We refer to the RFP for “Supply, installation and configuration of a Privilege Access Management Tool for the Bank of Mauritius”, launched on 18th August 2025.
Following queries raised from potential bidders, the responses of the Bank are as follows:
|
Query Serial No. |
Current Specification |
Query (In terms of Clarification or Modification or Addition of New clause) |
Clarifications |
|
|---|---|---|---|---|
|
1 |
|
For accuracy in our quotation, please confirm the exact number of users to be quoted for the PAM solution. |
As per users Table on page 16 in RFP |
|
|
2 |
Item 21: Proposed solution must be agentless. |
Please confirm the required approach: agent-based, agentless, or hybrid. |
The approach should be agentless |
|
|
3 |
Item 2: Solution must be on-premises (mandatory). |
Is the primary requirement - mandatory - on-premises only (with optional support for cloud), or is multi-deployment (on premises and/or cloud) mandatory? |
The PAM solution should be on-premise, but should be able to support public and private cloud access |
|
|
4 |
Item 38: Training for 6 staff |
Please confirm the expected training scope: |
Bidder to propose |
|
|
5 |
Item 11: Solution must include MFA. |
We understand the Bank uses RCDevs MFA. Should the PAM solution include built-in MFA in addition to RCDevs, or integrate seamlessly with the existing RCDevs MFA? |
Bidder to propose the best option |
|
|
6 |
Item 3:All hardware must be included in the proposal: |
As you know we offer the solution both as a virtual appliance, and as a hardware appliance. This is currently for the Bastion only, the hardware appliance for the Access Manager is on the roadmap, probably for next year. The question is: is hardware desired, or will the virtual appliance be enough? I would think virtual is ok since they also ask IaaS, PaaS, and SaaS in requirement 33, but it would be good to know from your side. |
The Bank will not provide virtual machine. Bidder should cater for the hardware and virtual machines if appliance not available. |
|
|
7 |
Item 17: Identify and automatically eliminate hardcoded and embedded application credentials. |
We can replace hardcoded credentials using AAPM, but we do not automatically detect and replace. Please advise? |
This is a mandatory requirement |
|
|
8 |
Item 30:Dynamic assignment of just-in-time privileges: |
We only work with approval workflow for this. Technically we can do just in time, but this is with IDaaS (Trustelem) which is cloud-based platform, but request is only on-prem. Please advise? |
The PAM solution should be on-premise |
|
|
9 |
Item 31:Ability to block password access to designated resources: |
I am not sure I understand the question. Can you ask to elaborate this question? |
The PAM solution should offer fine-grained access control that can restrict or block password access to particular resources. |
|
|
10 |
Item 32:Should allow request from the corporate network, another approved source, or from approved third party: |
What do they mean by this? Can you ask to elaborate more on this question? |
The PAM solution should restrict access requests, so they are only allowed from corporate networks, approved sources, or designated third-party locations. |
|
|
11 |
Item 34:Self-service option for users |
we don’t offer that (unless with IDaaS, which they don’t want since it’s not on-prem). But we’d argue it’s not needed as users are typically authenticating with their AD or other IdP. If the Bank of Mauritius wants to use this for requesting access for example, we can integrate with ITSM or IAG systems. |
This is a mandatory requirement |
|
|
12 |
Also advise on the below sizing table, I know you have provided some details on the RFP document, but still if you can fill out the below and send to us, that will help in quoting accurately |
|
|
|
|
Session Manager & Password Manager |
Included |
|
|
|
|
Access Manager (for external vendors or employees who need to access it from home) |
Number of users |
|
Please refer to section 6.3.6 in the RFP document |
|
|
Resources to protect (server, switch, routers, databases, network equipment) |
Number of resources to protect |
|
Please refer to section 6.3.6 in the RFP document |
|
|
Number of Bastion Users |
Number of Bastion Users |
|
Please refer to section 6.3.6 in the RFP document |
|
|
Installation |
Virtual or appliances |
|
Please refer to section 6.3.6 in the RFP document |
|
|
Licensing |
Perpetual + Maintenance or Subscription |
|
As per Section 6.3.5 The vendor shall propose architecture and deployment options for its selected PAM solution, including licensing model, product support, performance estimation, scalability and High |
|
|
High availability option (redundant bastions, required if more than 2 nodes) |
YES or NO |
|
As per Section 6.3.5 The vendor shall propose architecture and deployment options for its selected PAM solution, including licensing model, product support, performance estimation, scalability and High |
|
|
Number of sites |
How many sites? |
|
As per Section 6.3.5 and 6.3.6 |
|
|
AAPM |
Yes or No |
|
Bidder to propose |
|
|
MFA (Number of Users) |
Yes or No |
|
Please refer to section 6.3.6 in the RFP document |
|
|
Maintenance Contract |
Duration (1 Year or 3 Years) |
|
Yes, as per Section 7.1.8 Part VIII: Technical Support & Capacity Building: |
|
|
BRONZE contract: 9am-7pm (CET) 5 days / 7 |
YES or NO |
|||
|
GOLD contract: 24/24 - 365 days a year
|
YES or NO
|
|||
|
13 |
|
We kindly request an extension of two weeks for the submission of our proposal. |
No Extension will be granted. |
|
Bank of Mauritius
29th August 2025
| Available as : |  |