Enterprise Data Loss Prevention Solution Procurement - Fairness Monitor Final Report

Submission date:
September 26, 2022

Submitted to:
Director, Fairness Monitoring Program

Submitted by:
P1 Consulting Inc.

Table of contents

• 1. Introduction
• 2. Attestation of assurance
• 3. Project requirement
• 4. Fairness monitoring engagement and observations
• 5. Request for proposal
• 6. Reference documents

1. Introduction

P1 Consulting Inc. was engaged on March 25, 2021 as a fairness monitor (FM) to observe the procurement process for the Enterprise Data Loss Prevention (E-DLP) for the Canada Revenue Agency (CRA) and Canada Border Services Agency (CBSA), issued by Shared Services Canada (SSC) as a result of solicitation number: BPM008529 / Event 4. The pre-qualification of Suppliers eligible to participate in the request for proposal (RFP) stage of the procurement pre-dates our engagement, and was completed by SSC in accordance with SSC’s Cyber Security Procurement Vehicle Invitation to Qualify (CSPV ITQ BPM006672).

P1 Consulting is an independent third party with respect to this activity. We reviewed all of the information provided and observed all relevant activities as indicated within this report.

We hereby submit the final report, covering the activities of the FM, commencing from the start of our engagement, continuing through the evaluation consensus meetings to the completion of the evaluation of the proof of proposals on August 8, 2022. This report includes our attestation of assurance, a summary of the scope and objectives of our assignment, and relevant observations from the activities undertaken.

2. Attestation of assurance

The fairness monitor hereby provides the following unqualified assurance statement that concerns the Enterprise Data Loss Prevention for the Canada Revenue Agency and Canada Border Services Agency.

It is our professional opinion that the procurement process which we observed or monitored was carried out in a fair, open and transparent manner.

3. Project requirement

CRA and CBSA house vast amounts of sensitive and protected information. A data breach, whether malicious or accidental, could be incredibly damaging. While policy, access restrictions, and need-to-know help protect data, when someone has access to the data as part of their role, the task of protecting it becomes much more difficult. This is where the need for an E-DLP solution fits in. The CRA and CBSA require an E-DLP solution that provides comprehensive coverage of files and data, while integrating with existing security tools. Contract award will be for 1 contract for a contract period of 4 years, plus 3 option periods of 1 year each.

4. Fairness monitoring engagement and observations

P1 Consulting was engaged as an FM to observe the procurement, and to attest to the fairness, openness and transparency of this monitored activity.

In accordance with the terms of our engagement, we familiarized ourselves with the relevant documents and observed the procurement activities, identifying fairness-related matters to the contracting and technical authorities if/when applicable and ensuring that responses and actions were reasonable, appropriate and fair. We reviewed all of the information provided and observed all relevant activities from our engagement date onwards.

To date, in our role as FM, P1 Consulting observed that the following was implemented throughout the procurement:

• Clarity of the procurement documents and processes;
• Avoidance of conflicts of interests through the implementation of mechanisms;
• Proper processes related to the protection of the bidders’ confidential information;
• Application of diligence throughout the procurement and evaluation processes; and
• Adherence to the procurement documents.

5. Request for proposal

P1 Consulting observed the procurement process for the E-DLP for the CRA and CBSA. As part of our engagement, we undertook the following activities:

• Review of the request for proposal:

  The FM reviewed the final RFP from a fairness perspective. Any fairness-related concerns were adequately addressed by the contracting authority (CA).

• Review of evaluation criteria and procedures:

  The FM reviewed the evaluation criteria and procedures for the RFP to ensure that the evaluation would be completed in a manner that was fair, open and transparent.

• Issuance of the request for proposal:

  The RFP was distributed to pre-qualified suppliers through the P2P portal on June 14, 2021.

• Review of amendments:

  There were 3 amendments related to the procurement process issued during the RFP open period. The FM reviewed all amendments from a fairness perspective.

• Review of request for proposal closing:

  P1 Consulting received confirmation from the CA that no late submissions were received following the closing deadline of July 16, 2021 at 5:00 PM EST. A total of 6 bids were received and handled in accordance with the closing requirements and deadline stated in the RFP.

• Evaluation team replacement

  On August 4, 2021 the evaluation process was initiated, and proceeded to the mandatory requirements evaluation. On, September 13, 2021, it was determined by the CA and the technical authority (TA) that the evaluation team would need to be replaced. Action was taken by the CA and TA to proceed with replacement of the evaluation team with new members. The evaluation process was restarted with this new evaluation team. This approach was determined by the FM to be acceptable from a fairness perspective.

• Evaluation directive meeting:

  On December 11, 2021 and December 16, 2021, the FM attended meetings with the new evaluation team and the CA to discuss the evaluation. The meeting addressed the roles and responsibilities of evaluators, the evaluation process and evaluation guidelines and included the evaluation scoring sheets and conflict of interest (COI) and non-disclosure agreement (NDA) for evaluator sign-off. All members of the evaluation team attended the meeting in preparation for their role in the evaluation and signed the COI and NDA forms prior to initiating their evaluation of proposals. Within the session fairness-related comments were provided, and appropriate action was taken by the CA and evaluation team.

• Evaluation of mandatory requirements and point-rated requirements:

  The evaluation team undertook an individual evaluation of the mandatory requirements for each proposal and convened to discuss their findings at mandatory consensus meetings that took place between the period of February 2, 2022 and February 10, 2022. As a result of the evaluation team discussions clarification questions were issued to all 6 bidders on February 15, 2022 and responses were received by the deadline of February 25, 2022. These clarification communications and the resultant responses from bidders were reviewed by the FM and any fairness-related comments were adequately addressed by the CA. In accordance with the RFP the applicable bidder responses were shared with the evaluation team for their individual consideration. The evaluation team reconvened on March 8, 2022 and March 10, 2022 to discuss their assessment of the clarification information received. After completion of the mandatory requirements evaluation 4 bidders were found to be compliant with all 57 mandatory requirements. The remaining 2 bidders were not found to be compliant with all mandatory requirements and in accordance with the RFP were identified as non-responsive and did not proceed to the point-rated requirements evaluation phase.

  The evaluation team undertook an individual evaluation of the point-rated requirements for each qualifying proposal and convened to discuss their findings at point-rated consensus meetings that took place between the period of April 14, 2022 and May 17, 2022. All 4 proposals achieved the minimum score established within the RFP required to proceed to the financial evaluation phase. The FM reviewed the final technical evaluation spreadsheets and observed that the overall evaluation of mandatory and point-rated requirements was conducted in a fair and consistent manner.

• Financial evaluation and final evaluation results:

  On June 7, 2022 the CA provided the initial outcome of the financial evaluation to the FM. Clarifications were issued by the CA to 2 bidders related to their financial submission on June 10, 2022, which were reviewed by the FM prior to distribution. Following the clarification process the CA provided the final financial results for FM review. It was determined that 2 of the 4 proposals were responsive to the financial evaluation requirements. The FM reviewed the final financial evaluation documents and any fairness-related concerns were adequately addressed by the CA.

• Proof of proposal testing:

  In accordance with the RFP, proof of proposal (PoP) testing was undertaken with the highest scoring bidder in order to validate the bidder’s proposal and proposed solution related to the mandatory and point-rated requirements. In the PoP phase all 57 mandatory requirements and 10 of the 76 point-rated requirements were tested in a series of meetings that took place between July 5, 2022 and August 9, 2022. The highest scoring bidder was confirmed to be fully compliant with the mandatory requirements and met the minimum points requirement for the point-rated requirement. As a result, the CA proceeded to the contracting phase with this bidder. The FM observed that the PoP activities were conducted in a manner consistent with the RFP.

6. Reference documents

All documents related to the procurement are available from the project office.