Development and Implementation of an ID Card Registration and User Identity Management System for the project beneficiary in Montenegro(UNOPS-MNEMig-2025-S-004)

New clarification added: Question:For the RFP/2025/59214 – Development and Implementation of an ID Card Registration and User Identity Management System (UNOPS-MNEMig-2025-S-004), could you kindly confirm that the proposed solution is expected to be deployed on the Beneficiary’s existing database infrastructure (i.e., their Microsoft SQL Server environment), as this is generally considered best practice to ensure compatibility, security, and cost-efficiency. In the unlikely case that the use of the existing platform would not be feasible, please clarify who would be responsible for providing and financing the required database licenses?Answer:If the bidder uses Microsoft SQL Server Enterprise 2016 or Oracle 11gr2 Enterprise as the RDBMS for its solution, the solution will be deployed on the existing database infrastructure of the Ministry of Interior. In case the bidder uses other databases, the bidder is required to include in their proposal all accompanying software licenses necessary for the operation of the System in accordance with the requirements of this Technical specification, without any limitations such as license duration, number of application servers, data storage capacity and similar constraints. 

New clarification added: Section II: Schedule of Requirements (p.9) “The source code of all System components developed for this project, along with the accompanying technical documentation, must be delivered to MoI in electronic format … Ownership of the source code will be transferred to MoI.” Question 11: Is it permitted to use open-source libraries (Apache/MIT licensed)? How exactly will the intellectual property transfer be documented? ​Answer: Open-source libraries are permitted to use as long as these libraries meet all functional and non-functional requirements set by this RfP. The source code of all System components developed for this project, along with technical documentation that provides detailed descriptions of software development procedures, source code, installation, and configuration of the software solution will be transferred via handover document, which will be prepared and signed as part of System Acceptance procedure.  Section II: Schedule of Requirements (p.19) “Failures and malfunctions causing a complete business process stoppage (total System outage) must be resolved within 3 hours.” Question 12: Does the one-year warranty require 24/7 support availability, or will business hours be sufficient? How should SLA for “3 hours resolution” be ensured during nights/holidays? Answer: Fault (failure and malfunctions) reports will be submitted on working days from 7 a.m. to 5 p.m., and accordingly, fault resolution is expected during that period on those days as well.Section II: Schedule of Requirements (p.9) “The selected supplier is obliged to set up the development/build environment on equipment owned by MoI…”Question 13: What will be the procedure for Contractor’s access to the MoI development/build environment? Will remote VPN/secure channel access be provided, or will work only be possible on-site within MoI premises? What are the security clearance requirements for Contractor’s personnel? Is the option allowed when the development environment is on the developer's side?Answer: The selected bidder may develop application in their own development environment, but all changes and versions of the application’s source code must be committed to the development environment established within the MoI. For any version of the application to be deployed to the test or production environment, it must be built/generated in the MoI’s development environment. The development environment cannot be accessed remotely. When it comes to security criteria, all individuals engaged by the selected bidder on the Project are required to sign a non-disclosure agreement. The selected bidder is also obliged, at the beginning of the project, to provide copies of documents (identity card or passport) of the individuals who will be engaged on the Project, i.e., who will be entering the premises of the Ministry of Interior, so that the necessary security checks can be carried out by the competent authority.

New clarification added: Section II: Schedule of Requirements (p.14)“User authentication in the System must be based on a strong authentication mechanism, such as two-factor authentication. One factor of authentication will involve the use of digital certificates issued by the MoI.” Question 1: How should a new employee (who does not yet possess an ID card with a certificate) authenticate at first login? Is it allowed to use AD/corporate account + OTP until the ID card is issued? Answer: For a new employee, the request for issuing an official ID card is submitted by their supervisor.Section II: Schedule of Requirements (p.12) “Private keys are stored on the official identification cards of the officers of the Signatory Parties to the Agreement, with no possibility of export.”Question 2: Is it expected that each workstation will be equipped with a smart card reader? Do we understand correctly that card readers should be provided by the Beneficiary? Answer: Card readers will be provided by the Beneficiary and their procurement is out of the scope of this Project.Section II: Schedule of Requirements (p.6) “After completing the request, a form is generated, which is printed, signed by the official ID card holder and their immediate supervisor, then scanned and stored in the System. The System should also support the option to submit the request electronically through the workflow to one or more supervisors in the hierarchy for approval.”Question 3: Which approval scenario will be primary for MoI: paper-based or electronic workflow? Should the solution support both simultaneously?Answer: Paper-based workflow will be leveraged at the beginning, but solution should support both workflows simultaneously, as it is defined in the Section 3.4 of the RfP.Question 4: Do we understand correctly that the paper-based scenario should only apply to new employees who do not have an ID card with a signature on it?Answer: Paper-based scenario will be predominantly used in the process of issuance of official ID card with digital certificate to new employees who do not have an ID card with a signature on it.Section II: Schedule of Requirements (p.6) “The RA verifies all required data in accordance with the MoI’s Certificate Authority policies and rules to ensure the completeness and accuracy of the request before forwarding it to the Certificate Authority and the personalization facility.”Question 5: Will RA operator verification be always manual after automatic registry checks, or should fully automated transfer to CA also be supported?Answer: Fully automated transfer to CA should be supported. Section 4 stipulates that for integration purposes, an API must be developed to enable the transmission of prepared data for the personalization of official ID cards. The API should be scalable and allow for automatic data preparation with minimal human intervention. The API must also have the capability to receive data about the personalized official ID card.Question 6: Can the application be enriched with other data at this stage (for example, scans of permits, orders on appointment to a position that the applicant does not have, or photographs)?Answer: Section 4 stipulates that for the purpose of integration and secure data exchange, it is necessary to develop an API with clearly defined rules, enabling the personnel records of the Signatory Parties to send data about employees to the RA in real time. Any data and documents stored in such personnel records databases, which are relevant and needed in the process of issuance/renewal/cancellation of official ID cards should be exchanged with the RA through this API. Section II: Schedule of Requirements (p.9) “The System must support integration with MoI’s Certificate Authority … An API must be developed to enable the transmission of prepared data for the personalization of official ID cards.”Question 7: Does an API for integration with the CA already exist, or is the Contractor expected to develop it from scratch? If so, will CA specifications be provided?Answer: The Contractor is expected to develop it from scratch. Section 4 stipulates that for integration purposes, an API must be developed to enable the transmission of prepared data for the personalization of official ID cards. CA specifications will be provided by the MoI to the Contractor during Detailed business/functional analysis and Software design phase. Question 8: Is direct system-to-system integration expected or will a single state data exchange bus (e.g. xRoad or similar) be used (including for searching for applicant data in state registers?) Answer: Direct system-to-system integration is expected.Section II: Schedule of Requirements (p.5) “The system must log all changes to user data, including the responsible user/operator, as well as the date and time of the modification.”Question 9: What is the required retention period for audit logs? Should logs be stored indefinitely or according to MoI retention policies? Answer: Configurability of the log retention period is expected. Some data is stored permanently. Section 5.6 states that the types of activities recorded in the logs, the level of detail, and the retention period will be defined during the software design phase.Section II: Schedule of Requirements (p.10) “The user interface must be available in Montenegrin.” Question 10: Is it necessary to also support multi-language UI (English, Serbian, Bosnian, Croatian), or is Montenegrin-only sufficient?Answer: Montenegrin user interface is mandatory. Multi-language UI is nice to have, but not mandatory. 

New clarification added: Question: Regarding the integration requirements and MoI’s Certificate Authority, I would like to clarify certain points, as follows:How is the communication with CA currently being managed?Does CA provide an API that will be integrated or consumed by the new system?Answer: The Contractor is expected to develop such an API. Section 4 stipulates that for integration purposes, an API must be developed to enable the transmission of prepared data for the personalization of official ID cards. CA specifications will be provided by the MoI to the Contractor during Detailed business/functional analysis and Software design phase. 

New clarification added: Question:Please inform us does the official ID cards that includes a generated digital certificate are part of the project scope needs to be delivered by the Bidder/Vendor, or the End User already posses them, and what is the current/needed technical specification of those ID cards? Answer: End user already possess official ID cards and their procurement is out of the scope of this Project. Question: Please describe how is planned to be the reading of the ID cards digital signatures?What is the the used technology behind of the implemented PKI/CA infrastructure established by the MoI?Answer: If this refers to reading a digital certificate (x.509) issued on the card, the RA will obtain that data from the CA. Hence, this requirement is foreseen in Section 4 – Integration Requirements, which specifies that an API must be developed to enable the transmission of prepared data for the personalization of official ID cards. When certificates are issued, the CA authority will, through the same or another API, return the personalization result, which will also include the x.509 digital certificate.