Cooperative Development Authority Tender

Description Technical Specifications: 1. Firewall 1.1 Inclusion Of 1 Firewall License: Head Office (renewal) 1.1.1 License Id Number: L0014781141 1.1.2 Base Firewall 1.1.2.1 General Management 1.1.2.2 Zone-based Firewall Features 1.1.2.3 Firewall, Networking And Routing 1.1.2.4 Base Traffic Shaping Quotas 1.1.2.5 Secure Wireless 1.1.2.6 Authentication 1.1.2.7 User Self Service Protocol 1.1.2.8 Base Vpn Options 1.1.2.9 Single Ipsec And Ssl Vpn Client Software 1.1.3 Network Protections Features 1.1.3.1 Intrusion Prevention (ips) 1.1.3.2 Advanced Threat Protection And Security Heart Beat 1.1.3.3 Remote Ethernet Device (red) Vpn 1.1.3.4 Clientless Vpn 1.1.4 Web Protection 1.1.4.1 Web Protection And Control 1.1.4.2 Cloud Application Visibility 1.1.4.3 Application Protection And Control 1.1.4.4 Web And App Traffic Shaping 1.1.4.5 Second Independent Malware Detection Engine For Dual-scanning 1.1.5 Sandstorm Protection Subscription 1.1.5.1 Sandstorm Cloud Sandbox Protection 1.1.5.2 Logging And Reporting *end-point Solution / Antivirus Inclusion Of 200 End-point/antivirus Licenses License Id Number: D589395977 Integrated Management: - Must Have A Unified Console For Managing Multiple Products Such As Advanced Endpoint Protection, Email Gateway, Server Security, Mobile Control Etc. - All Settings For These Products Must Be Configured From A Central Dashboard Without The Need To Access Additional Consoles. Multi-factor Authentication: - Mfa Must Be Enabled By Default Upon Creation Of Central Management Account. - Must Have The Option To Set Mfa: All Admins Need Mfa, Select Admins Who Will Need Mfa, Or No Mfa Needed. - Must Have An Option To Have Mfa Using Email, Sms, Google Authenticator, And Native Authenticator (by Proposed Solution) Multi-platform Management: - Windows, Mac, And Linux Machines Must Be Managed From One Management Console. Updating Bandwidth Consumption: " - Updating Of Endpoints Should Have The Ability To Set Pre-configured Available Bandwidth Used For Both Software Updating And Threat Definition Updates: 1) 64 Kb/s 2) 128 Kb/s 3) 256 Kb/s 4) 512 Kb/s 5) 1024 Kb/s 6) Unlimited" - Must Have The Option To Set Up A Local Cache Updating Server Within The On-premise Network Environment To Minimize Large Software Engine Update. Relay Must Communicate All Policy And Reporting Data To The Central. - Must Have The Option To Set Up A Relay On The Same Server As The Local Cache For Devices That Are Not Internet Facing. - Must Have An Option For Update Management Policy To Customize The Day And Time When Product Updates Become Available To All Or Selected Devices. Scheduled Must Not Affect Security Updates, Such As Identities Used To Protect Devices Against New Threats." Deployment Options: - Deploying The Endpoint Agent Must Support The Following Methodology: 1) Email Setup Link 2) Via Ad Startup/shutdown Script 3) Ad Login Script 4) Sccm 5) Include The Endpoint Agent Installation To A Gold Image" Siem Integration: - Must Have The Capability To Extract Events And Alerts Information From The Cloud Dashboard To A Local Siem. Api For Endpoint Management: - Must Have Apis Offered As Restful Http Endpoints Over The Public Internet. - Apis Must Have The Capability To Query Tenants, Enumerate And Manage Endpoints And Servers, And Query Alerts And Manage Them Programmatically. Role Management: " - Must Provide Admins The Capability To Assign Predefined Administrative Roles To Users Who Need Access To The Admin Console. 1) Super Admin 2) Admin 3) Help Desk 4) Read-only" " - Access To Management Dashboard Must Support Updated Versions Of: 1) Google Chrome. 2) Microsoft Edge. 3) Mozilla Firefox. 4) Apple Safari (mac)" Microsoft Ad Synchronization: - Must Have The Capability To Only Allow Outbound Synchronization Of Users/groups From The Local Active Directory Servers To The Cloud Dashboard For Policy Management. Microsoft Azure Ad Authentication: - Must Have The Capability To Log In To The Admin Dashboard And Self Service Portal Using Azure Ad Login - Must Have The Capability To Automatically Login To The Admin Dashboard/self Service Portal If Already Authenticated In The Web Browser With Azure Ad Login From A Different Application/service. Policies: - Selected Policies Should Be Able To Be Applied To Either Users Or Devices. - Policies Must Have The Capability To Be Disabled Automatically Or Expire Based On A Scheduled Time And Date. Enhanced Tamper Protection: - Must Have The Capability To Prevent Local Administrative Users Or Malicious Processes From Disabling The Endpoint Protection. - Must Be Able To Export Tamper Protection Passwords In Csv Or Pdf Formats. " - Must Have The Capability To Prevent The Following Actions On The Endpoint Protection Solution: 1) Stopping Services From The Services Ui 2) Kill Services From The Task Manager Ui 3) Change Service Configuration From The Services Ui 4) Stop Services/edit Service Configuration From The Command Line 5) Uninstall 6) Reinstall 7) Kill Processes From The Task Manager Ui (desired) 8) Delete Or Modify Protected Files Or Folders 9) Delete Or Modify Protected Registry Keys" Threat Protection: - Must Protect Against Multiple Threats, Both Known And Unknown, And Provide A Trusted And Integrated Approach To Threat Management At The Endpoint. - Must Protect Endpoint Systems Against Viruses, Spyware, Trojans, Rootkits, And Worms On Workstations And Laptops Regardless Of Their Nature Or The Concealment Mechanisms Used. - Must Protect Against Threats Related To Executable Files, As Well As Document Files Containing Active Elements Such As Macros Or Scripts. It Must Protect Against Exploits Resulting From Discovery (whether Published Or Not) Of Security Flaws In Systems Or Software. - Must Have The Capability To 'lookup' Files In Real-time To Verify If They Are Malicious. This Feature Checks Suspicious Files Against The Latest Malware In The Vendor's Threat Intelligence Database In The Cloud. - Must Have The Capability To Detect Low Reputation Files And Have An Action To Prompt User Or Log Only. Must Be Able To Configure Reputation Level To Either Recommended Or Strict. - Must Have The Capability To Do Real-time Scanning Of Local Files And Network Shares The Moment The User Tries To Access Them. The Feature Must Include Real Time Scanning For Remote Files. Access Must Be Denied Unless The File Is Healthy. - Must Have The Capability To Do Real-time Scanning Of End-users Internet Access. It Must Monitor And Classify The Internet Websites According To Their Level Of Risk, And Make This Technology Available To Endpoint Systems. A Site Known To Host Malicious Code Or Phishing Sites Must Be Proactively Blocked By The Solution To Prevent Any Risk Of Infection Or Attack Against A Flaw Of The Browser Used. The Solution Must Carry Out Checks Against A Database Of Compromised Websites That Are Constantly Being Updated With New Sites Identified Per Day. - Must Protect Managed Systems From Malicious Websites In Real-time, Whether End-users Work Within The Company Or Outside The Company's Secure Network - At Home Or Through Public Wi-fi. All Browsers On The Market Must Be Supported (internet Explorer, Firefox, Safari, Opera, Chrome, Etc.) Anti-rootkit Detection: - Must Identify A Rootkit When Reviewing An Element Without Overloading The Endpoint System. Rootkits Must Be Proactively Detected. Suspicious Behavior Detection: - Must Be Able To Protect Against Unidentified Viruses And Suspicious Behavior. - Must Have Both Pre-execution Behavior Analysis And Runtime Behavior Analysis. - Must Be Able To Identify And Block Malicious Programs Before Execution. - Must Be Able To Dynamically Analyze The Behavior Of Programs Running On The System And Detect Then Block Activity That Appears To Be Malicious. This May Include Changes To The Registry That Could Allow A Virus To Run Automatically When The Computer Is Restarted. - Must Provide Protection Against Buffer Overflow Attacks Scanning: - Must Provide A Scheduled Scanner To Run Depending On The Selected Frequency Or By Manually Triggering Through Windows Explorer To Scan The Specified Directories (local, Remote Or Removable), With Analysis Parameters Used, Which May Be Different From The Ones Selected For Real-time Protection. Advanced Deep Learning Mechanism: - The System Shall Be Light Speed Scanning; Within 20 Milliseconds, The Model Shall Able To Extract Millions Of Features From A File, Conduct Deep Analysis, And Determine If A File Is Benign Or Malicious. This Entire Process Happens Before The File Executes. - Must Be Able To Prevent Both Known And Never-seen-before Malware, Likewise Must Be Able To Block Malware Before It Executes. - Must Protect The System Even With Offline And Will Not Rely On Signatures. - Must Classify Files As Malicious, Potentially Unwanted Apps (pua) Or Benign. Deep Learning Must Also Focus On Windows Portable Executables. - Able To Perform New Zero Days Threat Scanning Offline (without Internet). - Must Be Smarter - Should Be Able To Process Data Through Multiple Analysis Layers, Each Layer Making The Model Considerably More Powerful. - Must Be Scalable - Should Be Able To Process Significantly More Input, Can Accurately Predict Threats While Continuing To Stay Up-to-date. - Must Lighter - Model Footprint Shall Be Small, Less Than 20mb On The Endpoint, With Almost Zero Impact On Performance. - The Deep Learning Model Shall Be Trail And Evaluate Models End-to-end Using Advanced Developed Packages Like Keras, Tensorflow, And Scikit-learn. Exploit Prevention/mitigation Must Detect And Stop The Following Known Exploits: " - Enforcement Of Data Execution Protection (dep) Prevents Abuse Of Buffer Overflows" - Mandatory Address Space Layout Randomization (aslr) Prevents Predictable Code Locations - Bottom-up Aslr Improved Code Location Randomization - Null Page (null Dereference Protection) Stops Exploits That Jump Via Page 0 - Heap Spray Allocation Reserving Or Pre-allocating Commonly Used Memory Addresses, So They Cannot Be Used To House Payloads. - Dynamic Heap Spray Stops Attacks That Spray Suspicious Sequences On The Heap - Stack Pivot Stops Abuse Of The Stack Pointer - Stack Exec (memprot) Stops Attacker’s Code On The Stack - Stack-based Rop Mitigations (caller) Stops Standard Return-oriented Programming Attacks - Branch-based Rop Mitigations (hardware Augmented) Stops Advanced Return-oriented Programming Attacks - Structured Exception Handler Overwrite Protection (sehop) Stops Abuse Of The Exception Handler - Import Address Table Access Filtering (iaf) (hardware Augmented) Stops Attackers That Lookup Api Addresses In The Iat - Loadlibrary Api Calls Prevents Loading Of Libraries From Unc Paths - Reflective Dll Injection Prevents Loading Of A Library From Memory Into A Host Process - Shellcode Monitoring Detecting The Adversarial Deployment Of Shellcode Involves Multiple Techniques To Address Things Like Fragmented Shellcode, Encrypted Payloads, And Null Free Encoding - Vbscript God Mode Have The Ability To Detect The Manipulating Of The Safe Mode Flag On Vbscript In The Web Browser - Wow64 Must Have The Ability To Prohibit The Program Code From Directly Switching From 32-bit To 64-bit Mode (e.g., Using Rop) While Still Enabling The Wow64 Layer To Perform This Transition. - Syscall Stops Attackers That Attempt To Bypass Security Hooks - Hollow Process Protection Stops Attacks That Use Legitimate Processes To Hide Hostile Code - Dll Hijacking Gives Priority To System Libraries For Downloaded Applications - Application Lockdown Will Automatically Terminate A Protected Application Based On Its Behavior; For Example, When An Office Application Is Leveraged To Launch Powershell, Access The Wmi, Run A Macro To Install Arbitrary Code Or Manipulate Critical System Areas; The Solution Must Block The Malicious Action – Even When The Attack Doesn’t Spawn A Child Process. - Java Lockdown Prevents Attacks That Abuse Java To Launch Windows Executables - Squiblydoo Applocker Bypass Prevents Regsvr32 From Running Remote Scripts And Code - Cve-2013-5331 & Cve-2014-4113 Via Metasploit In-memory Payloads: Meterpreter & Mimikatz" - Dynamic Shellcode Protection Detects And Blocks Behavior Of Stagers - Efs Guard Protection Against Encrypting File System Attacks - Ctf Guard Protects Against A Vulnerability In The "ctf" Windows Component - Apisetguard Prevents Applications From Side-loading A Malicious Dll Posing As An Apiset Stub Dll Advanced Exploit Mitigation: - Must Be Able To Protect Against A Range Of Exploits Or "active Adversary" Threats Such As The Following: 1) Credential Theft Theft Of Passwords And Hash Information From Memory, Registry, Or Hard Disk. 2) Apc Violation Attacks Using Application Procedure Calls (apc) To Run Malicious Codes. 3) Privilege Escalation Attacks Escalating A Low-privilege Process To Higher Privileges To Access Systems. 4) Code Cave Utilisation Malicious Code That's Been Inserted Into Another, Legitimate Application. 5) Application Verifier Exploits Attacks That Exploit The Application Verifier In Order To Run Unauthorized Software At Startup. " - Must Be Able To Mitigate Exploits In Vulnerable Applications To Protect The Following: A. Web Browsers B. Web Browser Plugins C. Java Applications D. Media Applications E. Office Applications " Malicious Traffic Detection (mtd): - Must Be Able To Detect Communications Between Endpoint Computers And Command And Control Servers Involved In A Botnet Or Other Malware Attacks. Intrusion Prevention System (ips): - Must Be Able To Prevent Malicious Network Traffic With Packet Inspection (ips). - Must Be Able To Scan Traffic At The Lowest Level And Block Threats Before Harming The Operating System Or Applications. Anti-ransomware Protection: - Must Have The Ability For The Encrypted Files To Be Rolled Back To A Pre-encrypted State. - Both Anti-exploit And Ransomware Protection Does Not Need To Have A Cloud Lookup To Perform The Detection. - Should A Ransomware Infection Managed To Get In, Detailed Historical Tracking Of Where The Infection Originated And How It Propagated Will Be Reported Courtesy Of The Threat Cases (rca). - Must Be Able To Protect From Ransomware That Encrypts The Master Boot Record And From Attacks That Wipe The Hard Disk. - Must Be Capable Of Local And Remote Detection. For Instance, Local Detection Is Triggered When The Ransomware Is Local To The Server While Remote Detection Is Triggered When The Ransomware Is Remote To The Server, But Attack Files Contained On The Server, Such As A Share. Amsi Protection: - Must Be Able To Protect Against Malicious Code (for Example, Powershell Scripts) Using The Microsoft Antimalware Scan Interface (amsi). - Must Be Able To Scan Code Forwarded Via Amsi Before It Runs, And The Applications Used To Run The Code Are Notified Of Threats. If A Threat Is Detected, An Event Is Logged. - Must Have The Ability To Prevent The Removal Of Amsi Registration On Computers Data Loss Prevention (dlp): - Dlp Functionality Must Run On The Same Agent As The Endpoint Protection And All Functions Mentioned. - Must Be Able To Monitor And Restrict The Transfer Of Files Containing Sensitive Data. - Must Have The Capability To Create Custom Dlp Policies Or Policies From Templates. - Must Have Dlp Policy Templates That Cover Standard Data Protection For Different Regions. " - Must Have The Option To Add Custom Dlp Rule: 1) Content Rule 2) File Rule" - Dlp Content Rule Must Have The Condition Required For Content Scanning According To File Content And Destination. Actions Must Have Options To Either Allow File Transfer, Allow Transfer If User Confirms, Or Block Transfer. - Dlp Content Rule Must Have The Option To Set Exclusions Based On File Name And File Type. - Dlp Content Rule Must Have The Option To Set Condition Based On Content Control List (ccl). Must Have The Capability To Add Custom Ccl And Use Filters By Region (e.g., Australia, Europe, India, Singapore, Uk, Usa, Global, Universal), Filter By Source (custom, Intelligence Source (native To Solution)), Filter By Type (e.g., Personally Identifiable Information (pii), Hipaa, Pci-dss, Financial Data, Document Classification, Health Care) - Dlp File Rule Must Have The Condition Required To Check The Destination Of File And Options For When File Type Matches And When File Name Matches. Actions Must Have Options To Either Allow File Transfer, Allow Transfer If User Confirms, Or Block Transfer. "must Be Able To Scan Different File Types: Archive, Media Container, Office Password Protected, Mail, Design, Plain Text, Object Code, Information Rights Management, Medical Image Formats, Image, Script/markup, Document, Executable, Container, Spreadsheet, Encryption (native To Proposed Solution), Virtualization Container, Disk Container, Video, Audio, Database, Encryption, Presentation, Interactive Media, And Science/engineering." " - Dlp File Rule Must Have The Option To Set The Following Destination: Email Client, Internet Browser, Instant Messaging, Internet Browser-external Processes, Voice Over Ip, And Storage." Peripheral Control: " - Must Have The Capability To Control Peripheral Devices Such As Peripherals Under The Following Categories: Bluetooth, Secure Removable Storage, Floppy Drive, Infrared, Modem, Optical Drive, Removable Storage, Wireless, Media Transfer Protocol (mtp), And Picture Transfer Protocol (ptp)." - Must Have The Capability To Add Device Exemptions Either By Model Id Or Instance Id. - Must Be Able To Set A Customized Desktop Message To Appear At The End Of A Standard Notification In Order To Notify The User Of Policy Violation. Application Control: - Must Have The Capability To Limit The Applications Needed For Specific User Groups. - Must Be Able To Detect And Block Application Categories That May Not Be Suitable For Use In An Enterprise Environment. Must Have An Option For Detect Controlled Applications During Scheduled And On-demand Scans - Must Have Out Of The Box Application Categories And Built-in Number Of Signatures Per Category To Choose From Such As Archive Tool (9) Asset Management Tool (14) Browser Plug-in (39) Business Intelligence Tool (44) Digital Imaging (31) Distributed Computing (8) Document Viewer (47) Download Manager (62) Email/pim Client (30) Erp Software (21) File Sharing Application (95) Ftp Client (15) Game (351) Instant Messaging (138) Internet Browser (96 Jailbreak Software (3) Mapping Application (6) Media Conversion Tool (15) Media Player (142) Mobile Synchronization (37) Network Monitoring/ Vulnerability Tool (60) Office Suite (48) Online Storage (82) Proxy/vpn Tool (120) System Tool (215) Voice Over Ip (38) - Must Have A Customized Desktop Messaging Feature To The End Of A Standard Notification To Notify The User Of Policy Violation Web Control: - Must Be Able To Block Risky Downloads, Protect Against Data Loss, Prevent Users From Accessing Web Sites That Are Inappropriate For Work, And Generate Logs Of Blocked Visited Site. - Must Have Security Options To Configure Access To Ads, Uncategorized Sites, Or Dangerous Downloads. - Must Provide The Administrator The Ability To Define "acceptable Web Usage" Settings With Built-in Web Categories (i.e., Productivity-related Categories, Social Networking, Adult And Potentially Inappropriate Categories, Categories Likely To Cause Excessive Bandwidth Usage, Business-relevant Site Categories) In Order To Control The Sites On Which Users Are Allowed To Visit. Admin Must Have Control Access To Websites That Have Been Identified And Classified In Their Own Categories. - Must Have The Option To Allow, Warn, And Block. - Must Have A Data Loss Protection Option That Allows The Administrator To Control Access To Web-based Email And File Downloads, With Choices Of Blocking The Data, Allowing Data Sharing, Or Customizing This Choice. Root Cause Analysis: - Must Have The Capability To Identify What Happened, Where A Breach Originated, What Files Were Impacted, And Provides Guidance On How To Strengthen An Organization’s Security Posture - Must Be Able To Record Chain Of Events That Occurred After An Infection Has Been Detected, Enabling You To Determine The Origin Of The Infection, Any Resulting Damage To Assets, Potentially Exposed Data, And The Chain Of Events Leading Up To The Halting Of The Infection. - Shall Provide A Summary Of The Event Via A Graphical Representation: What Was The Exploit Discovered, Where The Beacon Event Occurred (an Asset), When It Occurred, How The Infection Succeeded. - The Graphical Representation Can Be Filtered To Show Full Graph Or Direct Path - Shall Provide Recommendations To Address The Problem: Things To Look For Post-attack. Eg. Aside From Files Being Restored From Encrypted Ones, Check Browser Settings To Ensure No Vulnerabilities Were Created As A Result Of The Infections. - Activity Record Allows Administrators To Add Notes To The Case. All Case-related Notes Will Be Listed In This Column. - There Are Also Buttons To Enable The Admin To Modify The Status Of The Case (new, In Progress, Closed) And To Set Priority (low, Medium, High). When Closing The Threat Case, The Administrator Can Add Notes To It. - Shall Provide A Tabular View Of Everything Affected During The Attack. Items Can Be Filtered Based On Type — E.g., Files, Processes, Registry Keys. The Administrator Can View Information About Each Item, E.g., Filename (victim File Or Malware Agent), Process Id, Start/stop Timestamp Of The Event. - Shall Indicate The Beginning Of The Root Cause, Charting Out The Series Of Events Resulting From The Attack As A Collection Of Nodes. Each Node Contains Specific Information About Files, Processes, Registry Keys, Etc. Involved At That Stage. The Beacon Event (marked With A Blue Dot) Will Be Identified In The Chain, But Any Events Executed By The Process Identified As The Beacon Event Will Also Be Shown. Advance System Clean: - Must Be Able To Cleanup Threats Detected By Endpoint Protection And Exploit Prevention. Must Also Be Able To Clean Threats For Pe Files. - Must Be Able To Delete Malware Detected Alerts From List When Cleanup Succeeds. - Must Be Able To Clean Ip Pe (portable Executable) Files Such As Applications, Libraries, And System Files, Even If Automatic Cleanup Is Turned Off. Synchronized Security: - Must Be Able To Work With Other Security Products Of The Vendor To Share Information And Respond To Incidents. Endpoint + Email Gateway: - Must Be Able To Automatically Isolate Compromised Mailboxes, And Clean Up Infected Computers Sending Outbound Spam And Malware. Endpoint + Firewall: - Must Be Able To Automatically Isolate Infected Endpoints On The Public And Local Area Networks. - Must Be Able To Identify All Apps On The Network. - Must Be Able To Link Threats To Individual Users And Computers. Endpoint + Wireless Access Point: - Must Be Able To Restrict Internet Access For Infected Endpoints Connected To Wi-fi Automatically. Deliverables: - Provision Of 1 Firewall License For The Head Office (renewal) With License Id Number: L0014781141 For A 1-year Period, To Be Delivered 30 Days Prior To The Expiration Date Or On December 17, 2024. - Base Firewall Features - Network Protection Features - Web Protection Features - Sandstorm Protection Subscription - Logging And Reporting Capabilities - Provision Of 200 Endpoint/antivirus Licenses With License Id Number: D589395977 - Integrated Management System - Multi-factor Authentication Setup - Multi-platform Management Capabilities - Configurable Updating Bandwidth Consumption - Deployment Options And Siem Integration - Api For Endpoint Management - Role Management And Microsoft Ad Synchronization - Microsoft Azure Ad Authentication Setup - Policy Management And Enhanced Tamper Protection - Comprehensive Threat Protection And Anti-rootkit Detection - Suspicious Behavior Detection And Scanning Capabilities - Advanced Deep Learning Mechanism - Exploit Prevention/mitigation And Advanced Exploit Mitigation - Malicious Traffic Detection (mtd) And Intrusion Prevention System (ips) - Anti-ransomware Protection And Amsi Protection - Data Loss Prevention (dlp) And Peripheral Control - Application Control And Web Control - Root Cause Analysis And Advanced System Clean - Synchronized Security Features - Other Inclusions: - 24/7 Customer Support - Remote Deployment Services - Installation And Configuration For 20 Nodes During Business Hours (9 Am To 5 Pm) - One-day Customized Technical Training. Budget And Funding: - The Total Budget Allocated For This Procurement Is Seven Hundred Fifteen Thousand Pesos (php 755,000.00) Eligibility Of The Contractor: - Philgeps Registered. - In The It Business For At Least 3 Years. - Minimum 3 Years Of Experience With Government Projects. Warranties Of The Contractor: - The Contractor Warrants Strict Conformity To The Terms And Conditions Of This Tor. - The Contractor Shall Secure And Maintain All Necessary Registrations, Licenses, And Permits. - No Assignment, Transfer, Pledge, Or Sub-contracting Of Any Part Or Interest Is Allowed. Delivery Period: - The Service Provider Must Deliver All The Required Services Within 30 Days Prior To Expiration Date Or On December 17, 2024, Upon Receipt Of The Notice To Proceed (ntp). Terms Of Payment: - Payment Will Be Made According To The Following Schedule: - 100% Of The Contract Amount Upon Signing Of The Contract, Issuance Of The Notice Of Award, Notice To Proceed, And Upon Successful Delivery, Conduct Of Training And Acceptance Of All Deliverables Listed Above. - Payment Will Be Made Upon Provision Of Licenses, Subject To Required Final Withholding Vat (5%) And Expanded Withholding Tax (2%). - Payment Shall Be Processed Within A Reasonable Time Upon Submission Of Documentary Requirements, Including Sales Invoice/billings And Certificate Of Acceptance Issued By Cda Ictd. - No Advance Payment Will Be Made As Per Section 88 Of Pd 1445. Confidentiality: - The Service Provider Shall Maintain The Confidentiality Of All Data And Information Related To The Cooperative Development Authority (cda) And Its Operations. Pre-termination Of Contract: - The Contractor Shall Be Liable For Additional Liquidated Damages Equivalent To 1% Of The Contract Price In Case Of Pre-termination. - The Dbm Reserves The Right To Blacklist The Contractor In Case Of Pre-termination. Contact Information: Mr. Ronaldo G. Rivera Information Technology Officer Ii Information And Communications Technology Division (ictd) Cooperative Development Authority