Consulting Services to Develop a Cybersecurity Policy Framework for the Organization of Eastern Caribbean States (OECS)

Published: 5/6/2024 11:16:34 AM
Description:

 

REQUEST FOR EXPRESSIONS OF INTEREST

Organisation of Eastern Caribbean States

Caribbean Digital Transformation Project (CARDTP)

Grant No.: IDA – D6520

Assignment Title: Consulting Services to Develop a Cybersecurity Policy Framework for the Organization of Eastern Caribbean States (OECS)

Reference No.: LC-OECS COMMISSION-412911-CS-CQS

The Organisation of Eastern Caribbean States (OECS) Commission has received funding from the World Bank toward the cost of the Caribbean Digital Transformation Project (CARDTP) and intends to apply part of the proceeds for Consulting Services to Develop a Cybersecurity Policy Framework for the Organization of Eastern Caribbean States (OECS).

The objective of the consulting services (“the Services”) is to develop a cybersecurity policy framework and guidelines for the region and the beneficiary countries, including:

  1. Developing a cybersecurity roadmap which identifies priorities and formulates general objectives for the Eastern Caribbean region.
  2. Defining one national implementation plan for each of the beneficiary countries (Grenada, Dominica, Saint Lucia, and St. Vincent and the Grenadines) outlining an actionable approach to implement the roadmap defined at the regional level. 

The outputs must (i) reflect the common and respective needs, requirements, and objectives of Grenada, Dominica, Saint Lucia, and Saint Vincent and the Grenadines (“beneficiary countries”) and (ii) promote regional harmonization and international good practices and be aligned with national and regional security strategies.

The assignment is expected to be undertaken over a period of one (1) year.

The OECS now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The minimum required qualifications and experience are listed in section 4 of the Terms of Reference (TOR). The details of the services required are set out in the TOR, which is available on the official website, www.oecs.int, or can be obtained at the address given below.

The attention of interested Consultants is drawn to Section III, paragraphs 3.14, 3.16, and 3.17 of the World Bank’s Procurement Regulations for IPF Borrowers, Fifth Edition, September 2023 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest.

To obtain the maximum degree of comparability among Expressions of Interest (EOIs) and to facilitate the evaluation process, the EOI should be a maximum of 30 pages and include the following information:

  • Title page: name of the firm submitting the EOI (or of the joint venture and/or sub-consultancy, if applicable), address, email, telephone, name of contact person and date of submission.
  • Expression of Interest: the firm’s general and specific experience, similar assignments, curricula vitae of the pool of experts, etc.

Consultants may associate with other firms to enhance their qualifications, but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.

A Consultant will be selected in accordance with the Consultants’ Qualification selection method set out in the Procurement Regulations.

Further information can be obtained at the address below during office hours 08:30 a.m. – 4:00 p.m. (0830 to 1600 hours).

Ms. Jenna Flavien

Procurement Officer

Caribbean Digital Transformation Project

OECS Commission

Morne Fortuné

P.O. Box 1383

Castries

Saint Lucia

Telephone: 758-455-6424/285-1980

Email: procurementbids@oecs.int   

Copied to:

Mr. Imran Williams, imran.williams@oecs.int    

An electronic copy of the Expression of Interest must reach the OECS Commission by May 24, 2024, addressed to:

Ms. Jenna Flavien, Procurement Officer

At the following email address:

procurementbids@oecs.int

copied to imran.williams@oecs.int

Email submissions must include the name and address of the Consultant and must be clearly marked in the subject line as “Expression of Interest – Consulting Services to Develop a Cybersecurity Policy Framework for the Organization of Eastern Caribbean States (OECS)”.

Caribbean Digital Transformation Project

IDA – D6520

Scope of Services

Terms of Reference

Consulting Services to Develop a Cybersecurity Policy Framework for the Organization of Eastern Caribbean States (OECS)

May 2024

TABLE OF CONTENTS

1. PROJECT BACKGROUND
2. SCOPE OF SERVICES
3. ASSUMPTIONS UNDERLYING THE PROJECT
4. CONSULTANT REQUIREMENTS AND QUALIFICATIONS
5. ASSIGNMENT DURATION, DELIVERABLES AND PAYMENT SCHEDULE
6. REPORTING

1.    PROJECT BACKGROUND

The OECS Commission and the Governments of Grenada, Dominica, Saint Lucia, and St. Vincent and the Grenadines are implementing a digital transformation project financed by the World Bank Group. The Caribbean Digital Transformation Project (hereafter “the project”) comprises four components that address key bottlenecks and harness opportunities to develop the Eastern Caribbean digital economy as a driver of growth, job creation and improved service delivery. It aims to ensure that every individual and business within the region has the access to broadband, digital financial services and skills needed to participate actively in an increasingly digital marketplace and society. It leverages public sector modernization and digitization to improve service delivery and to drive the creation of a digital culture across the region. To support the improved management of digital risks, the project will bolster cybersecurity policy, capacity, and planning tools in the region. It will facilitate technology adoption to improve the productivity of flagship industries and create demand for digitally enabled jobs. It aims to foster regional integration and cooperation in order to capture the economies of scale and scope required to increase the impact and value for money of the project interventions, and to create a more competitive, seamless regional digital market that attracts investment and provides room for the growth of digital firms.

Component 1.3 of the project focuses on Cybersecurity, Data Protection and Privacy: Legal and Regulatory Environment, Institutions and Capacity. This sub-component, under the technical leadership of the Caribbean Community Implementing Agency for Crime and Security (CARICOM IMPACS), aims to build trust in online transactions and strengthen the security and resilience of digital infrastructure and systems. It will promote cybersecurity awareness and capacity building, and create the enabling environment and institutions needed to protect the public and private sectors from cyber threats. The project will use a combination of regional and national approaches to share knowledge and resources and to respond to shared threats.

2.    SCOPE OF SERVICES

Within the objectives of the project, the Organization of Eastern Caribbean States (OECS) Commission intends to engage a consulting firm (“the Consultant”) to develop a cybersecurity policy framework and guidelines for the region and the beneficiary countries, including:

  1. Develop a cybersecurity roadmap which identifies priorities and formulates general objectives for the Eastern Caribbean region.
  2. Define one national implementation plan for each of the beneficiary countries (Grenada, Dominica, Saint Lucia, and St. Vincent and the Grenadines) outlining an actionable approach to implement the roadmap defined at the regional level. 

The outputs must (i) reflect the common and respective needs, requirements, and objectives of Grenada, Dominica, Saint Lucia, and Saint Vincent and the Grenadines (“beneficiary countries”) and (ii) promote regional harmonization and international good practices and be aligned with national and regional security strategies. The Consultant must also consult with various national and regional stakeholders.

 
The scope of services of the Consultant is as follows:

Task 1: Conduct an assessment of the regional cybersecurity maturity and risk landscape and identify key priorities and objectives using internationally recognized methodological frameworks

  • Develop a detailed plan to carry out the mission, including the proposed approach and methodology, based on internationally recognised frameworks.
  • Prepare all relevant logistical information and requirements for the stakeholder consultation and data collection processes, including stakeholder engagement models, a list of organizations that should participate in workshops, necessary facilities, etc.
  • With the support of the OECS, identify all relevant stakeholders who will participate in the consultation process.
  • Conduct contextual documentary research, based on publicly available literature and relevant documents shared by the governments, to understand each beneficiary country’s cybersecurity context. Prepare data requests, such as questionnaires or interview questions, to be used during stakeholder consultations and data collection.
  • In close collaboration with the OECS and with its support, conduct consultations (in person and/or virtual) with key stakeholders from the public and private sectors, civil society, and academia. Gather all data needed to analyse and review each beneficiary country’s cybersecurity risk and capacity.
  • Implement all feasible quality control measures to ensure the quality, reliability, and validity of the data collected during the stakeholder consultation workshops. Address any gaps that arise during on-site data collection through further documentary research or remote follow-up sessions with stakeholders.
  • Analyse the collected information and produce a draft report on the cybersecurity maturity and risk landscape, with general recommendations that will enable the beneficiary countries to strengthen their cybersecurity capacity and their competence in managing cybersecurity-related risks.
  • Facilitate a validation workshop to present and validate the findings and recommendations of the draft report.
  • Produce a final report that incorporates the feedback received during the validation workshop.

Task 2: Draft an OECS Regional Cybersecurity Roadmap outlining the main priorities and identifying shared cybersecurity objectives in the region, and design a toolkit to facilitate its adaptation in the beneficiary countries

  • Based on the report produced under Task 1, identify the priorities and strategic objectives to be included in the Regional Cybersecurity Roadmap. Consult relevant stakeholders to validate the priorities and strategic objectives.
  • Using internationally recognised good practices (such as the Guide to Developing a National Cybersecurity Strategy), develop the OECS Regional Cybersecurity Roadmap outlining the main priorities and the shared cybersecurity objectives for countries in the region.
  • Engage in additional stakeholder consultations and develop the final version of the roadmap for approval by the OECS and the beneficiary governments.
  • Develop a toolkit to support the beneficiary countries in adopting the OECS Regional Cybersecurity Roadmap into their national cybersecurity posture, including a standardized action plan template.

Task 3: For each of the beneficiary countries (Grenada, Dominica, Saint Lucia, and St. Vincent and the Grenadines), develop national strategies and action plans to implement the OECS regional cybersecurity roadmap

  • With the facilitation and support of the beneficiary governments, engage a wide range of national stakeholders, including government agencies, private sector organizations, academia, civil society, and international partners, across the whole adaptation process.
  • Taking into account the OECS Regional Cybersecurity Roadmap and toolkit, develop a national cybersecurity strategy for each beneficiary country that tailors the objectives to that country’s cybersecurity landscape, regulatory environment, and institutional framework.
  • For each beneficiary country, and based on the OECS toolkit developed under Task 2, develop an action plan to implement the priorities and strategic objectives set out in the OECS Regional Cybersecurity Roadmap. The plan must include budgeted and prioritized initiatives aimed at implementing and operationalizing the roadmap. Consult relevant stakeholders to validate the document and develop the final version of the action plan for government approval.

Task 4: Facilitate a workshop (5 days) to present and disseminate the deliverables and support the training of key personnel

  • With the support of the OECS and the beneficiary countries, develop training modules based on cybersecurity principles and best practices, emphasizing the policy aspects and procedures of the OECS Regional Cybersecurity Roadmap and the national action plans, and other relevant legal and governance resources.
  • Conduct awareness sessions to familiarize participants with key cybersecurity concepts and raise awareness of risks and best practices.
  • Provide hands-on training on cybersecurity policy development, offering tools and concrete examples drawn from national experience.
  • Facilitate discussions and experience-sharing sessions, as well as interactive discussions, to encourage collaborative learning.

3.    ASSUMPTIONS UNDERLYING THE PROJECT

The following assumptions are made for the success of the project:

  • Member States will cooperate and participate in project activities, provide information and feedback in a timely manner, and support the organization of virtual and physical consultations and workshops.
  • Adequate in-country consultations are undertaken by the Consultant with national entities.
  • Travel-related restrictions (for example, those arising from the COVID-19 pandemic) do not hinder access to key personnel, who can be reached primarily through virtual means.

The Consultant is responsible for alternative arrangements, such as virtual consultations where physical travel is not possible, to execute the project’s activities.

4.    CONSULTANT REQUIREMENTS AND QUALIFICATIONS

The firm selected will need to demonstrate:

  • Strong skills and experience in cybersecurity and Information and Communication Technologies (ICT), particularly in governance, legislation, risk management, protection of critical information infrastructure, incident response, and cybersecurity skills development, with at least 5 years of relevant experience.
  • Extensive knowledge of cybersecurity policy, strategy and operations in a government context.
  • An appropriate methodology and experience in applying related research tools.
  • Completion of at least two (2) similar assignments, preferably in the region.
  • An understanding of key frameworks, methodologies, and best practices in cybersecurity, including the Guide to Developing a National Cybersecurity Strategy, the CMM (Capability Maturity Model), the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), the ISO/IEC 27000 series, etc.
  • Prior experience working with the public sector is preferred.
  • Experience in a developing country context is considered an advantage.

Qualifications of the Consultant’s Team

The firm shall propose a core team comprising, at a minimum, a team leader and two (2) technical experts, plus any additional support staff deemed necessary to deliver the assignment. All team members must be fluent in English.

The consulting firm must provide a staffing plan with names, roles, and CVs for the core project team as part of the proposal.

Key positions, experience and qualifications:

(1) Team Leader, or equivalent

Experience:
  • Minimum 7 years of experience in the cybersecurity industry.
  • Experience in leading cybersecurity projects and knowledge of global best practices in cybersecurity policy development.
  • Excellent communication and leadership skills, and experience in managing complex projects.
  • Previous experience networking and collaborating with government institutions.

Qualifications:
  • Master's degree in Computer Science, Cybersecurity, Science/Technology and/or other relevant fields.

(1) Cybersecurity Policy and Governance Specialist

Experience:
  • At least 5 years of experience in cybersecurity policy and governance, with a focus on national-level cybersecurity policies, regulations, and standards.
  • Proven ability to design and implement cybersecurity policies and regulations, and to ensure compliance with relevant national and international standards and regulations.
  • Knowledge of relevant legal and regulatory requirements, such as data protection regulations, computer misuse legislation, and critical infrastructure protection policies.

Qualifications:
  • Master's degree in Cybersecurity/Information Security, Business/Public Administration, Economics, Development Studies, Commerce, Science/Technology, or other relevant fields.

(1) Risk Management and CIIP Specialist

Experience:
  • At least 5 years of experience in risk management and critical information infrastructure protection (CIIP), preferably at the national level.
  • In-depth knowledge of risk management and CIIP frameworks, such as NIST SP 800-53, ISO/IEC 27001, or CIP-014-1, and their application to CII protection processes.
  • Relevant certifications, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Critical Infrastructure Protection Professional (CCIPP), are highly desirable.

Qualifications:
  • Master's degree in Cybersecurity/Information Security, Business/Public Administration, Economics, Development Studies, Commerce, Science/Technology, or other relevant fields.

(1) Incident Response Specialist

Experience:
  • At least 5 years of experience in cybersecurity incident response, with a focus on establishing and managing CIRTs.
  • In-depth knowledge of incident response and CIRT establishment frameworks and methodologies, such as the FIRST CSIRT Services Framework, NIST SP 800-61, ISO/IEC 27035, and the SANS incident handling guidelines, and their application to building and operating effective CIRTs.
  • Proven ability to design and implement incident response policies, procedures, and workflows, and to train and mentor CIRT members on incident response best practices.
  • Relevant certifications, such as Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler (GCIH), or EC-Council Certified Incident Handler (ECIH), are highly desirable.

Qualifications:
  • Master's degree in Cybersecurity/Information Security, Business/Public Administration, Economics, Development Studies, Commerce, Science/Technology, or other relevant fields.

(1) Cybersecurity Skills Development Specialist

Experience:
  • At least 5 years of experience in cybersecurity skills development.
  • Proven ability to design and deliver cybersecurity training programs, including curriculum development, instructional design, and course delivery.
  • Familiarity with various cybersecurity training tools and techniques, such as simulations, hands-on exercises, and online training platforms.

Qualifications:
  • Master's degree in Cybersecurity/Information Security, Business/Public Administration, Economics, Development Studies, Commerce, Science/Technology, or other relevant fields.

5.    ASSIGNMENT DURATION, DELIVERABLES AND PAYMENT SCHEDULE

The estimated duration of the assignment is one (1) year. The expected deliverables, indicative timeline and payment schedule are set out below:

S/No | Milestone/deliverable | Timeline after contract signing | Indicative payment schedule
D1. | Inception report, detailing how the assignment will be delivered | 2 weeks | 10%
D2. | Report containing the cybersecurity risk assessment and maturity assessment, as per Task 1 | 4 months | 20%
D3. | OECS Regional Cybersecurity Roadmap and related toolkit, as per Task 2 | 6 months | 25%
D4. | One action plan for each of the beneficiary countries, as per Task 3 | 9 months | 25%
D5. | Regional workshop, as per Task 4 | 10 months | 10%
D6. | Final report | 11 months | 10%

The Consultant must consult with a number of national and regional stakeholders including, but not limited to:

  • Attorneys General Chambers
  • Ministries of Legal Affairs
  • Ministries with responsibility for ICT
  • Parliamentary Counsels and parliamentarians
  • Law Commissions, Legislative Drafting Departments and members of the legal fraternity
  • National Telecommunications Regulatory Commission
  • CARICOM IMPACS
  • OECS Commission
  • CARICOM Secretariat
  • Organisation of American States
  • Caribbean Telecommunications Union
  • Eastern Caribbean Telecommunications Authority (ECTEL)

6.    REPORTING

The Consultant will report to CARICOM IMPACS and the OECS. The Consultant must prepare succinct and relevant documentation and submit monthly and quarterly reports on project status. The quarterly reports must detail the status of achievements, challenges, risks, and recommendations for project implementation; they will be used for mid-course corrections based on the nature and scope of the project, and will convey results, alternative solutions, and major decisions that need to be made. Throughout the assignment the Consultant will work with the Steering Committee previously established by the OECS to supervise its implementation.

Ministry: Ministries/Ministry of Public Service, Home Affairs, Labour and Gender Affairs