pw.app.iatrt.com

PWC RFT0661 primary-fit workspace.

This site now carries the current primary-fit scope for the Power and Water Corporation cybersecurity risk platform procurement. It frames the opportunity as a fast-provisioned cloud SaaS platform with strong first-party monitoring, third-party risk workflows, governance reporting, and self-service administration.

Customer: Power and Water Corporation
Term: 36 months
Delivery model: Cloud SaaS
Focus: Cybersecurity risk platform

Procurement Intent

What PWC is actually buying

The tender language points to a subscription-first, rapidly provisioned tenant that PWC can operate directly rather than a bespoke build, private deployment, or managed service.

Subscription-only

The core offer is a 36-month SaaS subscription with enterprise support, release notes, and standard documentation.

Rapid activation

Tenant access and administrator provisioning need to land within five business days of the purchase order.

Unified workflows

First-party monitoring, third-party risk management (TPRM), governance reporting, and admin controls need to work within one platform boundary: one tenant, one set of identities, one audit trail.

Self-service posture

PWC is expected to configure, integrate, operate, and report from the platform with limited supplier dependency.

Mandatory Fit

Core requirement envelope

The requirement set clusters into capability coverage, governance artifacts, identity controls, and non-functional assurances.

First-party attack surface

  • Unlimited domains and subsidiary roll-up
  • Continuous internet-facing asset discovery
  • Public exposure and vulnerability visibility
  • Credential leak, infostealer, and typo-squat monitoring

Third-party risk management

  • Unlimited vendors and questionnaire workflows
  • Vendor onboarding portal with authenticated access
  • Evidence requests, findings, exceptions, and decisions
  • Fourth-party visibility where discoverable

Governance and reporting

  • Audit logging and configurable templates
  • Scheduled governance-ready reports
  • PDF, presentation, and CSV exports
  • Co-branded reporting and communication outputs

Identity and compliance

  • SSO with SAML or OIDC
  • RBAC, API access, and lifecycle controls
  • Encryption, immutable logs, and exportability
  • Evidence support for the Critical Infrastructure Risk Management Program (CIRMP) and uplift toward AESCSF Security Profile 2 (SP-2)

Preferred Shape

Recommended integrated capability towers

The strongest fit is a single platform boundary with one tenant, one administrative plane, one reporting model, and one support motion.

Tower 1

First-party external attack surface

Domain and subsidiary onboarding, asset discovery, exposure monitoring, risk scoring, and remediation workflow.

Tower 2

Third-party risk management

Vendor intake, questionnaires, evidence exchange, findings, reassessment, and outside-in supplier monitoring.

Tower 3

Governance and evidence generation

Monthly operational reporting, quarterly executive packs, annual CIRMP-aligned evidence generation, and full audit traceability.

Tower 4

Identity, integration, and administration

SSO, RBAC, admin provisioning, APIs, webhooks, lifecycle automation, branding, notifications, and retention controls.

Reference Architecture

Architecture and contract posture

The architecture needs to be Australian-hosted by default, auditable, exportable, and explicit about subcontractors, privacy boundaries, and incident management obligations.

  • AU: Hosting and service delivery centred in Australia
  • 99.9%: Monthly SaaS availability posture (about 44 minutes of permitted downtime per month; confirm how availability is measured and which maintenance windows and third-party outages are excluded)
  • API: Export and integration boundary via API and webhooks
  • RBAC: Least-privilege access with auditable change history

Implementation Sequence

Suggested rollout path

The current v1 sequence is structured to get from tenant creation to operational cadence with minimal dependency on bespoke services.

  1. Provision the tenant, issue administrator access, deliver the onboarding pack, and start the SSO integration.
  2. Load domains, DNS references, subsidiaries, vendor inventory, user roles, and portal branding.
  3. Configure attack-surface policies, questionnaire templates, evidence workflows, dashboards, and report schedules.
  4. Validate the first governance report, first vendor intake cycle, first exposure review cycle, and support paths.
  5. Move into BAU with monthly KPIs, quarterly executive reviews, annual CIRMP evidence generation, and release communications.