Country Signing Certificate Authority Managed Services for ePassport Application

UN Secretariat
Country Signing Certificate Authority Managed Services for ePassport Application Request for EOI

Reference: EOICS1016261
Beneficiary countries or territories: United States of America
Registration level: Basic
Published on: 15-Apr-2019
Deadline on: 03-May-2019 00:00 0.00

Description
The United Nations seeks a supplier to manage the generation and secure storage of country signing key pairs, the self-certification of the country signing key pairs, generation of the CSCA certificate as well as the certification of the document signing public key for the issuance of ICAO Document 9303 compliant electronic travel documents. The supplier is also expected to provide and maintain secure access to the CSCA signing services. For each document signing and master list signing key pair generated by third party systems, the United Nations will access the CSCA through the supplier's secure access mechanism to certify the public key of that signing key pair. A CSCA service will also maintain and regularly issue certificate revocation lists.

The intent of this EOI notice is to encourage experienced, reputable companies to express their interest (if already registered as UN vendor) or apply for registration as a UN vendor so that they can be considered for invitation to bid in such solicitations. Please find below the mandatory requirements and instructions that respondents have to consider:

Mandatory requirements:

1. All components of the CSCA service must be fully compliant with relevant sections of the International Civil Aviation Organization Document 9303.
2. A minimum of eight years' experience specifically in ePassport CSCA is required.
3. At least three legitimate ePassport CSCA applications must be submitted for references, including a contact name and details.
4. The Vendor shall host this service in a highly protected off-line CA infrastructure utilizing a mix of physical, logical and electronic controls.
5. The vendor shall take responsibility for ensuring secure connection with the United Nations and its partners for transmitting the request and response.
6. The CSCA shall generate and securely store country signing key pairs.
7. The CSCA shall self-certify the country signing key pairs and generate the CSCA certificate and subsequent link certificates as required.
8. The CSCA service shall certify the Public Key generated by the Document Signing module of the third party personalization system.
9. The CSCA service shall certify the Public Key generated by the Master List Signing module of a third party system.
10. The CSCA must supply the generated UN Country Public Key to the United Nations when it is generated.
11. At a minimum, should a Document Signing key pair be deemed compromised, the CSCA must be available to make an unscheduled certification of a new pair within one business day.
12. Should the Country Signing pair be deemed compromised and require unscheduled re-issuance, no more than three business days may be allowed to take appropriate measures to ensure the CSCA equipment and connections are secured and a new Country Signing pair be issued, certified and new Document Signing key pairs be certified.
13. Tools should be available for the United Nations to audit activity of the CSCA as well as isolate access to document or master list signer signing activities by login account.
14. The CSCA must accept and immediately action requests to revoke any certificates that have been signed by the CA.
15. The CSCA must issue the Certificate Revocation List at least every 90 days as well as within 48 hours of a revoked certificate request.
16. Over the term of the managed service, should security flaws with the currently accepted CSCA method of signing eMRTDs be identified, or other necessary changes to the overall scheme are required by international best practices, the service provider is required to make the necessary changes in a timeframe suitable to the international community.

Instructions:

Please be aware that respondents are required to have similar CSCA services already in place for other countries. For each requirement, respondents are invited to provide 1-3 sentences to describe how they will meet the requirement by using examples from services they currently offer. Descriptions of services to be built will not be acceptable. Respondents may also submit a separate paragraph summarizing the service they offer to give context to their responses to individual requirements.

The responses to this EOI should be submitted electronically to the following email address: claudia.salazar@un.org no later than 3 May 2019.

Please also note that this request does not constitute a solicitation. The Procurement Division reserves the right to change or cancel this request at any time. It should be noted that submitting a reply to this EOI does not automatically guarantee or obligate the UN to invite any particular company to participate in the subsequent bidding process. Only those prospective companies that are deemed qualified by UN upon completion of an objective evaluation of their submission to the EOI will be invited to participate in any subsequent tender exercise.

Kindly email your duly completed EOI form. All documents for registration must be submitted in clear and legible print. The full technical requirements and details will be provided with a formal solicitation document to be issued at a later stage soon after the closing date for this EOI. It is anticipated that a system contract for the Provision of Digital Certificates and related maintenance services will be established for an initial period of five (5) years, with extension option.

Claudia Salazar