Classification: Internal Use

Version.1
Scope of Work Document (SOW)
July 2015

Scope of Work For:

LoRaWAN Network

CDP/Innovation & Engineering

23-Mar-2023

1. Purpose:
SABIC is looking for a vendor to provide LoRaWAN gateway and network server (network
management platform) to connect IIoT sensors and manage the LoRaWAN network to support
Corporate Digitalization strategy.

The Three-tier Architecture as per IIC-IIRA

The LoRaWAN network requires connecting all of the LoRaWAN IIoT sensors and operations in the edge tier
and platform tier, as shown in the three-tier architecture described by the Industrial Internet Consortium.

LoRaWAN network selected shall provide the LoRaWAN gateways and network server to manage and
connect current and future IIoT LoRaWAN sensors, which use LoRa Alliance and CITC connectivity
standards and frameworks, and wireless frequency to securely connect sensors and manage network
devices (Gateways and sensors).

LoRaWAN network capabilities shall address below points:

• LoRaWAN Network Management
• LoRaWAN Sensors connecting and disconnecting.
• LoRaWAN Network Security
• LoRaWAN gateway Security
• LoRaWAN gateway shall support multiple connection protocols including but not limited to
OPC-UA, and MQTT.
• LoRaWAN network server shall be able to provide heat map of device Status with ability to
connect/extract this data (Active Status, Uptime, Security Issues, etc.)
• LoRaWAN network server shall not be able to do data caching.
• LoRaWAN network server shall be able to provide GeoSpatial representation of IIoT device
implementation
• LoRaWAN network server shall be able to provide devices management functionality for the
GW to deploy updates and provide health check status such as, but not limited to, device heartbeat,
signal strength, battery life, etc.

The requirement is to have a LoRaWAN network in compliance with SABIC’s internal infrastructure and
network segregation and Cybersecurity requirements.

2. Detailed Description of Scope of Work:


Vendor shall structure their proposal into six main components as follows:

• Company Profile
• LoRaWAN Network Technical Capabilities for the gateways and network server.
• LoRaWAN Network Technical Considerations and Setup
• Services Offering.
• Timeline and Project Implementation Details.
• Commercials

SABIC requirements are mentioned below for each category:

2.1 COMPANY PROFILE

Vendor shall provide a well-crafted company profile with below mentioned information (not limited to):

• Company information
• Highlight products and services
• Unique strengths and track records
• General idea about investors, business partners, and customers
• Ownership and Management Team
• Company History, mission statement and future goals

2.2 TECHNICAL LORAWAN NETWORK CAPABILITIES

The offered platform shall possess (not limited to) below mentioned capabilities:

Topology: On-premise, cloud or hybrid topology dedicated instance capable of analyzing and storing
the IoT data. Explain how the solution handles the flow of information among the different sensors,
devices, gateways and servers.

Programming Languages and Application Development: What choices the platform makes in its
programming languages, how the platform implements its APIs, and how these choices impact the
IoT solutions’ capacity to implement adequate connectivity, security, and privacy.

Event Handling: Methods used to handle events in an IIoT solution and how the workload impacts
performance and security.

Application enablement and management: Features that enable business applications in any
deployment model to analyse data and accomplish IIoT-related business functions.

Scalability and Data management: Detail the capabilities that support:

• Device management: The ability to register, configure, and manage LoRaWAN devices,
including updating firmware, resetting devices, and monitoring their status and performance.
• Network management: The ability to manage and monitor the LoRaWAN network, including
configuring gateways and sensors, setting up network policies, and monitoring network
performance.
• Data management: The ability to manage and store data generated by LoRaWAN devices,
including real-time data, historical data, and device metadata.
• Security management: The ability to provide secure communication between devices and the
LoRaWAN network, including managing authentication, encryption, and access control.
• Application integration: The ability to integrate with other applications, such as on-premises /
cloud platforms (IIoT Platform, OSI PI) or analytics tools, to enable data analysis and
visualization.
• Over-the-Air (OTA) updates: The ability to update firmware and software on LoRaWAN
devices remotely, without the need for physical access.
• Device activation: The ability to activate and deactivate devices on the LoRaWAN network.
• Geolocation: The ability to determine the location of LoRaWAN devices using various
methods, including Time of Flight (ToF), signal strength, and triangulation.
• Analytics and reporting: The ability to analyse data generated by LoRaWAN devices and
generate reports, including performance reports, network utilization reports, and device health
reports.
• Security: Describe what mechanisms are provided by the platform for administrators,
developers, and researchers to secure their IoT solutions in terms of confidentiality
(encryption and authentication), integrity, availability, and access control to prevent, detect
and correct breaches.

LoRaWAN Network Reference Model

2.3 RADIO GATEWAY TECHNICAL CONSIDERATIONS & SETUP

Vendor shall include consideration about system architecture, data, performance, scalability,
availability, and backhaul protocols and deployment and setup. Example of use case for chemical or
petrochemical industries.

2.4 NETWORK, JOIN AND APPLICATION SERVERS TECHNICAL CONSIDERATIONS & SETUP

Vendor shall include consideration about system architecture, data, performance, scalability,
availability, deployment and setup. Example of use case for chemical or petrochemical industries.

2.5 SERVICES OFFERING

Vendor shall cover and include in their proposal below mentioned service requirements:

• Implementation support and operation, annual health check, on site engineers support.
• User manuals, training presentations, and associated documentation.
• High-Level & Low-Level Edge-To-Enterprise Architecture
• Post-implementation evaluation and high-level plan for translation
• Fully Functional and stable LoRaWAN Gateways
• Fully Functional and stable Network Server
• Any other valuable optional services (Add-ons).

2.6 TIMELINE AND PROJECT IMPLEMENTATION DETAILS

• Vendor to propose project management (governance and delivery) framework model in
compliance to project management methodologies (Waterfall / Agile).
• Project management plan shall include (not limited to) detailed project scope, schedule, risk, and
communication plan / documentation / procedures.
• Vendor shall provide end-to-end Implementation details (documented process workflow /
diagrams)
• Vendor to provide implementation preparation plan including systems integration, dashboards
development, alerts creation and notification user subscriptions.
• Vendor to create user stories, test cases, acceptance criteria for testing and validation (ISRT /
UAT).
• Assignment of dedicated Project Manager throughout the Proof of Concept lifecycle along with
project team details and their skills and capabilities.
• Vendor’s core implementation team must be on-site / flexible to work within KSA time zones.
• Roles and responsibilities of each party (RACI Matrix).
• Progress reporting templates (project steering committee, weekly progress/status, and daily
stand-ups).
• Post-project documentation must be SABIC branded with proper versioning and control.

2.7 COMMERCIALS

Vendor shall provide as part of their commercial proposal (not limited to) below mentioned:

• Pricing structure
• Platform licenses with all categories, levels, licenses details and with different options based on
size and volume.
• Enterprise licenses (unlimited users)
• Services Pricing (as per the services section# 2.2 above)
• Monthly rate price for resident engineers with different skills, multiple experience levels. In
addition, options for onsite and offshore

3. Evaluation Criteria
No. | Question | Answer

A. Hardware
1. Do you have ATEX certified Zone 1 LoRaWAN GW?
2. What is the expected time frame for supplying ATEX certified Zone 1 LoRaWAN GW?
3. What are the supported backhaul link protocols? Please list all supported protocols.
4. Can the GW be powered over Power over Ethernet (PoE)?
5. What is the estimated coverage radius for the GW?

B. Network Server
6. What is the network server application?
7. Does the network server application support on premise or cloud deployment?
8. Does the network server support device management (GW & sensors)?
9. Does the network server support multi-tenancy installation?

C. Experience
10. Did you have any deployment of the GW in Saudi Arabia?
11. Did you have any GW deployment in the oil & gas / petrochemical industry?
12. Did you have any deployment of the Network server in Saudi Arabia?
13. Do you have any current physical presence in Saudi Arabia?
14. Do you have any partners in Saudi Arabia?

4. Responsibility:
Vendor

• Vendor is responsible to provide a fully working platform that covers supplying all required
items and licenses (including third parties license to use, if any). It is the responsibility of the
Vendor to have this clearly considered and indicated in the proposed solution.
• Vendor to adhere to SABIC industrial practices and standards
• Vendor should cooperate with other third party suppliers that SABIC might foresee the need
to use their solution either hardware or software part of IIoT Platform.

SABIC will

• Provide details of Edge Tier and Enterprise Tier devices and applications relevant for IIoT
devices and platforms
• Facilitate entrance access to SABIC facilities
• Provide cyber security requirements
• Review and approve the implementation final plan
• Identify the pilot location and drive Proof of Concept to cover deployed sensor
• Review and approve post-implementation evaluation

5. Standards:
SABIC Engineering Standards (SES)

• X01-E02, Cyber Security, Rev 2. September 2022.
• X08-G01 IIoT Implementation Guidelines Rev 2, October 10th, 2022

Communications, Space & Technology Commission - CITC LPWAN Standards

• RI114_LPWAN

International Telecommunication Union

• ITU-T Y.4480 Standard

LoRa Alliance

• TS001-1.0.4 LoRaWAN® L2 1.0.4 Specification
• TS2-1.1.0 LoRaWAN Backend Interfaces Specification

Industrial Internet Consortium (IIC)

• The Industrial Internet of Things Volume G1: Reference Architecture. Version 1.9. June 19th,
2019.
• The Industrial Internet of Things Volume G5: Connectivity Framework. Version 1.0. February
28th, 2017.

Institute of Electrical and Electronics Engineers (IEEE)

• IEEE 2413-2019. IEEE Standard for an Architectural Framework for the Internet of Things
(IoT). October 3rd, 2020

International Society of Automation (ISA)

• ISA 99 Security for Industrial Automation and Control Systems

International Electrotechnical Commission (IEC)

• ISO/IEC 21823-1, Internet of things (IoT) – Interoperability for IoT systems – Part 1:
Framework, Edition 1.0, February 2019
• ISO/IEC 21823-2, Internet of things (IoT) – Interoperability for IoT systems – Part 2: Transport
interoperability, Edition 1.0, April 2020
• ISO/IEC 30161:2020 Internet of Things (IoT) — Requirements of IoT data exchange platform
for various IoT services

6. Local Content requirements:

In this section, suppliers must comply with Local Content requirements:

• Suppliers must comply with the National Products Mandatory List when sourcing
products stated on the list by filling up the attached National Products Mandatory
List Compliance Form. If the Supplier is found to be non- or partially-compliant, the
Supplier will be excluded from the Bid Evaluation.

• Local Content documents to be submitted by the Suppliers as part of the package:

- Audited Local Content Score-Card Certificate. (Applicable on KSA local
suppliers)
- Complete National Products Mandatory List Compliance Form. (Applicable
on all suppliers)
- Complete Local Content Plan. (Applicable on all suppliers)

• Failure to submit the LC documents will result in excluding the supplier from the
Bid Evaluation.

• For more information on how to obtain an Audited LC Score-Card Certificate,
please visit LCGPA website or contact LC@lcgpa.gov.sa

7. Minimum cybersecurity requirements


Supplier must fully comply, at its own cost, with all applicable Cybersecurity requirements
including, but not limited to, those set forth in the table below. Some requirements only
apply to Suppliers that process, access, or store SABIC and/or its Affiliate information/data.
Suppliers are responsible for determining what requirements apply to them and ensuring
that they meet all applicable legal requirements.

MSR ID | Requirement Description | Response and Evidence (if any)

IDENTIFY

MSR-01: Policies for information security
Suppliers shall have policies for information security, approved by their management and
communicated to all the people with access to their information systems.

MSR-02: Inventory of Assets
SABIC and/or its Affiliate information, other Assets associated with SABIC and/or its Affiliate
information processing facilities managed by the Supplier shall be identified and an inventory of
these Assets shall be drawn up and maintained by the Supplier.

MSR-03: Self-assessments
Suppliers will perform, at minimum, a self-assessment of their operational resilience and
Cybersecurity practices in order to identify and appropriately manage potential risks. The
self-assessment shall include, at minimum, all the requirements included in this document.
The self-assessment must be repeated at yearly intervals (or when requested by SABIC and/or its
Affiliate(s)).
The Supplier shall develop plans and promptly take steps that are required to mitigate the risks
identified.

MSR-04: Audit reports
If the Supplier is subject to Cybersecurity audits, like ISO 27001, SOC 2 Audit and similar audits,
the certificates or the reports will be shared by the Supplier with SABIC and/or its Affiliate(s) at
the request of SABIC and/or its Affiliate(s).
The Supplier shall promptly rectify on their own any problem and/or deficiencies identified in the
audits. A remediation plan approved and executed by the Supplier at their own cost shall be in place
to correct the issues reported.

PROTECT

MSR-05: Access control management
Supplier shall have a defined, documented and enforced Access Management Policy for physical and
Logical access to networks, systems and applications in Supplier Environment that processes,
accesses, or stores SABIC and/or its Affiliate(s) information/data.

MSR-06: Physical security perimeter
Supplier shall define and implement the security perimeters of the Supplier Environment to protect
areas that contain either sensitive or critical information identified by SABIC and/or its
Affiliate(s) as such or information processing facilities.

MSR-07: Information Backup
Backup copies of information, software and system images that process SABIC and/or its Affiliate(s)
information in the Supplier Environment or support services provided to SABIC will be taken
regularly in accordance with industry best practices.
Recovery testing of Backup media shall be conducted periodically to demonstrate that recovery
procedures are fast and effective and the data contained in media is readable after its recovery
from the Backup media.

MSR-08: Network controls
Networks in the Supplier Environment shall be managed and controlled to protect information in
systems and applications. Network controls shall be deployed by means of Firewalls and other network
security technologies acting as network policy enforcement points.

MSR-09: Implementing Cybersecurity continuity
The Supplier shall establish, document, implement and maintain processes, procedures and controls in
the Supplier Environment, to ensure that Cybersecurity is maintained in an adverse situation like a
disaster, security breach or other type of event impacting the Supplier Environment availability or
integrity.

MSR-10: Change management
Suppliers which process, access, or store SABIC and/or its Affiliate(s) information/data shall have
an established change management process in place for making changes to the information systems
used.
Changes and modifications to any connection or configuration between SABIC and the Supplier or
update/upgrade of the system/platform will be performed only after obtaining SABIC and/or its
Affiliate(s) prior written approval.

MSR-11: Mobile device policy
Supplier shall have a policy and supporting security measures to manage the risks related to use of
mobile devices.

MSR-12: Media protection
Supplier shall protect both paper information and electronic information or any other media storing
SABIC and/or its Affiliate(s) information/data, by limiting access to information on those media to
the authorized System Users and Sanitize or destroy information system media before disposal or
release for reuse.

MSR-13: Personnel security
Supplier shall apply preventive measures confirming the adequacy and integrity of their System Users
involved in the provision of goods and/or services to SABIC and/or its Affiliate(s). These measures
shall, at minimum, include the verification of their references and identity and the employees’
agreement for proper use of information systems.
The Supplier shall report all changes related to System Users with access to SABIC and/or its
Affiliate(s) information systems so that their access authorization can be updated by SABIC and/or
its Affiliate(s) accordingly.
The Supplier shall have formal procedures for off-boarding employees and contractors. Off-boarding
procedures must include the return of Assets, and removal of all associated access rights.

MSR-14: System Users training
Supplier must provide and require all System Users to take a yearly mandatory Cybersecurity
awareness training that addresses acceptable use and good computing practices. Training must address
at least the following topics:
• Cybersecurity Acceptable Use
• internet and social media security
• Social Engineering and Phishing emails
• confidentiality and not sharing credentials (e.g. user/password).

MSR-15: Email service protection
The Supplier shall protect its email service with at least the following:
• analyzing and filtering email messages (specifically regarding Phishing and spam) using up-to-date
email protection techniques
• Multi-Factor Authentication for remote and webmail access to email service
• email archiving and Backup
• secure management and protection against Advanced Persistent Threats
• validation of the Supplier email service domains (e.g. using Sender Policy Framework).

MSR-16: Patching
Supplier technology Assets and systems must be regularly updated with the operating system (OS),
software and applications Patches provided by their manufacturer in accordance with industry best
practices.

MSR-17: Anti-Malware
Supplier technology Assets must be protected with Anti-Malware software. Updates must be applied
daily, and full system scans must be performed at least every two weeks. In case of virus/malware
detection, the virus/malware shall be eradicated promptly and the affected systems restored to a
clean status.

DETECT

MSR-18: Audit and accountability
Supplier shall create and maintain information system Audit Logs needed to allow the analysis,
investigation, and reporting of unauthorized, or inappropriate information system activity in the
Supplier Environment and ensure that the actions of individual information System Users can be
attributed to those System Users.

RESPOND

MSR-19: Incident response
Supplier shall have an incident handling process for information systems in the Supplier
Environment, which includes the preparation to detect, analyze, contain, recover and respond to
incidents.

MSR-20: Supplier incident reporting
The Supplier must notify and report to SABIC any adverse situation or Cybersecurity incident that
occurs in the Supplier Environment, affecting any networks, systems or applications that process,
access, or store SABIC and/or its Affiliate(s) information/data. The notification must be done as
soon as practicable, but no later than twenty-four (24) hours after the Supplier becomes aware of it
or should have become aware of it.
The Supplier shall make the notification to SABIC using the following channel:
Email: CyberSecurityCenter@SABIC.COM

8. Definition & Abbreviation


Term | Definition

Access Management Policy: A policy that defines the required access control measures to all the
information systems and applications to protect the privacy, security, and confidentiality of
information technology resources.

Advanced Persistent Threat: An adversary with sophisticated levels of expertise and significant
resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical,
and deception) to generate opportunities to achieve its objectives. The advanced persistent threat
pursues its objectives repeatedly over an extended period of time.

Anti-Malware: Software that is designed to detect, and remove, block, or contain various forms of
malicious software.

Affiliate: In relation to a party, any individual or entity that at any time controls, is controlled
by, or is under common control with, such party, provided that references to SABIC’s Affiliate shall
be limited to any person that is controlled by SABIC and/or Saudi Aramco. For the purpose of this
definition, an entity or person “controls” another person, and that other person is “controlled” by
it, when, either directly or indirectly through one or more other “controlled” entities, it:
(a) holds a majority of the voting rights in the other person;
(b) is a member or shareholder of the other person and has the right to appoint or remove a majority
of that other person’s board of directors or equivalent managing body;
(c) is a member or shareholder of the other person and, pursuant to an agreement with other
shareholders or members, is able to hold or direct a majority of the voting rights in the other
person; or
(d) has the right to exercise a dominant influence over the other person pursuant to its
constitutional documents or otherwise pursuant to a Contract.

Asset: Anything that has value to an organization, including but not limited to, another
organization, person, computing device, information technology (IT) system, IT network, IT circuit,
software, virtual computing platform, and related hardware.

Audit Log: Chronological record of information system activities providing an independently
verifiable trail sufficient to permit reconstruction, review, and examination of sequence of
environments and activities surrounding or leading to operation, procedure, or event in a
transaction from inception to final results.

Backup: A backup, or data backup is a copy of computer data taken and stored elsewhere so that it may
be used to restore the original after a data loss event.

Contract: An agreement between parties creating mutual obligations enforceable by law.

Cybersecurity: The information security requirements needed to support the protection of
confidentiality, integrity, and availability of Assets.

Cybersecurity Acceptable Use: It is a policy stipulating constraints and practices that a System User
must agree to for access to a corporate network, the internet or other resources. It states what a
System User can and cannot do when using computers and computing resources.

Cybersecurity Assessment: Assessment conducted by SABIC to ensure that the Supplier is in full
compliance with the Supplier Minimum Cybersecurity Requirements included in this document and any
Contract.

Firewall: Hardware and/or software technology that protects network resources from unauthorized
access. A firewall permits or denies computer traffic between networks with different security
levels based upon a set of rules and other criteria.

Logical access: Providing an authorized System User the ability to access one or more computer system
resources such as a workstation, network, application, or database through automated tools. A
Logical access control system requires validation of an individual’s identity through some mechanism
such as a personal identification number, smartcard, username and password, biometric, or other
token.

Multi-Factor Authentication: Method of authenticating a system user whereby at least two factors are
verified. These factors include something the System User has (such as a smart card or dongle),
something the System User knows (such as a password, passphrase, or PIN), or something the System
User has or does (such as fingerprints and other biometric elements).

Patch: A piece of software designed to fix operating system or software programming errors and
Vulnerabilities.

Phishing: Phishing is a cybercrime in which a target or targets are contacted by email, telephone or
text message by someone posing as a legitimate institution to lure individuals into providing
sensitive data such as personally identifiable information, banking and credit card details, and
passwords.

Purchase Order: The document, including any attachments thereto, issued by Purchaser to order goods
and/or services from Supplier.

Sanitize: The action of permanently removing all data and/or licensed software, through overwriting
or degaussing methods, from an Asset before that Asset is disposed, loaned, destroyed, donated,
transferred, or surplused.

Saudi Aramco: Saudi Arabian Oil Company, a joint stock company incorporated under the laws of the
Kingdom of Saudi Arabia, having its head office located at P.O. Box 5000, Dhahran, 31311, Kingdom of
Saudi Arabia, registered with the Commercial Register under number 2052101150, and having a share
capital of 60,000,000,000 Saudi Riyals fully paid.

SAUDI BASIC INDUSTRIES CORPORATION (SABIC): SAUDI BASIC INDUSTRIES CORPORATION, a joint stock company
incorporated under the laws of the Kingdom of Saudi Arabia, having its head office located at P.O.
Box 5101, Riyadh, 11422, Kingdom of Saudi Arabia, registered with the Commercial Register of Riyadh
on 14 Muharram 1397H corresponding to 4 January 1977 under number 1010010813, and having a share
capital of 30,000,000,000 Saudi Riyals fully paid.

Sender Policy Framework: Email-validation system that allows domain owners to publish a list of
authorized IP addresses or subnets to detect and block email spoofing, and reduce the amount of spam,
fraud and Phishing.

SOC: SOC is an acronym that now stands for System and Organization Controls (previously Service
Organization Controls) and is a standard of organization’s controls to help ensure the security,
availability, processing integrity, confidentiality and privacy of their customers data. The SOC
control standards were created and overseen by the American Institute of Certified Public
Accountants (AICPA).

SOC 2 Audit: A SOC 2 Audit is an audit on controls at a service organization relevant to security,
availability, processing integrity, confidentiality or privacy. There are two types of attestation
reports: A type 2 report on management’s description of a service organization’s system and the
suitability of the design and operating effectiveness of controls; and a type 1 report on
management’s description of a service organization’s system and the suitability of the design of
controls.

Social Engineering: A manipulation technique that exploits human error to gain private information,
access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting System
Users into exposing data, spreading malware infections, or giving access to restricted systems.

Specific Cybersecurity Requirements: Additional Cybersecurity requirements that can be included in
the scope requirement of the Contracts or Purchase Orders in case the Supplier provides services
and/or goods that can increase the Cybersecurity risk for SABIC. Some examples are outsourcing,
critical data processing and cloud services.

Supplier: The legal entity specified in the relevant Purchase Contract as supplying Party.

Supplier Environment: Supplier collection of computers, data storage devices, workstations, software
applications, and networks that support the processing and exchange of electronic information.

System Users: Supplier employees, contractors and others who have access to the Supplier information
systems.
