Preference to be given to Make In India cyber security products, DoT

The Security Assurance Wing, Department of Telecommunications, Ministry of Communications issued a circular on March 16, 2021 directing that MeitY's direction on preference to Make in India in public procurement of cyber security products be implemented. All central government departments, PSUs and government organisations must ensure that this preference is given in the public procurement made by them.

MeitY has received several complaints from cyber security product companies that procuring agencies are including restrictive and discriminatory conditions (e.g. turnover, Gartner quadrant or other certifications) in their tenders, which make it difficult for indigenous suppliers to participate in bids.

India has been cited as the second-most attacked country in Asia Pacific region. The 2020 threat landscape was largely shaped by the pandemic. It reshaped what is considered critical infrastructure today, and attackers took note. Cyberattacks on healthcare, manufacturing, and energy doubled from the year prior, with threat actors targeting organisations that could not afford downtime due to risks of disrupting medical efforts or critical supply chains. A recent IBM research study says that manufacturing and energy were the most attacked industries in 2020, second only to the finance and insurance sector. Attackers took advantage of the nearly 50% increase in vulnerabilities in industrial control systems (ICS), which manufacturing and energy depend on.

Relevant excerpts from the notification
The revised Public Procurement (Preference to Make in India) Order 2019 is in furtherance to the Public Procurement (Preference to Make in India) Order No 1(10)2017-CLES dated 02.07.2018 for cyber security products.

Definition of Cyber Security Product
For the purpose of this notification, Cyber Security Product means a product or appliance or software manufactured/produced for the purpose of protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction, and also for the purpose of cyber forensics and cyber incident response.

Definition of ‘local supplier’ or domestically manufactured/ produced Cyber Security Products

  • For the purpose of this notification, the ‘local supplier’ is defined as: A company incorporated and registered in India as governed by the applicable Act (Companies Act, LLP Act, Partnership Act etc.) or a startup that meets the definition as prescribed by DPIIT, Ministry of Commerce and Industry, Government of India under the notification G.S.R. 364 (E) dated 11th April 2018 and recognized under the Startup India initiative of DPIIT. DPIIT has since revised the definition of startup vide G.S.R 127(E) dated 19th February 2019, which is applicable in this notification. AND
  • Revenue from the product(s) in India and revenue from Intellectual Property (IP) licensing shall accrue to the aforesaid company/Startup in India. The entity claiming benefits under the Public Procurement Order 2017, in addition to being an Indian registered/incorporated entity and supplying products, should satisfy the conditions of IP ownership as:
  • Domestically manufactured/produced Cyber Security product means a product whose intellectual property is owned by the Indian Company/Startup (as defined above) such that it has rights to:
    • Use and commercialize without third party consents; and
    • Distribute; and
    • Modify
  • Products with multiple sub-components can be covered under this notification. The minimum local content of a cyber security product shall ordinarily be 60% of the total cost of the product. Total licensing/royalty fee paid by the manufacturer to third parties for such a product shall not exceed 20% of the total cost of the product.
  • The Indian Company/Startup shall demonstrate ownership of intellectual property associated with the product, in addition to trademarks applicable, if any. IP ownership rights would need to be substantiated by adequate proof, such as (a) adequate documentation evidencing ownership OR (b) IP registrations.

Exclusion

  • Dealers, Distributors, Implementation/support services agencies of products, who have limited rights to IP to enable transfer of rights to use, distribute and modify.
  • Digital content is not considered a product, e.g. audio, videos, e-books, computer based training platforms etc.

Definition of domestically developed/manufactured/produced Cyber Security product and Indian Company should be applied in conjunction with conditions 3 and 4 outlined above and read along with the aforesaid exclusion criteria, to suppliers of products to identify Indian Product Company/Startup.

Product List
In furtherance to this notification, cyber security product companies are required to comply with clauses 3 and 4 of this notification and shall produce a self-declaration as per the prescribed format given in Annexure II. Procurement agencies/bodies are responsible for technical evaluation of the security product(s) and its validation for compliance with this order. Furthermore, GeM will enlist the security products under the Head ‘Domestic Cyber security Products’ on the GeM Portal.

Verification of ‘local supplier’ of domestically manufactured/ produced Cyber Security Products

  • The local supplier at the time of tender, bidding or solicitation shall provide a self-declaration that the item offered meets the definition of ‘local supplier’ of domestically developed/manufactured/produced Cyber Security Products, as per para 4 above. The format of self-certification is available in Annexure II.
  • In cases of procurement for a value in excess of Rs. 10 crore, the local supplier shall provide a certificate from the statutory auditor or cost auditor of the company (in the case of companies) that the item offered meets the definition of ‘local supplier’ of domestically manufactured/produced Cyber Security Products, as per para 4 above.
  • In case a complaint is received by the procuring agency or the concerned Ministry/ Department against the claim of a bidder regarding supply of domestically manufactured/ produced Cyber Security Product, the same shall be referred to STQC, an attached office of MeitY.

CT Bureau

Copyright © 2024 Communications Today