SPC-10798_-_PART_2_-_STATEMENT_OF_REQUIREMENTS.JSON
Introduction

About the Australian Taxation Office (ATO)

The Australian Taxation Office (ATO) is the Australian Government’s principal revenue collection agency. Its role is to manage and shape tax, excise and superannuation systems that support and fund services for Australians, by: collecting revenue; making it easy for the community to understand and comply with obligations; administering the goods and services tax (GST) on behalf of the Australian states and territories; and administering major aspects of Australia’s superannuation system.

The scale of the Australian revenue ecosystem is significant. Over the 2023-24 financial year, the ATO collected over $610.6 billion in net taxes, received over 20.8 million individual current-year income tax returns, resulting in over 10.9 million refunds, and contributing to total refunds paid of $49.5 billion. In addition, the ATO served 11.5 million individuals, 4.2 million small businesses, 910,000 employers and 595,000 super funds.

The ATO is located in 22 buildings across Australia and as at 30 June 2024, the ATO had more than 21,000 total employees. Further information about the Australian Taxation Office can be found on its website at www.ato.gov.au.

Background

The ATO Portfolio & Value Management Branch supports the ATO to prioritise, govern, deliver and navigate change and realise value from programs and projects across the ATO’s Investment Portfolio. The ATO’s Investment Portfolio is in excess of $1B of expenditure and presently includes more than 500 active initiatives.

In 2023, the ATO initiated the P3 Modernisation project to support the transition from its existing Project Portfolio Management (PPM) solution, which is nearing end of life, to a new PPM solution. The existing PPM solution is used to manage and oversee all aspects of the ATO Investment Portfolio, as well as enabling effort recording functionality across the ATO to support both project/program and business as usual (BAU) needs.

The existing PPM solution is nearing end of life, no longer delivers a contemporary user experience for our staff and does not provide sufficient functionality to support our evolving and maturing ATO Investment Portfolio and needs. The ATO is seeking a new PPM solution that will deliver improved functionality, a more contemporary user experience, and enhanced integration with a range of existing core systems and processes. Alongside the replacement of the PPM solution, we are also aiming to improve how we work, rationalise bespoke system and manual solutions, and future-proof our P3 processes to better support our corporate and government obligations.

About this Part

This RFT Part 2 – Statement of Requirements details the ATO’s requirements for a PPM solution including scope, Product(s) functional, non-functional and technical specifications (as applicable), and Service requirements. More detail on the PPM solution requirements can be found in RFT Part 5 – Draft Contract and its Schedules and Attachments.

What are we looking to procure?

The ATO is seeking to transform the way in which it manages projects, programs and Investment Portfolio (P3) through the modernisation of its Project Portfolio Management (PPM) solution.

The ATO seeks to procure a suitable Supplier, to provide a PPM solution via commercial off-the-shelf Software (COTS) or Software as a Service (SaaS) product(s) and associated Services. The Supplier will be a systems integrator and will implement and integrate the Product(s) into the ATO environment.

The ATO requires the Supplier during the Contract Term to provide and implement the Product(s) (being the COTS or SaaS products). The ATO requires the Supplier to provide system support over the term of the contract and any exercised option periods. The ATO requires the Supplier to implement the Product(s) during the Initial Contract Term of three years and requests the solution be implemented within an agreed timeframe (e.g. 6 - 9 months).
It is the ATO’s preference to obtain Software licences directly from the Software vendor. However, if the Tenderer proposes to provide Software licences, once the Services cease, the ATO expects to retain full ownership of all licences of the Products implemented by the Supplier(s) for a period of at least three years, comprising an Initial Contract Term of three years and optional extension periods of three (3) + two (2) + two (2) exercised at the ATO’s sole discretion.

The ATO seeks a PPM solution (being COTS or SaaS products) that can integrate with existing ATO work management systems, financial corporate systems and resource management systems to source and export information.

By implementing and integrating the new PPM solution the ATO expects to achieve benefits, including:

- Created staff capacity from decreased manual processes and effort required to manage projects and programs
- Increased Portfolio, Program & Project Management maturity
- Increased end user/staff satisfaction in the use of P3 tools
- Decreased need for manual registers in P3
- Increased usage and uptake of digital reports and dashboards
- Decreased errors in data and processing

The ATO has a range of User Types who will require tailored access to the functionality of the new PPM solution. Annual user volumes are based on the number of current users using the existing PPM solution; however, these volumes may increase or decrease over time depending on business needs. User Types and expected annual volumes are listed below:

The ATO’s existing PPM solution on average processes more than 188,000 transactions per month; however, monthly transaction volumes for the new PPM solution are expected to increase due to improved functionality and features. The monthly transaction volumes may increase or decrease over time depending on business needs. A further breakdown of the key transaction types (not exhaustive) is listed below:

The ATO requests licensing pricing be provided on a per user basis as user types and annual user volumes will vary depending on business needs. Where possible the ATO’s preference is to licence directly with the Software vendor. Where the Software vendor has an existing contract with the ATO or a Whole of Government contract with the DTA and the requirements are within scope of that contract, the ATO may use that contract to purchase software products and related support services. The Tenderer should include software licence or subscription proposals and costs in its Tender, including an initial three (3) year term, and optional extension periods of three (3) + two (2) + two (2), exercised at the ATO’s sole discretion.

The Supplier’s Products must be able to achieve the ATO’s own Security Approval to Operate (SATO). To attain SATO, the Supplier must provide the ATO with sufficient documentation to allow Security Risk Assessments to be undertaken on the hosting solution. The documentation required may be slightly different depending on the hosting solution (on-premises or cloud-based). Examples of required information/documentation include (but are not limited to):

- Technical design documentation (Logical Solution Architecture and Physical & Operations Solution Architecture);
- System Security Plan;
- Statement of Applicability (SoA);
- IRAP assessment report;
- Audit logging plan;
- Continuous monitoring plan;
- Security standard operating procedures; and
- Incident Response, disaster recovery and backup plans.

If the Supplier’s proposed solution and Products will be managed on premises, the Supplier must be willing to participate in an IRAP assessment as part of the Cyber Security Assessment process.

Integration with the ATO’s Identity and Access Management System.
The options available for identity management include Active Directory Federation Service, Azure AD and Microsoft AD, and the preferred option will be dependent on the hosting solution proposed by the Supplier for the Products.

Security classified information (including data) is OFFICIAL: Sensitive; however, due to the aggregated volume of data and the commercial sensitivities, solutions rated to the PROTECTED level will be strongly favoured. This means that the data is considered official information and/or commercial data with confidentiality obligations for any contractors/service providers who are performing work on behalf of the ATO.

The Supplier must undergo Cyber Security Vendor Evaluations in accordance with the PSPF Directive to assess third party cyber supply chain risk and must be willing to partake in an annual review for the life of the contract.

Description of Required Products and Services

ATO Requirements

The ATO requires a Supplier who will provide the required Products and Services consisting of a Project Portfolio Management solution that includes provision of Products (being a SaaS or COTS tool) and Services to deliver the below capabilities:

- Initiative management: ability to create and manage a multi-level hierarchy of P3 initiatives (portfolios, programs, and projects). (Refer 5.1.1)
- Reporting & analytics: ability to create dynamic performance, governance, and conformance reports and dashboards for all P3 initiatives. (Refer 5.1.2)
- Training and guidance (ongoing): ability to provide on-demand system training and guidance materials. (Refer 4.3.03 & 5.1.3)
- User roles and permissions: ability to create, manage and assign a range of user role types which contain different levels of permissions granting tailored access to information and functionality. (Refer 5.1.4)
- Benefits management: ability to record, manage and track financial and non-financial benefits for P3 initiatives. (Refer 5.1.5)
- Risk management: ability to identify, assess, store and manage risks for P3 initiatives. (Refer 5.1.6)
- Issue management: ability to identify, assess, store and manage issues for P3 initiatives. (Refer 5.1.7)
- Financial management: ability to record, manage and track budget, forecasts and actuals including operating, sustainment, and capital expenses for all P3 initiatives. (Refer 5.1.8)
- Change control: ability to create, manage and record formal change requests for projects and programs. (Refer 5.1.9)
- Change management: ability to record and manage project and program change impacts for various stakeholder groups. (Refer 5.1.10)
- Schedule management: ability to create and manage project and program schedules. (Refer 5.1.11)
- Resource management: ability to plan, schedule, allocate and manage resources for P3 initiatives. (Refer 5.1.12)
- Effort management: ability to record and manage time spent per day (e.g. effort recording) for users working on P3 initiatives. (Refer 5.1.13)
- Lessons learned: ability to identify, assess, store and manage lessons learned for P3 initiatives. (Refer 5.1.14)
- Governance management (including decision management): ability to record and manage a range of P3 information for initiatives. (Refer 5.1.15)
- Strategy management: ability to align P3 initiatives with strategic organisational goals. (Refer 5.1.16)
- Prioritisation management: ability to prioritise P3 initiatives using initiative information or an assigned ‘value’ rating. (Refer 5.1.17)
- Document management: ability to store, organise and retrieve a range of digital documents for P3 initiatives. (Refer 5.1.18)
- Dependency management: ability to record and manage dependencies between projects and programs. (Refer 5.1.19)
- Collaboration: ability to allow multiple users to create, edit and review information and reports for initiatives. (Refer 5.1.20)
- Workflow and approvals: ability to digitise and automate the organisation’s P3 approval processes. (Refer 5.1.21)
- Version control: ability to log, track and make visible changes made to an initiative, including who made the change, when the change was made and what change was made. (Refer 5.1.22)
- Notifications and reminders: ability to configure a range of standard and bespoke notifications and reminders. (Refer 5.1.23)
- Quality control: ability to detect and notify users of grammatical, spelling and information formatting errors. (Refer 5.1.24)
- Administration, use and performance monitoring: ability for the ATO to manage, monitor and report on use volume and response time of solution features and configuration items to inform ongoing maintenance needs and assist in resolving IT incidents and problems. (Refer 5.1.25)

The ATO requires the Supplier:

- to provide Integration Services to Implement, Support and Configure the Products, and to train ATO Personnel on their use. This includes identity integration, SATO requirements (mandatory) and routines to make data ingestion and extraction as efficient as possible; and
- to install, configure and train ATO personnel to use the Products provided as part of the required Products and Services to deliver the outcomes described in this Statement of Requirements.

Tenderers should include their proposed Implementation Schedule by outlining their proposed Implementation Plan in:

- Schedule H – Tender Response Form – Implementation Plan; and
- Part 4b – Tender Response Form – Pricing

The ATO expects the volume of Services required by the Supplier(s) to configure and maintain the Products to reduce over time as ATO personnel build knowledge and operational capability internally to manage the Products. The ATO intends to perform these functions independently without requiring ongoing assistance from the Supplier(s) engaged as part of the implementation process.

The Supplier is to advise, as part of its tender response, any additional enabling tooling or technology (e.g. scheduling tools, additional licences or infrastructure) that is required; this will be evaluated by the ATO during the initial evaluation.

The Supplier’s Products must be able to securely integrate with existing ATO processes and must be able to meet the broader Commonwealth and ATO's security and architecture requirements. The Products supplied by the Supplier should ideally require minimal configuration to meet the ATO’s functional and non-functional requirements described below.

The Tenderer is to provide its proposed hosting solution to achieve best value for money outcomes for the ATO. This includes for example: up-front, perpetual licensing; pay-as-you-consume charging; ATO on-premises deployment; ATO cloud-hosted COTS or SaaS software; or combinations of these arrangements to meet the ATO’s requirements specified in this Statement of Requirements. The ATO has an architectural preference (where possible), that the hosting solution is in the same environment.

This Statement of Requirements describes the ATO’s requirements. Tenderers must complete and submit the accompanying Tender Response Forms, providing information on their proposed solution including Products and Services and the extent to which they can meet the ATO’s requirements set out in this Statement of Requirements.

Terminology

This section describes the terminology used in this Statement of Requirements to indicate the criticality of an ATO requirement, including Product functional and non-functional requirements. The following definitions apply in relation to the priority of the ATO’s requirements described in this Statement of Requirements:

Mandatory: Mandatory refers to requirements that are important and central to the outcome; failure to satisfy any one mandatory requirement will highly likely result in the solution being considered unviable. These requirements are vital for any solution.
The ATO is most interested in how Tenderers can meet these mandatory requirements.

Desirable: Desirable refers to requirements that are necessary for business operations and should be delivered. These requirements would make a significant contribution to a viable solution but will not carry as much weight into an evaluation as those classed as “Mandatory”.

Optional: Optional refers to requirements that are nice to have, but the solution will still function effectively without them.

Services Requirements

The ATO requires the Supplier to design the solution, install, configure and successfully implement the product. The Supplier must provide the high-level installation, configuration and implementation requirements described in the table below.

Service Requirements Supplier resources Training and Documentation Configuration Support Operational Support Personnel Security

Product Requirements

Functional Requirements

This section describes the functional business requirements for the PPM solution.

- Initiative Management
- Reporting and Analytics
- Training and Guidance
- User Roles and Permissions
- Benefits Management
- Risk Management
- Issue Management
- Financial Management
- Change Control
- Change Management
- Schedule Management
- Resource Management
- Effort Management
- Lessons Learned
- Governance Management
- Strategy Management
- Prioritisation Management
- Document Management
- Dependency Management
- Collaboration
- Workflow and Approvals
- Version Control
- Notifications and Reminders
- Quality Controls
- Administration, Use and Performance Monitoring

Non-Functional Requirements

This section describes the non-functional requirements for the PPM solution.
Data Hosting Encryption Availability, Data Recovery, and Incident Response Time Archive and Data Retention Migration Security User Provisioning (Authorisation) Authentication Event / Audit Logging and Monitoring Appearance Accessibility User Interface Branded Portal Technology Integration Scalability Configuration Performance

Applicable Legislation, Guidelines and Standards

The Supplier must comply with all applicable requirements including Commonwealth Legislation, Guidelines and Standards in providing the required Products and Services. Schedule N (Applicable Requirements) of RFT Part 5 – Draft Contract lists the Legislation, Guidelines and Standards that will apply in any resultant Contract. Regarding the standards listed in this Appendix, respondents will be required to demonstrate their compliance with relevant Commonwealth Legislation, Guidelines and Standards.

Glossary of Terms

ATO Minimum Security Requirements

Respondents must complete the Security Requirements referred to in requirement 4.3.07.