
Acquisition

Software can be acquired either through external procurement or in-house development. For the Government of Rwanda, most software is acquired through the RISA framework contract. In exceptional cases, external procurement and tender processes may be required. Key activities in this stage include:

  • Definition of security requirements and specifications [Mandatory] - In this stage, the security objectives and requirements are defined as part of the overall software requirements. The definition of security requirements should consider the threat and risk assessment carried out in the initiation phase. The requirements should include the institution’s and GOR’s minimum security controls and guidelines. The specifications defined should be included in the scope for in-house development or the RFP for external procurement.
  • Evaluation of vendor proposals [Mandatory] - Where external procurement is involved, evaluation of vendor proposals should also assess the security controls proposed by the vendors based on the requirements. This may include assessing vendors' prior experience, demonstration of security features for existing software, or review of the approach proposed to address the security requirements for custom software. Recommendations are incorporated into the Tender Evaluation Report.

Outputs:

  • Security specifications for in-house development or external procurement
  • Tender evaluation report, including evaluation of security controls or approach