Shared Services partagés Services Canada Canada

Title – Sujet Secure Portal Reengineering Project – Horizontal Portal COTS Product with Access Control Module

Solicitation No. – N° de l’invitation Date RETURN BIDS TO / 18-75403 December 18, 2018 RETOURNER LES SOUMISSIONS À Client Reference No. – N° référence du client 100341033 C/O Dimeji Temidire Senior Procurement Officer File No. – N° de dossier Bid Receiving N/A Shared Services Canada | Services partagés Time Zone Canada Solicitation Closes – L’invitation prend fin Fuseau horaire 180 Kent St., 13th Floor, 13-107 at – à 2:00 PM Ottawa, ON, K1P 0B6 on – le January 28, 2019 Eastern Daylight Time (EDT) REQUEST FOR PROPOSAL / D.D.P. - R.D.A. DEMANDE DE PROPOSITION Plant-Usine:  Destination:  Other-Autre:  Address Inquiries to : - Adresser toutes questions à: Buyer Id – Id de Proposal To: Shared Services Canada Dimeji Temidire l’acheteur We hereby offer to sell to Her Majesty the Queen Telephone No. – N° de téléphone : in right of Canada, in accordance with the terms 613-618-2048 CCP and conditions set out herein, referred to herein Email Address for Bid Submission - Courriel FAX No. – N° de FAX or attached hereto, the goods, services, and [email protected] construction listed herein and on any attached Not applicable sheets at the price(s) set out thereof. Delivery required - Livraison exigée Delivered Offered – Proposition aux: Services partagés Canada See Herein Livraison propose Nous offrons par la présente de vendre à Sa Majesté la Reine du chef du Canada, aux Destination – of Goods, Services, and Construction: conditions énoncées ou incluses par référence Destination – des biens, services et construction dans la présente et aux annexes ci-jointes, les Ontario, Canada biens, services et construction énumérés ici sur toute feuille ci-annexées, au(x) prix indiqué(s)

Comments - Commentaires

This document contains a Security Vendor/firm Name and address Requirement Raison sociale et adresse du fournisseur/de l’entrepreneur

Issuing Office – Bureau de distribution Shared Services Canada / Services partagés Canada Procurement and Vendor Relationships 180 Kent Street Name and title of person authorized to sign on behalf of Vendor/firm 13th Floor (type or print)- Ottawa, Ontario Nom et titre de la personne autorisée à signer au nom du fournisseur/de K1P 0B5 l’entrepreneur (taper ou écrire en caractères d’imprimerie)

Signature Date

Page 1 of 55 Shared Services partagés Services Canada Canada

SHARED SERVICES CANADA

BID SOLICITATION Secure Portal Reengineering Project – Horizontal Portal COTS Product with Access Control Module

TABLE OF CONTENTS

PART 1 GENERAL INFORMATION ...... 5 1.1 Introduction ...... 5 1.2 Overview ...... 5 1.3 Debriefings ...... 5 PART 2 BIDDER INSTRUCTIONS ...... 6 2.1 Standard Instructions, Clauses and Conditions ...... 6 2.2 Modification and Withdrawal of Bids ...... 6 2.3 Questions and Comments ...... 6 2.4 Non-Disclosure Agreement ...... 7 PART 3 BID PREPARATION INSTRUCTIONS ...... 8 3.1 Bid Preparation Instructions ...... 8 3.2 Section I: Technical Bid ...... 8 3.3 Section II: Financial Bid ...... 10 3.4 Section III: Certifications ...... 10 PART 4 EVALUATION PROCEDURES AND BASIS OF SELECTION ...... 11 4.1 Evaluation Procedures ...... 11 4.2 Technical Evaluation ...... 11 4.3 Financial Evaluation ...... 13 4.4 Basis of Selection ...... 13 PART 5 CERTIFICATIONS ...... 15 5.1 Mandatory Certifications Required Precedent to Contract Award ...... 15 5.2 Additional Certifications Precedent to Contract Award ...... 15 5.3 Software Publisher Certification and Software Publisher Authorization ...... 15 5.4 Former Public Servant ...... 16 5.5 Definitions ...... 16 5.6 Former Public Servant in Receipt of a Pension ...... 16 5.7 Work Force Adjustment Directive ...... 17 5.8 Code of Conduct Certifications – Certifications Required Precedent to Contract Award .... 17 PART 6 security requirements ...... 17 6.1 Security Requirement ...... 17 Before award of a contract, the following conditions must be met:...... 17 PART 7 RESULTING CONTRACT CLAUSES ...... 18 Page 2 of 55

Shared Services partagés Services Canada Canada

7.1 Requirement ...... 18 7.2 Optional Goods and/or Services ...... 19 7.3 Standard Clauses and Conditions ...... 19 7.4 General Conditions: ...... 19 7.5 Security Requirement ...... 19 7.6 Contract Period ...... 20 7.7 Authorities ...... 20 7.8 Basis of Payment ...... 21 7.9 Limitation of Expenditure ...... 21 7.10 Invoicing Instructions ...... 22 7.11 Certifications ...... 22 7.12 Federal Contractors Program for Employment Equity – Default by the Contractor ...... 22 7.13 Applicable Laws ...... 22 7.14 Priority of Documents ...... 22 7.15 Foreign Nationals (Canadian Contractor) ...... 23 7.16 Foreign Nationals (Foreign Contractor) ...... 23 7.17 Insurance Requirements ...... 23 7.18 Limitation of Liability - Information Management/Information Technology ...... 23 7.19 Joint Venture Contractor ...... 24 7.20 Licensed Software ...... 25 7.21 Licensed Software Maintenance and Support ...... 25 7.22 Training ...... 27 7.23 Access to Canada's Property and Facilities...... 27 7.24 Government Property ...... 27 7.25 Implementation ...... 27 7.26 Termination for Convenience ...... 27

List of Annexes to the Resulting Contract:

Annex A: Statement of Work Appendix A: Rated Criteria Annex B: Pricing Tables Annex C: Security Requirements Checklist (SRCL)

Attachments to Part 2 Bidder Instructions

Attachment 2.1 SSC Standard Instruction

List of Attachments to Part 4 (Evaluation Procedures and Basis of Selection)

Attachment 4.1: Bidder Technical Compliance Form Attachment 4.2: Supply Chain Integrity Process

Page 3 of 55

Shared Services partagés Services Canada Canada

Forms:

Form 1: Bid Submission Form Form 2: Vendor Integrity Form Form 3: Software Publisher Certification Form Form 4: Software Publisher Authorization Form

Page 4 of 55

Shared Services partagés Services Canada Canada

PART 1 GENERAL INFORMATION

1.1 Introduction

The bid solicitation is divided into five parts plus attachments and annexes, as follows:

Part 1 General Information: provides a general description of the requirement;

Part 2 Bidder Instructions: provides the instructions, clauses and conditions applicable to the bid solicitation;

Part 3 Bid Preparation Instructions: provides bidders with instructions on how to prepare their bid;

Part 4 Evaluation Procedures and Basis of Selection: indicates how the evaluation will be conducted, the evaluation criteria that must be addressed in the bid, if applicable, and the basis of selection;

Part 5 Resulting Contract Clauses: includes the clauses and conditions that will apply to any resulting contract. The Annexes to the Resulting Contract include the Statement of Requirements, Pricing Tables, and Security Requirements Checklist (SRCL).

1.2 Overview

a) SSC Requirement and Potential Client Users: This solicitation is being issued by Shared Services Canada (SSC). SSC is a federal government department that acts as a shared services organization. Any resulting instrument(s) will be used by SSC to provide shared services to one or more of its Clients. SSC’s “Clients” include SSC itself, those government institutions for whom SSC’s services are mandatory at any point during the life of any resulting instrument(s), and those other organizations for whom SSC’s services are optional at any point during the life of any resulting instrument(s) and that choose to use those services from time to time. In addition to the , SSC may also serve a government of a province or municipality in Canada, a Canadian aid agency, a public health organization, an intergovernmental organization or a foreign government. b) Non-Exclusive Engagement: This procurement process does not preclude SSC from using another method of supply for any of its Clients with the same or similar needs, unless any resulting instrument expressly indicates otherwise. Also, no government of a province or municipality in Canada, Canadian aid agency, public health organization, intergovernmental organization or foreign government is ever required to use any resulting instruments. c) Nature of Requirement: SSC has a requirement on behalf of the (CRA) to acquire and implement a commercial off the shelf software (COTS) which will allow for web access management capabilities in support of the delivery of secure, online digital services to the Canadian public. d) Number of Resulting Contract(s): SSC intends to award one contract to a responding bidder that can provide the intended solution. e) Term of Resulting Contract(s): SSC is currently contemplating a contract period of one (1) year, plus nine (9) option periods of one (1) year each.

1.3 Debriefings

Bidders may request a debriefing on the results of the bid solicitation process. Bidders should make the request to the Contracting Authority within 15 working days of receipt of the results of the bid solicitation process. The debriefing may be provided in writing, by telephone or in person.

Page 5 of 55

Shared Services partagés Services Canada Canada

PART 2 BIDDER INSTRUCTIONS

2.1 Standard Instructions, Clauses and Conditions

a) All instructions, clauses and conditions identified in this document or any of its attachments by number, date and title are either: (i) set out in the Standard Acquisition Clauses and Conditions Manual (https://buyandsell.gc.ca/policy-and-guidelines/standard-acquisition-clauses-and- conditions-manual) issued by Public Services and Procurement Canada; or (ii) set out in SSC’s Standard Instructions for Procurement Documents, attached as Attachment 2.1 to Part 2 of the RFP.

These documents are incorporated by reference and they form part of this document as though they were expressly set out here in full.

b) Section 1 only of PSPC’s Standard Instructions 2003 (2018-05-22) applies to this bid solicitation. c) SSC’s Standard Instructions for Procurement Documents (“SSC’s Standard Instructions”) are incorporated by reference into and form part of the solicitation. If there is a conflict between the provisions of SSC’s Standard Instructions and this document, this document prevails. d) With respect to SSC’s Standard Instructions: (i) There will not be a conference of interested suppliers or a site visit. (ii) Instead of the bid validity period set out in SSC’s Standard Instructions, bids will not expire until they are withdrawn by the bidder or are rejected by SSC. e) By submitting a bid, the Bidder is confirming that it agrees to be bound by all the instructions, clauses and conditions of the solicitation.

2.2 Modification and Withdrawal of Bids

a) Bids can be modified, withdrawn or resubmitted, during the bidding period, up until the solicitation closing date and time. b) A bid withdrawn after the solicitation closing date and time cannot be resubmitted.

2.3 Questions and Comments

Questions and comments about this solicitation can be submitted in accordance with the Section of SSC’s Standard Instructions entitled “Communications” up until the deadline specified in those Standard Instructions (i.e., 10 calendar days before the closing date).

Page 6 of 55

Shared Services partagés Services Canada Canada

2.4 Non-Disclosure Agreement

By submitting a bid, the Bidder agrees to the terms of the non-disclosure agreement below (the “Non- Disclosure Agreement”): a) The Bidder agrees to keep confidential any information it receives from Canada regarding Canada’s assessment of the Bidder’s Supply Chain Security Information (the “Sensitive Information”) including, but not limited to, which aspect of the Supply Chain Security Information is subject to concern, and the reasons for Canada’s concerns. b) Sensitive Information includes, but is not limited to, any documents, instructions, guidelines, data, material, advice or any other information whether received orally, in printed form or otherwise and whether or not that information is labeled as classified, proprietary or sensitive. c) The Bidder agrees that it will not reproduce, copy, divulge, release or disclose, in whole or in part, in whatever way or form any Sensitive Information to any person other than a person employed by the Bidder who has a security clearance commensurate with the level of Sensitive Information being accessed, without the prior written consent of the Contracting Authority. The Bidder agrees to immediately notify the Contracting Authority if any person, other than those permitted by this Article, accesses the Sensitive Information at any time. d) All Sensitive Information will remain the property of Canada and must be returned to the Contracting Authority or destroyed, at the option of the Contracting Authority, if requested by the Contracting Authority, within 30 days. e) The Bidder agrees that a breach of this Non-Disclosure Agreement may result in disqualification of the Bidder at RFP stage, or immediate termination of the resulting Contract. The Bidder also acknowledges that a breach of this Non-Disclosure Agreement may result in a review of the Bidder’s security clearance and review of the Bidder’s status as an eligible bidder for other requirements. f) This Non-Disclosure Agreement remains in force indefinitely.

Page 7 of 55

Shared Services partagés Services Canada Canada

PART 3 BID PREPARATION INSTRUCTIONS

3.1 Bid Preparation Instructions

a) Copy of Bid: Canada requests that bidders provide their bid to the “RETURN BIDS TO” address as specified on the front page of this solicitation in separately bound sections as follows: (i) Section I: Technical Bid (6 hard copies) and 1 soft copy on CD (ii) Section II: Financial Bid (1 hard copy) and 1 soft copy on CD (iii) Section III: Certifications (1 soft copy) electronically. (iv) If there is a discrepancy between the wording of the soft copy and hard copy, the wording of the hard copy prevails (v) Prices must appear in the financial bid only. No prices must be indicated in any other section of the bid. b) Submission of Only One Bid The submission of more than one bid from any bidder is not permitted in response to this solicitation. If a bidder does submit more than one bid, Canada will ask that bidder to withdraw all but one of its bids. If the bidder does not do so, Canada may choose at its discretion which bid to evaluate. c) Joint Venture Except where expressly provided otherwise, at least one member of a joint venture Bidder must meet any given mandatory requirement of this bid solicitation. Joint venture members cannot pool their abilities to satisfy any single mandatory requirement of this bid solicitation. Wherever substantiation of a mandatory requirement is required, the Bidder is requested to indicate which joint venture member satisfies the requirement. Any Bidder with questions regarding the way in which a joint venture bid will be evaluated should raise such questions through the Enquiries process as early as possible during the solicitation period.

Example: A bidder is a joint venture consisting of members X, Y and Z. If a solicitation requires: (a) that the bidder have 3 years of experience providing maintenance services, and (b) that the bidder have 2 years of experience integrating hardware with complex networks, then each of these two requirements can be met by a different member of the joint venture. However, for a single requirement, such as the requirement for 3 years of experience providing maintenance services, the bidder cannot indicate that each of members X, Y and Z has one year of experience, totaling 3 years. Such a response would be declared non-responsive.

3.2 Section I: Technical Bid

a) In their technical bid, bidders must demonstrate their understanding of the requirements contained in the bid solicitation and substantiate how they will meet these requirements. Bidders must demonstrate their capability in a thorough, concise and clear manner for carrying out the work. The technical bid must address clearly and in sufficient depth the points that are subject to the evaluation criteria against which the bid will be evaluated. Simply repeating the statement contained in the bid solicitation is not sufficient. In order to facilitate the evaluation of the bid, Canada requests that bidders address and present topics in the order of the evaluation criteria under the same headings. To avoid duplication, bidders may refer to different sections of their bids by identifying the specific paragraph and page number where the subject topic has already been addressed.

Page 8 of 55

Shared Services partagés Services Canada Canada b) The technical bid consists of the following:

(i) Bid Submission Form: Bidders must to include the Bid Submission Form (see Form 1) with their bids. It provides a common form in which bidders can provide information required for evaluation and contract award, such as a contact name and the Bidder’s Procurement Business Number, etc. Using the form to provide this information is not mandatory, but it is recommended. If Canada determines that the information required by the Bid Submission Form is incomplete or requires correction, Canada will provide the Bidder with an opportunity to do so. (ii) Integrity Check: Bidders are requested to include a completed Form 2 – Integrity Check with their bids. Using the form to provide the information is not mandatory, but it is recommended. If Form 2 is not included with the bid or if Canada determines that the information required by Form 2 is incomplete or requires correction, Canada will provide the Bidder with an opportunity to do so. Upon request, the Bidder must also provide any further information required by the Contracting Authority pursuant to Section 1 of Standard Instructions 2003. (iii) Substantiation of Technical Compliance Form: The technical bid must substantiate the compliance of the Bidder and its proposed [solution and/or products] with the specific articles of the Annex A (Statement of Requirement) identified as mandatory criteria. Bidders must prove that they comply with the mandatories via a response provided in all sections marked M in the Substantiation of Technical Compliance Form, which is the requested format for providing the substantiation. The substantiation must not simply be a repetition of the requirement(s), but must explain and demonstrate how the Bidder will meet the requirements and carry out the required Work. Simply stating that the Bidder or its proposed solution or product complies is not sufficient. Where Canada determines that the substantiation is not complete, the Bidder will be declared non-responsive and disqualified. Bidders are also requested to substantiate the rated criteria as identified in Appendix A (Rated Requirements), via the Substantiation of Technical Compliance Form in the sections marked R, these responses will be marked and evaluated and used to provide the bid submission with an overall score. The substantiation may refer to additional documentation submitted with the bid – bidders are requested to indicate where in the bid the reference material can be found, including the title of the document, and the page and paragraph numbers; where the reference is not sufficiently precise, Canada may request that the Bidder direct Canada to the appropriate location in the documentation. (iv) Training Plan: The Bidder must provide an outline of its proposed draft training plan, which must demonstrate that the Bidder’s proposed training meets all the mandatory requirements for training described in Annex A Statement of Requirements. (v) Implementation Plan: The Bidder must include a proposed draft implementation plan, which demonstrates that the Bidder’s proposed implementation plan meets all the mandatory requirements for implementation described in Annex A Statement of Requirements. (vi) List of Proposed Software: The Bidder must include a complete list identifying both the name and the version number of each component of the Licensed Software required for the proposed Software Solution. (vii) Technical Mandatory Requirements: (Mandatory at Solicitation Closing): 1. The Bidder must describe its solution and identify all the software, hardware and other components that collectively form a solution that satisfies all the mandatory technical criteria set out in Annex A-SOR Mandatory Criteria

Page 9 of 55

Shared Services partagés Services Canada Canada

2. The Bidder must also respond to the individual mandatory technical criteria that are described in Annex A-SOR Mandatory Criteria by demonstrating how its Solution complies with each of the mandatory technical criteria. 3. Supply Chain Integrity Process: Bidders must comply with the Shared Services Supply Chain Integrity Process as described in Attachment 4.2.

3.3 Section II: Financial Bid

a) Pricing: Bidders must submit their financial bid in accordance with Annex B, Pricing Tables and List of Deliverables. b) All Costs to be Included: The financial bid must include all costs for the requirement described in the bid solicitation for the entire Contract Period, including any option years. The identification of all necessary software required to meet the requirements of the bid solicitation and the associated costs of these items is the sole responsibility of the Bidder. c) Blank Prices: Bidders are requested to insert “$0.00” for any item for which it does not intend to charge or for items that are already included in other prices set out in the tables. If the Bidder leaves any price blank, Canada will treat the price as “$0.00” for evaluation purposes and may request that the Bidder confirm that the price is, in fact, $0.00. No bidder will be permitted to add or change a price as part of this confirmation. Any bidder who does not confirm that the price for a blank item is $0.00 will be declared non-responsive. d) Exchange Rate Fluctuation: SSC is not offering exchange rate fluctuation risk mitigation for this requirement. Requests for exchange rate fluctuation risk mitigation will not be considered. All bids including such provision will render the bid non-compliant.

3.4 Section III: Certifications

a) By submitting a bid, the Bidder is automatically providing the following certifications set out in SSC’s Standard Instructions in the section entitled “Deemed Certifications from Each Bidder”:

Equipment and Software is “Off-the-Shelf” Yes System is “Off-the-Shelf” Yes Bidder’s Proposed Resources will be available Yes Bidder has Verified Information about its Yes Proposed Resources Resources who are not employees of the Yes Bidder

b) The Bidder is also required to provide the following certifications described in SSC’s Standard Instructions. Although all these certifications are requested at solicitation closing, if Canada determines that the any certification is missing, incomplete or requires correction, Canada will provide the Bidder with an opportunity to provide the required information:

Federal Contractors Program for Employment Equity Required – please provide the Certification information in the Bid Submission Form Former Public Servants Certification Required – please provide the information in the Bid Submission Form Software Publisher Certification Form (Form 3) Required – please provide the information using the Software

Page 10 of 55

Shared Services partagés Services Canada Canada

Publisher Certification Form provided in the attachments Software Publisher Authorization Form (Form 4) Required – please provide the information using the Software Publisher Authorization Form provided in the attachments

PART 4 EVALUATION PROCEDURES AND BASIS OF SELECTION

4.1 Evaluation Procedures

a) Bids will be assessed in accordance with the entire requirement of the bid solicitation including the technical and financial evaluation criteria. There are several steps in the evaluation process, which are described below. Even though the evaluation and selection will be conducted in steps, the fact that Canada has proceeded to a later step does not mean that Canada has conclusively determined that the Bidder has successfully passed all the previous steps. Canada may conduct steps of the evaluation in parallel. b) An evaluation team composed of representatives of Canada will evaluate the bids. c) In addition to any other time periods established in the bid solicitation: (i) Requests for Clarifications: If Canada seeks clarification or verification from the Bidder about its bid, the Bidder will have 2 working days (or a longer period if specified in writing by the Contracting Authority) to provide the necessary information to Canada. Failure to meet this deadline will result in the bid being declared non-responsive. (ii) Extension of Time: If additional time is required by the Bidder, the Contracting Authority may grant an extension in his or her sole discretion.

4.2 Technical Evaluation

a) Mandatory Technical Evaluation Criteria: Each bid will be reviewed for compliance with the mandatory requirements of the bid solicitation. Any element of the bid solicitation that is identified specifically with the words “must” or “mandatory” or the letter “M” is a mandatory requirement. The mandatory technical evaluation criteria is identified in Annex A –SOR Mandatory Criteria and will be evaluated on a pass/fail basis in accordance with the descriptions provided in Attachment 4.1 (Bidder Technical Compliance Form). b) Point-Rated Technical Criteria: Each bid will be rated by assigning a score to the rated requirements, which are identified in the bid solicitation by the word “rated” or the letter “R” or by reference to a score. Bidders who fail to submit complete bids with all the information requested by this bid solicitation will be rated accordingly. The rated requirements are described in Appendix A - Rated Criteria and will be evaluated and scored in accordance with the descriptions provided in Attachment 4.1 (Bidder Technical Compliance Form). c) Reference Checks: Whether or not to conduct reference checks is discretionary. However, if SSC chooses to conduct reference checks for any given rated or mandatory requirement, it will check the references for that requirement for all bidders who have not, at that point, been found non-responsive.

Page 11 of 55 Shared Services partagés Services Canada Canada d) Proof of Proposal Test for Top-Ranked Bid: (i.) Through the Proof of Proposal (PoP) test, Canada will test the solution proposed in the top- ranked bid (identified after the financial evaluation) to confirm both that it will function as described in the bid and that it meets the technical functionality requirements described in Annex A. The PoP test will take place at a site in the National Capital Region provided by Canada that recreates the technical environment described in Annex A, or the PoP test may take place at a location in Canada selected by the top-ranked Bidder, if that location is agreed to by the Contracting Authority and if the Bidder assumes all responsibility for recreating the technical environment described in Annex A (it is within the Contracting Authority's sole discretion to determine whether the Bidder has accurately recreated this environment for the test). Canada will pay its own travel and salary costs associated with any PoP test. (ii.) After being notified by the Contracting Authority, the Bidder will be given a maximum of 10 working days to start the installation of the proposed solution. The installation must be completed and functional within 20 working days of the Bidder starting the installation (7.5 hrs/day during normal working hours, to be determined by the Contracting Authority). Canada will then conduct the PoP test. Up to 3 representatives of the Bidder may be present during the PoP test. The representative(s) named in the bid to provide technical support during the PoP test should be available by telephone for technical advice and clarification during the PoP test; however, Canada is not required to delay the PoP test if an individual is unavailable. (iii.) Canada will document the results of the PoP Test. If Canada determines that the proposed solution does not meet any mandatory requirement of the bid solicitation, the bid will fail the PoP Test and the bid will be disqualified. Canada may, as a result of the PoP test, reduce the score of the Bidder on any rated requirement, if the PoP test indicates that the score provided to the Bidder on the basis of its written bid is not validated by the PoP test. The Bidder’s score will not be increased as a result of the PoP test. If the Bidder’s score is reduced as a result of the PoP test, Canada will reassess the ranking of all bidders. (iv.) In connection with the PoP testing, the Bidder grants to Canada a limited license to use the Bidder’s proposed software solution for testing and evaluation purposes. (v.) If, during the initial installation of the software for the PoP test, the Bidder discovers that there are missing and/or corrupt files for software components identified in the technical bid, the Bidder must cease the installation process and inform the Contracting Authority. If the Contracting Authority determines that the missing and/or corrupt files are for components identified in the technical bid, the Bidder may be permitted to submit to the Contracting Authority the missing files and/or replacements for the corrupt files on electronic media or by referring to a web site where the files can be downloaded. These files must have been commercially released to the public before the bid closing date. Upon receiving the files on electronic media or downloading them from a corporate web site, the Contracting Authority will verify that (i) the files were commercially released to the public before the bid closing date; (ii) the files do not include new releases or versions of the software; (iii) the files belong to software components identified in the technical bid; and (iv) the software will not need to be recompiled to make use of the files. The Contracting Authority will have the sole discretion to decide if the additional files may be installed for the PoP test. Under no circumstances will files required to correct flaws in the software programming or code be permitted. This process can be used only a single time, and only during the initial installation of the software for the PoP test.

Page 12 of 55 Shared Services partagés Services Canada Canada

4.3 Financial Evaluation

a) The financial evaluation will be conducted by calculating the Total Pricing Points using Annex B completed by the bidders and the rated weightings of each table as specified below in the “Example Calculations and Weight of Each Pricing Table” grids. b) Bidders must enter their prices within the accompanying “ANNEX B Pricing Tables and List of Deliverables fillable spreadsheet”. c) In order for Canada to determine a bidder’s total Pricing Score, the bidders pricing must be compared to the lowest priced bid received by all bidders for each pricing table. This will then be used as the benchmark in calculations to determine a bidder’s Pricing Table Partial Score for that table. In turn, a bidder’s Pricing Table Partial Score will be determined by taking the lowest price submitted from all bidders and dividing it by the pricing submitted by a bidder. d) Fields within which bidders must submit a price have been shaded in yellow. Fields highlighted in green will be used for the calculations specified in sub-article c). e) After each table’s Pricing Table Partial Score is calculated, the score of each table will be totaled to determine the bidder’s Total Pricing Points out of 100%. f) The Total Pricing Points will then be multiplied by 0.4 to determine the bidder’s Pricing Score.

4.4 Basis of Selection

a) A bid must comply with the requirements of the bid solicitation and meet all mandatory technical evaluation criteria to be declared compliant. Once it has been determined that all mandatory criteria has been met the bid will then be evaluated against the point rated and financial criteria. b) Bidders should note that all contract awards are subject to Canada’s internal approvals process, which includes a requirement to approve funding in the amount of any proposed contract. Despite the fact that the Bidder may have been recommended for contract award, a contract will only be awarded if internal approval is granted according to Canada’s internal policies. If approval is not granted, no contract will be awarded. The ratio in which the evaluation will be weighted shall be 60 % for the technical merit and 40 % for the price. c) The bidder with the highest Combined Rating will be recommended to proceed to the Proof of Proposal Test for Top-Ranked Bid phase of the requirement.

Example Calculations and Weight of Each Pricing Table:

Bidder Technical Points out of 1310 Technical Merit Score (60%) A 1010 1010/1310 x 60 = 46.26 B 1250 1250/1310 x 60 = 57.25 C 1100 1100/1310 x 60 = 50.38

Bidders price table 1 Bidders price table 2 Bidders price table 3 Bidders price table 4 Bidder (50%) (10%) (10%) (7.5%) $800,000/800,000 x 50 = $1,400,000/1,500,000 $350,000/375,000 x 10 = $500,000/500,000 x A 50 x 10 = 9.33 9.33 7.5 = 7.5 $800,000/850,000 x 50 = $1,400,000/1,600,000 $350,000/400,000 x 10 = $500,000/520,000 x B 47.06 x 10 = 8.75 8.75 7.5 = 7.21

Page 13 of 55 Shared Services partagés Services Canada Canada

$800,000/900,000 x 50 = $1,400,000/1,400,000 $350,000/350,000 x 10 = $500,000/600,000 x C 44.44 x 10 = 10 10 7.5 = 6.25

Bidders price table 5 Bidders price table 6 Bidders price table 7 Bidder (7.5%) (10%) (5%) $240,000/300,000 x 7.5 $25,000/35,000 x 5 = A $9,800/9,800 x 10 = 10 = 6 3.57 $240,000/240,000 x 7.5 $9,800/12,000 x 10 = B $25,000/25,000 x 5 = 5 = 7.5 8.17

$240,000/275,000 x 7.5 9,800/15,000 x 10 = $25,000/42,000 x 5 = C = 6.55 6.53 2.98

Total Pricing Bidder Pricing Score (40%) Points

A 95.73 95.73 x .4 = 38.29

B 92.44 92.44 x .4 = 36.98

C 86.75 86.75 x .4 = 34.7

Pricing Technical Merit Combined Overall Bidder Score Score (60%) Rating Rating (40%)

A 46.26 38.29 84.55 3rd

B 57.25 36.93 94.18 1st

C 50.38 34.7 85.08 2nd

Page 14 of 55 Shared Services partagés Services Canada Canada

PART 5 CERTIFICATIONS Bidders must provide the required certifications and documentation to be awarded a contract.

The certifications provided by bidders to Canada are subject to verification by Canada at all times. Canada will declare a bid non-responsive, or will declare a contractor in default, if any certification made by the Bidder is found to be untrue, whether made knowingly or unknowingly, during the bid evaluation period or during the contract period.

The Contracting Authority will have the right to ask for additional information to verify the Bidder’s certifications. Failure to comply with this request will also render the bid non-responsive or will constitute a default under the Contract.

5.1 Mandatory Certifications Required Precedent to Contract Award

a) Code of Conduct and Certifications – Related documentation By submitting a bid, the Bidder certifies that the Bidder and its affiliates are in compliance with the provisions as stated in Section 01 Code of Conduct and Certifications – Bid of Standard Instructions 2003. The related documentation therein required will assist Canada in confirming that the certifications are true.

b) Federal Contractors Program for Employment Equity – Bid Certification By submitting a bid, the Bidder certifies that the Bidder, and any of the Bidder’s members if the Bidder is a Joint Venture, is not named on the Federal Contractors Program (FCP) for employment equity “FCP Limited Eligibility to Bid” list (http://www.labour.gc.ca/eng/standards_equity/eq/emp/fcp/list/inelig.shtml) available from Human Resources and Skills Development Canada (HRSDC) – Labour’s website

Canada will have the right to declare a bid non-responsive if the Bidder, or any member of the Bidder if the Bidder is a Joint Venture, appears on the “FCP Limited Eligibility to Bid” list at the time of contract award.

Canada will also have the right to terminate the Contract for default if a Contractor, or any member of the Contractor if the Contractor is a Joint Venture, appears on the “FCP Limited Eligibility to Bid” list during the period of the Contract.

5.2 Additional Certifications Precedent to Contract Award The certifications listed below should be completed and submitted with the bid but may be submitted afterwards. If any of these required certifications is not completed and submitted as requested, the Contracting Authority will so inform the Bidder and provide the Bidder with a time frame within which to meet the requirement. Failure to comply with the request of the Contracting Authority and meet the requirement within that time period will render the bid non-responsive.

5.3 Software Publisher Certification and Software Publisher Authorization a) If the Bidder is the Software Publisher for any of the proprietary software products it bids, Canada requires that the Bidder confirm in writing that it is the Software Publisher. Bidders are requested to use the Software Publisher Certification Form included with the bid solicitation. Although all the contents of the Software Publisher Certification Form are required, using the form itself to provide this information is not mandatory. For bidders who use an alternate form, it is in Canada’s sole discretion to determine whether all the required information has been provided. Alterations to the statements in the form may result in the bid being declared non-responsive.

Page 15 of 55

Shared Services partagés Services Canada Canada

b) Any Bidder that is not the Software Publisher of all the proprietary software products proposed in its bid is required to submit proof of the Software Publisher’s authorization, which must be signed by the Software Publisher (not the Bidder). No Contract will be awarded to a Bidder who is not the Software Publisher of all of the proprietary software it proposes to supply to Canada, unless proof of this authorization has been provided to Canada. If the proprietary software proposed by the Bidder originates with multiple Software Publishers, authorization is required from each Software Publisher. Bidders are requested to use the Software Publisher Authorization Form included with the bid solicitation. Although all the contents of the Software Publisher Authorization Form are required, using the form itself to provide this information is not mandatory. For Bidders/Software Publishers who use an alternate form, it is in Canada’s sole discretion to determine whether all the required information has been provided. Alterations to the statements in the form may result in the bid being declared non-responsive. c) In this bid solicitation, “Software Publisher” means the owner of the copyright in any software products proposed in the bid, who has the right to license (and authorize others to license/sub-license) its software products.

5.4 Former Public Servant

Contracts awarded to former public servants (FPS) in receipt of a pension or of a lump sum payment must bear the closest public scrutiny, and reflect fairness in the spending of public funds. In order to comply with Treasury Board policies and directives on contracts with FPS, bidders must provide the information required below before contract award.

5.5 Definitions For the purposes of this clause, “former public servant" is any former member of a department as defined in the Financial Administration Act, R.S., 1985, c. F-11, a former member of the Canadian Armed Forces or a former member of the Royal Canadian Mounted Police. A former public servant may be:

a) an individual; b) an individual who has incorporated; c) a partnership made of former public servants; or d) A sole proprietorship or entity where the affected individual has a controlling or major interest in the entity

5.6 Former Public Servant in Receipt of a Pension As per the above definitions, is the Bidder a FPS in receipt of a pension? Yes ( ) No ( ) If so, the Bidder must provide the following information, for all FPS in receipt of a pension, as applicable:

a) name of former public servant; b) date of termination of employment or retirement from the Public Service.

By providing this information, Bidders agree that the successful Bidder’s status, with respect to being a former public servant in receipt of a pension, will be reported on departmental websites as part of the published proactive disclosure reports in accordance with Contracting Policy Notice: 2012-2 and the Guidelines on the Proactive Disclosure of Contracts.

Page 16 of 55

Shared Services partagés Services Canada Canada

5.7 Work Force Adjustment Directive Is the Bidder a FPS who received a lump sum payment pursuant to the terms of the Work Force Adjustment Directive? Yes ( ) No ( ) If so, the Bidder must provide the following information:

a) name of former public servant; b) conditions of the lump sum payment incentive; c) date of termination of employment; d) amount of lump sum payment; e) rate of pay on which lump sum payment is based; f) period of lump sum payment including start date, end date and number of weeks; g) number and amount (professional fees) of other contracts subject to the restrictions of a work force adjustment program. For all contracts awarded during the lump sum payment period, the total amount of fees that may be paid to a FPS who received a lump sum payment is $5,000, including Applicable Taxes.

5.8 Code of Conduct Certifications – Certifications Required Precedent to Contract Award

Bidders should provide, with their bids or promptly thereafter, a complete list of names of all individuals who are currently directors of the Bidder. If such a list has not been received by the time the evaluation of bids is completed, the Contracting Authority will inform the Bidder of a time frame within which to provide the information. Bidders must submit the list of directors before contract award, failure to provide such a list within the required time frame will render the bid non-responsive. The Contracting Authority may, at any time, request that a Bidder provide properly completed and Signed Consent Forms (Consent to a Criminal Record Verification form – PWGSC-TPSGC 229) for any or all individuals named in the aforementioned list within a specified delay. Failure to provide such Consent Forms within the delay will result in the bid being declared non-responsive.

PART 6 SECURITY REQUIREMENTS

6.1 Security Requirement

Before award of a contract, the following conditions must be met: the Bidder must hold a valid organization security clearance as indicated in Part 7 - Resulting Contract Clauses; the Bidder's proposed individuals requiring access to classified or protected information, assets or sensitive work site(s) must meet the security requirement as indicated in Part 7 - Resulting Contract Clauses; and In the case of a joint venture bidder, each member of the joint venture must meet the security requirements.

Page 17 of 55

Shared Services partagés Services Canada Canada

PART 7 RESULTING CONTRACT CLAUSES Note to Bidders: These Resulting Contract Clauses are intended to form the basis of any contract resulting from this bid solicitation. Except where specifically set out in these Resulting Contract Clauses, acceptance by Bidders of all the clauses is a mandatory requirement of this bid solicitation. No modification or other terms and conditions included in the bid will apply to the resulting contract, despite the fact that the bid may become part of the resulting contract. Any Bidder submitting a bid containing statements implying that the bid is conditional on modification of these Resulting Contract Clauses (including all documents incorporated by reference) or containing terms and conditions that purport to supersede these Resulting Contract Clauses will be considered non-compliant. Bidders with concerns regarding the provisions of these Resulting Contract Clauses should raise those concerns in accordance with the Enquiries provision of the bid solicitation. If additional legal issues are raised by a bid, Canada reserves the right to address those issues in any contract awarded as a result of this bid solicitation. If the additional provisions are unacceptable to the Bidder, the Bidder may withdraw its bid.

7.1 Requirement a) ______(the “Contractor”) agrees to supply, deliver and install the goods and services described in the Contract, including the Statement of Requirements, in accordance with, and at the prices set out in, the Contract. This includes: i) granting the license to use the Licensed Software described in the Contract; ii) providing the Software Documentation; iii) providing maintenance and support for the Licensed Software during the Software Support Period; iv) providing training, as and when requested by Canada,

b) Client: Under the Contract, the "Client" is Shared Services Canada (“SSC”), an organization with a mandate to provide shared services. This Contract will be used by SSC to provide shared services to its clients, which include SSC itself, those government institutions for whom SSC’s services are mandatory at any point during the Contract Period, and those other organizations for whom SSC’s services are optional at any point during the Contract Period and that choose to use those services from time to time. SSC may choose to use this Contract for some or all of its clients and may use alternative means to provide the same or similar services.

c) Reorganization of Client: The Contractor's obligation to perform the Work will not be affected by (and no additional fees will be payable as a result of) the renaming, reorganization, reconfiguration, or restructuring of any Client. The reorganization, reconfiguration and restructuring of the Client includes the privatization of the Client, its merger with another entity, or its dissolution, where that dissolution is followed by the creation of another entity or entities with mandates similar to the original Client. In connection with any form of reorganization, Canada may designate another department or government body as the Contracting Authority or Technical Authority, as required to reflect the new roles and responsibilities associated with the reorganization. d) National Security Exception: On July 12, 2012, SSC invoked the National Security Exception under the trade agreements in respect of procurements related to email, networks and data centres for Shared Services Canada. As a result, this requirement is subject to the National Security Exception. e) Defined Terms: Words and expressions defined in the General Conditions or Supplemental General Conditions and used in the Contract have the meanings given to them in the General Conditions or Supplemental General Conditions.

Page 18 of 55

Shared Services partagés Services Canada Canada

7.2 Optional Goods and/or Services a) The Contractor grants to Canada the irrevocable option to acquire the goods, services or both described at Annex A of the Contract under the same terms and conditions and at the prices and/or rates stated in the Contract. The option may only be exercised by the Contracting Authority by notice in writing and will be evidenced, for administrative purposes only, through a contract amendment. b) The Contracting Authority may exercise the option at any time before the expiry of the Contract by sending a written notice to the Contractor.

7.3 Standard Clauses and Conditions All clauses and conditions identified in the Contract by number, date and title are set out in the Standard Acquisition Clauses and Conditions Manual (http://buyandsell.gc.ca/policy-and-guidelines/standard- acquisition-clauses-and-conditions-manual) issued by Public Works and Government Services Canada. All references contained within the General Conditions or Supplementary General Conditions to the Minister of Public Works and Government Services will be interpreted as a reference to the minister presiding over Shared Services Canada and all references to the Department of Public Works and Government Services will be interpreted as Shared Services Canada. For purposes of this contract the PWGSC policies referenced within the Standard Acquisitions Clauses and Conditions Manual are adopted as SSC policies.

7.4 General Conditions:

2030 (2018-06-21), General Conditions - Higher Complexity - Goods, apply to and form part of the Contract. These General Conditions are amended as follows: Section 2 of the General Conditions is amended as follows: delete “Pursuant to the Department of Public Works and Government Services Act, S.C. 1996, c.16” a) Supplemental General Conditions: The following Supplemental General Conditions: 4003 (2010-08-16), Supplemental General Conditions - Licensed Software; Section 08 is replaced as follows: The license to use the Licensed Software under the Contract is transferable by Canada under the same conditions of the Contract, to any Device or Client, as applicable, or to any Canadian government department or Crown corporation, as defined in the Financial Administration Act, R.S.C. 1985, c. F-11, as amended from time to time, or to any other party for which Shared Services Canada has been authorized to act under section 8 of the Shared Services Canada Act, L.C. 2012, ch.19, art 711 as long as Canada informs the Contractor of the transfer within thirty (30) days of the transfer occurring. For the purposes of this section, in the circumstances where an Entity License is transferred, such license will be capped at the number of users in the transferring department, corporation, agency or other party before the transfer. 4004 (2013-04-25), Supplemental General Conditions - Maintenance and Support Services for Licensed Software; apply to and form part of the Contract.

7.5 Security Requirement The following security requirement checklist (SCRL) at Annex C applies and forms part of the Contract.

Page 19 of 55

Shared Services partagés Services Canada Canada

The applicable security clauses will be added at a later time.

7.6 Contract Period a) Contract Period: The “Contract Period” is the entire period of time during which the Contractor is obliged to perform the Work, which includes: The “Initial Contract Period”, which begins on the date the Contract is awarded and ends 1 year later; and the period during which the Contract is extended, if Canada chooses to exercise any options set out in the Contract. b) Option to Extend the Contract: The Contractor grants to Canada the irrevocable option to extend the term of the Contract by up to 9 additional 1-year period(s) under the same terms and conditions. The Contractor agrees that, during the extended period of the Contract, it will be paid in accordance with the applicable provisions set out in the Basis of Payment. Canada may exercise this option at any time by sending a written notice to the Contractor before the expiry date of the Contract. The option may only be exercised by the Contracting Authority, and will be evidenced, for administrative purposes only, through a contract amendment.

7.7 Authorities a) Contracting Authority The Contracting Authority for the Contract is: Name: ______Title: ______Address: ______Telephone: ______Facsimile: ______E-mail address: ______The Contracting Authority is responsible for the management of the Contract and any changes to the Contract must be authorized in writing by the Contracting Authority. The Contractor must not perform work in excess of or outside the scope of the Contract based on verbal or written requests or instructions from anybody other than the Contracting Authority. b) Technical Authority The Technical for the Contract is: Name: ______Title: ______Organization: ______Address: ______Telephone: ______Facsimile: ______E-mail address: ______The Technical Authority is responsible for all matters concerning the technical content of the Work under the Contract. Technical matters may be discussed with the Technical Authority; however, the Technical Authority has no authority to authorize changes to the scope of the Work. Changes to the scope of the Work can only be made through a contract amendment issued by the Contracting Authority. c) Contractor's Representative

Page 20 of 55

Shared Services partagés Services Canada Canada

To be completed at contract award

7.8 Basis of Payment i.) Licensed Software, Maintenance and Support: For the license(s) to use the Licensed Software (including delivery, installation, integration and configuration of the Licensed Software and the Software Documentation, in accordance with the Contract, Canada will pay the Contractor the firm price(s) set out in Annex B, DDP destination, including all customs duties, Applicable Taxes extra. The firm prices include the warranty during the Software Warranty Period and maintenance and support during the Software Support Period (including for any additional licenses purchased during the Contract Period). ii.) Optional Additional Software Licenses: For additional licenses, if Canada exercises its option, Canada will pay the Contractor the ceiling price set out in Annex B, FOB destination, including all customs duties, Applicable Taxes extra. iii.) Optional Software Support: If Canada exercises its option to extend the Software Support Period, Canada will pay the Contractor the firm annual price in advance as set out in Annex B, DDP destination, including all customs duties, Applicable Taxes extra. iv.) Training: For training courses, as and when requested by Canada during the Contract Period, Canada will pay the Contractor the firm price per course set out in Annex B, upon completion of the course, Applicable Taxes extra. v.) Competitive Award: The Contractor acknowledges that the Contract has been awarded as a result of a competitive process. No additional charges will be allowed to compensate for errors, oversights, misconceptions or underestimates made by the Contractor when bidding for the Contract. vi.) Purpose of Estimates: All estimated costs contained in the Contract are included solely for the administrative purposes of Canada and do not represent a commitment on the part of Canada to purchase goods or services in these amounts. Any commitment to purchase specific amounts or values of goods or services is described elsewhere in the Contract.

7.9 Limitation of Expenditure

Canada will not pay the Contractor for any design changes, modifications or interpretations of the Work unless they have been approved, in writing, by the Contracting Authority before their incorporation into the Work. a) Method of Payment - Single Payment H1000C (2008-05-12), Single Payment b) Method of Payment - Advance Payment i.) Canada will pay the Contractor in advance for the Software Maintenance and Support services if: ii.) An accurate and complete invoice and any other documents required by the Contract have been submitted in accordance with the invoicing instructions provided in the Contract; iii.) All such documents have been verified by Canada. iv.) Payment in advance does not prevent Canada from exercising any or all potential remedies in relation to this payment or any of the Work, if the Work performed later proves to be unacceptable.

Page 21 of 55

Shared Services partagés Services Canada Canada

7.10 Invoicing Instructions

a) The Contractor must submit invoices in accordance with the information required in the General Conditions. b) The Contractor's invoice must include a separate line item for each subparagraph in the Basis of Payment provision. c) By submitting invoices (other than for any items subject to an advance payment, the Contractor is certifying that the goods and services have been delivered and that all charges are in accordance with the Basis of Payment provision of the Contract, including any charges for work performed by subcontractors. d) The Contractor must provide the original of each invoice to the Technical Authority, and a copy to the Contracting Authority.

7.11 Certifications

Compliance with the certifications provided by the Contractor in its bid is a condition of the Contract and subject to verification by Canada during the entire Contract Period. If the Contractor does not comply with any certification or it is determined that any certification made by the Contractor in its bid is untrue, whether made knowingly or unknowingly, Canada has the right, under the default provision of the Contract, to terminate the Contract for default.

7.12 Federal Contractors Program for Employment Equity – Default by the Contractor

The Contractor understands and agrees that, when an Agreement to Implement Employment Equity (AIEE) exists between the Contractor and HRSDC-Labour, the AIEE must remain valid during the entire period of the Contract. If the AIEE becomes invalid, the name of the Contractor will be added to the “FCP Limited Eligibility to Bid” list. The imposition of such a sanction by HRSDC will constitute the Contractor in default as per the terms of the Contract.

7.13 Applicable Laws The Contract must be interpreted and governed, and the relations between the parties determined, by the laws in force in Ontario.

7.14 Priority of Documents If there is a discrepancy between the wording of any documents that appear on the following list, the wording of the document that first appears on the list has priority over the wording of any document that appears later on the list: a) these Articles of Agreement, including any individual SACC clauses incorporated by reference in these Articles of Agreement b) supplemental general conditions, in the following order: 4003; Supplemental General Conditions (2010-08-16) Licensed Software 4004; Supplemental General Conditions (2013-04-25) Maintenance and Support for Licensed Software c) general conditions – Higher Complexity – Goods 2030 (2018-06-21); d) Annex A, Statement of Requirement; e) Annex B, Pricing Tables and List of Deliverables; f) Annex C, Security Requirements Check List; g) The Contractor's bid dated ______(insert date of bid), as amended ______(insert date(s) of amendment(s) if applicable), not including any software publisher license terms and conditions that may

Page 22 of 55

Shared Services partagés Services Canada Canada

be included in the bid, not including any provisions in the bid with respect to limitations on liability, and not including any terms and conditions incorporated by reference (including by way of a web link) in the bid.

7.15 Foreign Nationals (Canadian Contractor) SACC Manual clause A2000C (2006-06-16) Foreign Nationals (Canadian Contractor)

7.16 Foreign Nationals (Foreign Contractor) SACC Manual clause A2001C (2006-06-16) Foreign Nationals (Foreign Contractor)

7.17 Insurance Requirements SACC Manual clause G1005C (2016-01-28) Insurance – No Specific Requirement

7.18 Limitation of Liability - Information Management/Information Technology This section applies despite any other provision of the Contract and replaces the section of the general conditions entitled "Liability". Any reference in this section to damages caused by the Contractor also includes damages caused by its employees, as well as its subcontractors, agents, and representatives, and any of their employees. This section applies regardless of whether the claim is based in contract, tort, or another cause of action. The Contractor is not liable to Canada with respect to the performance of or failure to perform the Contract, except as described in this section and in any section of the Contract pre- establishing any liquidated damages. The Contractor is only liable for indirect, special or consequential damages to the extent described in this Article, even if it has been made aware of the potential for those damages. a) First Party Liability: The Contractor is fully liable for all damages to Canada, including indirect, special or consequential damages, caused by the Contractor's performance or failure to perform the Contract that relate to: a) any infringement of intellectual property rights to the extent the Contractor breaches the section of the General Conditions entitled "Intellectual Property Infringement and Royalties"; b) physical injury, including death. The Contractor is liable for all direct damages affecting real or tangible personal property owned, possessed, or occupied by Canada. Each of the Parties is liable for all direct damages resulting from its breach of confidentiality under the Contract. Each of the Parties is also liable for all indirect, special or consequential damages in respect of its unauthorized disclosure of the other Party's trade secrets (or trade secrets of a third party provided by one Party to another under the Contract) relating to information technology. The Contractor is liable for all direct damages relating to any encumbrance or claim relating to any portion of the Work for which Canada has made any payment. This does not apply to encumbrances or claims relating to intellectual property rights, which are addressed under subparagraph a) i.) a) above. The Contractor is also liable for any other direct damages to Canada caused by the Contractor in any way relating to the Contract including: any breach of the warranty obligations under the Contract, up to the total amount paid by Canada (including any applicable taxes) for the goods and services affected by the breach of warranty; and any other direct damages, including all identifiable direct costs to Canada associated with re- procuring the Work from another party if the Contract is terminated by Canada either in whole or in part for default, up to an aggregate maximum for this subparagraph vii.) of the greater of the total estimated contract cost (meaning the dollar amount shown on the first page of the Contract in the

Page 23 of 55

Shared Services partagés Services Canada Canada

cell titled "Total Estimated Cost" or shown on each call-up, purchase order or other document used to order goods or services under this instrument), or $1,000,000.00. In any case, the total liability of the Contractor under subparagraph a) vii.) will not exceed the total estimated cost (as defined above) for the Contract or $1,000,000.00, whichever is more. If Canada's records or data are harmed as a result of the Contractor's negligence or willful act, the Contractor's only liability is, at the Contractor's own expense, to restore Canada's records and data using the most recent back-up kept by Canada. Canada is responsible for maintaining an adequate back-up of its records and data. b) Third Party Claims: Regardless of whether a third party makes its claim against Canada or the Contractor, each Party agrees that it is liable for any damages that it causes to any third party in connection with the Contract as set out in a settlement agreement or as finally determined by a court of competent jurisdiction, where the court determines that the Parties are jointly and severally liable or that one Party is solely and directly liable to the third party. The amount of the liability will be the amount set out in the settlement agreement or determined by the court to have been the Party's portion of the damages to the third party. No settlement agreement is binding on a Party unless its authorized representative has approved the agreement in writing. If Canada is required, as a result of joint and several liability, to pay a third party in respect of damages caused by the Contractor, the Contractor must reimburse Canada by the amount finally determined by a court of competent jurisdiction to be the Contractor's portion of the damages to the third party. However, despite Sub-article b) i.), with respect to special, indirect, and consequential damages of third parties covered by this Section, the Contractor is only liable for reimbursing Canada for the Contractor's portion of those damages that Canada is required by a court to pay to a third party as a result of joint and several liability that relate to the infringement of a third party's intellectual property rights; physical injury of a third party, including death; damages affecting a third party's real or tangible personal property; liens or encumbrances on any portion of the Work; or breach of confidentiality. The Parties are only liable to one another for damages to third parties to the extent described in this Sub-article b).

7.19 Joint Venture Contractor a) The Contractor confirms that the name of the joint venture is ______and that it is comprised of the following members: [list all the joint venture members named in the Contractor's original bid]. b) With respect to the relationship among the members of the joint venture Contractor, each member agrees, represents and warrants (as applicable) that: ______has been appointed as the “representative member” of the joint venture Contractor and has fully authority to act as agent for each member regarding all matters relating to the Contract; by giving notice to the representative member, Canada will be considered to have given notice to all the members of the joint venture Contractor; and all payments made by Canada to the representative member will act as a release by all the members. c) All the members agree that Canada may terminate the Contract in its discretion if there is a dispute among the members that, in Canada’s opinion, affects the performance of the Work in any way. d) All the members are jointly and severally or solely liable for the performance of the entire Contract. e) The Contractor acknowledges that any change in the membership of the joint venture (i.e., a change in the number of members or the substitution of another legal entity for an existing member) constitutes an assignment and is subject to the assignment provisions of the General Conditions.

Page 24 of 55

Shared Services partagés Services Canada Canada

f) The Contractor acknowledges that all security and controlled goods requirements in the Contract, if any, apply to each member of the joint venture Contractor. Note to Bidders: This Article will be deleted if the bidder awarded the contract is not a joint venture. If the contractor is a joint venture, this clause will be completed with information provided in its bid.

7.20 Licensed Software a) With respect to the provisions of Supplemental General Conditions 4003: Licensed Software The Licensed Software, which is defined in 4003, includes all the products offered by the Contractor in its bid, and any other software code required for those products to function in accordance with the Software Documentation and the Specifications, including without limitation all of the following products: ______[this information will be completed at contract award using information in the Contractor’s bid] Type of License being Granted Processor/Server/Subscription License Option to Purchase Additional Licenses The Contractor grants to Canada the irrevocable option to purchase additional licenses at the price set out in Annex B on the same terms and conditions as granted under the Contract [including for additional Clients within the scope of the Contract]. This option may be exercised at any time during the Contract Period, as many times as Canada chooses. This option may only be exercised by the Contracting Authority by notice in writing and will be evidenced, for administrative purposes only, by a contract amendment Media on which Licensed Software must be The Client requires the Licensed Software to be delivered - by Delivered Internet Download. Software Warranty Period 12 months

b) On-going Maintenance of Software Code: The Contractor must continue to maintain the version of the Licensed Software (i.e., the version or “build” originally licensed under the Contract) as a commercial product (i.e., the Contractor or the software publisher must be continuing to develop new code in respect of the Licensed Software to maintain its functionality, enhance it, and deal with Software Errors) for at least 2 years from the date the Contract is awarded. After that time, if the Contractor or the software publisher decides to discontinue or no longer maintain the then-current version or “build” of the Licensed Software and, instead, decides to provide upgrades to the Licensed Software as part of the Software Support, the Contractor must provide written notice to Canada at least 12 months in advance of the discontinuation.

7.21 Licensed Software Maintenance and Support a) With respect to the provisions of Supplemental General Conditions 4004: Software Support Period Software Support Period is the Contract Period. Software Support Period when Additional For any additional licenses purchased in accordance with the Licenses added during Contract Period Contract, the Software Support Period currently underway will apply to the additional licenses purchased, so that the Software Support Period ends on the same date for all licences supported under the Contract.

Page 25 of 55

Shared Services partagés Services Canada Canada

Option to Extend Software Support Period The Contractor grants to Canada the irrevocable option(s) to extend the Software Support Period by 5 additional 12-month periods, exercisable at any time during the Contract Period. The Contractor agrees that, during the entire Software Support Period, the prices will be those set out in Annex B. The option(s) may only be exercised by the Contracting Authority by notice in writing and will be evidenced, for administrative purposes only, by a contract amendment. Hours for Providing Support Services The Contractor’s personnel must be available from ___ a.m. until ____ p.m., local time, at the site where the Licensed Programs are installed, Monday through Friday, exclusive of statutory holidays observed by Canada at the site where the service is required. [delete this line if the hours are 8AM to 5PM - those hours are already provided for in 4004. If SSC requires service on weekends or statutory holidays, revise the wording as required.] Contractor must provide On-site Support [Yes/No] [If On-site Support Services are required, say so here. 4004 Services does not automatically require On-site Support Services. If required, you must add a separate price for these services in your Basis of Payment provision, or state that this service is included in one paragraph of the existing Basis of Payment provisions.] Contractor must provide Swift Action [Yes/No] [If SWAT services are required, say so here. 4004 does not Tactical (SWAT) services automatically require SWAT services. If required, you must add a separate price for these services in your Basis of Payment provision, or state that this service is included in one paragraph of the existing Basis of Payment provisions.] Contractor must install Software Error [Yes/No] [specify here if the Contractor must install the Software corrections and Maintenance Releases and Error corrections and/or the Maintenance Releases and upgrades. If upgrades Canada is responsible for this, delete this line, because 4004 already provides for this in Subsection 7(2). Purchasing installation services will of course be more expensive than only obtaining the maintenance release and upgrades. If installation services are available through a separate Task Authorization process described in the Contract, you can say “only if Task Authorization issued”.]

Contact Information for Accessing the In accordance with Section 5 of 4004, the Contractor will make its Contractor's Support Services Support Services available through the following: Toll-free Telephone Access: ______Toll-free Fax Access: ______Email Access: ______The Contractor must respond to all telephone, fax or email communications (with a live service agent) within 60 minutes of the initial time of the Client or User's initial communication. [revise as necessary] [If any of these particular methods of communication are not required by the SSC, you can say "not required". The best way to ensure you receive this information in the bid is to include a line in the Bid Submission Form for it.] [Note to Bidders: This information will be completed at the time of contract award with information supplied by the Contractor. Bidders are requested to provide this information in their bids.] Website In accordance with Section 5 of 4004, the Contractor must make Support Services available over the Internet. To do so, the

Page 26 of 55 Shared Services partagés Services Canada Canada

Contractor must include, as a minimum, frequently asked questions and on-line software diagnostic routines and support tools. Despite the Hours for Providing Support Services, the Contractor's website must be available to Canada's users 24 hours a day, 365 days a year, and must be available 99% of the time. The Contractor’s website address for web support is ______. [Delete if SSC does not require these enhanced web services.] [Note to Bidders: The website address will be completed at the time of contract award with information supplied by the Contractor. Bidders are requested to provide this information in their bids.] Language of Support Services The Support Services must be provided in both French and English, based on the choice of the User requesting support.

7.22 Training a) Providing Training: See Annex B for training required. b) Providing Software Training: The Contractor must provide in-class training for the software products that form part of the Software Solution on an “as-and-when-requested” basis during the Contract Period when a Task Authorization for training is issued in accordance with the Contract. Canada may issue a Task Authorization whenever it has at least 10 people who require training. The training must be provided at various locations across Canada [NCR], as requested in the Task Authorization. The training must be available within 15 working days of the Task Authorization being issued. The training, including both the instruction and the course materials, must be provided in English and French Before providing any training, at least 10 working days in advance of the first training session, the Contractor must submit the course syllabus and schedule, the training materials, and the names and qualifications of the instructions to the Technical Authority for approval.

7.23 Access to Canada's Property and Facilities Canada's property, facilities, equipment, documentation, and personnel are not automatically available to the Contractor. If the Contractor would like access to any of these, it is responsible for making a request to the Technical Authority. Unless expressly stated in the Contract, Canada has no obligation to provide any of these to the Contractor. If Canada chooses, in its discretion, to make its property, facilities, equipment, documentation or personnel available to the Contractor to perform the Work, Canada may require an adjustment to the Basis of Payment and additional security requirements may apply.

7.24 Government Property Canada agrees to supply the Contractor with the items listed below (the “Government Property”). The section of the General Conditions entitled “Government Property” also applies to the use of the Government Property by the Contractor.

7.25 Implementation a) Finalization of Draft Implementation Plan: Within 10 working days of the Contract being awarded, Canada will provide any comments it has regarding the draft implementation plan submitted by the Contractor as part of its bid. The Contractor must update the implementation plan to reflect Canada’s comments within 5 working days and resubmit it to Canada for approval.

7.26 Termination for Convenience

Page 27 of 55

Shared Services partagés Services Canada Canada

With respect to Section 32 of 2030, if applicable, subsection 4 is deleted and replaced with the following subsections 4, 5 and 6:

4. The total of the amounts, to which the Contractor is entitled to be paid under this section, together with any amounts paid, due or becoming due to the Contractor must not exceed the Contract Price.

5. Where the Contracting Authority terminates the entire Contract and the Articles of Agreement include a Minimum Work Guarantee, the total amount to be paid to the Contractor under the Contract will not exceed the greater of

(a) the total amount the Contractor may be paid under this section, together with any amounts paid, becoming due other than payable under the Minimum Revenue Guarantee, or due to the Contractor as of the date of termination, or

(b) the amount payable under the Minimum Work Guarantee, less any amounts paid, due or otherwise becoming due to the Contractor as of the date of termination.

6. The Contractor will have no claim for damages, compensation, loss of profit, allowance arising out of any termination notice given by Canada under this section except to the extent that this section expressly provides. The Contractor agrees to repay immediately to Canada the portion of any advance payment that is unliquidated at the date of the termination.

Page 28 of 55

Annex A – Statement of Requirement Enterprise Portal Software

ANNEX A

STATEMENT OF Requirement

Contents

1 Introduction ...... 30 1.1 Background ...... 30 1.2 Objective ...... 30 1.3 Schedule and Cost...... 30 2 Statement of Requirements ...... 31 2.1 Technical Requirements...... 31 2.2 Mandatory Requirements – General ...... 31 2.2.1 Language and Accessibility Standards ...... 32 2.3 Mandatory Requirements – Technical ...... 33 2.3.1 Platform / Application Hosting ...... 33 2.3.2 Security Controls ...... 33 2.3.3 Identity, Authentication and Access Controls ...... 34 2.3.4 Audit Controls and Logs ...... 34 2.3.5 Portal Product ...... 35 2.3.6 Testing, Performance and Monitoring ...... 37 2.3.7 Backup and Recovery ...... 37 2.3.8 Technical Support Services ...... 38 3 Appendices ...... 41 3.1 Platform Description ...... 41 3.1.1 Platform Details ...... 41 3.2 Identity and Access Management – CA SiteMinderPlatform / Portal View ...... 42 3.3 Glossary / Acronyms ...... 43

29 of 55

1 Introduction The Canada Revenue Agency (CRA) is modernizing its current secure online services, My Account for Individuals, My Business Account, and Represent a Client, by implementing a single, horizontal portal solution.

1.1 Background The Canada Revenue Agency administers tax laws for the Government of Canada (GoC) and for most provinces and territories, and administers various social and economic benefit and incentive programs delivered through the tax system. The Agency is implementing a Service Modernization Strategy in response to the increasing digital expectations. The goals of this strategy include: • A single portal that will provide a modernized secure digital space for individuals, businesses, or representatives; • Apply user-centric design principles to improve the overall service experience; • Apply mobile-first design principles so that digital services are easily accessible on all devices; • Streamline the authentication process to provide ease of access to the secure digital space; • Grant access to people who have authenticated with a trusted partner or another government department; and • Develop additional security features within the secure digital space.

1.2 Objective The objective of this Statement of Requirements is the acquisition and implementation of a Horizontal Portal Product (HPP)1 solution with web access management capabilities, in support of the delivery of secure, online digital services to the Canadian public.

1.3 Schedule and Cost The Agency’s transition to the HPP solution will be a multi-year project with incremental service migrations. This approach will ensure the stability and availability of our online services, and also allow the Agency to manage its financial commitment to align expenditures with the project’s phased implementation plan. The Agency’s planned commitment for this RFP will be the acquisition of HPP License(s) for our test environment on year 1, including maintenance and support. The Agency will only purchase one of the licensing model types from Table 1 Annex B. For year 1 our test environment will consist of 1 server. For further information and server details, see Appendix section 3.1 SSC Hosted Platform Description.

1 The current trend in the enterprise portal space favours the term(s), “User Experience Platform (UXP)” or “Digital Experience Platform (DXP)”. In this document, the term HPP or Horizontal Portal Product will continue to be used when referring to vendor products in this space.

Page 30 of 55

2 Statement of Requirements Bids will be evaluated in accordance with all the mandatory evaluation criteria detailed below. Bids failing to demonstrate compliance to ALL mandatory requirements will be considered non-responsive and the bid will receive no further consideration. Unless otherwise specified, any hyperlinks included in requirements are to provide convenient access to publicly- available web-based documentation from the Government of Canada or from industry sources.

2.1 Technical Requirements In their technical bid, Contractors should demonstrate their understanding of the requirements (Mandatory and Rated) contained in the bid solicitation and explain how they will meet these requirements. Contractors should demonstrate their capability and describe their approach in a thorough, concise and clear manner for carrying out the work. The technical bid should address clearly and in sufficient depth the points that are subject to the evaluation criteria against which the bid will be evaluated. Simply repeating the statement contained in the bid solicitation is not sufficient. In order to facilitate the evaluation of the bid, Canada requests that Contractors address and present topics in the order of the evaluation criteria under the same headings. To avoid duplication, Contractors may refer to different sections of their bids by identifying the specific paragraph and page number where the subject topic has already been addressed.

2.2 Mandatory Requirements – General

Req. Mandatory Requirements – General Number M-1 Solution must include a Horizontal Portal Product (HPP) with access control capability. M-2 Contractor must provide a high-level view of their Solution’s technical architecture, showing components such as servers, databases, and network connections. M-3 Solution must be a commercially-available product at the time of bid closing, meaning that it is released and licensed to the general public and has a published product definition and pricing structure with an ongoing investment in development and support. M-4 Solution must not require any form of external connection to activate any component of the product. Requiring a serial number or other form of license activation string or code is acceptable, but Solution must not require any form of on-going electronic or internet-enabled validation or check for license compliance.

If Solution utilizes a generated serial or license key based on a specific configuration of hardware, software, or network, the key must be generated during working hours and prior to scheduled system upgrades or updates that would affect the license’s validity. M-5 Contractor must provide a training session for 10 technical resources at a facility provided by Contractor in the National Capital Region (NCR). Facility training is required on each of the following topics, with the training session for each topic a minimum of five days in duration: a. Portal architecture and deployment on Contractor’s proposed solution; b. Portal development on Contractor’s proposed solution; c. Advanced level Portal development on Contractor’s proposed solution; and d. Portal administration and support on Contractor’s proposed solution.

Contractor must deliver (in both English and French) all training guides, documentation, and online training aids for all topics.

Page 31 of 55

Req. Mandatory Requirements – General Number M-6 Contractor must identify three project references who can verify that their Solution has been successfully operated for a minimum of two years. 1. References must be from enterprise level installations with over two million registered users. 2. References must relate to projects successfully implemented for clients within the last five years.

Contractor must include the following information for each reference: a. Client organization name; b. Client contact name; c. Contact’s role in project; d. Client contact telephone number; e. Client contact business email address; f. Name of project authority / executive; g. Project name; and h. Brief project description.

Canada reserves the right and at its own discretion, to contact one or all of the references provided. M-7 Contractor must provide its description for each of the following licensing models: • subscription, • server, • and processor.

2.2.1 Language and Accessibility Standards Req. Mandatory Requirements – General Number Language and Accessibility Standards M-8 Solution must provide a function to allow End Users to switch between English and French on any page. M-9 Solution must provide Privileged Users with an editor to create, modify, store, and retrieve English and French content with the full set of characters in: a. Unicode Transformation Format – 8-bit (UTF-8) standard character set; and b. ISO8859-1 character set. M-10 Solution must be able to create and present content that is compliant with these Government of Canada (GoC) standards and guidelines: a. Standard on Web Accessibility; b. Web Content Accessibility Guidelines (WCAG) version 2.0 AA; and c. Web Experience Toolkit (WET).

References: http://www.w3.org/TR/WCAG20/ and https://www.tbs-sct.gc.ca/pol/doc- eng.aspx?id=23601 and https://github.com/wet-boew/wet-boew M-11 Solution must be compliant with these Government of Canada (GoC) standards: a. GoC Standard on Web Usability; b. GoC Standard on Web Interoperability; and c. GoC Standard on Optimizing Websites and Applications for Mobile Devices.

References: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=24227 and http://www.tbs- sct.gc.ca/pol/doc-eng.aspx?id=25875 and http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=27088

Page 32 of 55

2.3 Mandatory Requirements – Technical

2.3.1 Platform / Application Hosting Req. Mandatory Requirements – Technical Number Platform / Application Hosting M-12 Solution must install, deploy, and function on Red Hat Enterprise Linux (RHEL), versions 6.9 and 7.2 or later. M-13 Solution must install, deploy, and function on virtualized environments under RHEL hosted on blade servers using Intel x86-64 processors. M-14 Solution must install, deploy, and function, at a minimum, on a Java Enterprise Edition 7 (Java EE 7) platform. M-15 Solution must install, deploy, and function, on a Java Enterprise Edition (Java EE) application server.

2.3.2 Security Controls Req. Mandatory Requirements – Technical Number Security Controls M-16 Solution must accept and function with browser-based access via HTTPS using Transmission Layer Security (TLS) 1.2 or later. M-17 Solution must accept and function with HTTP Strict Transport Security (HSTS) policy enabled. M-18 Solution must accept and function with secure connections using, at a minimum these protocols: a. HTTPS TLS 1.2 or later; b. Client and Web Server SSL certificate using SHA-256 or later. M-19 Solution must accept and function with configurable Web Services Security on the Web Services for Remote Portlets (WSRP) Consumer and WSRP Producer, including both HTTP and HTTPS (TLS 1.2 or later). M-20 Solution must use a session token that is non-persistent and never written to browser history or cache. M-21 Solution must change session tokens when a user moves from a TLS-protected to a non-TLS-protected session. M-22 Solution session token must expire on the server-side at user logout. M-23 Solution must ensure that for cookies used in authentication and session tracking: a. The cookie expiration time is a configuration parameter; and b. The default expiration time is less than seven days. M-24 Solution must ensure that logout clears user name field, password field, and session cookies on the client-side. M-25 Solution must ensure that logout clears all sessions and session cookies on the server-side. M-26 Solution must prevent false login vulnerabilities that can be utilized by selecting the browser back button after the user logs out.

Page 33 of 55

2.3.3 Identity, Authentication and Access Controls Req. Mandatory Requirements – Technical Number Identity, Authentication and Access Controls M-27 Solution must accept and function with Security Assertion Markup Language (SAML) 2.0 for: a. The exchange of authentication and authorization data between parties; and b. Identity Federation. M-28 Solution must integrate and function with directory services that are compliant with Lightweight Directory Access Protocol (LDAP) version 3. M-29 Solution must accept and function with User ID format that: a. Allows 8 to 16 characters with no spaces; b. May contain up to seven digits; and c. May use these special characters: dot (.), dash (-), underscore (_), and apostrophe ('). M-30 Solution must provide Access Control Mechanism (ACM) capabilities to validate users’ roles, accesses and authorizations. M-31 Solution must provide a service interface through which the Horizontal Portal Product (HPP) and the Access Control Mechanism (ACM) can communicate. M-32 Solution must provide a service interface for the Access Control Mechanism (ACM) to communicate with multiple sources to confirm a user’s roles, accesses and authorizations. M-33 Solution must provide access control at the service level and the content level. M-34 Solution must be configurable to allow a change in the user's roles, accesses, and authorizations within the same session, without users having to log out. M-35 Solution must provide a function that allows customization of the End User interface; specifically customizing information display and service availability according to user Roles, Access, and Authorization. M-36 Solution must provide delegation functions or services to allow those End Users, in an authorized role, to delegate access control functions to other End Users.

Reference: Canada’s Represent a Client overview for current examples of delegation capabilities. http://www.cra-arc.gc.ca/esrvc-srvce/tx/rprsnttvs/vrvw-eng.html

2.3.4 Audit Controls and Logs Req. Mandatory Requirements – Technical Number Audit Controls and Logs M-37 Solution must provide a function that records, stores and protects an audit trail record for the following activities: a. Record changes to Portal software configuration and metadata; b. Record Web Content Management deployment activities; c. Record portlet deployment activities; d. Record successful and unsuccessful Portal sign-on attempts; e. Record create, modify and revoke Portal User and admin accounts; f. Record assignment/changes to Portal permissions and privileges; g. Record assignment/changes of Users to groups and roles; and h. Logging of User login/logout including forced logout and time-out logout.

Page 34 of 55

Req. Mandatory Requirements – Technical Number Audit Controls and Logs M-38 Each audit trail record generated by the Solution must provide, at a minimum, the following details: a. User ID (identification); b. System date and time stamp; c. Action audited; d. Success code; and e. Details related to the action performed. M-39 Solution must provide a logging function that records and stores all user and group management activities including, but not limited to: a. Create a User; b. Edit a User; c. Delete a User; d. Create a group/role; e. Edit a group/role; f. Delete a group/role; g. User accesses changes; and h. User permissions changes. M-40 Solution must log all required diagnostic information relating to start-up and shutdown, errors, warning messages, and HTTP requests. M-41 All data (such as event logs, audit logs, user logins, and session logs) collected by the Solution must remain under the custody and control of Canada.

2.3.5 Portal Product Req. Mandatory Requirements – Technical Number Portal Product M-42 The Contractor must provide Canada with any updates and revisions to the Solution, including at a minimum: a. All bug fixes, software patches, and all other enhancements; b. All upgrades, updates, major and minor releases and renames; c. All extensions and other modifications, including but not limited to drivers, service packs, and service releases; and d. Updates to solution documentation. M-43 Solution must be compliant with Portlet 2.0 and earlier standards, including at a minimum: a. JSR-168 portlets; b. JSR-286 portlets; c. WSRP 2.0 specification; d. JSR-301 Portlet 1.0 Bridge for JSF 1.2; and e. JSR-329 Portlet 2.0 Bridge for JSF 1.2.

Page 35 of 55

Req. Mandatory Requirements – Technical Number Portal Product M-44 Solution must provide a command line scripting function to allow a Privileged User to perform administrative tasks, including but not limited to: a. Deploy portlets, themes and skins; b. Manage portal pages; c. Link together portlets on a page and across pages; d. Manage authorities (permissions and roles) assigned to portal Users and groups in the context of portal resources; e. Manage User groups and group membership; f. Default language selection; g. Configure session inactivity timeout in seconds or minutes; h. Manage custom URL mappings to portal resources; and i. Manage custom unique names for portal resources. M-45 Solution must provide an Application Programming Interface (API) for the deployment of applications. M-46 Solution must provide a feature to allow integration and aggregation of information from multiple back- end sources within the user interface. M-47 Solution must provide an integrated Web Content Management (WCM) service that includes: a. Content (image, text, media) management; b. Versioning; c. Publication workflow that is customizable to include multiple levels of approval; d. Change auditing; and e. Role-based permissions management. M-48 Solution must provide services to expose web content from a third-party content provider through an interface compliant with Content Management Interoperability Services (CMIS) 1.x or later. M-49 Solution must provide functions that allow End Users to personalize the End User interface. An example would be defining a default view of information. M-50 Solution must provide configuration settings that allow Portal Administrators to enable and disable the: a. Personalization function; and b. Integrated collaboration tools. M-51 Solution must allow End User searches for: a. Portal content; and b. Other web content management systems. M-52 Solution must provide a function that will allow a Privileged User: a. To view Portal metrics; and b. To collect and export Portal metrics. M-53 Solution must allow a mixture of both non-AJAX and AJAX-enabled Rich Internet Application (RIA) based portlets on the same page, and portlets must refresh their content without a full page refresh. M-54 Solution must support, function and interoperate with the following Java development tools, technologies and libraries: a. Apache Log4j; b. Java Server Pages (JSP) 2.0 and higher, and Servlet 2.4 and higher; c. JSP Standard Tag Library (JSTL) 1.2 tags or higher; d. Enterprise JavaBeans (EJB); e. Java Message Service (JMS); and f. Java Naming and Directory Interface (JNDI).

Page 36 of 55

Req. Mandatory Requirements – Technical Number Portal Product M-55 Solution must support, function and interoperate with the following web and application technologies: a. Simple Object Access Protocol (SOAP); b. Web Services Description Language (WSDL); c. eXtensible Markup Language (XML); d. Representational State Transfer (REST); e. JavaScript Object Notation (JSON). M-56 Solution must be able to be accessed from and function with, at a minimum, the web browsers / versions recommended by Canada:

http://www.cra-arc.gc.ca/esrvc-srvce/tx/psssrvcs/brwsr-eng.html

2.3.6 Testing, Performance and Monitoring Req. Mandatory Requirements – Technical Number Testing, Performance and Monitoring M-57 Solution must support and interoperate with testing tools through an Application Programming Interface (API). M-58 Solution must support, function and interoperate with application release processes that are deployed into production via multiple testing environments. M-59 Solution must support, function and interoperate with existing server and application monitoring systems, either through Simple Network Management Protocol (SNMP) traps, log monitoring or via integration with a monitoring agent. M-60 Solution must support, function and interoperate with BMC monitoring products: a. BMC Event Manager (BEM) b. BMC Transaction Management - Application Response Time (TM-ART) c. BMC Monitoring Agent d. BMC Patrol M-61 Solution must support, function and interoperate with CA Wily application performance monitoring tool. M-62 Solution must provide enterprise scalability that will achieve, at a minimum these performance goals: a. 85,000 peak logins per hour with an average 30% annual growth; b. 5 second response time.

2.3.7 Backup and Recovery Req. Mandatory Requirements – Technical Number Backup and Recovery M-63 Solution must support online back-ups without having to take the system offline. M-64 Solution must provide rollback and recovery mechanisms that will maintain the integrity of the entire Solution, up to the point that a failure occurred. M-65 Solution must accept and respond to requests from independent load balancers. M-66 Solution must support, deploy and operate in a clustered environment, i.e. a redundant and high availability configuration across two or more independent data centers.

Page 37 of 55

Req. Mandatory Requirements – Technical Number Backup and Recovery M-67 For clustered deployments, Solution must provide mechanisms to perform software upgrades and rollbacks at a server level without the requirement to take all clustered application servers offline, (i.e. user access to Portal is maintained during an upgrade/rollback). M-68 In the event of a failure, Solution must maintain sufficient context such that the User’s session can be re-instantiated on another application server instance. M-69 Solution must deploy, function and interoperate in an operational environment with 99.9% availability (excluding scheduled outages), 24/7, 365 days per year.

2.3.8 Technical Support Services Req. Mandatory Requirements Number Technical Support Services M-70 The Contractor must be responsible for diagnosis of software problems that occur in any of the Solution components. M-71 The Contractor’s technical support services must include a technical hot-line: a. Maintained 24/7, 365 days per year; and b. Accessible by toll-free telephone, fax and email. M-72 The Contractor’s technical support services must provide escalation procedures where service request response time is exceeded. M-73 The Contractor’s technical support services must continue for a minimum of twelve (12) months after the discontinuation of a specific version, release or build.

The Technical Authority Designate must be notified at least six (6) months in advance in writing of any such discontinuation in a specific version, release, or build.

Page 38 of 55

Req. Mandatory Requirements Number Technical Support Services M-74 The Contractor’s technical support services must provide for the following in regard to Problem Escalation and Response Times: a. A detailed outline of their problem escalation procedures in writing to the Technical Authority, within 3 working days of contract award. b. Assign a single point of contact for escalation status reporting purposes and provide that name to the Technical Authority in writing, within 3 working days of contract award. c. Upon notification by the Technical Authority, or a delegate, of a software problem, the Contractor’s technical support services must work continuously until the Solution is returned to operation. d. The Contractor’s technical support services must comply with the status update requirements as outlined in the following Severity Table.

Technical Support Services – Severity Table

SEVERITY 1 - The product is non-operational and has rendered the Solution unusable by CRA; operations are critically impacted and the problem requires immediate attention and resolution.  The Contractor’s technical support services must issue a verbal and email progress report to the Technical Authority every one (1) hour, until the problem is resolved.

SEVERITY 2 – The product is operational, but with severely restricted functionality or degradation.  The Contractor’s technical support services must issue a verbal and email progress report to the Technical Authority every two (2) hours, until the problem is resolved.

SEVERITY 3 – The product or device is operational, with functional limitations or restriction that are not critical to the overall operations.  The Contractor’s technical support services must issue an email progress report to the Technical Authority daily until the problem is resolved.

SEVERITY 4 – The product or device is usable, but a problem has been detected that may impact the Solution. Questions associated with product usage, implementation, performance, or any other inquiries for the support organization also fall under this category.  The Contractor’s technical support services must issue an email progress report to the Technical Authority once to acknowledge the problem and once when the problem is resolved.

Page 39 of 55 Req. Mandatory Requirements Number Technical Support Services M-75 Contractor must provide qualified technical personnel who will work with Canada to prepare and deliver an implementation plan for the Solution.

The Contractor’s qualified technical personnel will be responsible for the following with regards to the implementation plan for the Solution: a. Install, test, and monitor particular facets of technology. b. Configure, execute and optimize technical installations. c. Create and document test plans for performance tests, define metrics for performance tests, execute performance tests and review results. d. Advise staff about the efficient use of resources and best practices for the environment. e. Maintain and control documentation for technology hardware, software and solutions including architecture documents, installation plans, tests plans, optimizations and revision of results. f. Work with stakeholders from SSC and partner areas as required. g. Troubleshoot and respond to user problems both verbally and in writing. h. Provide coaching and skills transfer to SSC staff both verbally and in writing to enable SSC staff to manage and administer the environment. i. Ensure that upon completion, that SSC will have a working solution for testing. j. Confirm that testing will ensure what has been delivered will satisfy the technology requirements as identified in this SOR. k. Consultation with SSC and CRA personnel on any issues with the Solution.

Page 40 of 55 3 Appendices Shared Services Canada (SSC) is responsible for the provision of mandated services to partner organizations in support of the delivery of Government of Canada programs and services. The Horizontal Portal Product (HPP) will be implemented on platform and infrastructure services either hosted by SSC, or by a designated third party that has been approved by SSC to provide platform and infrastructure services to Canada.

3.1 SSC Hosted Platform Description The e-Business Computing Environment (eBCI) platform is designed to host and support Agency business services from initial application testing through to production deployment. This platform provides a high availability (24/7/365) configuration that includes load balancing and redundant components, clustered across two independent data centres for all business-critical applications and services. Additional infrastructure services include monitoring, software distribution, user authentication, access control, and security services.

3.1.1 SSC Hosted Platform Details Servers • Blade Servers – HP BL460c Gen9 • CPU Type – Intel Xeon E5-2697A @ 2.6 GHz • CPU / Cores – 2 sockets w/16 cores per socket (32 CPUs total) • Memory – 512 GB minimum

Environment • OS – Red Hat Enterprise Linux (RHEL) 6.9 / 7.2 • Virtualization – VMWare ESX o WebLogic application servers have a minimum of 4 virtual CPUs • JEE application server – Oracle WebLogic Server (WLS) • HTTP / web server – Apache web server • Database – IBM DB2 on z/OS (primary); Oracle, Postgres, MS SQL on Linux / Solaris / Windows • Storage – Enterprise Storage Area Network • Backup – Tivoli Storage Manager (TSM) • Application Performance / Monitoring – CA Wily / BMC • Identity and Access Management – CA SiteMinder

Page 41 of 55 3.2 SSC Hosted Platform / Portal View The following diagram depicts a proposed implementation of a Horizontal Portal Product hosted under current SSC platform services, within a Government of Canada data center. It is provided here for reference purposes only, and should not be considered a definitive implementation guideline.

Page 42 of 55 3.3 Glossary / Acronyms

ACM Access Control Mechanism. The logical component that serves to receive the access request from the subject, to decide, and to enforce the access decision. NIST SP 800-162 AJAX Asynchronous JavaScript and XML. AJAX incorporates other technologies into developing web applications. Ajax: A New Approach to Web Applications | Adaptive Path Coherence Oracle Coherence is an in-memory distributed data grid solution for clustered applications and application servers. Oracle Coherence COTS Commercial Off-The-Shelf Software. Software that can be purchased, leased or licensed to the general public. CRA The Canada Revenue Agency administers tax laws and administers social and economic benefit and incentive programs delivered through the tax system. Canada Revenue Agency - Canada.ca CSS Cascading Style Sheets is a language for describing the rendering of structured documents (such as HTML and XML) on screen, on paper, in speech, etc. W3C CSS Snapshot 2017 Developer Developer. An individual that builds and creates software and applications. DXP A Digital Experience Platform is a software platform that enables you to build and deliver integrated, optimized user experiences across all digital channels, all audiences and all stages of the user / customer lifecycle. Source: Xtivia – Vivek Agarwal EJB Enterprise JavaBeans (EJB) technology is the server-side component architecture for the JEE platform. Enterprise JavaBeans Technology End User End User. An individual who uses the portal after it has been fully implemented. HPP Horizontal Portal Product. Portal platform software is a packaged software application that is used to create, deploy, and maintain enterprise portal websites. HSTS HTTP Strict Transport Security. This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections. RFC 6797 - HTTP Strict Transport Security (HSTS) HTML HyperText Markup Language. HTML is the Web’s core language for creating content for everyone to use anywhere. W3C Web Platform Working Group (Publication Status) HTTP The Hypertext Transfer Protocol is an application-level protocol for distributed, collaborative, hypermedia information systems. RFC 2616 - HTTP/1.1 ISO/IEC ISO/IEC 8859-1 is an ASCII-based 8-bit single-byte coded graphic character set, (Part 1: Latin alphabet No. 1). 8859-1 ISO/IEC 8859-1:1998 (International Organization for Standardization) ITB Information Technology Branch, Canada Revenue Agency, Government of Canada. JavaScript JavaScript. JavaScript is a prototype-based, multi-paradigm, dynamic language, supporting object-oriented, imperative, and declarative (e.g. functional programming) styles. JavaScript | Mozilla Developer Network (MDN) JCP Java Community Process is the mechanism for developing standard technical specifications for Java technology. The Java Community Process Program JEE Java Enterprise Edition. Java EE is developed using the Java Community Process, with contributions from industry, commercial and open source organizations. Java Platform, Enterprise Edition JSF JavaServer Faces is a standard Java framework for building Web applications. Introduction to JavaServer Faces | JavaServer Faces Technology - Oracle JSP JavaServer Pages technology provides a simplified, fast way to create dynamic web content. JavaServer Pages Technology Log4j Apache Log4j is a popular logging package for Java. It allows app code to be traced and logged during development. Apache Logging Services MVC The Model-View-Controller (MVC) is an architectural software design pattern that separates an application into three main components: the model, the view, and the controller. Java SE Application Design with MVC | MSDN ASP.NET MVC Overview

Page 43 of 55 Portal A portal is a high-traffic website with a wide range of content, services… selecting the content sources and assembling them in a simple-to-navigate and customize interface for presentation to the end user. Gartner IT Glossary Portal Portal Administrators. An individual who is responsible to manage other users, groups, and roles to control access Administrato to the applications and assets available on a portal server and can make changes to the portal. rs Portlet Portlets are web components, like Servlets, specifically designed to be aggregated in the context of a composite page. The Java Community Process Program: Java Specification Requests (Portlet) Privileged Privileged Users. An individual with authority to access more than the usual functions or to make changes to the Users portal. Processor Each processor in the server on which the software is running, see section 3.1.1 Platform Details. SHA-256 SHA-256 is a Secure Hash Algorithm with a hash value of 256 bits. FIPS.180-4.pdf (National Institute of Standards and Technology) Solaris Solaris is an enterprise operating system provided by Oracle. Solaris 11 | Solaris 10 SPARC Scalable Processor Architecture is a reduced instruction set computing (RISC) instruction set architecture (ISA). See Fujitsu SPARC Servers. SPR Secure Portal Reengineering. SPR is part of the CRA's Service Modernization Strategy. Spring MVC Spring Web MVC (or Spring MVC) is the original web framework built on the Servlet API. The Spring Framework provides a programming and configuration model for Java-based enterprise applications. Spring Framework SSC Shared Services Canada provides network, data centers, platform and application hosting, to Government of Canada departments and agencies. Shared Services Canada - Canada.ca Server The server on which the software is running, see section 3.1.1 Platform Details. Struts Apache Struts is a free, open-source, MVC framework for creating Java web applications. Apache Struts project Subscription Allows the use of the software for a specified time period. This includes technical support and access to upgrades and patches released during the term of the subscription. TLS Transport Layer Security. The TLS protocol provides communications security over the Internet. RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 UTF-8 Unicode Transformation Format. FAQ - UTF-8 UXP A User Experience Platform (UXP) is an integrated set of technologies used to provide interaction between a user and a set of applications, processes, content, services or other users. Gartner IT Glossary WCAG The Web Content Accessibility Guidelines covers a wide range of recommendations for making Web content more accessible. Web Content Accessibility Guidelines (WCAG) 2.0 WebLogic Oracle WebLogic Server is an application server for building and deploying enterprise Java EE applications. Oracle WebLogic Server Technical Information WET The Web Experience Toolkit includes reusable components for building and maintaining websites that are accessible, usable, and interoperable. Web Experience Toolkit - Canada.ca XML eXtensible Markup Language. XML is a text format derived from SGML (ISO 8879) and is also used in the exchange of a wide variety of data on the Web. W3C Extensible Markup Language (XML)

Page 44 of 55 Appendix A RATED CRITERIA

The total available points for all rated requirements is 1,310.

Req. Rated Requirements Description Max Evaluation Criteria Number Points R-1 Solution should provide French language help capabilities for 20 10 points per each both developers and administrators, that: item met a. Explains their Solution’s command syntax, error messages, and correct usage; and b. Is indexed and searchable. R-2 Solution should provide English language help capabilities for 20 10 points per each both developers and administrators, that: item met a. Explains their Solution’s command syntax, error messages, and correct usage; and b. Is indexed and searchable. R-3 Solution should provide the following documents in French: 35 5 points per each a. Software installation and configuration; item met b. System administration; c. Portal and portlet development; d. Principles of portal deployment and configuration; e. Portal technical architecture; f. Sizing and performance tuning; and g. API documentation. R-4 Solution should provide the following documents in English: 35 5 points per each a. Software installation and configuration; item met b. System administration; c. Portal and portlet development; d. Principles of portal deployment and configuration; e. Portal technical architecture; f. Sizing and performance tuning; and g. API documentation. R-5 Contractor should provide all documents and any other reference 20 10 points per each material in these formats: item met a. Hypertext Markup Language (HTML); and b. Portable Document Format (PDF). R-6 Solution should provide WET 4.0 or later standards-compliant 30 30 points if met sample templates, pages, portlets and themes. Reference: https://github.com/wet-boew/wet-boew R-7 Solution should facilitate using command line scripting for export 45 5 points for each and import of the full configuration of an environment to/from an item met archive file, including: a. Property files; b. XML configuration files; c. Database (metadata based) configuration settings;

Page 45 of 55 Req. Rated Requirements Description Max Evaluation Criteria Number Points d. Other configuration and content information; e. Sites; f. Pages; g. Portlets configuration; h. Access control entities (e.g. user groups and roles); and i. Web content and web content versioning. R-8 Solution should be available for installation, deployment, and/or 50 20 points if a. met consumption using these deployment/service models: 20 points if b. met a. On-premise deployment; 5 points if c. met b. Cloud deployment; 5 points if d. met c. Software-as-a-Service model; and d. Platform-as-a-Service model. R-9 Solution should provide a feature that allows the same 10 10 points if met deployment units to use different parameters based on test states. For example, a server.name parameter value should be substituted for the appropriate server name value. R-10 Solution should function and interoperate with the OAuth 2.0 20 20 points if met Framework for authorization. R-11 Solution should function and interoperate with the OpenID 20 20 points if met Connect 1.0 protocol. R-12 Solution should support: 20 10 points per each a. Web single sign-on (Web-SSO); and item met b. Web Services Security (WS-Security). R-13 Solution should provide: 100 70 points if a. met a. Attribute-Based Access Control (ABAC); and/or 20 points if b. met b. Role-Based Access Control (RBAC); and/or 10 points if c. met c. Group-Based Access Control (GBAC). R-14 Solution should provide a service interface to the Access Control 50 20 points if a. met Mechanism through a: 20 points if b. met a. Web Service; 10 points if c. met b. JAVA API; c. Proprietary interface. R-15 Solution should have the ability to transform and export audit 20 20 points if met information in real time.

Page 46 of 55 Req. Rated Requirements Description Max Evaluation Criteria Number Points R-16 Solution should provide a graphical user interface (GUI) for 45 5 points for each Privileged Users to manually and/or automatically perform tasks item met such as, but not limited to the following: a. Deploy portlets and themes; b. Manage Portal page actions such as creation, deletion, modification; c. Link together portlets on a page and across pages; d. Manage authorities (permissions and roles) assigned to Portal users and groups in the context of Portal resources; e. Manage User groups and group membership; f. Default language selection; g. Configure session inactivity as well as and maximum session duration in seconds or minutes; h. Manage custom URL mappings to Portal resources; and i. Manage custom unique names for Portal resources. R-17 Solution should provide a feature that allows Privileged Users to 50 50 points if met customize the data / metrics that the Solution collects. R-18 Solution should provide a capability to export Portal metrics data 20 20 points if met on an ad hoc or recurring basis. R-19 Solution should provide a feature that allows Privileged Users to 70 10 points for each track relevant data about how End Users interact with web item met content: a. How often Users view any page, b. How long Users view any page, c. Extent to which Users interact with various widgets, d. What path Users take (entry, navigation, exit points), e. What point they exit/abandon a particular process, f. Measurement of activities or events such as document downloads and views, and g. Use of online help. R-20 Solution should provide a feature to track: 30 10 points for each a. How many of our Users utilized the search engine within item met the service space; b. The search terms entered by Users; and c. How Users engage with the service space as result of their searches. R-21 Solution should provide a feature that will collect and store 20 20 points if met metadata and the End User actions, whenever a service generates a confirmation page. R-22 Solution should provide a feature that allows End User searching 20 20 points if met and viewing of stored metadata. R-23 Solution should provide a feature that allows End Users to 10 10 points if met suspend and renew workflow within a session and after logging out and returning to the Portal.

Page 47 of 55 Req. Rated Requirements Description Max Evaluation Criteria Number Points R-24 Solution should provide a feature that allows Privileged Users to 30 30 points if met create simple ad hoc reports of collected Portal metrics from a list or menu. For example, report monthly number of views of specified pages. R-25 Solution should provide services to refine the analytic data into 30 15 points for each specific segments: item met a. Subsets of sessions; and b. Subsets of Users. R-26 Solution should provide a feature that allows Privileged Users to 30 30 points if met extract and transform Portal metrics. R-27 Solution should provide a feature that allows Privileged Users to 20 20 points if met use scripting with products such as Google Analytics or Adobe Analytics. R-28 Solution should provide a web clipping feature that allows Portal 45 15 points for each Administrators to identify and extract portions of existing web item met pages for display in a portlet. Solution should: a. Accommodate various login mechanisms, including integrating with authenticated web content through single sign-on; b. Accommodate HTTPS; and c. Provide inline rendering. For example, when a User clicks a link in the Web Clipping portlet, the results should display within the same portlet. R-29 Solution should provide a feature that allows Privileged Users to 40 20 points for each create contextual online help and online tutorials for selected item met users. a. Contextual online help b. Online tutorials R-30 Solution should provide a calendar feature that allows: 15 5 points for each a. Prepopulating calendar by Privileged Users; item met b. Personalizing the calendar by Users; and c. Exporting data to external tools. R-31 Solution should provide built-in messaging feature that includes: 30 10 points for each a. Alerts; item met b. Announcements; and c. Messages. R-32 Solution should provide a feature that allows Privileged Users to 20 20 points if met post near real-time surveys of services offered within the service space. R-33 Solution should include a mobile device framework that provides 30 30 points if met automatic selection of alternate layout templates and pages for mobile device access.

Page 48 of 55 Req. Rated Requirements Description Max Evaluation Criteria Number Points R-34 Solution should provide a user interface for monitoring real-time 30 5 points for each performance of HPP applications, as well as producers and item met portlets that applications may use. The interface should: a. Help administrators to identify issues and performance bottlenecks in the environment; b. Use a web-based user interface; c. Monitor HPP components; d. Monitor performance and show critical metrics; e. Send proactive alerts for performance issues; and f. Provide historical monitoring data or charts. R-35 Solution should provide an Eclipse-based Integrated Development 30 30 points if met Environment (IDE) component. R-36 The IDE component of the Solution should provide editors for all 20 5 points for each features of the HPP platform including: item met a. Source code editors for Java, JSPs, XML, HTML, XHTML, and CSS; b. Validation and highlighting of syntax; c. Custom or externally defined namespaces; and d. Highlighting of compile errors. R-37 The IDE component of the Solution should provide a portlet 20 20 points if all items debugger that can: are met; a. Step through code as it is executing on a line-by-line basis; 0 points if any item and is not met b. Set breakpoints to pause execution; and c. Set watches and view the content of variables and object graphs while a program is paused. R-38 The IDE component of the Solution should be compatible with 60 30 points if a. met these version control systems. 20 points if b. met a. Git 10 points if c. met b. Concurrent Versions System (CVS) c. Subversion (SVN) or other version control system R-39 The IDE component of the Solution should leverage existing 20 20 points if met content published by the integrated WCM. R-40 The IDE component of the Solution should be compatible with the 20 10 points for each following build script languages: item met a. ANT; and b. Maven. R-41 Solution should provide developer tools that are compliant with 20 20 points if met Web Content Accessibility Guidelines (WCAG) version 2.0 AA. Reference: http://www.w3.org/TR/WCAG20/ R-42 Solution should provide developer tools that have the ability to 20 20 points if met search components, templates, and forms.

Page 49 of 55 Req. Rated Requirements Description Max Evaluation Criteria Number Points R-43 Solution should provide the capability to spell check forms, 20 10 points for each including visible text and accessible text, for both: item met a. Canadian French; and b. Canadian English.

Page 50 of 55 ANNEX B PRICING TABLES AND LIST OF DELIVERABLES

Table 1 - Firm Requirement - Horizontal Portal Product (HPP) Solution License and Maintenance & Support

Table 2 - Optional Requirement - Horizontal Portal Product (HPP) Solution Licenses for Production Environment

Table 3 - Optional Requirement - Horizontal Portal Product (HPP) Solution Maintenance & Support for Production Environment

Table 4 - Optional Requirement - Horizontal Portal Product (HPP) Solution Licenses for Test Environment

Table 5 - Optional Requirement - Horizontal Portal Product (HPP) Solution Maintenance & Support for Test Environment

Table 6 - Optional Requirement - Technical Services

Table 7 - Optional Training

Prices must be entered in the accompanying ANNEX B Pricing Tables and List of Deliverables fillable spreadsheet (attached).

Page 51 of 55 Shared Services Services partagés Canada Canada

ANNEX C Security Requirement Checklist SRCL

Page 52 of 55 Shared Services Services partagés Canada Canada

Page 53 of 55 Shared Services Services partagés Canada Canada

Page 54 of 55 Shared Services Services partagés Canada Canada

Page 55 of 55