ona SE Tol. : +94 (tt) 24363069 a A eT a ce «Foe sen mets Wazitas fete, 6, distal. studey, a feeel-110 003, GOVERNMENT OF INDIA MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY STANDARDISATION, TESTING & QUALITY CERTIFICATION DIRECTORATE ELECTRONICS NIKETAN, 6, CGO COMPLEX, NEW DELH! - 110 003 eT NoSTQCHeProciGePNIC/21 1220 ‘fers /Date. aungrp0no, Certificate of Approval This is to certify that “e-Tendering (version 1.09.08) and e-Auction (version 1.09.07) application: Government eProcurement ‘System of National Informaties Centre (GePNIC)" developed and mainteined by M/s National Informatics Centre (NIC) India has been tested and audited by STQC and found to be complisnt with all the applicable requirements relating to security and transparency of the following guidelines. Guidelines for compliance to quality requirement of _~— eProcurement Systems dated-=« 32" ‘August 2012 of Department of Electronics and Information Technology (DelTy], Ministry of Communications & information ‘Technology of the Government of india [DefTy Guidelines] which includes © CVC Guidelines for eProcurement application software as covered by the relevant provisions of Annexure-l of DelTy- Guidelines © GFR 2027 as covered by Annexure: Ill of Deity-Guidelines © IT Act 2000 (and its amendment 2008) 2s covered by Annexure-IV of Dely-Guidelines ‘The brief details of e-Procurement System certified are: No. | Component _ [ Description [Testing & Audit conducted 1. | eProcurement System | Government eProcurement System of National Functional Testing Informatics Centre{GePNIC) : © Performance Testing e-Tendering Application Ver 1.08.08 © Application Security ‘Auction Application Ver 1.09.07 Testing | URLs: Refer Annexure A _ 2. | Hosting infrastructure DE: National Date Centre, Ministry of Electronics nd | © Compliance Audit | | Information Technology, Delhi IT Park, © Vulnerability | Shastri Park, Delhi Assessment | DR: National Data Centre, A-Block, BRKR Bhavan, Tank | © Penetration Testing Serer | ‘The validity of certificate is for three year w.e.f 21.12.2020 subject to compliance to STOC guidelines on Surveillance assessment. Nate: In ease of any mejor changes in e-Tendering (version 1.08.08) and e-Auetion (version 1,09,07) application: Government eProcurement System of National Informatics Centre (GePNIC) or hosting infrastructure, twill be recerti For more details, refer STOC Test & aut reports: © Functional Test Report: STAC IT = ERTL (N} /EPS/NIC /FT/7R/05/2019/207 dt 25/03/2019 © Security Test Report : ETOC{CNI/MT/2020-21/682-2™ cele dt 17/08/2020 & ETOC{CNY/17/2020-21/587-2" cycle dt 03/21/2020 © Vulnerability Assessment Report: STOC IT-ERTLNV/ePS/GEPNICWVA/TA/10/2019/216 dt 15/10/2019 & STAC M- ERTLNI/ePS/GePNIC/VA/TR-02/21/2020/184 dt 08/11/2020. © Penetration Test Report: STOC ITERTLINY/EPS/GePNIC/Pr/TA/A1/2019/238 dt 15/21/2018, STAC I ERTUNI/EPS/GEPNI/PT/Batch6/TR/09/2020/157 dt 04/08/2020, STO IT-ERTL(N)/EPS/GEPNIC/PT/BATCH.-6 & S /TR/05/2020/218 «dt 15/06/2020, STAC IT-ERTLNI/EPS/GEPNIC/PT/BATCH-3/7R/04/2020/35 dt 13/04/2020 & STOC IT-ERTUN/EPS/GEPNIC/PT/BATCH- 2/1R/06/2020/55 et 06/04/2020 ‘> Performance Test Report: STOC IT-ERTL (N)/EPS/GePNIC/PR/AR/10/2019/207 dt 03/30/2019 & QA InfoTech eAuction Performance ‘Test Report dt 28/02/2018 © Process Audit CVC & IT Act Compliance and Security Process Aueit Report : STOC IT-ERTLIN}/EPS/GePNIC/Compliance/TR-02 (Amends) /23/2020/197 dt 10/31/2020 Director & ¢ ion Serviceswenweprccure gov ‘wonw.eauctiongov.in https://mahatenders govi8 ittps://pmgsytenders gov.in and 31 participating Mee 1. httpss/pmgsytendersani.icin/ricgea/apn 2. betpsi//emesytendersap govin/nicgep/2pp 3 https://pmgsytendersara.govin/nicgep/20p 4, httos://omgsytendersasm govin/niegen/270 5. httoe://pmgsytendersbih.gov.in/nicgen/spp 6 7. a 8. httpsi//omesytenderscg.ncin/ricgep/anp ttps://emasytendersgos govin/niegep/apa bpsif/emesytendersgu.gov.in/ricgen/app 3. _https//omgsytendershry.nlc.in/nicgea/spp 20. hitps://pmgsytendersho.govin/niegen/=pp 1. https//omasytendersik.gov n/negen/pp 432. hitps://omesvtendersihrgou.n/niegep/sp2 433, https://omgsytenderskar govin/riegen/=z9 1A. https/fomesvterdersker govin/riegen/anp 35, ttps://omgsytenderste.nicIn/nicgen/3pp 36. ttps://omesytendersmp.gov.in/ricgen/@pp 132. https://pmgsytendersmah.gov.n/ricgep/app 38. ttps://omgsytendersman.gov.in/sicgep/an3 439, bttps://omgsytendersmeg.govin/riegen/32p 20, hntos://pmesytendersm’z govin/aicges/spp 21, httos:l/pmgsytendersnal govin/eiczen/20p 22. httos://omesytendersorigovin/niceepfanp 23, ntps:/fomgsytenderspb.govin/nicgep/app 24 tas://amesvtendersrajgovin/niegep/app httpd emasytendersskr.gov.in/riegea/29p 26, https://omesytenderstn govin/riceea/29p 22. ttpsif/omesytenderstsnic.in/nicgep/spp 28. httpse//omasytenderstrp gov in/iezep/epp 28. bttps:/fomesytendersuk gov.inlegen/200 | 30. hts//omesvtendersuz.govin/niceep/=pp | 31._hitps:/omgsytendersw govinricges/2Dp | s httes//mptenders.gv.in is httos/eprocuremichani.ricia ~ P: hitps//eprocurehsi.nicin - 7 fara etes//wetenders gov'in 7 -_ . etes/feprocuregs.nicin ~ [0.__ [ hte: //eprecurebelco in 7 i httess/fetendersché.nic.in iz hetes//epeletenders.nicin 3. https://etendershy.ricin ie httpsy/meripurtenders cov [S.__|https:/meghalayatenders govin 36.__|__hitosu/mlzoramtenders.govin 7. https /nagelandtenders govin — a 18 httos//pudvtenders.gov.in — | is. ‘tps /skkitender gov. | 20. fetps//tntenders gov. z bu. hetps/ etender.up.c inf z a: hits://eprocurentpe ni - 23. fttes//ddtenders.gov.ia/ - 2. httsy//dnhtenders.g0v in 25. |__ hts: //tendersut.gov in) ~ | 26. | __tpsi//eprocuregrse.co.n 7 27. fetes: /eprocuremd.niin — ba. httes:/tendersodisha gavin ~ Bs. Ittps://govtprecurement.delh-goviinBo. Titties fuktenders govin Bt httos://nptenders.govin 2. hntps/Jktenders.gov.in 8 https://assamtenders. gov in [3a ttpsi/defproc.gov.in ead 135. https: /eprocure andarvan gavin 6 https:/tenders adh govin fa. 38. bntps:/feprocurebhel.coin https: //arkhandtenders.g6vin i. faa faa. ntps://etendersikerala.gov.in ‘tps: /feproc.ounjab.govin intos://eproc.rajasthan.govin https //coalindlatenders.nie.in las. httpsi//iocletenders.nicin ittps://éemoeproc.icin ls. inttps://etenders gov.in 6: hites//tripuratenders.g6vin lax. https/earunacaltenders.2ovinaa TT Government of india weedhat oe gar sitet aes Ministry of Electronics and information Technology waaqat. Rem STA Dit — jrectorate waegitret whem car fare ox ELECTRONICS TEST & DEVELOPMENT CENTRE ETDC(CN)/IT/2020-21/682/2™ cycle (Amended-1) 04/41/2020 ETDC(CN)/1T/2020-23/687/2" cycle Certificate of Approval This isto certify that“Government eProcurement System of National Informatics Centre (GePnic)” has been tested in line with “OWASP Top 10 Application Security Risks - 2017". Web site Details: «Site Name: Government eProcurement System of National Inform: © Test URL/Temporary URL: GePNIC - httos://164.100.129.65/niczep/app eAuetion India -https://164.100.78.147 /eAuction/apo/ ‘Audit Performed by: STOC-IT, Chennai ‘e Testing Date: GePNIC - 27/07/2020 to 14/08/2020 ‘eAuction India — 09/10/2020 to 03/11/2020 © Hash value (IMDS) of Application:MIDS Checksum: GePNIC -9c69¢9d524eb7e02e8271d16499/9e21 eAuction India - faecacsfefdefdafs712880311119467 ‘© REPORT NO: ETDC(CN)/IT/2020-21/682/2 Cycle ETOC(CN)/IT/2020-21/687/2 Cycle Centre (GePNIC) Observations: NIL Conclusion: site has been tested against OWASP Top 10 Application Security Risks -2017 and found ne major vulnerabilities and ts safe for hosting.(Refer web application security report for more details) Recommendation: a site may be hosted with appropriate privileges of read or execute permission for the general public. 2, Ensure that “Write / Read “appropriate Permission is provided to folders concerned with the uploading of files. 3, Ensure “Write/Read” permission is provided to the folder containing the database. 44, Ensure appropriate protection for Application logs, user logs and establish necessary clock synchronization with international time sources. 5, The equivalent of the below listed URL to be deployed over TLS Version 1.2 or higher:Refer Annexure ‘A’. 6. Web server and OS level hardening need to be in place for the production server. 7. The application owner(s) must conduct a reaudit in case of any addition/change in the dynamic content of the application AEE. oy, te. d) Redeye (authorised Signatory) i NABL Accredited Laboratory ARES, ‘aree, feat! VSI Estate, Thiruvanmlyur fi ‘Bet = Goo ot / CHENNAL - 600 041. Phones : (044) 24547700 / 01 /02/ 11/12/88 Fax: (044) 24543713 E-mail : cnetde@stqe.gov.in, itchennal@stac.gov.in, cfr@stqc.gov.in Web : http/hwww.stqe.gov.inAnnexure ‘A’ List of eProcurement Portals in which the above build will be deployed S.No eProcurement Portal Link 1 | Central Public Procurement Portal 3 hittps://eprocure.gov.in/eprocure/app 2 | Central Public Procurement Portal 2 httpsi//etenders.gov.in/eprocure/app 3 | Defence eProcurement Portal ‘nttps://deforoc.gov.in 4 | National Rural Road Development Agency (NRRDA) hetas://omasvtenders.gov.in 5 | NRRDA- State Linked Portals (30 States/UTS) bhites://omasytenders* gov.in 6 | Indian Oil Corporation Limited(IOCL) hitos://iocletenders.nic.in 7 | Coal india Limited (CiL) https://coalindiatenders.nic.in 8 | Chennai Petroleum Corporation Limited(CPCL) ‘nttos://cocletenders.ni.in 9 | NTPC Limited(NTPC) hitps://eprocurentoc.nic.in 10 | Bharat Electronics Limited (BEL) tps://eprocurebel.co.in 11 | Bharat Heavy Electricals Limited (BHEL) inttps://eprocurebhel.co.in 12 | Garden Reach Shipbuilders and Engineers Ltd (GRSE) | https://eprocuregrse.co.in 13 | Goa Shipyard Limited(GSL) hetns://eprocuregsi.nic.in 14 | Hindustan Shipyard Limited(HSL) https://eorocurehsLnicin 15 | Mazagon Dock Shipbuilders Limited (MDL) os://eprocurem 16 | Mishra Dhatu Nigam Limited (Midhani) https://eprocuremidhani.nicin 17 | Union Territory of Andaman and Nicobar Islands https://eprocure.andaman.gov.in 18 | Government of Arunachal Pradesh httos://arunachaltenders.gov.in 19 | Government of Assam 3s://assamtenders.gov.in 20 | Government of Chandigarh (U.7) httos://etenders.chd.nic.in 21 | U.T. Administration of Dadra and Nagar Haveli (U.T)__| httos://dnhtenders.gov. 22 | U.T. Administration of Daman and Diu (U-7) httos://ddtenders.gov.in 23 | Government of NCT of Delhi https://govtprocurement.delhi.gov.i 24 | Government of Haryana hitos://etenders.hry.nic.in 25 | Government of Himachal Pradesh ‘https: //hptenders.g0v.i0 26 | Government of Jammu and Kashmir https://iktenders.gov.in 27 | Government of Jharkhand https, /jharkhandtenders.gov.in 28 | Government of Kerala hitps://etenders.kerala.z0v. 29 | Union Territory of Lakshadweep https://tendersutl.gov.in 30 | Government of Maharashtra https://mahatenders.gov.in 31 | Government of Madhya Pradesh hetps://mptenders.gov.in 32 | Government of Manipur htos://manipurtenders.g0v.in 33 | Government of Meghalaya https://meghalayatenders.gov.in 34 | Government of Mizoram hetps://mizoramtenders.gov.in 35 | Government of Nagaland ihttps://nagalandtenders.gov.in 36 | Government of Odisha hitos://tendersodisha.gov.in 37 | Government of Puducherry bttos://pudutenders.gov.in 38 | Government of Punjab hitos://eproc.punjab.2ov.in 39 | Government of Rajasthan https://eproc.rajasthan.gov.in 40 | Government of Sikkim https://sikkimtender.gov.in a Government of Tamil Nadu httos://tntenders.gov.in a2 Government of Tripura ttps://triouratenders.gov.in a Union Territory of Ladakh https://tenders.ladakh.gov.in a4 Government of Uttarakhand bitos://uktenders.gov.in 45 | Government of Uttar Pradesh hitps://etender-up.nic.in 46 | Government of West Bengal ihttps://wbtenders.gov.in 47 | Demo eProcurement https://demoeproc.nicin “43 | eAuction India https:/leauction. gov.in 0 oe Nica