Enhancement and Support of Cyber Security at the Regional Hospital Příbram, a.s. | Tenderlake


Contract Value:
CZK -
Notice Type:
Contract Notice
Published Date:
10 December 2025
Closing Date:
07 January 2026
Location(s):
CZ020 Středočeský kraj (CZ Czech Republic/ČESKÁ REPUBLIKA)
Description:
The procurement aims to strengthen cyber security at Regional Hospital Příbram through the acquisition of hardware and software, covering various aspects such as communication network security, LAN infrastructure, event recording, incident detection, application security, and backup technology.

The purpose of the public procurement is to ensure a comprehensive strengthening of cyber security at the premises I and II of the Regional Hospital Příbram, a.s., within the project "Enhancement and Support of Cyber Security at the Regional Hospital Příbram, a.s." The project responds to the requirements of Act No. 264/2025 Coll., on Cyber Security, and Decree NÚKIB No. 409/2025 Coll. The technical specification of the subject of the procurement corresponds to the target state (the so-called to-be) and serves as a binding framework to ensure compliance with the obligations of the regulated service provider under a regime of higher obligations.

The subject of the procurement includes the acquisition of hardware and software to ensure the cyber security standards of the client.

The fulfillment of the public procurement will include the following deliveries and related services in each relevant part as divided below:
• delivery of core switches
• delivery of distribution switches
• delivery of access switches with PoE
• delivery of EDR/XDR systems for endpoint protection
• delivery and implementation of privileged access management (PAM) system
• delivery and implementation of centralized network access control (NAC) system
• delivery of the necessary and further specified accessories

The public procurement is divided into a total of seven parts:
• Part 1 - Technology for Communication Network Security
• Part 2 - LAN (switching) Infrastructure
• Part 3 - Event Recording and Log Management Technology
• Part 4 - SIEM Incident Detection and Evaluation Technology
• Part 5 - Application Security Software and Cryptographic Algorithms
• Part 6 - Backup Technology
• Part 7 - Software for Identity and Access Management

Each supplier may submit a bid for any part of the procurement, whether for several parts or only for selected ones.

A detailed description of the fulfillment subject for each part of the public procurement is in Appendix No. 1 of the procurement documentation, which includes a description of individual parts of the public procurement, and further in the draft contract for the fulfillment of the respective part of the public procurement (for parts 1 - 4 and 6 it is Appendix No. 3 of the procurement documentation, and for parts 5 and 7 it is Appendix No. 4 of the procurement documentation).

All parts of the procurement will also include the following activities:
• installation to the extent required by the client, at the location designated by the client
• conducting acceptance tests, including at least functional tests, security tests, and also penetration tests as needed. The results will be delivered in reports with clear acceptance criteria and remedial actions
• ensuring training for administrators and selected users for all supplied technologies (NGFW/IPS, NAC, EDR/XDR, PAM, email gateway, log management/SIEM, Wi-Fi, backup/DR). This will include syllabus, duration, form, and confirmation of training
• handing over a complete documentation package for the fulfillment: technical (HLD/LLD, configuration), operational (runbooks, recovery procedures), security (policies, settings, use-cases, retention and access policies).

For all parts of the public procurement, the client sets the following requirements:
Availability, scalability and recovery
• The solution must be dimensioned for 24×7×365, with HA for critical components and scalability (performance/volume of logs/number of endpoints/SSID).
• High availability must be ensured for key systems through HA clusters, or cloud or on-premise redundancy. Systems will be dimensioned for the 24×7×365 mode.
• The solution must support backup and recovery of configurations (NGFW, NAC, SIEM, PAM, EDR, email, controller) and define RPO/RTO for key parts.
Integration, management and supervision
• The solution must have centralized management for each technology domain and integrate via standard interfaces (Syslog/CEF/REST API/LDAP/RADIUS/MFA/SNMP).
• The solution must provide role-based access (RBAC), an audit trail in management, and delegation of rights (NOC vs. SOC vs. system admins).
Compliance, documentation, support and training
• The solution must comply with legal and regulatory requirements (NÚKIB, ZKB and implementing decrees; GDPR for email/DLP/telemetry).
• The solution must be delivered with operational and security documentation (network and security policies, HLD/LLD, operational manuals, runbooks/playbooks).
• The solution must include maintenance & support 24×7×365 for 5 years for all components (updates, patches, support, spare parts/software recovery).
• All supplied devices and software must come from the manufacturer's authorized sales channel and must be intended for the Czech Republic.
• The supplier will provide training for 4 administrators and 4 selected users for a minimum of 40 hours at the client's location on all supplied components. The training will include operation and maintenance of the solution as well as security aspects of its usage. The supplier will provide syllabus, hours range, and a list of trained individuals.
Acceptance and acceptance tests
The supplier will conduct acceptance tests for all provided components. The tests will include:
• functional tests confirming compliance with all minimum parameters specified in the procurement documentation (performance, throughput, log capacity, number of endpoints/SSID, etc.),
• security tests (e.g. IPS/IDS blocking, NAC response, isolation/rollback in EDR, blocking of IOC/URL)
• depending on the nature of the element, also penetration test of configuration.
The results will be submitted in acceptance reports with measured values, met/unmet criteria, and proposed corrective measures. Acceptance will occur only after the removal of defects classified as significant.
The supplier will deliver along with the subject of the delivery an audit trail of the implementation including at least: installation and configuration logs, change-log of changes made, a list of activated licenses and software versions, logs from acceptance tests, and records of the handover into operation.
The supplier will also provide along with the subject of the delivery all its complete documentation including:
• HLD/LLD, network and security policies,
• configuration extracts of key elements (NGFW, NAC, SIEM/XDR, EDR, PAM, email, switches),
• operational manuals and runbooks/playbooks (incident response, SOAR, DR),
• security settings including retention and access policies and a list of exceptions.


LOT-0007
Part 7 – Software for Identity and Access Management.
The subject of this part of the public procurement is the supply of software for identity and access management under the provisions of §§ 19 and 20 of Decree NÚKIB No. 409/2025 Coll., as amended.
The expansion of the identity management system (e.g., MS AD) with IDM/PAM type tools supporting 802.1X authentication and AAA is required. Centralized administration of permissions, access policy settings, and integration with the network infrastructure is required.
Privileged Access Management (PAM)
• The solution must manage privileged accounts and access (vaulting passwords/keys, approval workflows, session recording, live monitoring).
• The solution must separate administrative sessions (RDP/SSH/HTTPS) through a controlled proxy/connector and connect to AD/LDAP/MFA.
• The solution must provide audit evidence (video + textual trail, non-repudiation) and integrate with SIEM for change correlation.
Privileged Access System (PAM) – VM
The client demands the implementation of a system for privileged access management (Privileged Access Management – PAM) that ensures secure management of administrator accounts, monitoring and recording of privileged user activities, controlling access to systems, network devices, and databases, and enforcing zero trust policies. The solution must be deployed as a virtual appliance capable of servicing up to 30 concurrently connected users and must be delivered along with all necessary components to meet the requirements described below. Ensuring compliance with NÚKIB requirements and logging of all activities is considered key. The solution must include a license for 5 years and support in a 24×7×365 mode.


LOT-0001
Part 1 - Technology for Communication Network Security.
This concerns technology to ensure communication network security under the provisions of § 18 et seq. of Decree NÚKIB No. 409/2025 Coll., as amended.
Deployment of advanced security elements including next-generation firewalls (NGFW) with high throughput, in redundancy (HA) with IPS, URL/DNS filtering, antivirus, and antimalware functions is required. Logical network segmentation including serving as internal firewalls separating individual VLANs and subnets within the hospital premises is to be included. The delivery will also include final penetration tests.
• The solution must deploy next-generation firewalls (NGFW) at the perimeter and for internal segments.
• The solution must be capable of ensuring complete LAN segmentation configuration.
• The solution must be able to enforce L2–L7 policies including IPS/IDS, App Control, URL/DNS filtering, antimalware, and SSL inspection (with exception management).
• The solution must support site-to-site and remote access VPN with MFA for administrative and clinical access.
• The solution must provide automated responses (communication blocking, quarantine moves, dynamic policy updates) based on its own detection as well as external prompts from EDR/NAC/SIEM.
• The solution must be fully compatible with the existing firewalls of the client (local and at external workplaces) and allow complete transfer of existing configurations (firewall rules, IPSEC tunnels, etc.) with zero or minimal service interruption.

Next-generation firewall (NGFW) – hardware appliance – 2 units
The client requests delivery of two identical next-generation firewall (NGFW) devices to ensure perimeter and internal network protection, with high throughput and low latency. The firewall must include features for advanced threat detection, antivirus protection, content filtering, application control, and additional security inspection tools. The devices must be delivered as high-performance physical appliances designed for redundant deployment (HA cluster, active-active; on failure of one device, established connections fail over to the remaining device without interruption and with full functionality) with centralized management directly on the box. The delivery must include all licenses for the required functionalities described below. The highly available firewall cluster will be redundantly connected to the core switch stack to ensure uninterrupted operation.
(IPS, AI-based Inline Malware Prevention, Inline CASB Database, DLP, App Control, Adv Malware Protection, URL/DNS/Video Filtering, Anti-spam, Attack Surface Security, Converter Svc, FortiCare Premium)
IPS, Advanced Malware Protection, Application Control, URL, DNS & Video Filtering, Antispam Service, and FortiCare Premium


LOT-0002
Part 2 – LAN (switching) Infrastructure.
Switching infrastructure
The delivery of core switches with 10/25/100 GbE interfaces, power redundancy, and L2/L3 capabilities is required. The switches will be part of a secure MCN (Mission Critical Network) architecture and will support link aggregation (LAG), QoS, and VLAN segmentation. All supplied switches must be from the same manufacturer and fully interconnectable.
Network architecture and segmentation
• The solution must implement a multilayer architecture (core, distribution, and access layer) with logical segmentation into security zones (e.g., clinical IS, administrative zone, IoT/medtech, servers, Wi-Fi, laboratories, guest/host).
• The solution must enforce micro-segmentation (L2/L3) and control communication between zones exclusively via NGFW.
• The solution must ensure high availability (HA) of key elements (core switches, NGFW, log management, email gateway) and redundant power in the network nodes of premises I/II.
• The solution must utilize core L2/L3 switches with 25/100 Gb/s uplinks, redundant power, and low latency.
• The solution must support LACP, QoS, ACL, DHCP/IGMP snooping, 802.1X, port security, and PoE where requested (AP, IP cameras, VoIP) at the distribution/access layer.
• The solution must allow traffic mirroring (SPAN/RSPAN).
• The solution must be fully compatible with the existing operational core switch of the client and allow complete transfer of the existing configuration.
Network Access Control (NAC) – Virtual appliance
The client requests deployment of a centralized network access control system (NAC) as a virtual appliance providing complete visibility, control, and automated response to connected devices, including IoT, BYOD, guests, and unknown endpoints. The solution must support extensive device profiling (agent/agentless), dynamic VLAN steering, role-based segmentation, automated responses for detected risks, and integration with other security systems. The solution must be provided as an application and control layer in the form of a virtual appliance with a license and support for 5 years. The solution must include licenses allowing management of at least 1600 concurrently connected devices (endpoints) in the network. The licenses must contain NAC functionalities described below for a minimum of 5 years, including complete technical support in a 24×7×365 mode.


LOT-0003
Part 3 – Event Recording and Log Management Technology.
This concerns technology for event recording and log management as per the requirements of § 22 of Decree NÚKIB No. 409/2025 Coll., as amended.
The central log management system will receive and store operational and security records from all network devices, servers, and endpoints. Time synchronization (NTP), a structured log format, a minimum retention period of 18 months, support for event correlation, and export for forensic analysis are required. The delivery of a specialized physical device is preferred. In the case of a solution based on a virtual system, corresponding hardware that meets all operational requirements of the offered system must also be part of the delivery.
The delivery assumes the deployment and commissioning of a log management (LM) system ensuring central collection, storage, and visualization of event records (operational, system, error, security, audit, etc.). The LM system manages the storage and any further processing of these logs. The system collects logs primarily from the NGFW firewalls and switches supplied as part of this project. At the same time, there should be an option to add logging from other network devices, e.g., via the syslog protocol.
The system must correlate the collected logs. The results will be presented in the management interface, with the option to send them to defined recipients.


LOT-0004
Part 4 – SIEM Incident Detection and Evaluation Technology.
This pertains to technology for detecting cybersecurity events under § 21 of Decree NÚKIB No. 409/2025 Coll., as amended, and for evaluating cybersecurity events under § 23 of the same decree.
The solution includes IDS and SIEM/XDR type tools for detecting and correlating security events, with outputs directed to the Security Operations Center (SOC). Support for real-time evaluation and incident handling in accordance with NÚKIB's requirements is required.
Central log management / SIEM + automation (SOAR)
• The solution must collect, store, and index operational and security logs (network, NGFW, EDR, NAC, AP, servers, OS, applications) in the required daily volume.
• The solution must perform event correlation, utilize threat intelligence/IOC, and generate alerts with prioritization.
• The solution must support SOAR playbooks (automatic steps: endpoint quarantine, firewall policy modification, account deactivation, ticket creation).
• The solution must meet retention and export requirements (audit, incident response), including time synchronization (NTP) and access control (RBAC).
• All log sources and SIEM will be synchronized with at least one NTP server.
Incident response and operational processes
• The solution must provide a unified incident workflow: detection (EDR/NAC/NGFW/e-mail) → correlation (SIEM) → automatic response (SOAR) → escalation (ticketing) → forensic analysis (EDR/PAM/logs).
• The solution must support measurable metrics (MTTD, MTTR), 24×7 notifications, and the creation of post-incident reports (including exports for oversight/audit).
• The solution must enable recovery tests (tabletop, technical DR tests) and penetration/configuration audits as planned.
• SIEM must support RBAC with integration to AD/LDAP.
• SIEM must log changes of permissions/roles and allow their export (e.g., Syslog/CEF/JSON).
Central log management / SIEM system – 1 unit
The contracting authority requires the delivery of a central log evaluation solution from devices on the network. This system must be capable of processing at least 25 GB of logs daily, support real-time threat detection, event correlation, visualization, reporting, and overviews for audit and security management. Support for IOC detection, outbreak analysis, and the ability to deploy as a virtual appliance is required. The delivery must also include hardware on which the system will operate.
LOT-0005
Part 5 – Software for Application Security and Cryptographic Algorithms.
This pertains to software ensuring compliance with the application security requirements of § 24 of Decree NÚKIB No. 409/2025 Coll., on security measures for providers of regulated services in the regime of higher obligations, and with the cryptographic algorithm requirements of § 25 of the same decree.
This includes the deployment of application firewalls, EDR agents, and centralized OS update management. Endpoints will be unified to OS W11 (or W10 with the purchase of extended support) and supplemented with AV/AM protection including sandboxing.
Implementation of cryptographic tools for the protection of transmission and storage of sensitive data (e.g., health documentation), including disk encryption, encrypted communication (TLS, IPsec VPN), and security keys for access elements.
Protection of endpoints and clients (EDR/XDR)
• The solution must protect PCs/Laptops/VDI/servers using EDR/XDR agents (pre/post-infection protection, behavioral detection, ML, IOC/IOA).
• The solution must be able to isolate endpoints, terminate malicious processes, perform rollbacks, generate forensic traces, and forward incidents to SIEM/SOAR.
• The solution must provide centralized management and overview (telemetry, hunting, attack timeline) for at least the defined number of stations (see licensing scopes).
Endpoint Protection – Full EDR/XDR solution (1000 endpoints)
EDR/XDR system for protecting endpoints and servers
The contracting authority requires the delivery of an EDR/XDR system for protecting end devices (desktops, laptops, thin clients), servers, and virtualized environments. The solution must be operable both on-premise and in the cloud, providing advanced detection and response to cybersecurity threats at the individual endpoint level, including the ability for event correlation, behavioral analysis, and automated interventions. It must not be a classic antivirus solution, but a modern security platform with predictive analysis and continuous monitoring features.
Support, security oversight, and maintenance of the solution in 24×7×365 mode for 5 years are required. This will include technical assistance, including regular incident evaluations and recommendations for corrective measures, access to updates, licenses, security patches, and technical consulting.
LOT-0006
Part 6 – Backup Technology.
This pertains to technology for redundancy, backup, and availability of regulated services under § 26 of Decree NÚKIB No. 409/2025 Coll., as amended.
Backup in a 3-2-1 regime is required, i.e., three copies, two different media, one off-site backup. The contracting authority requests the provision of an off-site backup device including the appropriate software to supplement the existing backup system. The system will be sized for a 24x7x365 regime.

The Buyer:
Oblastní nemocnice Příbram, a.s.
CPV Code(s):
32420000 - Network equipment
48000000 - Software package and information systems