Cyber security monitoring & managed detection and response (mdr) services for sacaa’s trend micro croc (3-Year contract)

Closing date: 24 June 2026 at 11:00. Clarification queries deadline: 17 June 2026 (submit to [email protected]). Bid validity period: 180 days from closing date. No briefing session.

All enquiries must be submitted in writing to: [email protected]. For office park access codes: Betty Monyeki (082 885 4270) or Cynthia Motaung (083 461 6534). Bidding procedure/technical enquiries: Ntombizodwa Duma (011 545 1262, [email protected]). Submission address: BID BOX MARKED 2, SACAA Bid Committee, South African Civil Aviation Authority, Byls Bridge Office Park, Olievenhoutbosch Road & Jean Ave, Centurion, 0157.

Submit bids in a three-envelope system: Envelope 1 (mandatory documents), Envelope 2 (technical proposal - 1 original + 1 copy), Envelope 3 (pricing schedule - 1 original + 1 copy). Deposit all envelopes in the BID BOX MARKED 2 at SACAA Head Office, Byls Bridge Office Park, Olievenhoutbosch Road & Jean Ave, Centurion, 0157 by 11:00 on 24 June 2026. Late bids or submissions to incorrect boxes will be disqualified. No electronic submissions (email, fax, etc.) accepted. Amendments must be submitted with the original bid in a separate envelope marked 'Amendment to bid' before the deadline. Prior access code arrangement is required for office park entry: contact Betty Monyeki (082 885 4270) or Cynthia Motaung (083 461 6534). Bids must be neatly bound; no USBs/memory sticks accepted. All documents must be in English. Bid validity period: 180 days from closing date.

Evaluation follows a 3-phase process: Phase 1 (Mandatory SCM Compliance): Verify completeness of SBD1, SBD3, SBD4, SBD6.1, CSD registration, tax compliance (TCS PIN or CSD number), B-BBEE certificate/affidavit, and no state-employed directors. Non-compliance disqualifies the bid. Phase 2 (Functionality - 100 points, min 70 required to advance): Company References (20-40 points: 3+ contactable CROC/MDR references from last 4 years), Methodology (10-20 points: incident response, threat hunting, escalation, industry standards alignment), Ability to Support Proposed Infrastructure (40 points: 1x CISM, 1x CEH, 4x ISC2 Cybersecurity, 4x Trend Micro Platform Advanced certifications; min 10 employees, no dual roles). Phase 3 (80/20 Preference Points): 80 points for price (lowest bid = 80, others scaled via formula Ps = 80(1 - (Pt-Pmin)/Pmin)), 20 points for B-BBEE (Level 1=20, Level 2=18, Level 3=14, Level 4=12, Level 5=8, Level 6=6, Level 7=4, Level 8=2, Non-Compliant=0). SACAA reserves the right to award to empowerment companies or joint ventures with empowerment partners.

Provide 24/7/365 Cyber Risk Operations Center (CROC) services using SACAA’s existing Trend Micro ecosystem (Trend Vision One platform). Services include: Managed Detection and Response (MDR): 24/7 monitoring across endpoint, server, email, network, identity, cloud; AI/ML-based correlation; IoC/IoA sweeping; MITRE ATT&CK aligned detection; full investigations (attack vector, lateral movement, dwell time); response actions (endpoint isolation, process termination, memory dumps, remote shell, email quarantine, URL/IP/file hash blocking); threat hunting (indicator-based, behavioural, MITRE TTP, anomaly detection); severity escalation (Urgent: 24h updates, Critical: 1h notification, Major: correlation required, Minor: logged). Platform Administration: Daily health checks; policy creation/tuning; troubleshooting ingestion gaps; weekly/monthly/on-demand reporting; up to 10 SOAR playbooks annually; quarterly posture reviews. All platform admin personnel must be South Africa-based. Managed Risk (CREM): Enterprise-wide risk scoring; high-risk device/user/workload identification; weekly remediation guidance; posture tracking; executive reporting. Security Awareness Training: Monthly phishing simulations; quarterly training modules; behaviour-based user risk scoring; completion/risk improvement reporting. Incident Response: Logging, categorisation, prioritisation (per SACAA Priority Matrix), evidence collection, attack chain reconstruction, containment recommendations, post-incident reviews. Monitored Environment: Ingest and correlate telemetry from SACAA’s Azure, cloud, and on-prem systems (e.g., API Connections, App Services, Cosmos DB, Key Vaults, Virtual Machines, Networks) into Trend Vision One (SIEM, analytics, SOAR). Additional Credit Requirements: Provide extra ingestion and retention credits for 6-month data retention. Third-party SIEMs may only complement, not replace, Trend Vision One.

Bidders must submit a comprehensive, fully documented methodology outlining their approach to: Incident Response (alignment with industry standards, capability), Threat Hunting, Escalation Methodology. This section is worth 10-20 points in the functionality evaluation.

Submit pricing in ZAR only, using the official SBD3 form (not re-typed). Include: Ceiling price (total estimated cost for all phases, inclusive of VAT); hourly and daily rates for all personnel; cost per phase with man-days; travel expenses (actual costs only, proof required; >40km round trips reimbursed for non-monitoring staff); other expenses (e.g., accommodation, reproduction) with proof. Specify if rates are firm for the contract period or subject to adjustment (e.g., CPI). Deviation from the prescribed format may disqualify the bid. Offer must remain valid for 180 days from closing date.

Pricing must be in South African Rands (ZAR), firm for the contract period (3 years), and inclusive of VAT. Submit a detailed price schedule (SBD3) with: Ceiling price for total estimated time/completion of all phases; hourly/daily rates for all personnel involved; cost per phase and man-days; travel expenses (actual costs only, proof required; >40km round trips reimbursed for non-monitoring staff); other expenses (e.g., accommodation, reproduction) with proof. Deviation from the prescribed pricing schedule format may disqualify the bid. Payment terms: Certified invoices required for all expenses. Contract validity: 180 days from closing date. SACAA reserves the right to reject non-responsive or incomplete price lists.

Mandatory: Registration on Central Supplier Database (CSD) with valid supplier number. Tax Compliance: Submit TCS PIN (from SARS) or CSD number. For consortia/joint ventures/sub-contractors, each party must submit separate TCS/CSD proof. Foreign bidders: Confirm RSA tax liability if applicable; if no RSA presence, TCS PIN not required. B-BBEE: Submit verification certificate or sworn affidavit (EMEs/QSEs). Non-compliance = 0 points for Specific Goals. Disqualification: Bidders with directors/members/partners employed by the state; listed in Tender Defaulters Register or Restricted Suppliers List; collusion or corrupt practices (SBD4 declaration required). Mandatory Documents: SBD1 (Invitation to Bid - completed/signed), SBD3 (Pricing Schedule - completed), SBD4 (Bidder’s Disclosure - completed/signed), SBD6.1 (Preferential Procurement Points - completed/signed). Failure to submit any mandatory document renders the bid non-responsive.

Environmental requirements are limited to cybersecurity threat detection: Provider must deliver indicator-based threat hunting, behavioural and Indicator of Attack (IOA) hunting, MITRE TTP (Tactics, Techniques, Procedures) hunting, and anomaly/environmental drift detection as part of the MDR service.

Contract duration: 3 years. Dispute resolution: Negotiation (10 days) → Mediation (15 days, via Arbitration Foundation of Southern Africa) → Arbitration (15 days, expedited, via AFSA). Arbitration held in Centurion, South Africa, in English, under South African law. Arbitrator’s award is final and binding; can be made an order of court. Parties may seek interim court relief (interdict/mandamus) for urgent matters. SACAA reserves rights to: amend bid conditions/validity/specifications or extend closing date; reject lowest bid; award to empowerment companies or joint ventures; award in part/whole or withdraw without reasons; conduct site visits. Bid validity: 180 days from closing date. Withdrawal or failure to fulfill contract may result in liability for additional costs or set-off against monies due. SACAA’s interpretation of bid documents is final in case of discrepancies.

Bidders are evaluated under the Preferential Procurement Policy Framework Act, 2000 and Regulations, 2022. Phase 1: Mandatory SCM compliance (CSD registration, tax compliance, B-BBEE proof, SBD forms). Phase 2: Functionality (100 points, min 70 to advance): Company References (20-40 points for 3-5+ CROC/MDR references from last 4 years), Methodology (10-20 points for incident response, threat hunting, escalation, industry standards), Ability to Support Infrastructure (40 points for certifications: 1x CISM, 1x CEH, 4x ISC2 Cybersecurity, 4x Trend Micro Platform Advanced; min 10 employees). Phase 3: 80/20 Preference Points: 80 for price (Ps = 80(1 - (Pt-Pmin)/Pmin)), 20 for B-BBEE (Level 1=20 to Non-Compliant=0). SACAA may award to empowerment companies or joint ventures with empowerment partners.