSTOOD THE FAILURE TO COMPLY WITH THIS REQUIREMENT SHALL IMMEDIATELY DISQUALIFY A CONDITIONS STATED IN TO OF THIS TOR BIDDER. ALL BIDDERS THAT COMPLY WITH THE MINIMUM REQUIREMENTS WILL ADVANCE TO PHASE 2. “TOR” AI-powered multi-channel transactional chatbot of 25 14.1.3 PHASE 2: FUNCTIONAL EVALUATION AND COMPLIANCE TO SPECIFICATION 1. All bidders that advance to Phase 2 will be evaluated by a panel to determine compliance to the functional requirements of the bid. 2. IMPORTANT: The following documents need to be submitted as part of the proposal and will be used during the evaluation. a. Experience of company (Testimonials need to be provided) b. Resources (CVs of staff who will assist with this project) Kindly take note of the criteria on which the scoring is based. c. Project plan with timelines d. Technical Requirements / Proposal. NB: Bidders must respond systematically, and address separately and clearly marked all requirements, indicate understanding, approach, methodology, technology, systems etc. ❖ Include architectural diagram ❖ OEM certificates ❖ Print screens of reports and wallboard/dashboard Proposals will be evaluated on the following: • Technical functionality and innovation. • Project Team members expertise in AI Chatbot implementation. • Proven experience in AI chatbot and transactional automation solutions. • Capability in multi-channel integration (WhatsApp, social, web, mobile). • Project management methodology and implementation plan. • Skills transfer and sustainability approach. The functional evaluation will be rated out of 100 points and will be determined as follows: No Evaluation Criteria Rating Weight Total 1 2 3 4 5 % 1. EXPERIENCE OF THE COMPANY 30 The bidder must have relevant experience in the implementation of an ai-powered multi- channel transactional chatbot. • Provide at least three references letters, not older than 3 years, with contactable references (on clients’ letterhead) relating to AI powered multichannel chatbot implementation, indicating relevant experience (Preferably cloud based solutions). • Note:At least one (1) referenced implementation must be active/live, and CIPC reserves the right to conduct site visits or solution demonstrations, where deemed necessary. Ratings to be awarded as follows: 1. Score = 1: No letters submitted or irrelevant letters. 2. Score = 2: Relevant Experience of less than 3 years of implementing ai- powered multi-channel transactional chatbot 3. Score = 3: Relevant Experience of 3 years, but less than 4 of implementing ai-powered multi-channel transactional chatbot 4. Score =4: Relevant Experience of 4 years, but less than 5 years of implementing ai-powered multi-channel transactional chatbot 5. Score = 5: Relevant experience of 5 years and above of implementing of ai-powered multi-channel transactional chatbot “TOR” AI-powered multi-channel transactional chatbot of 25 No Evaluation Criteria Rating Weight Total 1 2 3 4 5 % 2. PROPOSED PROJECT TEAM EXPERTISE & INDIVIDUAL RESOURCES (BASED ON 25 THE CV OF RESOURCES/ TEAM WHO WILL WORK DIRECTLY IN THE PROJECT): Bidders must submit detailed CVs and/or profiles for all core team members, clearly indicating: • Role and Responsibilities on the project (e.g., Project Manager, AI/NLU Engineer, Systems Integrator, Data Security Specialist, UX/UI Designer, Change Management Lead, etc.). • Educational Qualifications & certificates (relevant ICT, AI, data science, or engineering degrees, Professional Certifications (e.g., AWS, Azure AI, Google Dialogflow, Microsoft Copilot Studio, Project Management, Cybersecurity, etc). • Practical Experience in implementing similar chatbot or AI automation solutions (especially those with transactional or government integrations). • Minimum 2-year Experience in their relevant field. • Track Record of projects completed in similar environments (include project name, client, and brief description). Ratings to be awarded as follows: 1. Score = 1: Does not meet requirements- Team composition is inappropriate or unqualified for the project: ❖ No relevant experience in AI, chatbot development, or integration. ❖ Missing or incomplete CVs. CVs that lack depth. ❖ Evidence of insufficient capacity or lack of qualified personnel. 2. Scoring of 2: Below requirements - Limited or inconsistent evidence of relevant experience: ❖ Less than 1 year experience, with few team members having directly applicable expertise. ❖ CVs lack clarity or depth. ❖ Unclear or no demonstrated experience in similar chatbot or AI-driven service automation projects. 3. Score =3: Sufficient Expertise of team members ❖ Team demonstrates adequate technical expertise with some relevant experience. ❖ 2 year+ experience on Ai Chatbot, OR ❖ 3 year exposure to projects of comparable scale or complexity. ❖ Team qualifications/certifications are aligned 4. Score = 4: Meets all requirements ❖ Team includes qualified and experienced professionals with relevant AI/chatbot or digital transformation backgrounds. ❖ Most key resources have 3–5 years of relevant experience. ❖ Some public sector or/and large-enterprise experience. ❖ Team composition is well-balanced, especially in relevant specialized skills areas. 5. Score = 5: Exceeds requirements Project team demonstrates exceptional qualifications and experience. All proposed key resources have: ❖ 5+ years of directly relevant experience delivering AI chatbot or automation projects of similar complexity. ❖ Prior experience in public sector or/ & big organizations (high query volumes) Team qualifications/certifications are aligned + strong evidence of collaboration across technical, data, and customer experience disciplines. ❖ Team qualifications/certifications are aligned to requirements “TOR” AI-powered multi-channel transactional chatbot of 25 No Evaluation Criteria Rating Weight Total 1 2 3 4 5 % 3 TECHNICAL SOLUTION CAPABILITY & FUNCTIONAL FIT: 25 Assesses the proposed chatbot’s functionality, architecture, integrations, compliance, and ability to meet CIPC’s operational and transactional requirements: • Core Requirements: • Provides conversational, natural language automated responses • Supports multi-channel deployment - with consistency across web and social media, specifically WhatsApp. • Enables authenticated transactional interactions, e.g checking outstanding balances or compliance status, filing annual reports, etc. • Offers escalation to human agents with full traceability and SLA monitoring. • Integrates seamlessly with CIPC internal systems and APIs for real-time data access. • Includes an AI-assisted knowledge base for chatbot and agent use. • Solid AI/NLU capability and multi-channel coverage. • Demonstrates sound security controls and POPIA compliance. Non- Core Requirements: • Provides reporting and analytics dashboards to track service performance and customer satisfaction. • clear documentation and APIs for future integration. • Supports multi-channel deployment for consistency other social platforms. Ratings to be awarded as follows: 1. Score =1: Below requirements ❖ Proposal is generic, off-the-shelf, or unrelated to the required scope. ❖ The solution has less than 4 or core/ key functional requirements and atleast 1 non- core requirements 2. Score = 2: Does not/ or partially meet requirements ❖ The solution has less than 5 core/ key functional requirements and atleast 1 non- core requirements or vice versa. 3. Score = 3: Meets all requirements ❖ The solution has atleast 7 core/ key functional requirements and/& atleast 2 non- core requirements and/or extra functionalities. 4. Score =4: Fully meets requirements ❖ The solution has atleast All core/ key functional requirements and atleast 3 non- core requirements &/ or 2 other extra functionalities. 5. Score = 5: Exceeds all requirements ❖ The proposed solution fully meets and exceeds all functional, technical, and security requirements: ❖ The solution has atleast All core/ key functional requirements and atleast All non- core requirements plus 3 or more other extra functionalities. “TOR” AI-powered multi-channel transactional chatbot of 25 No Evaluation Criteria Rating Weight Total 1 2 3 4 5 % 4 EVALUATION CRITERION: IMPLEMENTATION APPROACH & PROJECT 10 MANAGEMENT: • Assesses the bidder’s delivery methodology, project governance, resourcing, timelines, risk management, quality assurance, and approach to testing, rollout, and support:- Ratings to be awarded as follows: 1. Score = 1: The bidder fails to demonstrate any structured implementation approach or project management capability: _ ❖ No clear methodology, timeline, or deliverable plan. ❖ Timelines and deliverables are unclear or unrealistic. ❖ Limited indication of governance or accountability ❖ Project dependencies and resourcing not well addressed. 2. Score = 2: The plan addresses most project management aspects, but with limited depth or clarity: - ❖ Milestones and timelines are included but may appear generic. ❖ Risk and QA measures are basic or incomplete. ❖ Limited evidence of structured governance or communication strategy. 3. Score =3: Meets all requirements: ❖ Includes milestones and deliverables. ❖ Adequate project governance and resource allocation. ❖ Risk and quality management processes are well-defined ❖ Sufficient evidence of structured governance or communication strategy. 4. Score = 4: Fully meets requirements The plan covers all key aspects of implementation with clear methodology and achievable timelines: ❖ Includes milestones and deliverables, adequate project governance and resource allocation. ❖ Risk and quality management processes are well-defined ❖ Demonstrates a proven, agile or hybrid project management approach with clear governance and communication structures. 5. Scoring = 5: Exceeds requirements- The implementation plan is comprehensive, realistic, and well-structured, clearly exceeding expectations. ❖ Includes a detailed project plan with milestones, deliverables, and dependencies. ❖ Demonstrates a proven, agile or hybrid project management approach with clear governance and communication structures. ❖ Robust risk management, quality assurance, and testing plans are clearly defined. ❖ Demonstrates readiness for pilot rollout, change management, and post- deployment support. ❖ Shows strong understanding of CIPC’s operating environment and interdependencies with existing systems. 5. SKILLS TRANSFER, SUSTAINABILITY & KNOWLEDGE MANAGEMENT 10 • Skills transfer- ensuring CIPC’s internal teams can fully operate and maintain the solution within the period of implementation. • including training, documentation, and knowledge-sharing frameworks: Ratings to be awarded as follows: 1. Scoring of 1: Below requirements ❖ The bidder fails to include any plan or commitment to skills transfer, training, or sustainability. ❖ No indication of documentation, knowledge management, or capacity building. ❖ Approach is fully vendor-dependent, undermining CIPC’s self-sufficiency goals. 2. Scoring of 2: Does not meet requirements ❖ The bidder provides minimal reference to skills transfer or knowledge sharing. ❖ No clear training or handover plan. ❖ Limited evidence of sustainability measures or CIPC capacity enablement. “TOR” AI-powered multi-channel transactional chatbot of 25 No Evaluation Criteria Rating Weight Total 1 2 3 4 5 % ❖ Relies heavily on continued vendor support without a defined exit or independence strategy. 3. Scoring of 3: The bidder mentions skills transfer activities with some detail or structure. ❖ Training plan is high-level, lacking defined outcomes or evaluation metrics. ❖ Documentation approach is mentioned but not clearly outlined. ❖ Limited detail on sustainability or ongoing capacity building. 4. Scoring of 4: Fully meets requirements: ❖ The bidder provides solid skills transfer and sustainability plan post implementation that covers key areas: training, documentation, support and maintenance. ❖ Includes timelines and responsible parties. ❖ Adequate measures for CIPC staff enablement and maintenance handover. ❖ Knowledge materials are clearly defined 5. Scoring of 5: Exceeds requirements- ❖ The bidder presents a comprehensive, structured, and measurable skills transfer plan aligned with CIPC’s one-year target. ❖ Includes clear training roadmap (technical and non-technical), mentorship, and certification opportunities for CIPC staff. ❖ Provides detailed knowledge management framework (documentation, SOPs, FAQs, maintenance guides ❖ Commits to co-development or shadowing to ensure true hands-on transfer. ❖ Plan includes post-project sustainability mechanisms, such as internal capability retention and refresher training. TOTAL 100 Note: 1. Functionality will count out of 100 points. Bidders must achieve a minimum score of 60 points out of 100 on the functionality evaluation to proceed to the next phase. 2. BIDDERS THAT ACHIEVE LESS THAN 60 POINTS ON FUNCTIONALITY WILL BE DISQUALIFIED FOR FURTHER EVALUATION “TOR” AI-powered multi-channel transactional chatbot of 25 15 PHASE 4: PRICING AND PREFERENTIAL PROCUREMENT POLICY Preferential Procurement Policy The bidders that have successfully progressed will be evaluated in accordance with the 80/20 preference point system contemplated contemplated in the Preferential Procurement Policy Framework Act (Act ) as amended together with Preferential Procurement Regulations, 2022 In terms of Regulation 4(2); 5(2); 6(2) and 7(2) of the Preferential Procurement Regulations, preference points must be awarded for specific goals stated in the tender. For the purposes of this tender the tenderer will be allocated points based on the goals stated in table 1 below as may be supported by proof/ documentation stated in the conditions of this tender: The maximum points for this tender are allocated as follows: POINTS PRICE 80 SPECIFIC GOALS 20 Total points for Price and SPECIFIC GOALS 100 1. Failure on the part of a tenderer to submit proof or documentation required in terms of this tender to claim points for specific goals with the tender, will be interpreted to mean that preference points for specific goals are not claimed. Note: Bidders to submit valid and compliant B-BBEE Certificate as well as the CSD report. The B-BBEE Certificate is used as our primary verification document to claim points for specific goals for this bid. Failure to submit a compliant B-BBEE certificate will result in disqualification 2. The purchaser reserves the right to require of a bidder, either before a bid is adjudicated or at any time subsequently, to substantiate any claim in regard to preferences, in any manner required by the purchaser # Specific goals allocated points Means of verification and Required Evidence Preference Points (80/20) 1 HDI, Race are black persons (ownership)* • B-BBEE Certificate 10 100% black ownership • CSD Registration report = 10 points • CIPC Company Registration and based on percentage pro rata for black ownership less than 100% Important the CSD will be used as our primary eg: 67% = 6.7 points verification documents 2 Gender are women (ownership)* • B-BBEE Certificate 8 100% or more women ownership = 8 points • CSD Registration report and based on percentage pro rata for black ownership less than 100% • CIPC Company Registration eg: 50% = 4.0 points Important the CSD will be used as our primary verification documents 3 Disability are disabled persons (ownership)* • Confirmation of Disability Form as per SARS 2 WHO disability guideline (ITRDD Form) 100% ownership = 2 points • Medical Certificate and based on percentage pro rata for black ownership less than 100% Important the CSD will be used as our primary eg: 50% = 1.0 points verification documents 3. Important: Bidders to submit valid and compliant B-BBEE Certificate as well as the CSD report. The B-BBEE Certificate the primary verification document to claim points for specific goals for this bid. Failure to submit a compliant B-BBEE certificate will result in disqualification. • Provide fixed price quotation for the duration of the contract • Cost must be VAT inclusive and quoted in South African Rand • Costing should be aligned with the project activities / project phases The bidder with the highest score will be recommended as the successful service provider. “TOR” AI-powered multi-channel transactional chatbot of 25 16 ANNEXURE “A” BID PRICING SCHEDULE THIS PAGE TO BE INCLUDED IN THE PRICE FOLDER AS WELL AS IN THE SEALED PRICE ENVELOP TOGETHER WITH ALL OTHER PRICE DOCUMENTS AS LISTED BELOW TABLE 1: No PRICING INSTRUCTIONS: BIDDERS TO COMPLY WITH ALL REQUIREMENTS 1. Applicable Currency: All prices shall be quoted in South African Rand. 2. Completion of Pricing Schedule: Bidders shall complete the pricing schedule in full, inserting all the information required therein. In addition to the pricing schedule in this bid document, bidders may prepare a more detailed pricing schedule should they wish to do so, and include this in their pricing proposal, provided that such additional pricing schedule is in line with the deliverables on the CIPC issued pricing schedule. 3. Applicability of Quoted Prices: • All quoted prices must remain firm for the duration of the contract, unless stipulated otherwise in the special conditions of contract. • The condition must be stated in SBD3.3 • Bidders to note that price validity is one hundred and twenty days (120) days • The service provider must clearly indicate whether the price is firm or subject to the Statutory Wage Increase 4. Total Bid Cost: Prices quoted must include all applicable taxes including VAT, less all unconditional discounts, plus all costs to deliver the services and/or goods. Note: Service providers will be responsible for all costs e.g. transportation for ALL activities associated with this bid. It is therefore the bidder’s responsibility to ensure that all costs are included in the price proposal submitted to CIPC 6. Bid Price Calculation: Bidders to not that estimates of quantities are provided to allow for the calculation of a bid price that allows equal comparison between bidders. 8. Applicable SBD Document to be included in the USB as well as sealed Pricing envelop THIS PRICING SCHEDULE (ANNEXURE H (“A”) SDB 3.3: PRICING SCHEDULE SBD FORM 1: INVITATION TO BIDS FOR A BIDDER MUST ATTACH PRICE BREAKDOWN IN THE BIDDER’S COMPANY LETTERHEAD SIGNED BY AUTHORISED REPRESENTATIVE FAILURE TO COMPLY WITH ALL THE ABOVE REQUIREMENTS FOR PRICING SHALL IMMEDIATELY INVALIDATE THE BID Prospective bidders must submit a comprehensive proposal. The onus is upon the prospective bidders to take into account all costs for the duration and the price must be fixed for the duration of the contract. 1. All prices must be VAT inclusive and quoted in South African Rand (ZAR), with details on price elements that are subjected to escalation (statutory wage increase) and exchange rate fluctuations clearly indicated. 2. Pricing must be based on an estimated two million (2,000,000) customer interactions per month, inclusive of, but not limited to, the following: “TOR” AI-powered multi-channel transactional chatbot of 25 a. End-to-end chatbot configuration and implementation- deployment. b. Full setup and enablement of the WhatsApp channel, including authentication and transactional capabilities. c. Integration with CIPC systems and APIs, where required. d. Ongoing maintenance and support, including bug fixes, upgrades, and performance optimisation; e. Hosting, licensing, subscription, and usage costs (where applicable); f. Security, compliance, and POPIA-related requirements. g. Training, skills transfer, and documentation for CIPC staff; and h. Any other costs necessary to deliver a fully functional, secure, and operational AI-powered chatbot solution. i. Pricing must be all-inclusive, clearly broken down into: i. Once-off implementation costs, and ii. Recurring monthly or annual costs, where applicable. iii. The estimated interaction volumes are provided for costing purposes only and may vary over time. 3. The terms of payment are Net 30 days after receipt of invoice and acceptance of work; 4. The proposal must include supporting documents and the price schedule. TABLE 2 No PRICING Once off fee Year 1 (VAT Year 2 (VAT Year 3 (VAT TOTAL (Vat inclusive) Incl) Incl) incl) 1 End-to-end chatbot configuration and implementation- deployment 2 Full setup and enablement of the WhatsApp channel, including authentication and transactional capabilities 3 Integration with CIPC systems and APIs, where required 4 Ongoing maintenance and support, including bug fixes, upgrades, and performance optimization 5 Hosting, licensing, subscription, and usage costs (where applicable). 6 Security, compliance, and POPIA-related requirements. 7 Training, skills transfer, and documentation for CIPC staff 8 Support (On-site and remote) On-site support as and when requested during the maintenance period (200 hours per year; – Unlimited remote support. CIPC should not be charged extra for transport to CIPC offices. (where applicable) 9 Any other costs necessary to deliver a fully functional, secure, and operational AI-powered chatbot solution. TOTAL PRICE • Cost breakdown must be provided, covering all required aspects in this tender. “TOR” AI-powered multi-channel transactional chatbot of 25 • Configuration of system, integration with CIPC systems, maintenance and support. • On-site support as and when requested during the maintenance period (200 hours per year; – Unlimited remote support. CIPC should not be charged extra for transport to CIPC offices. (where applicable) • Ability to upgrade/scale to allow for additional functionality and/or licences on pay-as-you-go basis. There should be an option to discontinue with a specific service without a lengthy waiting period if required. • CIPC should not be charged extra for transport to CIPC offices during installation or maintenance and support, or for meetings. • The following pricing table needs to be completed: TABLE 3: INSERT TOTAL BID PRICE INCLUSIVE OF ALL TO BE CARRIED TO SBD 3.3 AND SBDFORM 1 TOTAL BID PRICE (CEILING PRICE) FOR THE DURATION OF 5 3 YEARS: NB PRICE MUST BE INCLUSIVE OF ALL REQUIREMENTS OF THE TOR TOTAL YEAR 1 TO 3: (PRICE MUST BE INCLUSIVE OF VAT) TOTAL BID PRICE TO BE CARRIED OVER TO SBD 3.3 AND SBD FORM 1 3 YEARS FAILURE TO COMPLY WITH ALL THE ABOVE REQUIREMENTS FOR COSTING SHALL IMMEDIATELY INVALIDATE THE BID. “TOR” AI-powered multi-channel transactional chatbot of 25 17 BRIEFING SESSION PLEASE NOTE THAT THERE IS A COMPULSORY BRIEFING SESSION SCHEDULED FOR THIS. COMPULSORY BRIEFING SESSION DATE: 19 JANUARY 2026 TIME 11:00 AM ONLINE VIA MS TEAM MEETING LINK - MS TEAMS Meeting ID: 387 414 468 715 04 Passcode: u7Wm2gW6 HTTPS://TEAMS.MICROSOFT.COM/L/MEETUP- JOIN/19%3AMEETING_MMY1NZCXMTYTMDC3YS00YJBHLWI2ZDGTYJY2ODQ1Y2VHMTLI%40THREAD.V2/0?CONTEXT=%7B%22TID%22%3A%2298FCF51F-86E0-475C-9429- B51CD8D1BF46%22%2C%22OID%22%3A%227A1642CD-A497-49EC-92B0-53F40836F5EA%22%7D MANDATORY ONLINE BRIEFING SESSION DURING THIS SESSION A TECHNICAL PANEL OF THE CIPC WILL OUTLINE THE SCOPE OF THE PROJECT AND WILL ADDRESS QUESTIONS FROM PROSPECTIVE BIDDERS. IMPORTANT NOTE TO BIDDERS: - This is a compulsory briefing session, FAILURE TO ATTEND IMMEDIATELY DISQUALIFIES YOUR BID 18 SUBMISSION OF PROPOSALS Sealed proposals will be received at the Tender Box at the main gate, 77 Mentjies Street, Sunnyside, the DTIC campus, Proposals should be addressed to: Manager (Supply Chain Management) Companies and Intellectual Property Registration Office the dtic Campus, 77 Meintjies Street, Sunnyside PRETORIA 18.1 ENQUIRIES A. Supply Chain Enquiries Ms Ntombi Maqhula OR Mr Solomon Motshweni Contact No: (012) 394 3971 /45344 E-mail: Nmaqhula@cipc.co.za OR SMotshweni@cipc.co.za B. Technical Enquiries Ms.Thobile Jiyane – E-mail : TJiyane@cipc.co.za Note : It is the bidder's responsibility to call CIPC if they have any questions that have not been answered via email, as the system may have flagged their email as spam. 18.2 DEADLINE FOR SUBMISSION BIDS OPENING DATE: 11 DECEMBER 2025 BIDS CLOSING TIME: 11: 00 AM COMPULSORY BRIEFING SESSION: 19 JANUARY 2026 @11H00am BIDS CLOSING DATE: 06 FEBRUARY 2026 BIDDERS MUST ENSURE THAT BIDS ARE DELIVERED IN TIME TO THE CORRECT ADDRESS. LATE PROPOSALS WILL NOT BE ACCEPTED FOR CONSIDERATION NB: IT IS THE PROSPECTIVE BIDDERS’ RESPONSIBILITY TO OBTAIN BID DOCUMENTS IN TIME SO AS TO ENSURE THAT RESPONSES REACH CIPC, TIMEOUSLY. CIPC SHALL NOT BE HELD RESPONSIBLE FOR DELAYS IN THE POSTAL SERVICES AND BIDS DEPOSITED IN THE INCORRECT BID BOX. BID PROPOSAL MUST BE HAND DELIVERED TO THE CIPC BID BOX AT THE DTIC MAIN GATE”.AT 77 MEINTJIES STREET, SUNNYSIDE “TOR” AI-powered multi-channel transactional chatbot of 25

Returnable Documents:

Returnable Documents: 2 Advert 4 3 Invitation to Bid CAMBD 1 (Compulsory Returnable Document) 5 - 6 4 Specification / Terms of reference 7 – 41 5 Annexure B – Technical Evaluation 42 – 59 6 Pricing schedules 60 – 79 7 Compulsory Conditions 80 Tax Compliance Status Pin Requirements CAMBD 2 8 81 – 82 (Compulsory Returnable Document) Authority of Signatory (Schedule 1 A) 9 83 – 84 (Compulsory Returnable Document) Compulsory Enterprise Questionnaire (Schedule 1B) 10 85 (Compulsory Returnable Document) 11 Documents of Incorporation (Schedule 1C) (Compulsory Returnable Document) 86 Payment of Municipal Accounts (Schedule 1D) 12 87– 88 (Compulsory Returnable Document) Broad-Based Black Economic Empowerment (B-BBEE) Status Level Certificates (Schedule 1D) (Compulsory Returnable Document) 89 – 90 Work satisfactorily carried out by the tenderer (Schedule 1F) 14 91-92 (Compulsory Returnable Document) 15 Special Condition 93– 96 16 Form of Acceptance & Contract Data 97 – 99 17 General Conditions of Contract 100– 105 18 Declaration of Interest CAMBD 4 (Compulsory Returnable Document) 106 – 109 Declaration For Procurement Above R10 Million (All Applicable Taxes Included 19 110-111 CAMBD 4 (Compulsory Returnable Document) Procurement Points Claim Forms in terms of the Preferential Procurement 20 112– 116 Regulations 2001. CAMBD 6.1 (Compulsory Returnable Document) Contract Rendering of Services CAMBD 7.2 21 117 – 118 (Compulsory Returnable Document) Declaration of Bidder’s Past Supply Chain Management Practices CAMBD 8 22 119– 120 (Compulsory Returnable Document) Certificate of Independent Bid Determination CAMBD 9 23 121 – 123 (Compulsory Returnable Document) CHECK LIST FOR COMPLETENESS OF BID DOCUMENT Reference nr: SCM41/2025/26 2 | P a g e The bidder MUST ENSURE that the following checklist is competed, that the necessary documentation is attached to this bid document and that all declarations are signed:, Completed page containing the details of bidder Yes No, Yes No Specifications & Pricing Schedules - Is the form duly completed and signed?, (CAMBD 2) Are a Tax Compliance status pin attached? Yes No, Yes No (Schedule 1 A) Authority of Signatory - Is the form duly completed and signed?, (Schedule 1B) Enterprise Questionnaire -Is the form duly completed and signed? Yes No, (Schedule 1C) Documents of Incorporation - Is the form duly completed and signed? Yes No, (Schedule 1D) Payment of Municipal Accounts - Is the form duly completed and Yes No signed?, (Schedule 1E) B-BBEE certificate - Is the form duly completed and signed? Is a Yes No certified or an original certificate attached, (Schedule 1F) Schedule of work experience of tenderer- Is the form duly completed Yes No and signed?, Yes No (Schedule 1G) Document/S to Prove the Company Is A Registered ICT Based Entity, (Schedule 1H) Local I.T. Sales and Support Office (WESTERN CAPE) Is the proof Yes No attached?, Schedule 1I) Letter from the “Brand House - Is the proof attached? Yes No, Form of Offer - Is the form duly completed and signed? Yes No, Contract data - Is the form duly completed and signed? Yes No, (CAMBD 4) declaration of interest- Is the form duly completed and signed? Yes No, Yes No (CAMBD 6.1) Preference points claimed- Is the form duly completed and signed?, (CAMBD 8) Signed declaration of bidder's past supply chain management Yes No practices, (CAMBD 9) Prohibition of Restrictive Practices be completed and signed. Yes No, All bids must be submitted in writing on the official forms (not re-typed). Yes No, Bidder must initial every page of this bid document. Yes No CERTIFICATION I, THE UNDERSIGNED (FULL NAME) ............................................................... CERTIFY THAT THE INFORMATION FURNISHED ON THIS CHECK LIST IS TRUE AND CORRECT. Signed ........................................................ Date ................................................. Name ....................................................... Position ................................................. Tenderer ........................................................................................................................................ Reference nr: SCM41/2025/26 3 | P a g e CAPE AGULHAS MUNICIPALITY REQUEST FOR TENDERS MUNICIPAL NOTICE BOARD; MUNICIPAL WEBSITE; NATIONAL TREASURY ADVERTISED ON e-TENDER TENDER NO: SCM41/2025/26 Tenders are hereby ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS invited for: PUBLISHED DATE: 12 December 2025 CLOSING DATE: 13 February 2026 No later than 12H00. Tenders will be opened immediately thereafter, in public at the Cape Agulhas Municipality, CLOSING TIME: 1 Dirkie Uys Street, Bredasdorp. AVAILABILITY OF BID DOCUMENTS: Tender documents are available from Me G Koopman at telephone number 028-425-5500 during office hours or email at geraldinek@capeagulhas.gov.za. Date Available: 12 December 2025 Non-refundable Fee: R 0. 00 BID RULES:, Tenders are to be completed in accordance with the conditions and Tender rules contained in the Tender document., The Tender Document & supporting documents must be placed in a sealed envelope and externally endorsed with: THE TENDER NUMBER; DESCRIPTION & CLOSING DATE OF TENDER., Tender Documents must be deposited in the Tender Box, at Municipal Offices, 1 Dirkie Uys Street, Bredasdorp or posted to reach the Municipal Manager, Cape Agulhas Municipality, PO Box 51, Bredasdorp, 7280., Tenders may only be submitted on the Tender documentation issued by the Municipality., A Tax Compliance status pin as issued by the South African Revenue Service, must be submitted together with the tender., The two-stage bidding process will be followed in evaluating this tender. Firstly, it will be evaluated for functionality and thereafter for price and preference., The Cape Agulhas Municipality does not bind itself to accept the lowest or any tender and reserves the right to accept ant tender, as it may deem expedient., Tenderers are required to be registered on the Accredited Supplier Database (CSD) from the website https://secure.csd.gov.za Suppliers may claim preference points in terms of the 80/20. Price: 80Tenders shall be evaluated in terms of the Cape Specific Goals: (20) Agulhas Municipality Supply Chain Management, B-BBEE Status Level contributor: 10 Policy & Preferential Procurement b) Locality of Supplier: 10 Total Points: 100 Site Meeting / Information Session n/a Validity Period 90 days ANY ENQUIRES REGARDING TECHNICAL ANY ENQUIRES REGARDING THE QUOTING PROCEDURE MAY BE INFORMATION MAY BE DIRECTED TO: DIRECTED TO: Division ICT Division Supply Chain Management Contact Person: Mr Kevin Fourie Contact Person: Ms. G Koopman Tel: e-mail Enquires Only Tel: e-mail Enquires Only E-mail: kevinf@capeagulhas.gov.za E-mail: geraldinek@capeagulhas.gov.za WP RABBETS MUNICIPAL MANAGER PO BOX 51 BREDASDORP 7280 Reference nr: SCM41/2025/26 4 | P a g e CAMBD1 PART A INVITATION TO BID YOU ARE HEREBY INVITED TO BID FOR REQUIREMENTS OF THE CAPE AGULHAS MUNICIPALITY BID NUMBER: SCM41/2025/26 CLOSING DATE: 13 February 2026 CLOSING TIME: 12:00 DESCRIPTION ICT SUPPORT SERVICES AND LICENSING FOR A PERIOD OF 3 YEARS THE SUCCESSFUL BIDDER WILL BE REQUIRED TO FILL IN AND SIGN A WRITTEN CONTRACT FORM (MBD7). BID RESPONSE DOCUMENTS MAY BE DEPOSITED IN THE BID BOX SITUATED AT (STREET ADDRESS CAPE AGULHAS MUNICIALITY 1 DIRKIE UYS STREET BREDASDORP 7280 SUPPLIER INFORMATION NAME OF BIDDER POSTAL ADDRESS STREET ADDRESS TELEPHONE NUMBER CODE NUMBER CELLPHONE NUMBER FACSIMILE NUMBER CODE NUMBER E-MAIL ADDRESS VAT REGISTRATION NUMBER TAX COMPLIANCE STATUS TCS PIN: OR CSD No: B-BBEE STATUS LEVEL B-BBEE STATUS Yes Yes VERIFICATION CERTIFICATE LEVEL SWORN [TICK APPLICABLE BOX] AFFIDAVIT No No [A B-BBEE STATUS LEVEL VERIFICATION CERTIFICATE/ SWORN AFFIDAVIT (FOR EMES & QSEs) MUST BE SUBMITTED IN ORDER TO QUALIFY FOR PREFERENCE POINTS FOR B-BBEE] ARE YOU A ARE YOU THE ACCREDITED FOREIGN BASED REPRESENTATIVE IN SOUTH Yes No SUPPLIER FOR THE Yes No AFRICA FOR THE GOODS GOODS /SERVICES /SERVICES /WORKS OFFERED? [IF YES ENCLOSE PROOF] /WORKS OFFERED? [IF YES, ANSWER PART B:3] TOTAL NUMBER OF ITEMS OFFERED TOTAL BID PRICE R SIGNATURE OF BIDDER .................................... DATE CAPAMUNICIPALITY UNDER WHICH THIS BID IS SIGNED BIDDING PROCEDURE ENQUIRIES MAY BE DIRECTED TO: TECHNICAL INFORMATION MAY BE DIRECTED TO: DEPARTMENT FINANCE: SCM DEPARTMENT ICT CONTACT PERSON Geraldine Koopman CONTACT PERSON Mr Kevin Fourie TELEPHONE NUMBER 028 425 5500 TELEPHONE NUMBER 028 425 5500 E-MAIL ADDRESS geraldinek@capeagulhas.gov.za E-MAIL ADDRESS kevinf@capeagulhas.gov.za Reference nr: SCM41/2025/26 5 | P a g e PART B TERMS AND CONDITIONS FOR BIDDING, BID SUBMISSION: 1.1. BIDS MUST BE DELIVERED BY THE STIPULATED TIME TO THE CORRECT ADDRESS. LATE BIDS WILL NOT BE ACCEPTED FOR CONSIDERATION. 1.2. ALL BIDS MUST BE SUBMITTED ON THE OFFICIAL FORMS PROVIDED– (NOT TO BE RE-TYPED) OR ONLINE 1.3. THIS BID IS SUBJECT TO THE PREFERENTIAL PROCUREMENT POLICY FRAMEWORK ACT AND THE PREFERENTIAL PROCUREMENT REGULATIONS, 2022, THE GENERAL CONDITIONS OF CONTRACT (GCC) AND, IF APPLICABLE, ANY OTHER SPECIAL CONDITIONS OF CONTRACT., TAX COMPLIANCE REQUIREMENTS 2.1 BIDDERS MUST ENSURE COMPLIANCE WITH THEIR TAX OBLIGATIONS. 2.2 BIDDERS ARE REQUIRED TO SUBMIT THEIR UNIQUE PERSONAL IDENTIFICATION NUMBER (PIN) ISSUED BY SARS TO ENABLE THE ORGAN OF STATE TO VIEW THE TAXPAYER’S PROFILE AND TAX STATUS. 2.3 APPLICATION FOR THE TAX COMPLIANCE STATUS (TCS) CERTIFICATE OR PIN MAY ALSO BE MADE VIA E- FILING. IN ORDER TO USE THIS PROVISION, TAXPAYERS WILL NEED TO REGISTER WITH SARS AS E-FILERS THROUGH THE WEBSITE WWW.SARS.GOV.ZA. 2.4 FOREIGN SUPPLIERS MUST COMPLETE THE PRE-AWARD QUESTIONNAIRE IN PART B:3. 2.5 BIDDERS MAY ALSO SUBMIT A PRINTED TCS CERTIFICATE TOGETHER WITH THE BID. 2.6 IN BIDS WHERE CONSORTIA / JOINT VENTURES / SUB-CONTRACTORS ARE INVOLVED; EACH PARTY MUST SUBMIT A SEPARATE TCS CERTIFICATE / PIN / CSD NUMBER. 2.7 WHERE NO TCS IS AVAILABLE BUT THE BIDDER IS REGISTERED ON THE CENTRAL SUPPLIER DATABASE (CSD), A CSD NUMBER MUST BE PROVIDED., QUESTIONNAIRE TO BIDDING FOREIGN SUPPLIERS 3.1. IS THE ENTITY A RESIDENT OF THE REPUBLIC OF SOUTH AFRICA (RSA)? YES NO 3.2. DOES THE ENTITY HAVE A BRANCH IN THE RSA? YES NO 3.3. DOES THE ENTITY HAVE A PERMANENT ESTABLISHMENT IN THE RSA? YES NO 3.4. DOES THE ENTITY HAVE ANY SOURCE OF INCOME IN THE RSA? YES NO 3.5. IS THE ENTITY LIABLE IN THE RSA FOR ANY FORM OF TAXATION? YES NO IF THE ANSWER IS “NO” TO ALL OF THE ABOVE, THEN IT IS NOT A REQUIREMENT TO REGISTER FOR A TAX COMPLIANCE STATUS SYSTEM PIN CODE FROM THE SOUTH AFRICAN REVENUE SERVICE (SARS) AND IF NOT REGISTER AS PER 2.3 ABOVE. NB: FAILURE TO PROVIDE ANY OF THE ABOVE PARTICULARS MAY RENDER THE BID INVALID. NO BIDS WILL BE CONSIDERED FROM PERSONS IN THE SERVICE OF THE STATE. SIGNATURE OF BIDDER: ................................................... CAPAMUNICIPALITY UNDER WHICH THIS BID IS SIGNED: ................................................... DATE: ........................... Reference nr: SCM41/2025/26 6 | P a g e Contents 1 SCHEDULE A – SCOPE OF SERVICES................................................................................................. 9 2 ICT PROFESSIONAL SUPPORT AGREEMENT .................................................................................... 9 3 Support Fees ................................................................................................................................. 11 4 Security ......................................................................................................................................... 12 4.1 Network security, management, monitoring, reporting and notifications services. ........... 12 4.1.1 Network access policy system. ..................................................................................... 12 4.1.2 Cloud Assessment and Monitoring Tool ....................................................................... 16 4.1.3 Cloud Application Activity & Security Monitoring ........................................................ 18 4.2 Compliance ........................................................................................................................... 19 4.2.1 Cyber Security Framework management tool .............................................................. 19 4.3 Dark Web monitoring ........................................................................................................... 22 4.4 Security Audit ........................................................................................................................ 22 4.5 Security Awareness Training & Phishing Simulation Requirements ..................................... 23 4.6 Vulnerability Scanning Tool .................................................................................................. 25 4.7 Penetration Testing ............................................................................................................... 26 4.7.1 PROJECT BACKGROUND ................................................................................................ 26 4.7.2 PURPOSE ....................................................................................................................... 27 4.7.3 SCOPE OF WORK ........................................................................................................... 27 4.7.4 PROJECT DESIGN ........................................................................................................... 29 4.7.5 CONTRACT TERM .......................................................................................................... 30 4.7.6 PROJECT MANAGEMENT ARRANGEMENTS .................................................................. 30 4.8 Security Operations Centre (SOC) ......................................................................................... 30 4.8.1 SPECIFICATION OF REQUIREMENTS .............................................................................. 30 4.8.2 Approach to the delivery of the SOC Managed Service ................................................ 31 4.8.3 Technical Requirements of SOC Solution ...................................................................... 31 4.8.4 Implementation/Project Take-on ................................................................................. 34 4.9 SIEM, Log Management & Security Automation Requirements........................................... 34 4.10 IT Documentation & Knowledge Management Platform Requirements ............................. 35 4.11 Security Component Project Requirements ......................................................................... 35 5 Monitoring, management, and Audit system ............................................................................... 35 SCHEDULE B – TECHNICAL EVALUATION .............................................................................................. 42 1 Organisational requirements ........................................................................................................ 42 1.1 Company requirements ........................................................................................................ 42 1.2 Support staff requirements .................................................................................................. 43 Reference nr: SCM41/2025/26 7 | P a g e 2 Network Access & Security Assessment Tool ............................................................................... 45 3 Cloud Application Activity & Security Monitoring ........................................................................ 46 4 Dark Web Monitoring ................................................................................................................... 48 5 Security Awareness Training & Phishing Simulation Requirements ............................................. 48 6 Penetration Testing functional requirements............................................................................... 50 7 Security Operations Centre (SOC) ................................................................................................. 51 8 SIEM, Log Management & Security Automation Requirements................................................... 52 9 IT Documentation & Knowledge Management Platform Requirements ..................................... 53 SCHEDULE C – FUNCTIONAL REQUIREMENTS ...................................................................................... 56 1 Project approach and technical evaluation .................................................................................. 56 2 The scoring of the tenderer’s experience will be as follows. ........................................................ 59 3 Functionality Criteria evaluation ................................................................................................... 59 SCHEDULE D - PRICING .......................................................................................................................... 60 1 Support Fees ................................................................................................................................. 61 2 Network access policy system. ..................................................................................................... 64 3 Cloud assessment and monitoring tool ........................................................................................ 65 4 Cloud Application Activity & Security Monitoring ........................................................................ 66 5 Compliance ................................................................................................................................... 67 5.1 Cyber Security Framework management tool ...................................................................... 67 6 Dark Web monitoring ................................................................................................................... 68 7 Security Audit ................................................................................................................................ 69 8 Security Awareness Training & Phishing Simulation Requirements ............................................. 70 9 Vulnerability Scanning Tool .......................................................................................................... 71 10 Penetration Testing ................................................................................................................... 72 11 SIEM, Log Management & Security Automation Requirements............................................... 73 12 IT Documentation & Knowledge Management Platform Requirements ................................. 74 13 Security Operations Centre (SOC) ............................................................................................. 75 14 Monitoring, management, and Audit system ........................................................................... 76 15 Pricing Summarized .................................................................................................................. 79 Reference nr: SCM41/2025/26 8 | P a g e ICT SUPPORT SERVICES AND LICENSING, SCHEDULE A – SCOPE OF SERVICES, This tender is based on rates for the period of 36-months., Pricing will be used for evaluation purposes and is estimated based on current ICT network environment., ICT PROFESSIONAL SUPPORT AGREEMENT Cape Agulhas Municipality is awaiting bids on the supplying of ICT Systems / Software and services. These services are inclusive of a range of various ICT related services, and the successful bidder will become the ICT service provider as defined in this document for a term of 36 months starting 1 March 2026. 1.1 SCOPE OF SERVICES – Services, Software & Support must include:, On-site support – including Cyber Security support, 24-hour response time, Hardware Infrastructure, Software Infrastructure (operating systems and the operation of core server/desktop productivity applications on quotation basis)., Access and Authorization (user account and password help, application-level access problem determination, desktop/client security configuration support. E mail and Internet access support in liaison/conjunction with the relevant ISP or any other Service Provider, Local area network design, Wide area network design, Campus area network design, Metropolitan area network design, Other types of network design as may be required., Network Infrastructure – Check and verify basic network connectivity. Cabling, router and switch configurations are excluded., Installation, setup and deployment of new equipment, systems and services., The successful Tenderer must take responsibility for carry-in and carryout of equipment that do not have on-site warranty against the SLA should it be required., Scheduled meetings/reports with nominated ICT personnel to review the SLA performance and usage., Governance Services should include but not be limited the review of, and establishment of policies and procedures inclusive of the following existing: o ICT policies and procedures o ICT Audits – Governance and security audits o ICT Disaster recovery plans o Enterprise Architecture o ICT Maintenance plan o ICT Strategy and implementation plans o Cyber security policies, procedures, strategies and plan development o Public Key Certificates o Mail certificates. o Web certificates o Wild card certificates Reference nr: SCM41/2025/26 9 | P a g e In order to adhere to the Municipalities` policy “ICT Service Level Agreement Management Policy - External Service Provider” the Municipality views end user desktop and server support as a critical component to a client’s business. To achieve and maintain service delivery we have set a generic impact level analysis approach to our support. DEFINITIONS OF IMPACT LEVELS: Impact Level 1 Multiple users are directly affected. Loss of function has a serious and immediate negative impact on the business. Furthermore, no temporary and workable alternative is available to carry on the disrupted activity. Impact Level 2 Limited (two or less) users are directly affected. A temporary and workable alternative is available to carry on the disrupted activity. The disruption of activity/function may have some operational impact, but it is not highly critical. Impact Level 3 New computer, server or system setup to replace an older but still operational. It is a known fact that a system, or component, or software upgrade is required, but the computer is still functional. Setup of computer peripherals, which has no critical impact on the daily activities of users. SERVICE RESPONSE TO EACH IMPACT LEVEL: Response to Impact Level 1 Upon receipt of service call to Help Desk, its staff must attempt to resolve the reported problem over the phone. If the problem is not resolved immediately by the Help Desk, its staff must then immediately contact the Desktop Support Service staff via e mail and cell phone. The assignee of this service call will respond telephonically within one hour or less depending on the degree of emergency. Once the service assignee has assessed the situation, he/she will proceed to attempt remote procedure assistance. Should the situation still remain unresolved the tenderer will send a suitable technician to the site. If the problem is not resolved by the assignee within four hours, the Help Desk staff will escalate the call to the next level by alerting the Coordinator of Desktop Support Service to the situation and the possible need for assistance and/or consultation. The targeted time for problem resolution is regarded as extremely urgent but dependent on mitigating circumstances like client approval, spare parts, equipment availability etc. Response to Impact Level 2 The first response by an assignee from the Desktop Support Service staff must occur within the 4-hour window after the initial service call to the Help Desk, if the problem is not resolved over the phone immediately by the Help Desk staff. The maximum time targeted for problem resolution is within 24 hours (or 3 workdays) by the assignee after the initial service call to the Help Desk. If the problem is not resolved by the assignee within the allowed maximum time, the Help Desk staff must escalate the call to the next level by alerting the Coordinator of the Desktop Support Service to the situation and the possible need for assistance and/or consultation. Reference nr: SCM41/2025/26 10 | P a g e Response to Impact Level 3, The first response by an assignee from the Desktop Support Service must occur within 4 hours after the initial service call to the Help Desk., Subject to the client’s approval, equipment and spare part availability, the specific targeted maximum time for problem resolution or service request is 5 working days (40 hours)., An e-mail reminder must be sent to the assignee of the Desktop Support Staff and its Coordinator at the end of day one after the initial service call to the Help Desk, regardless of if the problem or service request has been taken care of. The customer will be kept duly informed by the account manager of the status quo., If the problem or service request has not been addressed in 5 working days after the initial service call to the Help Desk, this open ticket must be escalated to the attention of the Director of the successful company for his/her action. OTHER INFORMATION:, Hours of operation of the Help Desk must be at least: 8:00 A.M. to 5:00 P.M., Monday to Friday., For after hour emergencies including weekends the Municipality must be provided with contact names and cell numbers., Users must be able to contact the Help Desk via telephone, voice mail, e-mail or ticketing system in person at any time including after hours., Such service calls should be automatically queued and handled in the sequence of their occurrence., The Help Desk must be responsible for assigning each unresolved service call ticket to a staff member of the Desktop Support Service and for logging and tracking of each assignment., The assignee of each service call ticket must inform the user through phone or e-mail of the status of the problem resolution. Server crash and software reloads must be done on a quotation basis and in accordance with the Municipalities` procurement policies., IT Support Call Logging procedure –must be clearly identified and communicated to the Municipality. A username (which must be provided) is required when logging a call via email. Login details must be given to Municipal users via email, WhatsApp and/or SMS., Support Fees ICT Support may be required from time to time covering the Scope of work and any other ICT related professional, security, audit or Governance support services, evaluations, or implementation plans. In lieu of these requirements rates are required for these services. Ad hoc projects may be required from time to time to which to following will then apply: (ii) The successful Tenderer must submit a quotation for approval before commencement of any chargeable service linked to the tendered amounts as per section above. Reference nr: SCM41/2025/26 11 | P a g e, Security 4.1 Network security, management, monitoring, reporting and notifications services. 4.1.1 Network access policy system. Cape Agulhas Municipality is awaiting a proposal on ICT security services, including best efforts detection, investigation, monitoring and remediation of misuse and abuse of network resources occurring behind the corporate firewall based upon agreement and implementation of a set of best practices security Policies and Procedures. These monitoring Policies and Procedures should include but may not necessarily be limited to the following: Access Control Policies, Authorization of new Devices to be Added to Restricted Networks Restricted networks should be tightly controlled to conform to strict network change management policies and procedures. Implementing security controls and applying consistent policies can help protect the organization from these security threats. We need to receive an alert with recommended actions to be taken when new devices have been added to any network segment designated as restricted., Investigate Suspicious Logons by Users Computer user login attempts by a particular user that are made outside of normal time frame patterns or from an unusual location indicates behaviour consistent with unauthorized user access or malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. It is possible that an account may have been compromised., Investigate Suspicious Logons to Computers Attempts to access a computer using login credentials not normally associated with that particular computer could point to unauthorized user access or use of malicious software. When this event is detected, we need to receive an email alert warning of the suspicious activity with recommended actions to be taken. In such an instance it is possible that an account may have been compromised., Strictly Control the Addition of Printers Network printers are vulnerable to security risks just like computers. Connecting to and printing from an unauthorized printer can lead to information loss. Anytime a new printer is found on the network, we need to receive an alert notifying us with recommended actions to be taken to ensure that it is authorized to prevent any potential threat., Restrict Access to Computers with specified roles viz, financial to Authorized Users Computers in the network that are used to transmit, process, or store accounting/financial information and other sensitive financial records should only be accessed by authorized users. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. However, we still need to know when unauthorized users attempt to access sensitive systems and login to one of these machines. We need to receive an email alert when unauthorized user attempts to login to one of these accounting/financial computers with recommended actions to be taken., Restrict Access to IT Admin Only Restricted Computers to IT Administrators Domain controllers, web servers, database servers, and mail servers should only be accessed by users who are IT Administrators. These devices are critical to the normal operation of the business. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need to receive an alert with recommended actions when a user who is not an IT Administrator attempts a login to a computer designated for only IT Administrator access., Restrict Access to Business Owner Type Computers to Authorized Users Computers in the network that are designated as "Business Owner Type Computers" may only be accessed by authorized users. These devices often contain confidential, privileged, and other private and sensitive records and should only be accessed by authorized users. Trying to prevent users from accessing these resources through group policies, restricted logons and other network "hardening" is best practice. We need receive an email alert with recommended actions when unauthorized users attempt to login to one of these computers that are designated as a "Business Owner Computer." Reference nr: SCM41/2025/26 12 | P a g e, Restrict Access to Systems in the Cardholder Data Environment (CDE) to Authorized Users Cardholder Data Environment (CDE) system components that access, use, or maintain Cardholder Data. Only workforce members or business associates who have been authorized to have access to specified Cardholder Data, in accordance with the requirements set forth may access and work with the associated Cardholder Data. We need to receive email alerts with recommended actions to be taken when suspicious or potentially unauthorized users log into computer designated as containing Cardholder Data., Restrict IT Administrative Access to a Minimum Administrator access rights to computers and other IT resources should be limited to users who have been authorized to this level of system access to perform their role. The Administrator account is the most powerful account on the network, holding the "keys" to the business infrastructure. We need to receive an alert with recommended actions to be taken after a user account has been provided with Administrator rights on the network or a new user has been created with administrator rights. This is to ensure we can verify authenticity of the user access level and minimize Administrator level access to the minimum number of people necessary., Restrict Users that are Not Authorized to Log into Multiple Computer Systems Computer users, in general, are assigned a specific machine for use in performing their business duties. We need to identify users who should only log into a single computer. When a single desktop user logs into multiple computers, their behaviour is viewed as suspicious and should be investigated further. We need to start receiving email alerts with recommended actions to be taken when tagged users log into more than one computer., Strictly Control the Addition of New Local Computer Administrators An important part of securing our network is managing the users and groups that have administrative access. When a user account is added to a computer and this account is assigned administrator rights, we need to receive an email alert with recommended actions., Strictly Control the Addition of New Users to the Domain The addition of new users to the network should be strictly controlled. An important part of securing our network is managing the addition of new users. Any time a new user account has been identified as being added to the network, verify that the new account was authorized. We need to receive an email alert with recommenced actions when a new user account has been added to the network., Strictly Control the Removal of Users from the Domain The removal of users from the network is to be strictly controlled. Any time a user account has been identified as being removed from the network, we need to receive an email alert with recommended action when a user account has been removed from the network., Strictly Control the Creation of New User Profiles User profiles are created when users access systems for the first time. The appearance of new user profiles indicates successful access to systems. Monitoring the creation of new profiles allows detection of access. Any time a new user profile has been identified as being added to the network we need to receive an email alert with recommended action. Computer Policies, Changes on Locked Down Computers should be Strictly Controlled. There are some computers in a network where we want to be alerted of any changes to the system that are significant. These can be important systems like Domain Controllers, Exchange Servers, or servers where we have strict change management. We need to receive email alerts with recommended actions of computers designated as "locked down" meaning they should not be tampered with., Install Critical Patches for DMZ Computers within 30 Days Computers in the DMZ are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. We need to receive an email alert with recommendations when a threat to a DMZ Computer, results from critical patches not being installed. Reference nr: SCM41/2025/26 13 | P a g e, Install Critical Patches on Network Computers within 30 Days Computers on the network are highly susceptible to malicious attacks and software if left vulnerable due to critical patches not being applied on a timely basis. A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes security vulnerabilities and other bugs to improve the usability or performance of the program. We need to receive an email alert arising from vulnerabilities that are a result of critical patches not being timely installed., Restrict Internet Access for Computers that are Not Authorized to Access the Internet Directly Computers on a network should be prevented from having direct access to the Internet. These can be important systems like accounting systems, systems storing PII, or Cardholder Data, or computers used to perform other sensitive business functions. We need to receive an email alert with recommended actions if at any time designated computers can access the Internet directly and not via the authorized network and Firewall., Strictly Control the Clearing of System and Audit Logs The clearing of logs can be used a forensic countermeasure and should be strictly controlled. Only authorized personnel with a justifiable reason should ever clear event logs manually. Any clearing of an event log should be verified to determine if it was authorized. We need to receive an email alert with recommended action when any system or audit log is cleared., Enable automatic screen lock on computers with sensitive information. Automatic screen lock should be enabled on all computers containing sensitive information to prevent unauthorized access. We need to receive an email alert with recommended action if there are devices with sensitive information that does not have the Automatic screen lock enabled., Enable automatic screen lock for users with access to sensitive information. Automatic screen lock should be enabled on all computers accessed by users who have access to sensitive information. We need to receive an email alert with recommended action if there are users that have access to sensitive information that does not have the Automatic screen lock enabled on their device. Data Security Policies, Only store Personally Identifiable Information (PII) on systems marked as sensitive. Personally Identifiable Information (PII) should only be stored on systems specifically marked as containing sensitive information. These systems should have additional safeguards and controls to prevent unauthorized access. We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but has PII data stored on it., Only store cardholder data on designated systems Cardholder Data should only be stored on systems specifically marked as part of the Cardholder Data Environment (CDE). These systems should have additional safeguards and controls to prevent unauthorized access. We need to receive an email alert with recommended action if there are any devices that are marked sensitive without the additional safeguards and controls in place. We need to receive an email alert with recommended action if there are any devices that are not marked as sensitive but has Card Holder data stored on it., Detect malicious software and potential security breaches (Breach Detection System) We currently have Sophos Central Intercept X Advanced for Endpoint. However, as an additional layer of security we require an independent scan to detect any possible malicious software and potential security breaches. If any detections are detected, we need to receive an email alert with recommended action. Network Security Policies, Detect Network Changes to Internal Networks Monitoring changes to a private network assist in identifying potential security concerns. Anytime a new device is connected to or disconnected from a network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or possible theft of equipment. Reference nr: SCM41/2025/26 14 | P a g e, Detect Network Changes to Internal Wireless Networks Monitoring changes to a private wireless network assist in identifying potential security concerns. Anytime a new device is connected to or disconnected from a wireless network, we need to receive an email alert with recommendation notifying us of the potential rogue device connection or potential theft of equipment. Identified "guest" wireless networks should not generate alerts., Only Connect to Authorized Wireless Networks Connections to "unauthorized" wireless networks may lead to data loss from unwanted information disclosure. Any time a user connects to a network using an "unauthorized" wireless connection, we need to receive an email alert with recommendation., Remediate High Severity Internal Vulnerabilities Immediately (CVSS > 7.0) Any identified Internal Vulnerabilities assigned a CVSS Score of 7.0, or higher, represent potential high severity threats and should be remediated immediately. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When high severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve., Remediate Medium Severity Internal Vulnerabilities (CVSS > 4.0) Any identified Internal Vulnerabilities assigned a CVSS Score of 4.0, or higher, represent potential medium severity threats and should be remediated as soon as possible. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores range from 0 to 10, with 10 being the most severe. When medium severity internal vulnerabilities are found, we need to be notified with an email alert with recommendation to resolve., Strictly control DNS on Locked Down Networks Changes in DNS entries in networks that are locked down should be strictly controlled. Additions may indicate unauthorized devices connecting to the network. Other changes may indicate other issues including theft and should be investigated. We need to be notified with an email alert with recommendation to resolve., Strictly control changes to Group Policy Group Policies are used to configure computer and user settings. Due to their ability to affect the security settings throughout the network, any changes to Group Policy Objects (GPOs) should be strictly controlled. We need to be notified with an email alert with recommendation to resolve., Strictly control changes to the Default Domain Policy The Default Domain Policy is applied to all computers and users in the domain by default. New computers and users will be assigned the Default Domain Policy until they are assigned specific policies. Any changes to the Default Domain Policy should be strictly controlled to prevent introducing security vulnerabilities. We need to be notified with an email alert with recommendation to resolve. Reference nr: SCM41/2025/26 15 | P a g e 4.1.2 Cloud Assessment and Monitoring Tool Cape Agulhas Municipality is awaiting a proposal on Microsoft Cloud assessment and monitoring system as a service. This is required to manage and assess risk across our entire Microsoft Cloud Environment. 1 The system should assess and document at least the following components:, Microsoft 365 Cloud Services o Office 365 o Teams o SharePoint o OneDrive (no need to scan file content) o Outlook/Exchange (no need scan email content), Microsoft Azure Cloud Services o Azure Active Directory 2 Reporting Reporting is required on at least the following areas is required through this system., Assessments on Azure AD The Azure AD Detail Report must go through the entire Azure Active Directory environment and document all organizations, domains and support services that are turned on for the AD environment. Every detail must be presented in line-item fashion in an editable report document including installed special applications, web URLs to those apps, organizational contacts, distribution lists, proxy addresses, Microsoft service plans and SKUs being used, groups, users, permissions, devices and more. The report must be organized by section with a table of contents to help us locate the specific findings of interest and problem areas must be highlighted in red, making it easy to spot individual problems to be rectified., SharePoint assessments The SharePoint Assessment Report must be a detailed assessment that shows the total number of sites started under management, how many active SharePoint sites there are, what storage requirements there are and include daily trends in the number of sites and storage usage. It should then take the site collections and breaks down all the individual sites so that we can understand what is being published in each, how they are organized, and even what groups they contain. Among other things, the report must help us understand growth trends and better predicts backup needs., One Drive Usage reports The OneDrive Assessment Report must provide a high-level summary report of all OneDrive usage. This overview report must give us a solid handle on how the OneDrive platform is growing and look for spikes in that growth that need to be managed. It also need to look for spikes in activity that may need to be investigated. The report must provide trends over of 30-, 60-, and 90-day increments to give us a solid indicator of storage and bandwidth utilization., Outlook Mail Activity reports The Outlook Mail Activity Report must provide deep dive information about Office 365 usage. The Outlook Mail Activity Report must provide a high-level summary of what emails are being sent and received by our top 10 active senders and active receivers for the reporting period. This report is meant to be run month- over-month to identify the power users who may need more capacity and which mailboxes are not being read at all and likely represent recently inactive users that need to be cleaned up. Reference nr: SCM41/2025/26 16 | P a g e, Microsoft Teams assessments The Microsoft Teams Assessment Report must provide detail about each team in the system, including who the owners are, what channels they have and what kind of user identity audits have been conducted on the channels. There must be individual entries that can be used for audits of the member settings, the guest settings, the message settings, the fun settings and the tab settings. This information must include other types of misconfigurations that might cause security problems, such as having guest members that may have the ability to remove and delete channels., Microsoft Cloud Security Assessments The Microsoft Cloud Security Assessment report must bring together all the security aspects of Microsoft Cloud under one umbrella. It should not only include our own Microsoft Control Score and Secure Score from Microsoft but also show our trending against the average score of our peers., Microsoft Cloud Configuration Change reports The Microsoft Cloud Configuration Change Report must be a very detailed technical report that identifies entity and configuration changes. The changes must be grouped by properties, showing the old values vs. the new values, and then the changes must be grouped together into bands. This report must give us the ability to look at a group of changes together, as well as see how all the properties have changed for that time-period., Cloud Risk report The Cloud Risk Report must span over all the Microsoft Cloud components. It must include an overall Risk Score, an overall Issues Score, as well as a summary list of issues discovered. The issues must come from both the Microsoft controls as well as other best practices. It must identify specific risks that are due to misconfigurations as well as risks created from turning on or off specific running components., Cloud Management plan The Cloud Management Plan must take issues identified in the Risk Report, organizes them by severity and includes specific recommendations on how to remediate them. The report’s information must be pulled directly from the Microsoft controls from multiple Cloud components, including SharePoint, OneDrive, Teams, Azure AD itself. It must also identify other types of issues related to misconfigurations and operations., Compensating Control Worksheets The report is required to present the details associated with security exceptions and how Compensating Controls will be or have been implemented to mitigate risks in the cloud environment. This is required to explain and document why various discovered items are possible false positives. The Compensating Controls Worksheet does not alleviate the need for safeguards but must allow for describing of alternative means of mitigating the identified security risk as reference. Reference nr: SCM41/2025/26 17 | P a g e 4.1.3 Cloud Application Activity & Security Monitoring The Municipality requires a comprehensive cloud application activity and security monitoring service to provide continuous visibility, alerts, and reporting across their cloud environment. The service should detect, investigate, and report on unauthorized, anomalous, or risky activity related to user accounts, privileged roles, authentication events, and sensitive data handling. The following features must form part of the solution. User & Identity Monitoring It must have the ability to tracks user account creation, login activity, privileged account changes, and account credentials usage across cloud applications. The platform must collect behavioural telemetry to detect anomalies and unauthorized access. Threat Detection It must provide for pattern-based detection and machine learning to identify threats such as compromised credentials, impossible travel logins, external device access, shadow accounts and risky file activity. Automated Remediation The solution must make provision for automated responses: locking compromised accounts, terminating risky file shares, and enforcing policy driven actions to stop threats swiftly. Event Logging & Application Monitoring It must have the ability to monitor SaaS application usage and logging across integrations with major platforms (e.g., Microsoft 365, Google Workspace, Salesforce, Okta). Enables visibility into events across organisational SaaS estate. Reporting & Visibility It must provide dashboards and reporting aligned to user behaviour, risk posture and threat events. Enables demonstration of security value and oversight of cloud application security posture. Integration & Extensibility It must integrate with major SaaS platforms, identity systems, RMM/PSA tools (including that on offer in section 4; Monitoring, management, and Audit system, of this tender request), and security stacks. It must support workflow integration and centralised investigation and response. Architecture requirements The solution must be provided as a cloud service, accessible anywhere, to make provision for scalability, continuous updates, and centralised management of SaaS application security. Reference nr: SCM41/2025/26 18 | P a g e 4.2 Compliance 4.2.1 Cyber Security Framework management tool Cape Agulhas Municipalities’ Information Security approach serves as a comprehensive framework aimed at safeguarding our digital landscape and preserving the integrity of sensitive information. Aligned with the principles of Enterprise Architecture (EA), our approach ensures a cohesive integration of information security practices within our broader ICT Strategy. In line with this Cyber Security Framework (CSF) approach the Municipality wish to obtain a Cyber Security Framework Management Tool to include from a CSF perspective at least NIST CSF, NIST 800-171, CIS Controls V8, and others. The system must show a clear alignment of best practices, and other standards to the likes of at least ISO 27001, ITIL and COBIT. The system must also show alignment between the CSF and POPIA., Standards The System and Support Services related to this must allow for at least the following standards:, CIS Controls v8, Cyber Insurance Readiness, Essential 8, ISO 27001 & 27002, NIST CSF 2.0, System functional requirements The system must provide for a logical workflow for assessment purposes of compliance against the standard or set of standards chosen by the Municipality, considering the standards above., Standards Assessment Progress, Control Assessment Progress, Task summary of completed and outstanding actions., Show a list of tasks with details as to what it entails, with links to correspondent section in workflow., Controls and Standards selected. Each Control have a set of requirements to comply thereto. The online system and portal provided must cater for a set of requirements that each Control must adhere to. These requirements must clearly be defined to facilitate in the compliance of the relevant Standard., Controls section, Here the standards selected must be shown, information included must at least be:, Identifiable key or ID, Name of each Control Brief Description thereof., Alignment to relevant Standard/requirement ID must be shown. ii. Provide in this section the ability to add own controls., Requirements Section, Each requirement standard as aligned to the control must provide information and guidance to include the following: Reference nr: SCM41/2025/26 19 | P a g e

8.1. These Special Conditions of Contract shall supplement the General Conditions of Contract. Whenever there is a conflict, the provisions herein shall prevail over those in the General Conditions of Contract and SLA entered. 8.2. The successful bidder (transactional advisor) will be required to enter into a service level agreement (SLA) with the City before commencement with any work. 8.3. This bid and all contracts emanating there from this bid will be subject to the General Conditions of Contract (GCC). The Special Conditions are supplementary to those of the General Conditions of Contract. Where, however, the Special Conditions of Contract conflict with General Conditions of Contract, the Special Conditions of the Contract prevail. 8.4. Shortlisted bidders may be invited for a presentation. 8.5. The successful bidder will be expected to develop and submit the technical methodology that must outline the approach and plan of the successful bidder in implementing the deliverables of this bid. The technical methodology will form part of the basis for service level agreement content and project charter. The technical methodology must be agreed upon and approved by the City’s technical team before any commencement with the work. 8.6. No service may be provided without an official purchase order. 8.7. Failure to comply with any of the conditions and special conditions may lead to termination of the contract. 8.8. In the case of a joint venture or consortium bid for the tender, an agreement of the parties should be submitted, and relevant documents submitted. A team constituted for the sake of submission should be maintained when the bidding is successful. 8.9. Following appointment, the successful service provider shall submit a letter to the City of Tshwane confirming the composition of the team members as per bid submission or equivalent team members with similar credentials, failure shall lead to immediate termination. 8.10. A successful bidder will receive a written notification of appointment through email from the COT Supply Chain Management, and no payment or compensation is required from the bidder. The City will not be liable for misrepresentation as result of solicitation of inducement or bribe. 8.11. All Bidders must continuously monitor amendments that may be made on the City the e-Tender website for the above bid. The City will not be held liable/responsible if Tenderers do not view responses to questions/queries/comments which were posted on the e-Tender portal and the City’s website. 8.12. The expected team should jointly be led by a Professional Commercial Legal Advisor or an Economics/Finance Advisor. The technical team should be led by the professional registered Electrical/Mechanical Engineer with ECSA and Professional Project Manager/ Registered with the South African Council for the Project and Construction Management Profession (PrCPM). 8.13. The following are proposed and expected Transactional Advisors team members. NUMBER PROFESSIONAL LEGAL AND FINANCIAL SERVICE 1 Commercial legal/Law professional 2 Economics/ Finance professional (SAICA. SAIPA, CIMA) 3 PROFESSIONAL TECHNICAL TEAM 4 Professional Project Management (SACPCMP) 5 Professional Town Planning (SACPLAN) 6 Professional Architectural (SACAP) 7 Professional Civil/Structural Engineer (ECSA) 8 Professional Electrical Engineer (ECSA) 9 Professional Mechanical Engineer (ECSA) 10 Professional Quantity Surveyor (SACQS) 11 Professional Property Valuer (SACPVP) Professional Environmental Specialist (Registered EAP/ Pr. Sci. Nat) The Environmental Assessment Practitioners Association of South Africa (EAPASA) The Council for Natural Scientific Professions (SACNASP) 13 Heritage Specialist 14 MFMA Procurement Specialist 8.14. An experienced bidder in providing professional advice on local government guided by municipal legislation, especially on contract management, will have added advantage. 9. DURATION OF APPOINTMENT OF TRANSACTION ADVISOR 9.1. The deliverables set out under these terms of reference will be guided by the proposed period and will be part of the agreement between the City and the successful Transactional Advisor. In addition, the Transaction Advisor is required to provide a project plan with timeframes (Technological methodology) as part of their proposal to be submitted before commencement with any work to the CoT’s project team. Details of these milestones and mandatory deliverables, and schedule must be agreed with the successful TA before commencement of any work. And will be enforced through service level agreement to be signed with the successful bidder. 9.2. The TA’s appointment will commence as soon as the contract has been signed and end once financial close is reached with the successful bidder, it is expected that the duration of advisory services (TA) required by the city will be for period of three years (36 months). 10. INFORMATION Additional information as may be deemed appropriate must be submitted. 11. ADDING VALUE It is expected that potential service providers will critique the brief with the purpose of adding value where possible in the proposal to be submitted. Thus, the onus is on the service provider to add value to the brief in terms of their special competencies. 12. COST OF SUBMISSION OF PROPOSAL The City is not responsible for any costs incurred by the service providers in the process of developing the proposals. The submitted budget (tendered prices) for this service must incorporate all expenses to be incurred by the service provider. 13. OWNERSHIP OF INTELLECTUAL PROPERTY RIGHTS The ownership of all Intellectual Property Rights associated with this work will be vested within the City, for its exclusive use, or for use by the City of Tshwane Group Property, Energy and Electricity Business Unit, Group Financial services and Group Legal Services. Whereas any other stakeholder requires the City’s prior consent to use all work developed within the assignment.