In order to ensure information security, the contractor shall point out any technical weaknesses that may occur as well as any procedural improvements and design weaknesses in the IT landscape of the clients in accordance with the respective descriptions of the six specialist lots. Furthermore, concepts and standards currently used by the clients are to be further developed according to the state of the art. Through an expert analysis of IT security incidents, damage should be avoided and prevented in a targeted manner.
The AOKs are planning to establish a working group within the meaning of § 94 paragraph 1a SGB X - probably in the legal form of a partnership under civil law - through which the operation and procurement of applications of the electronic patient record and possibly also further applications of the telematics infrastructure are to be carried out (the "AML company"). If and as soon as the AML Company has been legally established and has legal capacity, it is entitled - but not obliged - to join the contract as an additional client by written declaration to the contractor. The contractor irrevocably agrees to this accession upon conclusion of the contract.
Special feature of Lot 1: Multiple Framework Agreement (different from the indication for Lots 2 to 6 in point IV.1.3 of this notice)
For Lot 1, provided that a sufficient number of tenders are eligible for award, three framework contract partners are sought. Specific contracts under the framework contract for Lot 1 shall be awarded in accordance with the terms of that framework contract. For details, reference is made to para. 3.7 of the framework contract for Lot 1. For lots 1 to 5, a single framework contract partner is sought.
Special features for Lots 5 and 6: No combination of awards
Where, in the context of this invitation to tender, a tenderer submits tenders for both Lot 5 and Lot 6 and that tenderer is scheduled to be awarded in both lots, that tenderer may be awarded the contract in only one of Lot 5 or Lot 6. Tenderers who submit a tender for both Lot 5 and Lot 6 shall indicate in the tender form the lot to which priority is to be given for the award. This also applies to consortia. If a tenderer or consortium does not specify the order of award in the tender form, the contract shall be awarded with priority in the lot for which no other tender eligible for award has been received. Where other tenders eligible for award have been received in both Lot 5 and Lot 6, the order of award shall follow the numbering of the lots, the lot with the lower number taking precedence.
If an individual tenderer in Lot 5 or Lot 6 is designated for the award and this tenderer also participates as a member of a consortium, the individual tenderer and the consortium may not both be awarded contracts in Lot 5 and Lot 6, taking into account the requirement of secret competition.
Any tenderer who submits a tender both as an individual tenderer and as a member of a consortium shall indicate in the tender form whether contracts awarded to him as an individual tenderer or contracts awarded to him as a member of a consortium are to be given priority. In the absence of an entry, priority shall be given to the lot for which no other tender eligible for award has been received. In all other respects, priority shall be given to the tender submitted as an individual tenderer.
Technical inspection
The IT operations of the clients include IT systems, management, network and communication components as well as applications that are operated centrally, decentrally or by third parties. The application portfolio is developed both by the AOKs themselves and by external partners. It includes specialist applications for internal use by the specialist departments, interfaces for service provision, web portals for insured persons and interested parties as well as solutions for the automation of tasks. Development is carried out according to both linear and iterative development models. The types of application include in particular:
- Applications,
- Web services,
- Mobile apps for Android and iOS,
- SAP-based statutory health insurance platform oscare,
- Extensions and modules for standard applications (e.g. Microsoft Office, Typo 3, Google Angular), as well as
- Command line based scripts.
In the context of statutory health insurance, the developed applications usually process social data in accordance with § 67 para. 1 SGB X. Depending on the procedure, further special categories of data pursuant to Art. 9 para. 1 General Data Protection Regulation (GDPR) may also be processed. As independent corporations under public law, the AOKs and their working groups (such as AOK-Bundesverband GbR, ITSCare GbR, gkv informatik, kubusIT GbR, AML-Gesellschaft) may also be subject to further requirements for data processing arising from state-specific regulations and specifications.
The subject of the invitation to tender within the scope of Lot 1 is technical testing of all components relevant to IT operations. The technical examinations are divided into four areas:
- Verification of configurations,
- Scanning of IT components and network areas for vulnerabilities,
- Execution of penetration tests, as well as
- Carrying out individual examinations.
Configuration checks are used to identify vulnerabilities resulting from the current configuration. Vulnerability scans are designed to help identify previously undetected vulnerabilities. For this purpose, both an internal and an external network area, or individually named IT components, must be checked automatically with suitable tools and supplemented by manual checks. Penetration tests are to be carried out according to an established and recognized penetration testing standard (OSSTMM or comparable), generally as a grey box test. For smaller functional enhancements without significant architecture changes, supplementary penetration tests must be carried out. In addition, password audits must be carried out to identify insecure passwords.
Demarcation:
If a technical examination, for example a penetration test or vulnerability scan, is to be carried out for gematik GmbH as part of an assessment, this is part of Lot 6 "Auditing information security and KRITIS" and must be provided there as a service.
Consulting and services for secure IT operations
The clients use a broad portfolio of individually adapted standard applications and individual applications. The operation of the IT landscape is mainly carried out by spin-off IT service providers. For the provision of basic services (e.g. data center, platform, network infrastructure or telephony operation), some of them in turn rely on external service providers that do not belong to the AOK community.
The subject of the invitation to tender under Lot 2 is to advise clients on IT security issues and to provide support with the following services:
- Creation and maintenance of recommendations for system hardening (hardening recommendations) and security standards
- Execution of process analyses
- Evaluation of concepts for secure IT operations
- Support in the creation and maintenance of security concepts
- Consulting on IT security
- Workshops on security-related aspects of an IT component.
Demarcations:
- Consulting services according to § 8a BSIG (KritisV) and topics of information security arising from ISO/IEC 27001ff are excluded.
- Risk and hazard analyses are to be carried out from a purely technical perspective using the contracting authorities' specific risk assessment methodology.
- The advice, planning, conception and implementation of awareness training and awareness-raising activities are part of Lot 5.
Secure application development
The clients have a broad portfolio of applications. These applications are developed both by the clients (AG) themselves and by external partners. The applications include specialist applications for internal use by the specialist departments, interfaces for service provision, web portals for insured persons and interested parties, and solutions for the automation of tasks. Development is carried out according to both linear and iterative development models. The types of application include in particular:
- Applications
- Web services
- Mobile apps for Android and iOS
- SAP-based statutory health insurance platform oscare
- Extensions and modules for standard applications (e.g. Microsoft Office, Typo 3, Google Angular)
- Command line based scripts.
In the context of statutory health insurance, the developed applications usually process social data in accordance with § 67 para. 1 SGB X. Depending on the procedure, further special categories of data pursuant to Art. 9 para. 1 General Data Protection Regulation (GDPR) may also be processed. As independent corporations under public law, the AOKs and their working groups (such as AOK-Bundesverband GbR, ITSCare GbR, gkv informatik, kubusIT GbR, AML-Gesellschaft) may also be subject to further requirements for data processing arising from state-specific regulations and specifications.
The subject of the invitation to tender under Lot 3 is advice on secure application development. This is divided into six areas:
- Execution of source code audits
- Review of development processes
- Consulting for secure application development
- Preparation and review of threat analyses
- Creation and review of coding guidelines
- Training with a focus on secure application development.
For source code audits, both automated and manual analyses are to be carried out. In addition to static, dynamic and interactive analyses, the software components used and their further dependencies must also be analyzed, e.g. for known security vulnerabilities and licensing. The application development processes for software or parts thereof are to be analyzed in order, among other things, to assess the maturity of the process(es), to carry out a risk assessment and to identify potential for improvement. Consulting on secure application development must take into account current topics and trends as well as new technologies relevant to the clients. In order to create or review threat analyses, all relevant information for an individual application must be collected and supplemented in a targeted manner in accordance with a standard to be agreed (e.g. Microsoft STRIDE). In addition, the clients must be supported in the risk-based assessment of identified threats. Coding guidelines must be created, reviewed and, if necessary, updated, taking into account industry-standard frameworks (e.g. Python Django, PHP Laminas) or libraries (e.g. Java JAXB, C# RestSharp). Target group-oriented training with a focus on secure application development must be carried out to maintain and improve qualifications and to raise awareness.
IT forensics
The clients use a broad portfolio of individually adapted standard applications and individual applications. The operation of the IT landscape is mainly carried out by spin-off IT service providers. For the provision of basic services (e.g. data center, platform, network infrastructure or telephony operation), some of them in turn rely on external service providers that do not belong to the AOK community.
The subject of the invitation to tender within the framework of Lot 4 is the strategic preparation of the clients and the execution of forensic analyses to identify and secure relevant data as well as to prepare evidence that can be used in court.
As part of the strategic preparation, the following services must be provided:
- Review of existing infrastructure
- Forensic workstation configuration
- Guide to initial action in the event of an IT security incident
- Provision of guidelines for preservation of evidence in the event of IT security incidents
- Documentation of the selection of forensic tools
- Review of the incident management process
As part of the incident investigation, the following services must be provided:
- Operational preparation
- Data collection
- Data examination
- Data analysis
- Documentation of the incident
- Recommendation for immediate shutdown or continued operation of the IT system
- Preservation of evidence
- Support for the clients' (AG) lawyers on technical questions
- Technical support for the working group at internal escalation meetings
- Documentation of potential for improvement in the clients' (AG) chain of custody for evidence.
Demarcation:
Data recovery and repair in case of defects in storage media are not part of the service.
Consulting on information security and KRITIS
The clients use a broad portfolio of individually adapted standard applications and individual applications. The operation of the IT landscape is mainly carried out by spin-off IT service providers. For the provision of basic services (e.g. data center, platform, network infrastructure or telephony operation), these IT service providers sometimes rely on external service providers not belonging to the AOK community.
Some of the clients are or will become "operators of a critical infrastructure" according to the KRITIS Regulation (KritisV) and are therefore already, or will in future be, subject to the requirements of the BSIG and the KritisV.
The clients are mainly guided by ISO/IEC 27000ff or ISO/IEC 27001 on the basis of IT-Grundschutz.
The subject of the invitation to tender within the framework of Lot 5 is consulting on information security and KRITIS, including verification in accordance with § 8a para. 3 BSIG, in the regulatory environment. The following services must be provided:
- Consulting and support for the conception, introduction, operation and further development of an ISMS according to ISO/IEC 27001
- Implementation of training courses incl. optional certification option for the participants
- Conception, consulting, creation, further development and establishment of a B3S according to § 8a BSIG (KritisV), as well as accompaniment and support of the application procedure for the B3S at the BSI
- Advice and support on all topics of information security arising from the ISO/IEC 27000ff series of standards
- Preparation and support of audits arising from the ISO 27000ff series of standards and/or the verification according to § 8a BSIG
- Consulting and support for information security in business processes.
In order to sharpen and deepen employee awareness of IT and information security issues, individual, targeted awareness and prevention campaigns must be planned, created and carried out online or at the respective locations of the clients.
Demarcation:
The following services are not part of the service, but are covered by Lot 6:
- Auditing of management systems according to ISO 27000f
- Verification according to § 8a para. 3 BSIG
- Certification, surveillance, recertification audits and pre-audits to verify certification eligibility
- Verification according to § 8a para. 3 BSIG and the respective audit of the management system as a combined audit
- Approval tests and preparation of security reports according to the specifications of gematik GmbH.
Auditing information security and KRITIS
The clients (AG) use a broad portfolio of individually adapted standard applications and individual applications. The operation of the IT landscape is mainly carried out by spin-off IT service providers. For the provision of basic services (e.g. data center, platform, network infrastructure or telephony operation), these IT service providers sometimes rely on external service providers not belonging to the AOK community.
Some of the clients (AG) are or will become "operators of a critical infrastructure" according to the KRITIS Regulation (KritisV) and are therefore in part already, or will in future be, subject to the requirements of the BSIG and consequently the KritisV.
The clients are mainly guided by the ISO/IEC 27000ff series of standards and ISO/IEC 27001 on the basis of IT-Grundschutz.
The subject of the invitation to tender within the framework of Lot 6 is the auditing of information security and verification in accordance with § 8a para. 3 BSIG in the regulatory environment. The following services must be provided:
- Auditing of management systems according to ISO 27000f
- Verification according to § 8a para. 3 BSIG
- Certification, surveillance, recertification audits and pre-audits to verify certification eligibility
- Verification according to § 8a para. 3 BSIG and the respective audit of the management system as a combined audit
- Approval tests and preparation of security reports according to the specifications of gematik GmbH.
Demarcation:
The following services are not part of the service, but are covered by Lot 5:
- Consulting and support for the conception, introduction, operation and further development of an ISMS according to ISO/IEC 27001
- Implementation of training courses incl. optional certification option for the participants
- Conception, consulting, creation, further development and establishment of a B3S according to § 8a BSIG (KritisV), as well as accompaniment and support of the application procedure for the B3S at the BSI
- Advice and support on all topics of information security arising from the ISO/IEC 27000ff series of standards
- Preparation and support of audits arising from the ISO 27000ff series of standards and/or the verification according to § 8a BSIG, as well as
- Consulting and support for information security in business processes
- Planning and implementation of awareness and prevention campaigns.