Consultancy for design and implementation of cyber hub essential skills program

Reference Number: 83483856

Date of Publication: 26.02.2025

0. Context

The Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH is a federally owned international cooperation enterprise for sustainable development with worldwide operations. The GIZ Office in Kigali covers GIZ’s portfolio in Rwanda and Burundi. GIZ Rwanda/Burundi implements projects on behalf of the German Federal Ministry for Economic Cooperation and Development, the European Union and other commissioning authorities in the following priority areas: Sustainable Economic Development, Good Governance, Climate, Energy and Sustainable Urban Development, Digitalization and Digital Economy, Mineral Governance, Peace and Security in the Great Lakes Region.

About the GIZ Digital Transformation Center Rwanda 

The Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH is a federally owned international cooperation enterprise for sustainable development with worldwide operations. GIZ has worked in Rwanda for over 30 years. The primary objectives between the Government of Rwanda and the Federal Republic of Germany are poverty reduction and promotion of sustainable development. To achieve these objectives, GIZ Rwanda is active in the sectors of Decentralization and Good Governance, Economic Development and Employment Promotion, Energy, and ICT (Information and Communications Technology).

The DigiCenter is a newly created Digital4Rwanda project unit dedicated at delivering impact driven digital solutions, developing the capacities of the local innovation ecosystem, and replicating/scaling-up digital solutions at regional and continental level. The government of Rwanda understands there are significant digital upskilling needs in the public and private sector. Among the activities proposed in this project are to support the Digital Skills Council, the initiative from MINICT. One of the projects under the Digital skills Council is cyber security hub.

Rwanda has made significant progress in its journey towards becoming a digital economy, driven by a variety of initiatives. As the country expands its ICT infrastructure and connectivity, it has increasingly exposed itself to potential cyber threats and attacks. The CYBER HUB is an initiative aiming to develop talent, provide practical training, and enhance professional skills in cybersecurity and data protection in Rwanda and the region. It envisions a vibrant ecosystem where talent, technology, and collaboration converge. Partnerships between the National Cyber Security Authority, GIZ other stakeholders will be established to operationalize the academy which will significantly impact the cyber security landscape. The rapid digitalization underscores the urgent need to develop a skilled workforce in cybersecurity. By investing in education and training programs, Rwanda seeks to build local talent with employable skills, capable of safeguarding its digital landscape, ensuring that the nation can fully realize its ambitions while protecting its citizens and businesses from the evolving risks of the cyber threat landscape. The Cyber Security Essentials Skills Program is a first step to producing local talent with a strong foundation in cyber security technical and organisational skills.

Program rationale:

This program aims to equip participants with foundational cybersecurity knowledge while also evaluating their skills and potential for specialised training tracks.

Objectives:  

• Equip participants with a strong foundation in technical and organisational cybersecurity skills.
• Foster participants' interest in cybersecurity and assess their suitability for advanced training programs.
• Enhancing the number of Rwandan professionals equipped with fundamental cybersecurity skills within the ecosystem.

Training target group and participants’ profiles:

50 graduands /graduates from a variety of universities in Rwanda

• Graduates in IT, information systems, computer science, networks and communications, software engineering or related fields
• Possess a solid foundation in IT concepts, programming languages and systems administration
• Applicants must be residing in Rwanda
• Proficiency in business English is crucial, encompassing skills in reading, writing, and comprehension

Training basic structure:

• Presentations from trainers: Trainers will lead and conduct sessions that cover content on planned topics.
• Hands-On Labs and Simulations:Participants engage in practical exercises and simulations that replicate real-world scenarios, including configuring security devices, conducting vulnerability assessments, and responding to simulated cyber incidents.
• Scenario-Based Training:Participants analyze case studies and security challenges that reflect authentic industry environments, enhancing their ability to identify and mitigate cybersecurity threats effectively.
• Self-Study:Beyond class hours and lab work, learners are expected to dedicate additional time to self-study, researching and reinforcing the concepts covered during sessions. 50 participants will learn using two groups (A & B) with one being a morning group and another being an afternoon group.
• Assessments and Examinations: Participants will undergo assessments provided by the trainers to assess comprehension of core concepts and skills. Assessments should also provide insights into participants’ readiness for advanced cyber security tracks. This will be reviewed and approved by the National Cyber Security Authority.

1. Tasks to be performed by the contractor

The contractor is responsible for providing the following services:

The bidder will be responsible for training up to 50 individuals in essential cybersecurity skills. This includes evaluating participants' current skill levels, developing a comprehensive training curriculum, delivering the training, and creating a methodology to assess and report the training's effectiveness.

Work package 1: Training design and preparation

Before training begins, the contractor should develop the necessary curriculum and training framework. Both the curriculum and framework will need to be approved by the GIZ team and its partners before starting the training. The following elements should be included:

• A description of the training’s target group
• Training objectives
• Training session plan (schedule or timing for each training session)
• Training curriculum, including content to be covered in each session considering the list of training topics listed below.
• Any additional training materials and exercises for the trainees.
• Inbound assessment to assess current participants’ levels.
• Post training assessment plan to assess the training effectiveness

The training curriculum and content should establish a foundation in the following list of essential topics:

• Introduction to cyber security (include possible cyber security tracks and certifications)
• Cyber security technologies
• Cyber security architecture
• Network and System security
• Secure coding practices
• Vulnerability assessment
• Cyber incident response
• Cyber risk management
• SOC operations
• Cyber security laws and regulations
• Cyber governance and policies
• Cyber security ethics.

Work package 2: Training delivery

• Training sessions: For 20 days, the contractor is responsible for delivering physical training sessions that cover the above list of training topics. Training sessions will be delivered at a physical site in Kigali that will be communicated by GIZ and the National Cyber Security Authority. For an additional 3 days, the contractor will prepare and deliver a final assessment to the trainees from the delivered training content.
• Coordination of the training: The contractor will oversee and ensure the training program runs smoothly (on time agreed with GIZ and its partner NCSA). The contractor will also provide progress reports as required by GIZ and its partners.
• Management of participants:The contractor is responsible for any communication with participants during and after the training. However, the contractor can involve GIZ and NCSA whenever is necessary. The contractor should also track the attendance of participants during every training session.
• Providing training content and materials: The contractor is responsible for developing and providing training content and materials such as training modules/content or books, access to online resources, access to training exercises, presentations, handouts, lab guides, and other materials to enhance participants’ learning experience.  

Work package 3: Training evaluation and participants’ assessment

• Participants’ assessment: The chosen contractor will assess learners (pre assessment and post-assessment) according to the curriculum delivered, providing insights on the effectiveness and impact of the training. Additionally, the post assessment should show learners’ readiness to pursue advanced cybersecurity pathways.
• Certificate of completion: The contractor proposes a design for the certificate of completion, tailored to reflect the program's successful completion and the trainee's performance level. This design will be subject to review and approval by NCSA.
• Final report: The contractor will provide a final report upon completion of the evaluation process. The report should summarize the training outcomes, including participant feedback and recommendations for future training.

Certain milestones, as laid out in the table below, are to be achieved during the contract term:

Period of assignment: from 01.04.2025 until 310.09.2025.

2. Concept

In the tender, the tenderer is required to show how the objectives defined in Chapter 2 (Tasks to be performed) are to be achieved, if applicable under consideration of further method-related requirements (technical-methodological concept). In addition, the tenderer must describe the project management system for service provision.

Note: The numbers in parentheses correspond to the lines of the technical assessment grid.

Technical-methodological concept

Strategy (1.1): The tenderer is required to consider the tasks to be performed with reference to the objectives of the services put out to tender (see Chapter 1 Context) (1.1.1). Following this, the tenderer presents and justifies the explicit strategy with which it intends to provide the services for which it is responsible (see Chapter 2 Tasks to be performed) (1.1.2).

The tenderer is required to present the actors relevant for the services for which it is responsible and describe the cooperation (1.2) with them.

The tenderer is required to present and explain its approach to steering the measures with the project partners (1.3.1) and its contribution to the results-based monitoring system (1.3.2).

The tenderer is required to describe the key processes for the services for which it is responsible and create an operational plan or schedule (1.4.1) that describes how the services according to Chapter 2 (Tasks to be performed by the contractor) are to be provided. In particular, the tenderer is required to describe the necessary work steps and, if applicable, take account of the milestones and contributions of other actors (partner contributions) in accordance with Chapter 2 (Tasks to be performed) (1.4.2).

The tenderer is required to describe its contribution to knowledge management for the partner (1.5.1) and GIZ and to promote scaling-up effects (1.5.2) under learning and innovation.

Project management of the contractor (1.6)

The tenderer is required to explain its approach for coordination with the GIZ project. In particular, the project management requirements specified in Chapter 2 (Tasks to be performed by the contractor) must be explained in detail.

The tenderer is required to draw up a personnel assignment plan with explanatory notes that lists all the experts proposed in the tender; the plan includes information on assignment dates (duration and expert days) and locations of the individual members of the team complete with the allocation of work steps as set out in the schedule.

3. Personnel concept

The tenderer is required to provide personnel who are suited to filling the positions described, on the basis of their CVs (see Chapter 7), the range of tasks involved and the required qualifications.

The below specified qualifications represent the requirements to reach the maximum number of points in the technical assessment.

Team leader

Tasks of the team leader

• Overall responsibility for the advisory packages of the contractor (quality and deadlines)
• Coordinating and ensuring communication with GIZ, partners and others involved in the project.
• Personnel management, in particular identifying the need for short-term assignments within the available budget, as well as planning and steering assignments and supporting local and international short-term experts.
• Regular reporting in accordance with deadlines
• Controlling training and closing projects of varying types and sizes.

Qualifications of the team leader

• Education/training (2.1.1): Master’s degree in one of the following fields: ICT, Project Management, or ICT Education. A degree or certifications in Cybersecurity is an added advantage.
• Language (2.1.2): Excellent business language skills in English
• General professional experience (2.1.3): 8 years of professional experience, especially in training or teaching adults
• Specific professional experience (2.1.4): 5 years of experience in cyber security trainings and/or related tasks
• Leadership/management experience (2.1.5): 5 years of experience leading and managing similar projects

Key expert 1

Tasks of key expert 1

• Prepare training framework and conduct training sessions in cyber security essential skills
• Provide participants with the necessary training materials, including case studies, scenarios and practical exercises to be used
• Perform training evaluation and assessments

Qualifications of key expert 1

• Education/training (2.1.1): Bachelor's degree in cyber security, IT, Computer Science or in a related field. Proof is required
• Language (2.1.2): Excellent business language skills in English
• General professional experience (2.1.3): 5 years of professional experience in training or teaching adults
• Specific professional experience (2.1.4):
• 3 years of experience in cyber security trainings and/or related tasks with Recognized and professional certifications (CISSP, CISM, CEH, CCNA, CompTIA Security+, etc.)
• Proven experience and extensive knowledge with digital forensics, incident response, malwareanalysis risk assessment and management practices.

Soft skills of team members

In addition to their specialist qualifications, the following qualifications are required of team members:

• Team skills
• Initiative
• Communication skills
• Socio-cultural skills
• Efficient, partner- and client-focused working methods
• Interdisciplinary thinking
• The tenderer must provide a clear overview of all proposed short-term experts and their individual qualifications.

4. Costing requirements

Assignment of personnel and travel expenses

Per diem allowances are reimbursed as a lump sum up to the maximum amounts permissible under tax law for each country as set out in the country table in the circular from the German Federal Ministry of Finance on travel expense remuneration (downloadable from the German Federal Ministry of Finance – tax treatment of travel expenses and allowances for international business travel as of 1 January 20242025 (GERMAN ONLY)).

Accommodation allowances are reimbursed as detailed in the specification of inputs below.

With special justification, additional Accommodation costs up to a reasonable amount can be reimbursed against evidence.

All business travel must be agreed in advance by the officer responsible for the project

Sustainability aspects for travel

GIZ has undertaken an obligation to reduce greenhouse gas emissions (CO₂ emissions) caused by travel. When preparing your tender, please incorporate options for reducing emissions, such as selecting the lowest-emission booking class (economy) and using means of transport, airlines and flight routes with a higher CO₂ efficiency. For short distances, travel by train (second class) or e-mobility should be the preferred option.

CO₂ emissions caused by air travel must be offset. GIZ specifies a budget for this, through which the carbon offsets can be settled against evidence.

There are many different providers in the market for emissions certificates, and they have different climate impact ambitions. The Development and Climate Alliance (German only) has published a list of standards (German only). GIZ recommends using the standards specified there.

Specification of inputs

5. Inputs of GIZ or other actors

GIZ and/or other actors are expected to make the following available:

• A training venue equipped with computers, internet access, and essential items like chairs, desks, and projectors.
• List of the trainees (up to 50 participants)

6. Requirements on the format of the tender

The structure of the tender must correspond to the structure of the ToR. In particular, the detailed structure of the concept (Chapter 3) should be organised in accordance with the positively weighted criteria in the assessment grid (not with zero). The tender must be legible (font size 11 or larger) and clearly formulated. It must be drawn up in English.

The complete tender must not exceed 10 pages (excluding CVs). If one of the maximum page lengths is exceeded, the content appearing after the cut-off point will not be included in the assessment. External content (e.g. links to websites) will also not be considered.

The CVs of the personnel proposed in accordance with Chapter 4 of the ToRs must be submitted using the format specified in the terms and conditions for application. The CVs shall not exceed 4 pages each. They must clearly show the position and job the proposed person held in the reference project and for how long. The CVs can also be submitted in English  (language).

Please calculate your financial tender based exactly on the parameters specified in Chapter 5 Quantitative requirements. The contractor is not contractually entitled to use up the days, trips, workshops or budgets in full. The number of days, trips and workshops and the budgets will be contractually agreed as maximum limits. The specifications for pricing are defined in the price schedule.

7. Submission of the offer

Technical Proposal

• Technical Proposal (attached template for technical proposal MUST be used)
• Up to date CVs of proposed experts  
• Self-declaration of eligibility for the award
• Company registration certificate (RDB)
• VAT registration certificate
• Tax clearance certificate
• Company References for the completion of similar assignments

Financial offer:

Financial offer indicates the all-inclusive total contract price, supported by a breakdown of all costs as described in the specification of inputs. The costs must be in RWF and VAT excluded (Price sheet must be used). The Financial offer will be regarded as exclusive of VAT in the case where there is no information about VAT.

Your EoI has to be submitted in 2 separated emails to RW_Quotation@giz.de until latest 11.03.2025:

1. The technical offerhas to be submitted in PDF format and as attachment to the email with the subject: 83483856-Technical offer.  
2. The financial offerhas to be submitted in PDF format and as attachment to the email with the subject: 83483856-Financial offer

If the emails exceed the default email size of 30MB, offers can be exceptionally submitted through https://filetransfer.giz.de/, as indicated. The subject of recipient notification must be edited with the subject “83483856-Technical/Financial offer and the notification message must include the password to access the files.

Offers submitted through any other sharing platform, as google documents or similar will not be considered.

Without the subject mentioned, your offer may not be considered

Offers submitted in hard copy will not be considered.

GIZ reserves all rights.