300+ Total Requirements | 7,500 Endpoint Licenses | 3+1+1 Year Contract | Jun 2026 Go-Live Target

Compliance Status legend: Compliant / Partially Compliant / Non-Compliant


1. Contract Structure (Section 5.1)

Ref | Requirement | Compliance | Notes
5.1 | Contract period: Initial 3 years with two optional 1-year extensions (3+1+1) | |
5.1.1 | End-to-end XDR platform with MXDR managed services | |
5.1.1 | Total 7,500 endpoint licenses required | |
5.1.2 | Phased implementation approach with batch onboarding | |
5.1.3 | License and subscription activation upon RWS written authorization only | |
5.1.3 | MXDR services commence immediately upon any asset onboarding | |
5.1.4 | Stipulated Commissioning Date: On or before 1st June 2026 | |
5.1.4 | Full onboarding and operational: By 31st December 2026 | |

2. Protection Modules (Section 5.1.2)

2.1 Mandatory Modules (5.1.2.1)

Ref | Requirement | Compliance | Notes
5.1.2.1.a | Core EPP/EDR/XDR coverage for all physical servers | |
5.1.2.1.b | Core EPP/EDR/XDR coverage for laptops and workstations | |
5.1.2.1.c | Core EPP/EDR/XDR coverage for virtual machines and VDI | |
5.1.2.1.d | Container protection for Kubernetes, AKS, ACK environments | |
5.1.2.1.e | Cloud workload protection for Azure and Microsoft 365 | |
5.1.2.1.f | Vulnerability management capabilities | | Assessment via Defender Vulnerability Management. Attack simulation via built-in BAS (SafeBreach/AttackIQ). Virtual patching via Exploit Protection mitigations (DEP, ASLR, CFG), ASR rules, and Block Vulnerable Applications feature.
5.1.2.1.g | AI for Security features | |
5.1.2.1.h | Integration with existing security tools | |

2.2 Optional Modules (5.1.2.2)

Ref | Requirement | Compliance | Notes
5.1.2.2.a | Additional cloud protection (AliCloud, SaaS applications) | | Supported as optional add-on without re-architecture
5.1.2.2.b | Mobile device protection (iOS, Android) | | Supported as optional add-on without re-architecture
5.1.2.2.c | IoT/OT/Robotics security | | Supported as optional add-on without re-architecture
5.1.2.2.d | Email protection and security | | Supported as optional add-on without re-architecture
5.1.2.2.e | Network detection and response (NDR) | | Supported as optional add-on without re-architecture
5.1.2.2.f | Identity threat protection | | Supported as optional add-on without re-architecture
5.1.2.2.g | AI/GenAI security | | Supported as optional add-on without re-architecture

3. Agent & Management (Section 5.4.2.1-5.4.2.2)

3.1 General Agent Requirements (5.4.2.1)

Ref | Requirement | Compliance | Notes
5.4.2.1.1 | Single lightweight unified agent for all endpoint types | |
5.4.2.1.2 | Role-based access control (RBAC) with user access reviews | |
5.4.2.1.3 | RESTful API for programmatic access | |
5.4.2.1.4 | Custom IOC watchlists capability | |
5.4.2.1.5 | Silent/unattended installation support | |
5.4.2.1.6 | Ring-based staged rollout capability | |
5.4.2.1.7 | Anti-tampering protection | |
5.4.2.1.8 | Self-healing capabilities | |
5.4.2.1.9 | Offline protection when disconnected | |
5.4.2.1.10 | Network isolation capability | |
5.4.2.1.11 | Support for Windows Server 2016 and later | |
5.4.2.1.12 | Support for Windows 10/11 | |
5.4.2.1.13 | Support for Red Hat Enterprise Linux 8+ | |
5.4.2.1.14 | Support for Ubuntu 20.04+ | |
5.4.2.1.15 | Support for macOS (where applicable) | |
5.4.2.1.16 | Centralized cloud-based management console | |
5.4.2.1.17 | Multi-tenant architecture support | |
5.4.2.1.18 | Policy inheritance and override capabilities | |
5.4.2.1.19 | Audit logging of all administrative actions | |
5.4.2.1.20 | Bandwidth throttling for agent updates | |
5.4.2.1.21 | Proxy support for agent communications | |

3.2 Agent Deployment (5.4.2.2)

Ref | Requirement | Compliance | Notes
5.4.2.2.1 | Single universal installer package | |
5.4.2.2.2 | Full functionality across all workload types | |
5.4.2.2.3 | No multi-stage installations required | |
5.4.2.2.4 | SCCM/Intune deployment support | |
5.4.2.2.5 | GPO deployment support | |

4. EPP Technical Requirements (Section 5.4.2.3)

4.1 Policy and Administration (5.4.2.3.1)

Ref | Requirement | Compliance | Notes
5.4.2.3.1.1 | Logical device segmentation by business unit/location | |
5.4.2.3.1.2 | Policy versioning with rollback capability | | Native version comparison and one-click rollback not available. Similar functionality via export to JSON, store in git, restore by re-import. Audit trail via Unified Audit Log.
5.4.2.3.1.3 | Segregation of duties between IT and Security teams | |
5.4.2.3.1.4 | Detection/monitor-only mode for testing | |

4.2 Threat Prevention (5.4.2.3.2)

Ref | Requirement | Compliance | Notes
5.4.2.3.2.1 | Real-time malware prevention using signatures | |
5.4.2.3.2.2 | Machine learning-based detection | |
5.4.2.3.2.3 | Behavioral analysis engine | |
5.4.2.3.2.4 | Ransomware detection with one-click restore | | Ransomware blocking via ASR rules and behavioral detection. One-click restore not native to MDE. File restoration via Windows Volume Shadow Copy, OneDrive/SharePoint versioning.
5.4.2.3.2.5 | Fileless attack detection | |
5.4.2.3.2.6 | Zero-day threat detection | |
5.4.2.3.2.7 | Rootkit detection and prevention | |
5.4.2.3.2.8 | Memory exploit prevention | |
5.4.2.3.2.9 | Device control for USB devices | |
5.4.2.3.2.10 | Device control for Bluetooth devices | |
5.4.2.3.2.11 | Virtual patching capability | |

4.3 Performance Requirements (5.4.2.3.3)

Ref | Requirement | Compliance | Notes
5.4.2.3.3.1 | CPU usage 5% or less during on-access scanning | |
5.4.2.3.3.2 | RAM usage 250MB or less under normal operation | |
5.4.2.3.3.3 | VDI support for persistent and non-persistent environments | |
5.4.2.3.3.4 | Emergency safe mode for troubleshooting | | CPU throttling configurable for scans. No automatic emergency safe mode. Remediation via MDE Client Analyzer, Passive Mode, manual Intune adjustment.

4.4 Telemetry and Reporting (5.4.2.3.4)

Ref | Requirement | Compliance | Notes
5.4.2.3.4.1 | Structured JSON event format | |
5.4.2.3.4.2 | Syslog export capability | | Syslog and LEEF may require Sentinel configuration or third-party connector.
5.4.2.3.4.3 | CEF/LEEF format support | |
5.4.2.3.4.4 | REST API for log export | |
5.4.2.3.4.5 | SIEM mapping documentation | |
5.4.2.3.4.6 | Compliance reports for ISO, PCI-DSS, PDPA | | ISO and PCI via Microsoft Compliance Manager. PDPA reporting custom built by Armor.

4.5 Operational Tools (5.4.2.3.5)

Ref | Requirement | Compliance | Notes
5.4.2.3.5.1 | Secure local quarantine with admin-controlled restore | |
5.4.2.3.5.2 | Troubleshooting tools (diagnostics, agent repair, API) | |
5.4.2.3.5.3 | Offline update packages and air-gap workflows | | Linux supports mirror server for offline updates. Windows supports WSUS. True air-gapped environments have reduced EDR functionality as MDE is cloud-based.
5.4.2.3.5.4 | Detailed release notes with every update | |
5.4.2.3.5.5 | Safe file/metadata submission with privacy controls | |
5.4.2.3.5.6 | Immutable audit logs with 90-day retention | |
5.4.2.3.5.7 | Self-service on-demand scanning | |

5. EDR Technical Requirements (Section 5.4.2.4)

5.1 Telemetry Collection (5.4.2.4.1)

Ref | Requirement | Compliance | Notes
5.4.2.4.1.1 | Windows artifact collection (60+ artifact types) | |
5.4.2.4.1.2 | Linux artifact collection | |
5.4.2.4.1.3 | Process execution telemetry with full command line | |
5.4.2.4.1.4 | File system activity monitoring | |
5.4.2.4.1.5 | Network connection telemetry | |
5.4.2.4.1.6 | DNS query logging | |
5.4.2.4.1.7 | Authentication event capture | |
5.4.2.4.1.8 | Registry modification tracking (Windows) | |
5.4.2.4.1.9 | Module/DLL loading activity | |
5.4.2.4.1.10 | Local buffering during network outages | |
5.4.2.4.1.11 | 90-day hot storage retention minimum | |
5.4.2.4.1.12 | Data resync upon connectivity restoration | |

5.2 Detection and Analysis (5.4.2.4.2)

Ref | Requirement | Compliance | Notes
5.4.2.4.2.1 | Living-off-the-land (LOTL) technique detection | |
5.4.2.4.2.2 | Multi-stage attack chain correlation | |
5.4.2.4.2.3 | Credential abuse detection | |
5.4.2.4.2.4 | MITRE ATT&CK framework mapping | |
5.4.2.4.2.5 | Dynamic risk scoring per alert | |
5.4.2.4.2.6 | Behavioral analytics engine | |
5.4.2.4.2.7 | Custom detection rule creation | | IOC/IOA natively supported. YARA requires Sentinel with YARA-capable data sources.
5.4.2.4.2.8 | Continuous rule updates from vendor threat intel | |

5.3 Investigation and Hunting (5.4.2.4.3)

Ref | Requirement | Compliance | Notes
5.4.2.4.3.1 | Visual process trees and timelines | |
5.4.2.4.3.2 | Entity pivot investigation capability | |
5.4.2.4.3.3 | Saved and scheduled hunt queries | |
5.4.2.4.3.4 | Case management with SLA tracking | | Covered by Armor Nexus
5.4.2.4.3.5 | Remote forensic bundle collection | |
5.4.2.4.3.6 | Advanced query language (SQL/KQL-like) | |
5.4.2.4.3.7 | Query sharing between analysts | |

5.4 Response and Containment (5.4.2.4.4)

Ref | Requirement | Compliance | Notes
5.4.2.4.4.1 | Remote network isolation of endpoints | |
5.4.2.4.4.2 | Remote process termination | |
5.4.2.4.4.3 | Hash-based file blocking | |
5.4.2.4.4.4 | Scripted remediation with dry-run mode | | No native dry-run mode. Armor will validate scripts in test environments where required.
5.4.2.4.4.5 | Ransomware rollback capability | | Relies on Windows Volume Shadow Copy, OneDrive/SharePoint versioning. No agent-based automatic rollback.
5.4.2.4.4.6 | Live response shell access | |
5.4.2.4.4.7 | OT/ICS read-only collection mode | | Requires Microsoft Defender for IoT add-on. Available as optional module.
5.4.2.4.4.8 | File quarantine capability | |
5.4.2.4.4.9 | File deletion capability | |
5.4.2.4.4.10 | Custom script execution across endpoints | |
5.4.2.4.4.11 | Immutable audit trail for all response actions | |

5.5 Performance and Scale (5.4.2.4.5)

Ref | Requirement | Compliance | Notes
5.4.2.4.5.1 | Support 10,000+ endpoints per tenant | |
5.4.2.4.5.2 | 60-second maximum ingest latency | |
5.4.2.4.5.3 | 30-second isolation execution time | |
5.4.2.4.5.4 | 5-second query response for 7-day searches | |
5.4.2.4.5.5 | 99.9% API uptime SLA | |
5.4.2.4.5.6 | Horizontal scaling capability | |

5.6 Noise Reduction & Case Handling (5.4.2.4.6)

Ref | Requirement | Compliance | Notes
5.4.2.4.6.1 | Alert noise reduction workflows | |
5.4.2.4.6.2 | Legal hold and evidence retention | | Per-case legal hold requires Microsoft Purview eDiscovery or external evidence management.
5.4.2.4.6.3 | Secure tenant data segregation | |
5.4.2.4.6.4 | Published telemetry schema | |
5.4.2.4.6.5 | Endpoint identity spoofing detection | |
5.4.2.4.6.6 | Per-host process baselining | |
5.4.2.4.6.7 | Query concurrency/rate limits disclosure | |
5.4.2.4.6.8 | Signed remediation scripts with code review | | Script signing not enforced. Armor will implement operational procedures for signing and code review where required.
5.4.2.4.6.9 | Memory capture with encryption/integrity | |
5.4.2.4.6.10 | Registry/plist backup before remediation | | Backup possible via Live Response. No automatic backup before destructive remediation.
5.4.2.4.6.11 | Hash-based evidence cataloguing | |

6. XDR Technical Requirements (Section 5.4.2.5)

6.1 Data Ingestion (5.4.2.5.1)

Ref | Requirement | Compliance | Notes
5.4.2.5.1.1 | Multi-domain ingestion: endpoint, firewall, DNS, email, identity, cloud, OT/IoT | |
5.4.2.5.1.2 | Endpoint telemetry latency: 15 seconds or less | |
5.4.2.5.1.3 | Identity/email telemetry latency: 60 seconds or less | |
5.4.2.5.1.4 | Cloud telemetry latency: 120 seconds or less | |
5.4.2.5.1.5 | Schema normalization to OCSF-like format | |
5.4.2.5.1.6 | Pre-built integrations for major security vendors | |

6.2 Context and Enrichment (5.4.2.5.2)

Ref | Requirement | Compliance | Notes
5.4.2.5.2.1 | Entity resolution across users, devices, and IPs | |
5.4.2.5.2.2 | Asset inventory with criticality scoring | |
5.4.2.5.2.3 | CMDB and vulnerability data enrichment | |

6.3 Detection and Analytics (5.4.2.5.3)

Ref | Requirement | Compliance | Notes
5.4.2.5.3.1 | Temporal correlation engine | |
5.4.2.5.3.2 | ML-based cross-domain pattern detection | |
5.4.2.5.3.3 | Attack path stitching across domains | |
5.4.2.5.3.4 | User and Entity Behavior Analytics (UEBA) baselining | |
5.4.2.5.3.5 | 21 TTP detection categories minimum | |
5.4.2.5.3.6 | Explainable AI (XAI) for detection reasoning | | Via Microsoft Copilot for Security and Armor Nexus AIP
5.4.2.5.3.7 | Anomaly detection from baselines | |
5.4.2.5.3.8 | Automatic MITRE ATT&CK mapping | |

6.4 Incident Response (5.4.2.5.4)

Ref | Requirement | Compliance | Notes
5.4.2.5.4.1 | Visual playbook editor | |
5.4.2.5.4.2 | Cross-domain orchestration: endpoint actions | |
5.4.2.5.4.3 | Cross-domain orchestration: firewall rule push | |
5.4.2.5.4.4 | Cross-domain orchestration: IdP session revocation | |
5.4.2.5.4.5 | Cross-domain orchestration: email quarantine | |
5.4.2.5.4.6 | Cross-domain orchestration: SaaS app actions | |
5.4.2.5.4.7 | Cross-domain orchestration: cloud resource isolation | |
5.4.2.5.4.8 | Pre-built playbooks with containment objectives | |
5.4.2.5.4.9 | Incident lifecycle management | |
5.4.2.5.4.10 | SLA timers and tracking | |
5.4.2.5.4.11 | Evidentiary bundle creation | |
5.4.2.5.4.12 | Unified incident timeline across domains | |
5.4.2.5.4.13 | Single-console investigation interface | |
5.4.2.5.4.14 | Automated response action logging | |

6.5 Dashboards and Reporting (5.4.2.5.5)

Ref | Requirement | Compliance | Notes
5.4.2.5.5.1 | Role-based dashboards: SOC analysts | |
5.4.2.5.5.2 | Role-based dashboards: leadership/executive | |
5.4.2.5.5.3 | Role-based dashboards: compliance | |
5.4.2.5.5.4 | MTTD/MTTR visualization | |
5.4.2.5.5.5 | MITRE ATT&CK coverage gap analysis | |
5.4.2.5.5.6 | PII minimization in reports | |

6.6 Threat Intelligence (5.4.2.5.7)

Ref | Requirement | Compliance | Notes
5.4.2.5.7.1 | STIX 2.x format support | |
5.4.2.5.7.2 | TAXII 2.x protocol support | |
5.4.2.5.7.3 | MISP integration | | Armor can build custom connectors where required
5.4.2.5.7.4 | OpenCTI integration | | Armor can build custom connectors where required
5.4.2.5.7.5 | IOC scoring and deduplication | |
5.4.2.5.7.6 | Retro-hunt on new threat intel | |
5.4.2.5.7.7 | YARA rule support | | Requires Sentinel with YARA-capable data sources

6.7 Search and Query (5.4.2.5.10)

Ref | Requirement | Compliance | Notes
5.4.2.5.10.1 | Pipeline query language | |
5.4.2.5.10.2 | Schema-on-read capability | |
5.4.2.5.10.3 | Hot-tier query latency: 24h data in 3 seconds | |
5.4.2.5.10.4 | Hot-tier query latency: 7d data in 7 seconds | |
5.4.2.5.10.5 | Hot-tier query latency: 30d data in 15 seconds | |
5.4.2.5.10.6 | Support 50 concurrent analyst queries | |
5.4.2.5.10.7 | Live/streaming queries | |
5.4.2.5.10.8 | Graph queries for attack path visualization | |
5.4.2.5.10.9 | Saved query library | |
5.4.2.5.10.10 | Scheduled query execution | |
5.4.2.5.10.11 | Query result export (CSV, JSON) | |
5.4.2.5.10.12 | Cross-source unified search | |
5.4.2.5.10.13 | API access to query capabilities | |

7. MXDR Service Requirements (Section 5.4.2.6)

7.1 Service Operations (5.4.2.6.1)

Ref | Requirement | Compliance | Notes
5.4.2.6.1.1 | 24x7x365 monitoring coverage | |
5.4.2.6.1.2 | In-tenant operation with MFA | |
5.4.2.6.1.3 | Least-privilege access model | |
5.4.2.6.1.4 | Just-in-time (JIT) access provisioning | |
5.4.2.6.1.5 | Singapore-based L2/L3 escalation within 2 hours | |
5.4.2.6.1.6 | Data source health monitoring | |
5.4.2.6.1.7 | 100% alert triage coverage | |

7.2 Threat Hunting (5.4.2.6.3)

Ref | Requirement | Compliance | Notes
5.4.2.6.3.1 | Daily scheduled proactive hunts | |
5.4.2.6.3.2 | Retro-hunts within 24h of new TTP intelligence | |
5.4.2.6.3.3 | Detection engineering backlog management | |
5.4.2.6.3.4 | MITRE ATT&CK coverage heatmap | |
5.4.2.6.3.5 | Quarterly playbook testing | |
5.4.2.6.3.6 | Hunt success KPI tracking | |
5.4.2.6.3.7 | Intel-driven hunting | |
5.4.2.6.3.8 | Hypothesis-driven hunting | |

7.3 Forensics and Containment (5.4.2.6.4)

Ref | Requirement | Compliance | Notes
5.4.2.6.4.1 | Remote forensic collection with chain-of-custody | |
5.4.2.6.4.2 | Pre-approved containment actions | |
5.4.2.6.4.3 | Change window coordination | |
5.4.2.6.4.4 | Immutable action audit logs | |
5.4.2.6.4.5 | Evidence preservation procedures | |

7.4 Incident Management (5.4.2.6.5)

Ref | Requirement | Compliance | Notes
5.4.2.6.5.1 | Hourly P1 incident updates until containment | |
5.4.2.6.5.2 | Daily critical incident summaries | |
5.4.2.6.5.3 | Weekly security reports | |
5.4.2.6.5.4 | Monthly security reports | |
5.4.2.6.5.5 | Quarterly security reports | |
5.4.2.6.5.6 | Post-incident hardening recommendations | |

7.5 Service Quality (5.4.2.6.8)

Ref | Requirement | Compliance | Notes
5.4.2.6.8.1 | 40% noise reduction target | |
5.4.2.6.8.2 | 99.99% service availability | |
5.4.2.6.8.3 | Live SLA/case portal access | |
5.4.2.6.8.4 | Surge capacity with auto-routing | |
5.4.2.6.8.5 | Vulnerability intelligence correlation | |
5.4.2.6.8.6 | Weekly vulnerability reports | |
5.4.2.6.8.7 | Real-time dashboard for RWS access | |
5.4.2.6.8.8 | Monthly executive reporting | |
5.4.2.6.8.9 | Quarterly Business Reviews (QBRs) | |
5.4.2.6.8.10 | RACI matrix documentation | |
5.4.2.6.8.11 | Detailed MTTD/MTTR tracking | |
5.4.2.6.8.12 | Incident-to-alert ratio tracking | |
5.4.2.6.8.13 | False positive rate tracking | |

7.6 Personnel Requirements (5.4.2.6.9-14)

Ref | Requirement | Compliance | Notes
5.4.2.6.9.1 | Singapore-based in-house SOC (no outsourcing) | | Singapore is the primary location for serving APAC with engineering and incident response staff. Armor's global presence may route some work to other locations.
5.4.2.6.9.2 | L1 analyst certifications (BTL1 or equivalent) | |
5.4.2.6.9.3 | L2 analyst certifications (BTL2/GCIH or equivalent) | |
5.4.2.6.9.4 | L3 analyst certifications (BTL3/GCFA/OSCP or equivalent) | |
5.4.2.6.9.5 | Dedicated Technical Account Manager (TAM) | |
5.4.2.6.9.6 | Background checks for all personnel | |
5.4.2.6.9.7 | NDA requirements for all personnel | |
5.4.2.6.9.8 | Backup SOC in separate geographic region | |
5.4.2.6.9.9 | Tiered SOC structure (L1/L2/L3) | |
5.4.2.6.9.10 | Clear escalation paths between tiers | |
5.4.2.6.9.11 | Minimum 40 hours annual training per analyst | |
5.4.2.6.9.12 | Proof of certifications available for audit | |
5.4.2.6.9.13 | Casino regulatory licensing where required | |
5.4.2.6.9.14 | Age 21+ for casino property access | |
5.4.2.6.9.15 | No criminal history for assigned staff | |
5.4.2.6.9.16 | Professional conduct requirements | |
5.4.2.6.9.17 | Role-based, time-bound access with full audit trails | |
5.4.2.6.9.18 | Immutable analyst action logging | |

8. Timeline & Deliverables (Section 6)

8.1 Project Timeline (6.1)

Milestone | Timeline
Project Kick-off | T (Award Date)
Completion of Design | T + 4 weeks
Completion of Cloud/On-Prem Deployment | T + 8 weeks
Completion of SIT with Sign-Off | T + 10 weeks
Completion of UAT with Sign-Off | T + 12 weeks
Completion of ORT with Sign-Off | T + 14 weeks
System Commissioning with Sign-Off | T + 15 weeks ("C")
Performance Guarantee Period | C + 3 to 6 months
Warranty Period | System Acceptance + 9 months

8.2 Project Management Deliverables (6.3.1)

Ref | Requirement | Compliance | Notes
6.3.1.1 | Project Plan | |
6.3.1.2 | Project Deliverables & Schedule | |
6.3.1.3 | Statement of Work (Project Scope) | |
6.3.1.4 | Project Risk, Issue and Change Logs | |
6.3.1.5 | Deployment Plan | |

8.3 Requirement Deliverables (6.3.2)

Ref | Requirement | Compliance | Notes
6.3.2.1 | Functional Requirements Specifications | |
6.3.2.2 | Non-Functional Requirements Specifications | |
6.3.2.3 | Integration Requirements Specifications | |

8.4 Analysis and Design Deliverables (6.3.3)

Ref | Requirement | Compliance | Notes
6.3.3.1 | Architecture & Technical Specifications & Diagram | |
6.3.3.2 | Application, UI & Report Design Specifications | |
6.3.3.3 | Tuning Report | |
6.3.3.4 | Logical Database Model | |
6.3.3.5 | Data Conversion and Migration Design | |

8.5 Installation & Configuration Deliverables (6.3.4)

Ref | Requirement | Compliance | Notes
6.3.4.1 | Environment Configuration Baseline | |
6.3.4.2 | Deployment Guide | |
6.3.4.3 | Operations Guide | |
6.3.4.4 | Backup, Failover & Recovery Guide | |
6.3.4.5 | Housekeeping Configuration Baseline | |
6.3.4.6 | Source code (if applicable) | |

8.6 Testing Deliverables (6.3.5)

Ref | Requirement | Compliance | Notes
6.3.5.1 | SIT Test Strategy/Plan, Scenarios, Cases, RTM, Defect Logs, Summary | |
6.3.5.2 | UAT Test Strategy/Plan, Scenarios, Cases, RTM, Defect Logs, Summary | |
6.3.5.3 | Performance Test Strategy/Plan, Scenarios, Cases, Defect Logs, Summary | |
6.3.5.4 | High Availability (HA) Test Plans, Scenarios, Cases, Defect Logs, Summary | |
6.3.5.5 | Disaster Recovery (DR) Test Plans, Scenarios, Cases, Defect Logs, Summary | |
6.3.5.6 | ORT Test Plans, Scenarios, Cases, Defect Logs, Summary | |

8.7 Training Deliverables (6.3.6)

Ref | Requirement | Compliance | Notes
6.3.6.1 | Training Slides | |
6.3.6.2 | Training Hand-outs | |
6.3.6.3 | Quick Start Guides (How-To) | |
6.3.6.4 | Frequently Asked Questions (FAQ) | |

8.8 Managed Security Services Deliverables (6.3.10)

Ref | Requirement | Compliance | Notes
6.3.10.1 | Monthly and Quarterly Security Monitoring Reports | |
6.3.10.2 | Incident Reports (per incident) | |
6.3.10.3 | Threat Hunting Reports (as conducted) | |
6.3.10.4 | Role and Access Review Reports (periodically) | |
6.3.10.5 | Use Case Review and Improvement Recommendations | |
6.3.10.6 | Configuration Baseline Review and Recommendations | |
6.3.10.7 | Security Landscape Review Reports | |
6.3.10.8 | System Platform Health and Performance Reports | |
6.3.10.9 | Customized Dashboards and Alert Definitions | |
6.3.10.10 | Incident Response Playbooks and Runbooks | |
6.3.10.11 | Recommendations for Security Posture Improvement | |

9. Acceptance Tests (Section 11)

Ref | Requirement | Compliance | Notes
11.2 | Submit comprehensive test plan, acceptance criteria, procedure 1 week prior to testing | |
11.4 | Provide all tools and testing equipment at Supplier's cost | |
11.8.1 | Installation Test: Walk-through with RWS to check installation quality | |
11.9 | System Integration Test (SIT): All components end-to-end verification | |
11.9.5 | SIT Exit Criteria: All scenarios executed, no Medium/High defects outstanding | | Performance observations will be reported but not guaranteed as SLO commitments
11.10 | User Acceptance Test (UAT): Business user verification | |
11.10.6 | UAT Exit Criteria: All scenarios executed, no Medium/High defects outstanding | | Performance observations will be reported but not guaranteed as SLO commitments
11.11 | Operational Readiness Test (ORT): Production environment verification | |
11.11.5 | ORT Exit Criteria: All acceptance criteria met, no Medium/High defects | | Performance observations will be reported but not guaranteed as SLO commitments
11.12 | Performance Test: Demonstrate conformance to Section 17.10 requirements | |
11.13 | Failover Test: Verify failover and failback with minimum interruption | |
11.14 | HA and DR Tests: High Availability and Disaster Recovery verification | |
11.15 | Support RWS-initiated security validation/assurance activities | |

10. Warranty & Maintenance (Sections 15-16)

10.1 Warranty Requirements (Section 15)

Ref | Requirement | Compliance | Notes
15.3 | Warranty Period: 9 calendar months from System Acceptance Date | |
15.4.1 | Adhere to SLA during Warranty Period | |
15.4.2 | Responsible for satisfactory operation at no additional cost | |
15.4.3 | Render replacements, investigations, services at no cost | |
15.4.4 | Corrective maintenance, troubleshooting, defect isolation | |
15.5.1 | Normal patches within 5 working days | |
15.5.2 | Critical patches within 24 hours | |

10.2 Maintenance Requirements (Section 16)

Ref | Requirement | Compliance | Notes
16.1 | Maintenance includes platform software, configuration updates, managed-service sustainment | |
16.2 | Maintenance for duration of Contract Period (3+1+1 years) | |
16.4.1 | Maintenance in accordance with SLA | |
16.4.2 | Maintain properly skilled, trained, qualified staff | |
16.5.2.2 | Support Hours: 0830 to 1800, Monday to Friday | |
16.5.2.3 | After-hours support for P2+ incidents | |
16.5.3.1 | Support during disaster recovery exercises | |
16.5.3.3 | Deliver software updates and documentation promptly | |

11. SLA Requirements (Section 17)

11.1 Service Level Objectives (17.4)

Ref | Requirement | Compliance | Notes
17.4.1 | Platform Availability: 99.9% monthly (excluding maintenance) | |
17.4.2 | Ingestion Latency: 10 seconds average | | Performance observations will be reported but not guaranteed as SLO commitments
17.4.3 | Action Execution: 30 seconds | | Performance observations will be reported but not guaranteed as SLO commitments
17.4.4 | False-Positive Rate: 2% monthly maximum | |

11.2 Cybersecurity Incident Response SLAs (17.6.2)

Severity | Identification | Analysis | Containment | Eradication | Preliminary Report | Final Report
P1 Critical | 15 min | 1 hour | 4 hours | 36 hours | 24 hours (hourly flash) | 3 business days
P2 High | 30 min | 2 hours | 24 hours | 2 days | 48 hours (2-hourly flash) | 5 business days
P3 Medium | 3 hours | 8 hours | 2 days | 4 days | 5 days | 7 business days
P4 Low | 1 day | - | - | 10 days | Periodic summaries | Periodic summaries

11.3 Threat Hunting SLAs (17.7)

Ref | Requirement | Compliance | Notes
17.7.2 | Ad-hoc request acknowledgment: 4 hours | |
17.7.3.1 | Critical IoC sweep completion: 4 hours | |
17.7.3.1 | Standard IoC sweep completion: 24 hours | |
17.7.4 | Complex hypothesis-driven hunt: 72 hours | |
17.7.5 | Proactive intel-led hunt initiation: 24 hours | |
17.7.5.2 | Retro-hunt minimum 30-90 days of telemetry | |
17.7.6 | Hunt report delivery: 24 hours post-completion | |

11.4 System Availability and Performance (17.10-17.12)

Ref | Requirement | Compliance | Notes
17.10.2 | Redundancies for high availability (failover clustering, load balancing) | |
17.10.3 | Dual data center failover between primary and secondary sites | |
17.10.4 | 99.9% availability per calendar month | |
17.10.5 | 24x7 operation availability | |
17.10.6 | Minimal performance impact during backup/housekeeping | |
17.12.1 | Response time: 3 seconds for 80%, 5 seconds for 90% of transactions | | Performance observations will be reported but not guaranteed as SLO commitments
17.12.1 | Maximum response time: 15 seconds | | Performance observations will be reported but not guaranteed as SLO commitments
17.12.3 | Static reports: 15 seconds or less | |
17.12.4 | Parameter-based reports: 30 seconds or less | |

12. Security Requirements (Section 18)

12.1 Application Security (18.4)

Ref | Requirement | Compliance | Notes
18.4.1 | Software security framework for code development/customization | |
18.4.2 | Follow OWASP SAMM or equivalent framework | |
18.4.3 | Scan for vulnerabilities and rectify before deployment | |
18.4.4 | Use fixed TCP/UDP ports | |
18.4.5 | Use secure protocols (SSH, SFTP) | |
18.4.6 | Store credentials as hashed or encrypted | |
18.4.7 | No remote access or backdoors without RWS approval | |
18.4.8 | Document remote support implementation and security measures | |
18.4.9 | No functions that change security configuration of operating environment | |
18.4.10 | Submit architecture and dataflow diagrams for approval | |
18.4.11 | Comply with RWS change control process | |
18.4.12 | Control measures to prevent malicious code introduction | |
18.4.13 | Harden UAT, production, DR environments to RWS standards | |
18.4.14 | Implement sufficient security controls for CIA protection | |

12.2 Access Management (18.5)

Ref | Requirement | Compliance | Notes
18.5.2 | Authorization at operating system and application level | |
18.5.3 | Support Microsoft Active Directory authentication | |
18.5.4 | Support automated user account provisioning via AD sync | |
18.5.5 | Least privilege and segregation of duties design | |
18.5.6 | Clear segregation of roles for Privileged Users | |
18.5.7 | Role-based user account configuration | |
18.5.8 | User account management: create, modify, disable, delete, search | |
18.5.9 | Interface with RWS Access Right Management System | |
18.5.11 | Restrict security admin role to essential functions | |
18.5.12 | Menu display based on user security profile | |
18.5.13 | Multi-factor authentication for administrative accounts | |
18.5.14 | Provide base role and functional matrix | |
18.5.15 | Proper approval and tracking for all system access | |
18.5.16 | Secure communication during authentication and communication | |
18.5.17 | URL access control for different roles (web-based) | |
18.5.18 | Inactive session auto logout | |

12.3 Audit and Logging (18.6)

Ref | Requirement | Compliance | Notes
18.6.2.1 | Audit trail: User login/logout activities | |
18.6.2.2 | Audit trail: Privileged user and admin activities | |
18.6.2.3 | Audit trail: Failed login attempts | |
18.6.2.4 | Audit trail: Data updates (create/modify/delete) | |
18.6.2.5 | Audit trail: Confidential/sensitive data maintenance | |
18.6.2.6 | Audit trail: Exceptional transactions | |
18.6.2.7 | Audit trail: Account and role changes | |
18.6.2.8 | Audit trail: Audit log access attempts | |
18.6.3 | Protect audit trails from unauthorized modification/deletion | |

12.4 Encryption Standards (18.8)

Ref | Requirement | Compliance | Notes
18.8.1 | AES with 256-bit keys minimum | |
18.8.1 | RSA with 2048-bit keys minimum | |
18.8.1 | SHA-256 hashing | |
18.8.2.1 | TLS version 1.2 minimum | |
18.8.2.2 | AES with GCM or CCM mode preferred | |
18.8.2.3 | SSH version 2 | |
18.8.2.4 | No clear text password storage | |
18.8.3 | WPA2 with AES for wireless | |
18.8.4 | Avoid unknown proprietary encryption | |
18.8.5 | X.509 version 3 digital certificates | |

13. Integration Requirements (Section 20)

Ref | Requirement | Compliance | Notes
20.1.1 | Active Directory single sign-on integration | |
20.1.2 | Develop authentication APIs for AD log-in | |
20.1.3 | Testing with simulated users and basic penetration tests | |
20.2.1 | IDAS integration via web services or batch file | |
20.2.1.1 | IDAS: User Profile creation/maintenance | |
20.2.1.2 | IDAS: User to Role list generation | |
20.2.1.3 | IDAS: Role to Function list generation | |
20.2.1.4 | IDAS: Active user list generation | |
20.2.1.5 | IDAS: Privilege account list generation | |
20.3 | Flexibility to integrate with existing/new 3rd party systems | |
21.1 | Migrate existing configurations to new system (rules, settings, dashboards, integrations, alerts) | |
21.2 | Redirect alerts from existing system if onboarding delayed | |

14. Technology Stacks (Section 22)

14.1 Platform Requirements (22.1-22.4)

Ref | Requirement | Compliance | Notes
22.1.1 | Deploy on RWS IT-supported platforms | |
22.1.1 | Align with RWS technology stacks | |
22.1.1 | Written RWS approval before deployment | |
22.2.1 | OS/DB within vendor mainstream support for 2+ years from commissioning | |
22.2.2 | Not within 2 years of published EOS date at commissioning | |
22.3.1 | All software within active support lifecycle | |
22.4.1 | Ongoing compliance warranty for contract term | |
22.4.2 | Upgrade/replace components approaching EOS at Supplier cost | |

14.2 RWS Standard Technology Stack (22.6.1)

Category | RWS Standard
Operating Systems | Windows Server 2022+, RHEL 9+
Database | Azure SQL Database, Azure SQL Managed Instance
Cloud Platform | Microsoft Azure
Container | AKS
Backup | Azure Backup
Automation | Azure Functions, Azure Logic Apps
Directory Services | Microsoft Entra ID
Log Management | Azure Log Analytics
Monitoring | Azure Monitor
Storage | Azure Storage Accounts
Load Balancer | Azure Application Gateway
Client Browser | Edge, Chrome (internal); Edge, Chrome, Firefox, Safari (external)
Client OS | Windows, iOS, Android

15. Key Performance Indicators (Appendix B3)

15.1 Platform Health & Detection Effectiveness

KPI | Target | Compliance | Notes
Endpoint Sensor Health & Coverage | 98%+ of licensed endpoints online and reporting | |
Telemetry & Log Ingestion Coverage | 95%+ of defined sources actively ingesting, 95% parsing success | |
System Availability & Performance | 99.5%+ uptime, 60s alert latency, 10s average query | |
Detection Rule Effectiveness | 95% execution, TPR 90%+, FPR 10%-, quarterly tuning | |

15.2 SOC Operations & Response Performance

KPI | Target | Compliance | Notes
Mean Time to Detect (MTTD) | 15 minutes or less | |
Mean Time to Acknowledge (MTTA) | 15 minutes or less | |
Mean Time to Respond (MTTR) | 60 minutes (High/Critical) | |
Incidents Closed Within SLA | 90%+ | |
Triage FPR/TPR | FPR 15%-, TPR 85%+ | |
Escalation Rate | 20%- to Tier 2/3 | |
Proactive Threat Hunts | 2+ per month | |
New Use Cases from Hunts | 1+ per quarter | |

15.3 Service Delivery & Continuous Improvement

KPI | Target | Compliance | Notes
Overall SLA Compliance | 98%+ | |
Critical SLA Breaches | 0 per month | |
Customer Satisfaction (CSAT) | 4+/5 | |
Critical Issues Raised | 5- per quarter | |
Log Source Onboarding Time | 10 working days per source | |
Ticket Resolution Within SLA | 95%+ | |
Reports Delivered On Schedule | 100% | |
MTTD/MTTR Improvement | 10%+ QoQ for 2 consecutive quarters | |

16. Functional Requirements: EPP (Appendix E)

16.1 Core Antivirus & Anti-Malware

Ref | Requirement | Compliance | Notes
EPP-1.1 | Static and dynamic ML analysis for malware detection (trojans, ransomware, spyware, viruses) | |
EPP-1.2 | Not solely reliant on signature-based detection | |
EPP-1.3 | Real-time on-access scanning on execution, creation, modification | |
EPP-1.4 | On-demand scanning (full or quick) on single or groups of endpoints | |
EPP-1.5 | Auto-quarantine malicious files to secure encrypted holding area | |
EPP-1.6 | Clear audit log for every detection (path, hash, process, action, timestamp) | |

16.2 Exploit Prevention

Ref | Requirement | Compliance | Notes
EPP-2.1 | Dedicated module for memory corruption vulnerability prevention | |
EPP-2.2 | Protect MS Office, web browsers, PDF readers, media players, Java runtimes | |
EPP-2.3 | Detect/block shellcode injection (process hollowing, atom bombing, DLL sideloading) | |

16.3 Behavioral Prevention (IoAs)

Ref | Requirement | Compliance | Notes
EPP-3.1 | Real-time process behavior analysis | |
EPP-3.2.1 | Detect fileless attacks (PowerShell, WMI, WSH) | |
EPP-3.2.2 | Detect ransomware encryption behavior | |
EPP-3.2.3 | Detect credential access and dumping (LSASS, etc.) | |
EPP-3.2.4 | Detect lateral movement (WMIexec, PsExec, RDP) | |
EPP-3.2.5 | Detect persistence mechanisms (registry, services, scheduled tasks) | |
EPP-3.3 | Custom IOA rule creation | |

16.4 Device Control

Ref | Requirement | Compliance | Notes
EPP-4.1 | Granular policy for removable media and peripherals | |
EPP-4.2 | Control by device class, vendor ID, product ID, serial number | |
EPP-4.3 | Options: read-only, write-only, block-all, full read/write | |
EPP-4.4 | Log all device access attempts | |

16.5 Host Firewall & Management

Ref | Requirement | Compliance | Notes
EPP-5.1 | Host-based firewall for Windows and macOS | |
EPP-5.2 | Centrally managed firewall rules | |
EPP-5.3 | Rules by app path, hash, direction, IP, port, protocol | |
EPP-5.4 | Pre-configured rule sets for common services | |
EPP-6.1 | Single web-based management console | |
EPP-6.2 | Different policy sets for endpoint groups | |
EPP-6.3 | Real-time and historical reporting | |
EPP-6.4 | Pre-built compliance reports (NIST, CIS) | |

16.6 Performance & Resilience

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| EPP-7.1 | Minimal predictable performance impact | | |
| EPP-7.2 | Max 5% CPU during on-access scan | | |
| EPP-7.3 | Max 250MB memory under normal operation | | |
| EPP-7.4 | No noticeable boot/logon delay | | |
| EPP-7.5 | Granular scheduling of resource-intensive activities | | |
| EPP-7.6 | Low-power mode on battery | | |
| EPP-9.1 | Self-protecting anti-tampering (even with local admin) | | |
| EPP-9.2 | No tampering via OS tools, registry, GPO, PowerShell | | |
| EPP-9.3 | Kernel-level protection, works in Safe Mode | | |
| EPP-9.4 | Autonomous self-healing | | |
| EPP-9.5 | Protection active offline, in Safe Mode, under attacker control | | |
| EPP-9.6 | Cryptographic integrity enforcement | | |
| EPP-9.7 | Real-time alerts on tampering attempts | | |

17. Functional Requirements: EDR (Appendix E)

17.1 Data Collection and Telemetry

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| EDR-1.1 | Continuous chronological timeline recording (not reliant on Windows Event Logs) | | |
| EDR-1.2.1 | Process execution data (name, path, hash, args, parent/child, user, integrity) | | |
| EDR-1.2.2 | File system activity (create, read, write, move, delete, attributes) | | |
| EDR-1.2.3 | Network connections (source/dest IP, ports, protocol, domain, process) | | |
| EDR-1.2.4 | Registry modifications (keys, values) | | |
| EDR-1.2.5 | Module/DLL loading activity | | |
| EDR-1.2.6 | User logon/authentication events | | |
| EDR-1.3 | 90-day minimum hot searchable retention | | |
| EDR-1.4 | Local caching and resilient transmission on reconnect | | |

17.2 Detection and Response

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| EDR-2.1 | Correlate telemetry into IOA-based alerts | | |
| EDR-2.2 | Auto-map to MITRE ATT&CK tactic/technique/sub-technique | | |
| EDR-2.3 | Dynamic severity scoring (Critical/High/Medium/Low) | | |
| EDR-2.4 | Pre-tuned detection rules, continuously updated | | |
| EDR-2.5 | Custom detection rule creation | | |
| EDR-3.1 | Advanced query language (SQL/KQL-like) | | |
| EDR-3.2 | Save, schedule, share queries | | |
| EDR-3.3 | Graphical investigation tool with attack chain mapping | | |
| EDR-3.4 | Pivot from alerts to raw telemetry | | |
| EDR-3.5 | Timeline view of related activity | | |

17.3 Response Capabilities

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| EDR-4.1 | Remote response from management console | | |
| EDR-4.2.1 | Remote shell access | | |
| EDR-4.2.2 | Kill running processes | | |
| EDR-4.2.3 | Delete or quarantine files | | |
| EDR-4.2.4 | Network isolation (full or selective) | | |
| EDR-4.2.5 | Upload and execute custom scripts across endpoints | | |
| EDR-4.3 | Immutable audit trail for all response actions | | |

17.4 Integration

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| EDR-5.1 | Documented RESTful API for SIEM, SOAR, ITSM integration | | |
| EDR-5.2 | API retrieval of alerts, endpoints, investigation data | | |
| EDR-5.3 | API-initiated response actions | | |
| EDR-5.4 | External threat intel ingestion (STIX/TAXII) | | |

18. Functional Requirements: XDR (Appendix E)

18.1 Data Integration

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| XDR-1.1 | Native integration beyond endpoint (no custom parsing) | | |
| XDR-1.2.1 | Pre-built integrations: Cloud Platform | | |
| XDR-1.2.2 | Pre-built integrations: Identity and Access Management | | |
| XDR-1.2.3 | Pre-built integrations: Email Solution | | |
| XDR-1.2.4 | Pre-built integrations: Network Infrastructure | | |
| XDR-1.2.5 | Pre-built integrations: EDR Tools | | |
| XDR-1.3 | Normalize all data to unified queryable schema | | |

18.2 Cross-Domain Correlation

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| XDR-2.1 | Auto-analyze across endpoint, cloud, identity, email, network | | |
| XDR-2.2 | Auto-stitch related events into unified incident | | |
| XDR-2.3 | ML/behavioral analytics for baseline deviation detection | | |
| XDR-2.4 | MITRE ATT&CK mapping across kill chain | | |

18.3 Unified Investigation

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| XDR-3.1 | Single unified view for all incidents | | |
| XDR-3.2 | Unified timeline merging all domains | | |
| XDR-3.3 | Single query language across all normalized data | | |
| XDR-3.4 | Pivot from identity to endpoint to cloud within console | | |

18.4 Automated Response

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| XDR-4.1.1 | Playbook: Force logoff and password reset on compromised identity | | |
| XDR-4.1.2 | Playbook: Revoke cloud session/permissions | | |
| XDR-4.1.3 | Playbook: Push firewall block rules | | |
| XDR-4.1.4 | Built-in orchestration engine (no separate SOAR required) | | |
| XDR-4.2 | Central audit trail for all automated actions | | |

18.5 API and Ecosystem

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| XDR-5.1 | Documented RESTful API for all core functions | | |
| XDR-5.2 | OAuth 2.0 authentication | | |
| XDR-5.3 | JSON, CEF, OCSF format support | | |
| XDR-5.4 | Pre-built integrations for SIEM, SOAR, ITSM | | |

19. Functional Requirements: MXDR (Appendix E)

19.1 Service Foundation

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-1.1 | 24x7x365 managed service with SOC primary responsibility | | |
| MXDR-1.2 | Detailed RACI matrix for all operational phases | | |
| MXDR-1.3.1 | Analysts hold GCIH, GCFA, GNFA, GCFE, OSCP, CISSP or equivalent | | |
| MXDR-1.3.2 | Minimum 40 hours annual training per analyst | | |
| MXDR-1.3.3 | Tiered teams (T1/T2/T3) with clear escalation | | |
| MXDR-1.3.4 | Dedicated TAM with deep RWS environment knowledge | | |

19.2 Platform Integration

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-2.1.1 | Native multi-tenant sensors for EDR, CWPP, identity | | |
| MXDR-2.1.2.1 | Third-party ingestion: Network infrastructure (firewalls, proxies, flow, DNS, NDR) | | |
| MXDR-2.1.2.2 | Third-party ingestion: Cloud environments (audit logs, config, posture) | | |
| MXDR-2.1.2.3 | Third-party ingestion: Email security systems | | |
| MXDR-2.1.2.4 | Third-party ingestion: IAM (auth events, audit, directory) | | |
| MXDR-2.1.2.5 | Third-party ingestion: Application sources (web, DB, SaaS) | | |
| MXDR-2.2.1 | Real-time cross-source correlation | | |
| MXDR-2.2.2 | 90-day minimum retention, 365-day option | | |
| MXDR-2.2.3 | Auto MITRE ATT&CK mapping | | |

19.3 Detection and Analysis

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-3.1.1 | Monitor and triage 100% of alerts | | |
| MXDR-3.1.2 | Proprietary and open-source threat intel feeds | | |
| MXDR-3.2.1 | Continuous hypothesis-driven hunting | | |
| MXDR-3.2.2.1 | Intel-driven hunting (industry TTPs) | | |
| MXDR-3.2.2.2 | Analytics-driven hunting (anomalies) | | |
| MXDR-3.2.2.3 | Suspicion-driven hunting (weak signals) | | |
| MXDR-3.2.3 | Document all hunting activities | | |
| MXDR-3.3.1 | Full kill-chain analysis mapped to MITRE | | |
| MXDR-3.3.2 | Determine scope (endpoints, users, cloud, data) | | |
| MXDR-3.3.3 | Confidence level with evidence | | |

19.4 Response and Remediation

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-4.1.1 | Develop pre-approved response playbook during onboarding | | |
| MXDR-4.1.2 | Define actions for ransomware, credential compromise, exfiltration | | |
| MXDR-4.1.3 | Granular action specifications (commands, tools, sequences) | | |
| MXDR-4.2.1 | Immediate execution of pre-approved actions without sign-off | | |
| MXDR-4.2.2 | 24/7 hotline and secure messaging for escalation | | |
| MXDR-4.3.1 | Comprehensive Incident Report within 24 hours of containment | | |
| MXDR-4.3.2 | Post-incident review for high-severity incidents | | |
| MXDR-4.3.3 | Supply IOCs and custom rules (YARA, SIGMA) | | |

19.5 Reporting and Compliance

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-5.1.1 | Certifications per Section 9 | | |
| MXDR-5.1.2 | Role-based, time-bound, logged analyst access | | |
| MXDR-5.2.1 | Real-time dashboard (MTTD, MTTR, incidents, SLA) | | |
| MXDR-5.2.2 | Monthly executive report | | |
| MXDR-5.2.3 | Quarterly Business Reviews (QBRs) | | |

19.6 Onboarding and Offboarding

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-6.1.1 | Documented phased onboarding plan with milestones | | |
| MXDR-6.1.2 | Day 0-2 coverage for critical data sources | | |
| MXDR-6.1.3 | Assist with sensor/agent deployment and configuration | | |
| MXDR-6.2.1 | Formal training for RWS IT Security Team | | |
| MXDR-6.2.2 | Complete documentation of technologies, integrations, SOPs | | |
| MXDR-6.3.1 | Permanent data purge or return upon termination | | |
| MXDR-6.3.2 | Orderly transition assistance with data export | | |

19.7 Technology Flexibility

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-7.1.1 | Full documented API access | | |
| MXDR-7.1.2 | OCSF support for data normalization | | |
| MXDR-7.1.3.1 | Custom detection rule creation and tuning | | |
| MXDR-7.1.3.2 | RWS-specific baselines and allow-lists | | |
| MXDR-7.1.4.1 | Effective service with existing EDR/NDR vendors | | |
| MXDR-7.1.4.2 | Robust integrations with 2+ vendors per category | | |

19.8 Strategic Services

| Ref | Requirement | Compliance | Notes |
|---|---|---|---|
| MXDR-8.1.1 | Contextual vulnerability prioritization with threat intel correlation | | |
| MXDR-8.1.2 | Security misconfiguration identification and alerting | | |
| MXDR-8.1.3.1 | Periodic security posture assessments | | |
| MXDR-8.1.3.2 | Prioritized actionable recommendations | | |

20. Certification Requirements (Section 9)

| Party | Requirement | Compliance | Notes |
|---|---|---|---|
| Partner/SI (Day-1) | Valid ISO/IEC 27001 ISMS certification | | |
| MXDR Provider (Day-2) | Valid SOC 2 Type II or ISO/IEC 27001 certification | | |
| MXDR Provider (Day-2) | Valid CSRO license (Singapore) | | |
| Technology Platform | SOC 2 Type II certification | | |
| Technology Platform | ISO/IEC 27001 certification | | |
| All Parties | Provide complete certification documents and audit reports | | |
| All Parties | Furnish documents to RWS upon request | | |
| All Parties | Maintain valid certifications for entire contract period | | |
| All Parties | Immediately notify RWS of any certification status changes | | |

Critical Milestones