Procurement Framework | Security : Non-Constitutional Proposal

Description

Abstract

Creating a procurement framework for security-oriented service providers within the ArbitrumDAO. The proposal aims to create a streamlined & harmonised approach re. service procurement for security-oriented services.

Motivation

Procurement Frameworks maintain quality control, ensuring consistency in the services procured. These frameworks also promote transparency and fairness, building trust and adhering to legal standards. Moreover, they aid in risk management, safeguarding against various procurement-related risks, and streamline processes for time-saving and operational efficiency.

Rationale

This procurement framework is designed to ensure that only qualified and reliable security service providers are selected, thereby safeguarding the integrity and security of the projects within the Arbitrum Ecosystem. This will aid in ensuring that the security-specific needs of projects building within the Ecosystem are safeguarded to a larger extent & thus serve to safeguard the high standards and reputation of the Arbitrum Ecosystem.

Specifications & Timeline

Specifications & Timeline can be found in the following sections.

Steps to Implement

This AIP will move to a Snapshot vote on the 24th of November 2023. Passing of the Snapshot vote will be deemed as a ratification of the Procurement Framework. There are no associated costs with the implementation of the Procurement Framework.

Overall Cost

No cost for AIP implementation.

EXECUTIVE SUMMARY

• This procurement process is designed to ensure that only the most qualified and reliable security service providers are selected, thereby safeguarding the integrity and security of the projects within the Arbitrum Ecosystem.
• Should the ArbitrumDAO vote for the implementation/ratification of this framework, we wil then be proposing the setup of the Procurement Committee that will facilitate & administer this framework.
• The proposal for the procurement committee will also contain further details on the operational implementations that are to be effected in documenting, record-keeping, and disclosing material in relation to the procurement framework.

The document outlines a comprehensive procurement framework for the Arbitrum Ecosystem, focusing on sourcing and selecting service providers for blockchain security and related services. It comprises several key components:

• Needs Assessment: Identifying and prioritizing the specific requirements of the Arbitrum Ecosystem, including evaluating the current situation and determining market availability for the required services.
• Defining Eligibility Criteria: Establishing standards for technical expertise, reputation, tools and techniques, and financial stability that service providers must meet to be considered.
• Publication of Request for Proposal (RFP): Detailing the scope of work required and the submission guidelines for prospective service providers, along with evaluation criteria and a timeline for the procurement process.
• Proposal Submission: Requiring service providers to submit comprehensive documentation for evaluation, with submissions made via ArbitrumDAO Forums, allowing community feedback and private collection of sensitive information.
• Evaluation of Proposals: This includes initial screening for eligibility, in-depth technical and commercial evaluations, reference checks, and possibly interviews, with a focus on transparency and community involvement.
• Whitelisting, Onboarding & Contracting: Selecting the most suitable service providers, conducting Know-Your-Business processes, facilitating contract negotiations, and finalizing approval of agreements.
• Ongoing Obligations and Ancillary Matters: Monitoring performance, establishing feedback loops, setting renewal criteria, outlining exit strategies, and ensuring thorough documentation and record-keeping using tools like Airtable for transparency.
• Public Disclosure: Making key details of the procurement process and the list of whitelisted providers publicly available, respecting confidentiality agreements.

OVERVIEW

[1] On the 3rd of November, DK (Myself) posted a proposal on the Arbitrum DAO Forums aimed at establishing a framework for security-oriented proposals via a consolidated framework (Consolidate Security Proposals into a RFP Process). By way of a summary, the proposal on the Arbitrum DAO forum discusses establishing a Request for Proposal (RFP) process to consolidate the selection of auditors and security service providers within the Arbitrum ecosystem (for the purposes of this endeavor, we shall be referring to this consolidated framework as the ‘Procurement Framework).

[2] The Snapshot Vote for the establishment of the aforementioned Procurement Framework has since passed (Snapshot 1).

[3] On the 10th of November, Immutablelawyer posted a public consultation period on the Arbitrum Forums (Public Consultation re. 'Consolidate Security Proposals into an RFP Process'). This contained a base-line framework aimed at giving some context to community members & relevant stakeholders intending on participating in the public consultation. The Public Consultation ended on the 22nd of November 2023. Following calls held, submissions received & several discussions with numerous ecosystem participants, we would now like to present the final procurement framework for ratification via Snapshot.

We would like to thank all participants who took their time to provide insight in this endeavor. This was a true testament to the collaborative nature of this ecosystem.

Copy of Proposal in Google Docs: Snapshot Proposal Ratification: Procurement Framework

Procurement Framework for Ratification

1. ‘Needs’ Assessment

• Gather Phase: Collect detailed information on what is needed in the Arbitrum Ecosystem. This involves understanding the specific requirements of the end-users, the goals of relevant stakeholders, and any constraints (budgetary, time, legal, regulatory, procedural etc.). This stage often involves interviews, surveys, or group discussions with stakeholders.
• Analyze Current Situation: Assess the current resources, systems, or services in place. Determine if there are gaps between the current state and the desired state. This analysis should consider whether existing solutions can be upgraded or if new solutions are needed.
• Define the Scope of the Need: Clearly define what is needed to address the gap identified in the current situation analysis. This definition should be as specific as possible, outlining the functionalities, features, quality standards, quantities, and any other relevant attributes that are relevant.
• Prioritize Needs: Not all needs have the same level of urgency or importance. Prioritize the needs based on factors like strategic importance, impact on operations, cost-benefit analysis, risk mitigation, and regulatory compliance.
• Assess Market Availability: Research the market to understand what products or services are available that meet the needs identified above.

1.1. Defining Eligibility Criteria

• Technical Expertise: Prospective Service Providers must demonstrate expertise in blockchain security, including prior experience with smart contracts, the Ethereum network, and Layer 2 solutions like Arbitrum.
• Reputation: A track record of successful security audits, with references and case studies.
• Tools and Techniques: Tools for detecting vulnerabilities, including static and dynamic analysis, and formal verification methods.
• Financial Stability: Proof of financial stability to ensure the longevity and reliability of the service provider.

2. Publication of the Request for Proposal (RFP)

• Scope of Work: Following the conclusion of the ‘Needs Assessment’ in the Procurement Committee will publish a request for submissions. This will be done via the ArbitrumDAO Forums wherein a detailed description of services required, including security audit scope, frequency, and expected deliverables will be provided by the PC.
• Submission Guidelines: Clear instructions on how to apply, including formats and submission channels will be provided for prospective applicants so that the approach is harmonized in nature.
• Evaluation Criteria: Metrics on how prospective service providers [as per ‘Eligibility Critera’].
• Timeline: Submission deadlines and timeline for the evaluation process.

3. Proposal Submission

• Documentation: Applicant service providers must submit comprehensive documentation, including company profiles, client testimonials, and detailed descriptions of methodologies.
• Submissions: Will be effected on a dedicated section of the ArbitrumDAO Forums. This way, the PC can already get a sense of community feedback prior to putting the security service provider through the procurement process. Financial statements will & other ancillary information will not be required to be posted publicly but will be collected through private channels.

4. Evaluation of Proposals

• Initial Screening: Verification of compliance with the minimum eligibility criteria.
• Technical Evaluation: In-depth review of technical capabilities, methodologies, and tools.
• Commercial Evaluation: Assessment of cost-effectiveness and value for money.
• References Check: Verification of the provider’s references and past performance.
• Interviews: The PC may conduct interviews with the top candidates.
• Emphasis should be placed on documenting each step of the procurement process and communicating select steps in a consolidated manner to the community for review & input.
• In this regard, the PC can set up a dedicated notion page wherein the aforementioned details can be inputted, and then linked from the Forum updates posted by the PC.

5. Whitelisting, Onboarding & Contracting

• Selection: The PC will select the most suitable providers to be whitelisted for service-subsidies based on them validly passing the procurement process.
• The PC will facilitate Know-Your-Business processes so as to make sure that all prospectively whitelisted service providers pass standard KYB checks.
• Contract Negotiation: The PC will facilitate & administer the process for the finalization of the contractual provisions regulating the engagement between the service provider chosen by the projects & the project itself. Most importantly, the PC has to ensure that the pricing ‘advertised’ by the service provider for the service requested is consistent with the agreement.
• Approval: Final agreements will be reviewed and approved by the PC before signing.

Ongoing Obligations of the Procurement Committee & Ancillary Matters

[i] Performance Monitoring and Review

• Regular Audits: Random checks by the PC during the audit process so as to ensure compliance with SLAs.
• Feedback Loop: A system for feedback from the projects utilizing the subsidized services. This will be pivotal in ensuring that the PC maintains a certain level of quality assurance so as to consistently assess whether any factors that led to the service provider passing the procurement process have changed.

[ii] Renewal and Exit Procedures

• Renewal Criteria: Every 4 months, the PC will re-evaluate whitelisted service providers by carrying out an assessment re. The Eligibility Criteria so as to make sure that Service Providers are still eligible.
• Exit Strategy: If a Service Provider is removed from the whitelist, the PC will publish an announcement outlining the reasons thereof.

[iii] Documentation and Record Keeping

• Audit Trail: All stages of the procurement process will be documented and records maintained for accountability and transparency.
• The PC will be using Airtable to document every stage of the procurement process.

[iv] Public Disclosure

• Transparency: Key details of the procurement process and the list of whitelisted providers will be made publicly available, respecting confidentiality agreements.

We look forward to your final feedback and potentially seeking the framework in action!

Voting

For: Proceed with this framework, start discussions on PC Leadership Against: Do not move forward with this framework, it needs revision