SELECTION OF CONSULTING FIRMS BY THE WORLD BANK GROUP
REQUEST FOR EXPRESSION OF INTEREST (EOI)
Electronic Submissions through WBGeProcure RFx Now
Assignment Title: Bhutan: Advisory Support on National Cyber Security Strategy Development and CII Protection
As part of ongoing advisory engagements, the World Bank has been expanding its support to the Royal Government of Bhutan on accelerating inclusive digital transformation. One strategic area of engagement has been on cyber security, where the government has expressed keen interest in the Bank’s assistance to build a solid foundation for mitigating the risks that come with Bhutan’s ambitious plans to advance digital transformation. The Bhutan Computer Incident Response Team (BtCIRT) was established in 2016 as part of the Department of Information Technology and Telecom (DITT) within the Ministry of Information and Communication (MoIC). Functions of DITT, including BtCIRT, transitioned to the new Government Technology Agency (GTA) as part of a Civil Service Reform Bill that became effective in December 2022. Good efforts to strengthen cyber security have been made by BtCIRT over the years, but it remains a small department consisting of a few staff and with limited institutional capacity.
National cyber security strategy
In 2015, Bhutan recognized the importance of cyber security in an ICT roadmap that was developed with support from the World Bank. The roadmap led to an assessment of the country’s cyber security environment in 2015 using the Cybersecurity Capacity Maturity Model for Nations (CMM). The CMM revealed that Bhutan scored at the “start-up” stage for all but 1 of the 21 factors. One recommendation of the CMM report called for the development of a national cybersecurity strategy (NCS).
In 2018, BtCIRT launched the development of a five-year NCS with external advisory support, building on a framework developed by the International Telecommunications Union (ITU) for developing a national cybersecurity strategy. Several stakeholder consultations were carried out, after which an initial draft was finalized. The draft was circulated widely for comments across a broad range of stakeholders. After a break due to the pandemic, the BtCIRT conducted a further round of stakeholder consultations in 2021, which resulted in the current revised draft NCS.
A review of the current draft by the World Bank suggests the draft could benefit from several improvements. This includes enhancing the cybersecurity background and main drivers for developing the strategy, updating the diagnostic work carried out in 2015, resequencing some of the activities based on a prioritization exercise, and augmenting the sections related to critical information infrastructure, among others. For example, the draft NCS contains twenty-one (21) initiatives within its seven (7) goals, each with multiple activities. The World Bank review of the draft NCS underscored the importance of prioritizing the initiatives identified within that document, especially given anticipated resource constraints.
A revised NCS will benefit from a more in-depth assessment of the level of maturity in some priority areas, including updating progress in some areas examined in the 2015 CMM. The draft NCS also does not identify the specific areas of cyber security risk that need to be addressed, although it recognizes the value of a risk assessment as input into the strategy. Finally, the NCS and the cybersecurity environment do not currently include a substantial governance framework, although the NCS does include some elements of governance. Addressing these areas will strengthen a revised strategy.
Critical information infrastructure (CII)
Protection of Bhutan’s critical information infrastructure (CII) is identified as one key objective under the NCS. The Information, Communication, and Media Act 2018 states “the Ministry may, in consultation with the Authority, declare any ICT and media infrastructure as Critical Information Infrastructure (CII).”
BtCIRT began the process of identifying CIIs in 2020, but this process has yet to be completed. An internal working group was formed within the Ministry of Information and Communication that carried out a review of various methodologies and international experience for the identification of CIIs. In addition, a special task force was formed with representatives from various critical agencies and sectors. As a result, a few key draft documents were prepared by March 2021, including a draft framework to identify CIIs; draft identification of thresholds; a provisional list of CIIs; and a preliminary list of assets in three select sectors (ICT, power & finance).
The identification of CIIs was never finalized, and a consensus was not reached for the aforementioned draft documents among the stakeholders involved. This was due to various factors, including a halt in the process caused by the COVID-19 pandemic, lack of knowledge and expertise among the task force to arrive at a common decision, institutional complexities and the need to consolidate information and inputs from various stakeholders to establish the criteria/threshold. For example, the energy sector has different stakeholders such as Druk Green Power Corporation, Bhutan Electricity Authority and Bhutan Power Corporation with different systems, assets and infrastructure; similarly in the telecom sector, with the government and telcos owning and operating a broad range of assets and infrastructure.
II. Objectives of this Consultancy
The objectives of this consultancy are to provide advisory support to BtCIRT in advancing two key areas:
i) Developing a final draft of the national cyber security strategy, and development of an action plan for implementation.
ii) Identification of CIIs, and development of an action plan for subsequent steps to develop a robust CII protection program.
The World Bank Group intends to finance the assignment / services described below under the following:
Eligibility restrictions apply:
- [Please type list of restrictions]
The World Bank Group invites eligible firms to indicate their interest in providing the services. Interested firms must provide information indicating that they are qualified to perform the services (brochures, description of similar assignments, experience in similar conditions, availability of appropriate skills among staff, etc. for firms; CV and cover letter for individuals). Please note that the total size of all attachments should be less than 5MB. Firms may associate to enhance their qualifications unless otherwise stated in the solicitation documents. Where a group of firms associate to submit an EOI, they must indicate which is the lead firm. If shortlisted, the firm identified in the EOI as the lead firm will be invited to the request for proposal (RFP) phase.
Expressions of Interest should be submitted, in English, electronically through WBGeProcure RFx Now.
Following this invitation for EOI, a shortlist of qualified firms will be formally invited to submit proposals. Shortlisting and selection will be subject to the availability of funding.
Only those firms which have been shortlisted will be invited to participate in the RFP phase. No notification or debrief will be provided to firms which have not been shortlisted.
If you encounter technical difficulties while uploading documents, please send an e-mail to the Help Desk at firstname.lastname@example.org prior to the submission deadline.