13.R&T.RP.563 Questions & Answers 2 - European Defence Agency

Procurement procedure 13.R&T.RP.563QUESTIONS &-ANSWERSQuestion 1:The Contract Notice states the bidder should have “the capacity to protect classified information up to the S-UE/EU-S level, and securely interface to other IT-security communities up to this classification level, if requiredby the approach”. Assuming the protection part I refers to the FSC, what is meant by ‘securely interface toother IT-security communities’? Would the project require secret-secret connections?Answer 2:We mean by “Securely interface” to have the capacity to securely process handle and exchange EUCI at thatlevel with different experts, by always being compliant with EU Council Security Rules to protect EUCI and thespecific security-requirements of the contract that will be included in the Security Aspects Letter of theContract.Question 2:2.1.With reference to ‘Section III.2.3)Technical capacity’. In particular:— commitment from the prospective tenderer and the potential subcontractors already identified that they arecurrently capable to handle classified information at level 'Restreint UE/EU Restricted' at their premises, andconsequently, that they have established in their facilities, as a minimum, an 'administrative area' as defined in AnnexII Title IV of the Council Decision of 31.3.2011 on the security rules for protecting EU classified information(2011/292/EU), and they have nominated a facility security officer (FSO), who will be responsible to its managementfor enforcing the security obligations within such an entity,— commitment from the prospective tenderer and the potential subcontractors already identified that they hold or arein condition to obtain by the deadline for submission of a tender a facility security clearance (FSC) at the level 'SecretUE/EU Secret', and that they will appropriately safeguard the confidentiality of all classified information in theirpossession or coming to their notice in the pre-contractual stage and throughout the duration of the contract and afterthe termination or conclusion of the contract, in accordance with the basic principles and minimum standards ofsecurity laid down in the Council Decision of 31.3.2011 on the security rules for protecting EU classified information(2011/292/EU) and the contract-specific security requirements that will be mentioned in the security aspects letter(SAL) of the future contract,Our security officer has made a comprehensive search of EU websites but can find no definition of the securitystandards you describe above. Nor have the National Defence Security and Assurance Service been able toadvice since they are unaware of these definitions.Answer 2.1:Please, have a look to Directive 2009/81/EC of the European Parliament and of the Council of 13 July 2009 onthe coordination of procedures for the award of certain works contracts, supply contracts and servicecontracts by contracting authorities or entities in the field of defence and security, and amending Directives2004/17/EC and 2004/18/EC. In particular, to article 22.2.2.Our company is accredited to work at national and NATO Secret levels, but without the EU security definitionswe (and many other companies) will not be unable to make the commercial commitment you seek.

Answer 2.2.:Please, for EU security definitions, we invite you to read Council Decision of 31 March 2011 on the securityrules for protecting EU classified information (EUCI) (2011/292/EU).EDA accepts EU Member States’ national clearances as equivalent to EU ones. Nevertheless, in this first stageof the procedure, we are just asking potential tenderers for a commitment that you are currently capable tohandle EUCI at the appropriate level, and that you will be able to safeguard the information at RESTREINTUE/EU RESTRICTED level (since tender specs will be most probably classified at this level).In the next step, after launching the call for tenders, the procedure for getting FSC at level 'Secret UE/EUSecret' will be the described in article 11 of Annex V of the Council Security Rules for protecting EUCI(2011/292/EU)2.3.For example, the NATO system accepts national accreditation and there is an established process for gettingNATO recognition. But what is the criteria and process for the EU? So may I request please:- That these definitions be supplied or their web location provided so that we may access the.- Guidance be provided about the process for companies need to follow to get their security statusrecognized by the EU.Answer 2.3.:These specific questions need to be answered by the NSA/DSA or any other competent security authority ofthe country where potential contractors are registered, as different national procedures may apply.EDA, as contracting authority will only ask for a confirmation to your NSA/DSA, that you hold or are incondition to hold before the date of the awarding of the contract an appropriate FSC to safeguard theclassified information you might be provided with or granted access to, or the EUCI you will have to produceduring the performance of the contract.Question 3:In the case that the all the work will be performed in the main contractor’s premises, shall the otherpartners/subcontractors need to hold a facility security clearance (FSC) at the level Secret UE/EU Secret, andnominate a facility security officer (FSO) as well as an administrative area as defined in Annex II Title IV of theCouncil Decision (2011/292/EU)?Answer 3:In that case, it will suffice that they hold a FSC at that level, but without storage capabilities.Alternatively, there could be two solutions: First- either partners/subcontractors’ personnel involved in thecontract, who are going to perform their job in the main contractor’s premises ,might be consideredpartners/subcontractors themselves, provided that a contract is between the main contractor and themselves.In that case, a PSC instead of a FSC at SECRET UE/EU SECRET shall be in place.Or Second- Partners/subcontractors’ personnel to be involved in the contract, who are going to perform theirjob in the main contractor’s premises, are temporarily given on loan within this project. The individual on loanshall be assigned from the partner/subcontractor to the main contractor using the international visit requestprocedures. It remains the responsibility of the NSA/DSA of the partner/subcontractor to make theappropriate arrangements to ensure the protection of all classified information that might come to the noticeof all partner/subcontractor’s personnel.The statement of having nominated an FSO is compulsory. To have established an administrative area shall beinterpreted that is needed for those partners and subcontractors which are going to receive the classifiedtender specs at level R-UE/EU-R at their premises. Otherwise it is not necessary, although briefing for

protecting the accessed EUCI shall be given by the FSO of the Facility where the R-UE/EU-R is going to beaccessed, and acknowledgement of responsibilities signed by the briefed personnel.Question 4:Are National or NATO security clearances (at a level equivalent to EU Secret) accepted for the presentcontract?Answer 4:EDA also accept EU Member States’ national security clearances at equivalent level to SECRET UE/EU SECRET.Question 5:The Annex IV states that the numbers must be indicated in absolute values and Euros. However, the numberswe manage in our organization (order of magnitude of billions) do not fit into the cell space, and thus are notshown. We cannot expand the cells width as they are protected. Is there any problem with that?Answer 5:In this case you can use a scale, please put *1000 or *1000.000 below the table to relate the figures.