How-To
| RFI-15434 Provision of Biometric Liveness Detection Solutions that can support the strategic objectives of the myID app. | ||
|---|---|---|
| Steps to complete SoR Response Form | Notes | |
| 1.0 | In Column D - Select Response compliance for each criteria using the drop down menu | |
| 2.0 | Column E - Add response to criteria and include an explanation on how you meet the criteria | |
| 3.0 | Complete and Return the Security documents: FOCI Form | |
| The Tenderer should identify in the Part 3a RFI Response Form – Technical, each instance where either it, or its offer, only partially complies, or does not comply, with an item or paragraph in the Part 2 – Statement of Requirements: | ||
| Where an item or paragraph is of an informative nature only, the Respondent should select “Partially complies” if it only partially understands and accepts it, or “Does not comply” if it does not understand and accept it, otherwise the Respondent will be taken to have understood and accepted it. | ||
| Should you wish to supply additional information that will not fit into the Excel document, please supply them as attachments to the response and indicate what attachment is relevant to the Statement of Requirement. |
SoR Response
| # | Description | Criticality | Response Compliance | Vendor Comments | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Biometric Capture and Liveness Detection | |||||||||||||||
| LV-1 | The solution MUST capture biometric images of sufficient quality for biometric comparison, complying with ISO/IEC 29794-5 when generating the image quality profile of the acquired image. | Mandatory | Partially Compliant | ||||||||||||
| LV-2 | The solution MUST implement automated image-quality controls within its biometric capability and provide clear user-interface guidance to direct a user to capture an image that meets the required image quality profile. | Mandatory | Non-Compliant | ||||||||||||
| LV-3 | The solution MUST employ presentation attack detection (PAD) to determine whether the acquired image originates from a living human subject present at the point of capture. | Mandatory | |||||||||||||
| LV-4 | The solution MUST complete image capture and presentation attack detection (PAD) as part of a single continuous process before the image is submitted to the ATO system for online biometric verification to prevent exploitation via separation of acquisition and PAD. | Mandatory | |||||||||||||
| LV-5 | The solution MUST ensure PAD technology meets at least Evaluation Assurance Level 2 (Level B) as defined by ISO/IEC 30107-3:2023 and the Digital ID (Accreditation) Data Standards. | Mandatory | |||||||||||||
| LV-6 | The solution MUST have been tested or validated by a qualified third-party biometric testing entity experienced in ISO/IEC 30107 to evidence the PAD meets Evaluation Assurance Level 2 (Level B) requirements. | Mandatory | |||||||||||||
| Technical Verifaction and Biometric Binding | |||||||||||||||
| TV-1 | When performing technical verification of a foreign ePassport, the solution MUST: a. Comply with the relevant sections of ICAO Doc 9303 for remote Public Key Infrastructure (PKI) verification; and b. Check any published certificate revocation lists (CRLs) or equivalent mechanisms to determine if the ePassport has been cancelled. | Mandatory | |||||||||||||
| TV-2 | When conducting online biometric binding, the solution MUST: • Complete binding within a single continuous workflow; • Include liveness detection as part of presentation attack (PAD); • Execute PAD at the point of capture; • Complete capture and PAD prior to submission for biometric binding; and • Use PAD technology that incorporates data from both the data capture subsystem and system-level monitoring consistent with ISO/IEC 30107-1 | Mandatory | |||||||||||||
| TV-3 | The solution MUST demonstrate, with a minimum 90% confidence interval, that its biometric matching algorithm achieves a False Match Rate (FMR) of no more than 0.01% and a False Non-Match Rate (FNMR) of no more than 3%, in accordance with ISO/IEC TS 19795-9:2019. | Mandatory | |||||||||||||
| Scalability | |||||||||||||||
| S-1 | The solution MUST be scalable to ensure performance requirements are met under variable and increasing usage patterns. | Mandatory | |||||||||||||
| S-2 | The solution MUST support SaaS solution. | Mandatory | |||||||||||||
| Performance | |||||||||||||||
| P-1 | The solution MUST support peak loads of 10,000 verifications per hour with a 95th percentile response time ≤ 1000 ms. | Mandatory | |||||||||||||
| P-2 | The Tenderer MUST provide: (i) Licensed Software performance metrics and test regimes used; (ii) Licensed Software infrastructure design specifications and (iii) A Software Capacity Plan and supplier strategies for scaling. | Mandatory | |||||||||||||
| Availability | |||||||||||||||
| A-1 | The solution MUST achieve or exceed 99.95% availability. (Note: ATO provides cloud infrastructure where applicable.) | Mandatory | |||||||||||||
| Hosting | |||||||||||||||
| H-1 | The solution MUST be a cloud-hosted Software as a Service (SaaS) offering, delivered via a secure, scalable, and vendor-managed environment. | Mandatory | |||||||||||||
| H-2 | If cloud-based, the Tenderer MUST describe connectivity with current AWS technologies and services, connectivity methods (e.g., AWS PrivateLink) and resources required from ATO to support connectivity. | Mandatory | |||||||||||||
| Integration | |||||||||||||||
| IN-1 | The solution MUST support the Microsoft MAUI development environment and provide bindings for client API access. | Mandatory | |||||||||||||
| IN-2 | The solution MUST support operation through standard web browsers in addition to mobile platforms. This includes providing a seamless and secure user experience for individuals completing liveness verification via browser-based channels (e.g., Chrome, Safari, Edge, Firefox). | Mandatory | |||||||||||||
| IN-3 | Where the solution is not hosted within an ATO Software Service, the solution MUST not require server affinity. | Mandatory | |||||||||||||
| IN-4 | The solution MUST support silent automated deployments, including infrastructure setup (IaaS), where ATO is responsible for deployment. | Mandatory | |||||||||||||
| IN-5 | The Tenderer SHOULD provide two short case studies demonstrating delivery of similar services in high-volume, large-scale deployments, including references. | Desireable |
Compliance
| # | Description | Criticality | Response Compliance | Vendor Comments | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security and Confidentiality | |||||||||||||||
| SC-1 | The solution MUST be able to show evidence of ability to comply to PSPF, ISM, Essential 8 requirements and other security requirements as defined in Digital ID ACT 2024. | Mandatory | Partially Compliant | ||||||||||||
| SC-2 | The solution MUST be able to demonstrate ability to comply with the Australian Privacy Principles. | Mandatory | Non-Compliant | ||||||||||||
| SC-3 | The solution SHOULD secure all collected, held or used data (Personal Information, ATO Data, ATO Material, and inter-agency information) in use and at rest using ASD-approved cryptographic algorithms consistent with the Australian Government ISM or NIST. | Desirable | |||||||||||||
| SC-4 | The solution SHOULD include controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service. | Desirable | |||||||||||||
| SC-5 | The solution/service MUST NOT transfer Personal Information outside Australia. | Mandatory | |||||||||||||
| SC-6 | The solution MUST be capable of meeting relevant ISM controls to allow the ATO’s Information Security Advisor to issue certification at the PROTECTED level. | Mandatory | |||||||||||||
| SC-7 | All Personal and ATO data MUST be hosted and stored in Australia and comply with Australian data sovereignty laws and the Data Hosting Certification Framework. | Mandatory | |||||||||||||
| SC-8 | The Tenderer SHOULD list all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data. | Desirable | |||||||||||||
| Operations, Support and Maintenance | |||||||||||||||
| Operations | |||||||||||||||
| OP-1 | The Tenderer MUST Provide secure, isolated non-production (production environments) coupled with 24x7 monitoring. | Mandatory | |||||||||||||
| OP-2 | The solution SHOULD enable dynamic, automated test environments with integration testing. | Desirable | |||||||||||||
| OP-3 | The provider MUST maintain data sovereignty and provide internal real-time service status visibility. | Mandatory | |||||||||||||
| OP-4 | The solution MUST continuously monitor access and privileged activities. | Mandatory | |||||||||||||
| OP-5 | The Tenderer MUST provide assurance that system access is limited to approved IP ranges that are regionally localised. | Mandatory | |||||||||||||
| OP-6 | The solution SHOULD provide mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems. | Desirable | |||||||||||||
| OP-7 | The solution MUST deliver real-time alerts for high-risk or policy-violating behaviors, including biometric failures. | Mandatory | |||||||||||||
| OP-8 | The solution SHOULD support tiered alerting based on risk severity and detect abnormal access or potential data loss incidents. | Desirable | |||||||||||||
| OP-9 | The solution MUST provide Australian-based NV1-cleared support, maintain compliance with ISM timelines, deliver governance reporting, and enable secure incident management via an iRAP-certified portal. | Mandatory | |||||||||||||
| OP-10 | The Tenderer MUST offer dedicated helpdesk, roadmap for fraud prevention, knowledge transfer, and demonstrate experience with government identity systems and security certifications as well as SLA mgt and governance. | Mandatory | |||||||||||||
| Vendor Implementation, Support & Maintenance | |||||||||||||||
| VISM-1 | The Tenderer MUST provide solution-specific support and troubleshooting via a formal helpdesk function. | Mandatory | |||||||||||||
| VISM-2 | The Tenderer MUST provide documented processes, manuals and operational instructions to support the solution. | Mandatory | |||||||||||||
| VISM-3 | The Tenderer MUST provide ongoing support to ensure software is kept up to date with regular patching and updates. | Mandatory | |||||||||||||
| VISM-4 | The solution MUST provide ongoing platform maintenance services. | Mandatory | |||||||||||||
| VISM-5 | The Tenderer SHOULD provide roadmaps and planned updates in fraud prevention and identity technology. | Desirable | |||||||||||||
| VISM-6 | The Tenderer SHOULD demonstrate proven experience in successful implementation of similar systems in other Government Agencies. | Desirable | |||||||||||||
| VISM-7 | The Tenderer SHOULD describe emerging technologies and recommendations based on vendor research. | Desirable | |||||||||||||
| Maintainability | |||||||||||||||
| M-1 | The Tenderer MUST keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components. | Mandatory | |||||||||||||
| Reporting and Monitoring | |||||||||||||||
| RM-1 | The solution MUST centrally log system activity, including security setting modifications, verification activities, and support shipping logs to ATO’s logging system. | Mandatory | |||||||||||||
| RM-2 | The solution MUST provide configurable metrics, dashboards and drill-down visualisations (e.g., capture time statistics, failure to enrol/acquire rates). | Mandatory | |||||||||||||
| RM-3 | The solution MUST provide ATO with appropriate access to view logs (requests, response payloads and processing status) for troubleshooting. | Mandatory | |||||||||||||
| RM-4 | The Tenderer MUST describe monitoring capability or integration options. | Mandatory | |||||||||||||
| User Experience and Accessibility | |||||||||||||||
| UX-1 | The solution MUST support Mobile First and Responsive Web Design methodologies. | Mandatory | |||||||||||||
| UX-2 | The Tenderer MUST provide UI standards, UI screen designs, and UX documentation including user flow mappings. | Mandatory | |||||||||||||
| UX-3 | The solution MUST conform to WCAG 2.1 Level AA for mobile and web browser experiences. | Mandatory | |||||||||||||
| UX-4 | The solution MUST provide the ATO with the ability to customise user experience elements. | Mandatory |