Leping

210319 Open Cyber Range projektileping 7.2-20,21,91.asice

Digiallkirjad

Allkirjade kehtivust ei ole kontrollitud.

ANDRES SUTT 36711110210 2021-03-05 16:02:46

SIGRID HARJO PNOEE-47610242716 2021-03-10 08:09:34

KALLE LAANET 36509250023 2021-03-19 12:52:10

Kolmepoolne_Open_Cyber_Range_leping.pdf

PROJEKTILEPING nr ___________

Majandus- ja Kommunikatsiooniministeerium, registrikood 70003158, asukoht Suur-

Ameerika 1, 10122 Tallinn, mida esindab ettevõtlus- ja infotehnoloogiaminister Andres Sutt,

kes tegutseb põhimääruse alusel (edaspidi ka Programmioperaator),

Ettevõtluse Arendamise Sihtasutus, registrikood 90006006, asukoht Lasnamäe 2, 11412

Tallinn, mida esindab juhatuse liige Sigrid Harjo, kes tegutseb põhikirja alusel (edaspidi

Programmi elluviija),

ja

Kaitseministeerium, registrikood 70004502, asukoht Sakala 1, 15094 Tallinn, mida esindab

kaitseminister Kalle Laanet, kes tegutseb põhimääruse alusel (edaspidi Projekti elluviija),

edaspidi eraldi Pool ja koos Pooled,

arvestades, et Majandus- ja Kommunikatsiooniministeerium (edaspidi MKM) on Vabariigi

Valitsuse 05.07.2018. a määruse nr 55 „Aastatel 2014–2021 Euroopa Majanduspiirkonna

finantsmehhanismist ja Norra finantsmehhanismist vahendite taotlemise ja kasutamise

tingimused ja kord“ § 2 lõike 1 punkti 1 alusel programmi „Konkurentsivõime“ (edaspidi

„Green ICT“) Programmioperaator,

arvestades, et Ettevõtluse Arendamise Sihtasutus (edaspidi EAS) täidab Norra

finantsmehhanismist 2014–2021 ja riigieelarvest rahastatava programmi „Green ICT“ elluviija

ülesandeid MKMi ja EASi vahel 16.10.2018. a sõlmitud lepingu nr 24.4-6/17-0524/8622

alusel,

arvestades, et 25.02.2021. a kiitis Programmioperaator programmi koostöökomisjoni

protokollilise otsusega heaks Projekti elluviija projekti „Open Cyber Range“,

sõlmivad käesoleva projektilepingu (edaspidi Leping) järgnevas:

1. ÜLDSÄTTED

1.1. Lepingu eesmärgiks on reguleerida Poolte õigusi ja kohustusi Eesti-Norra

koostööprogrammi „Green ICT“ vahenditest kaasrahastatud projekti „Open Cyber Range“

(edaspidi Projekt) elluviimisel.

1.2. Projekti eelarve on kokku 3 331 765 eurot, sh 2 832 000 eurot rahastatakse Norra

finantsmehhanismist 2014–2021 ja 499 765 eurot Eesti riigi kaasfinantseeringust.

1.3. Programmioperaator eraldab Projekti elluviijale projekti teostamiseks programmi „Green

ICT“ vahenditest toetust maksimaalselt summas 3 331 765 eurot, kattes sellega Projekti

abikõlblikud kulud 100% ulatuses, sh 85% ulatuses Norra finantsmehhanismist ja 15%

ulatuses Eesti riigi kaasfinantseeringust.

1.4. Kui Projekti elluviija kasutab projekti teostamisel partnereid, on Projekti partneri kulude

hüvitamisel toetuse määr 100% üksnes eeldusel, et Projekti partneri tegevus Projektis on

mittemajandusliku iseloomuga, mistõttu ei loeta makstavat toetust riigiabiks.

2

1.5. Projekti abikõlblikkuse perioodi alguskuupäev on 01.03.2021.

1.6. Projekti abikõlblikkuse perioodi lõppkuupäev on 29.02.2024.

1.7. Poolte esindajad Lepingu täitmisega seotud küsimustes on:

1.7.1. Programmioperaator – väliskoostöö valdkonna juht Tanel Tomson, tel. 639 7642,

e-post [email protected].

1.7.2. Programmi elluviija – koordinaator Anari Lilleoja (edaspidi kontaktisik), tel. 524

6477, e-post [email protected].

1.7.3. Projekti elluviija – Projekti teostamise eest vastutav isik, küberpoliitika osakonna

juhataja, Andri Rebane, tel. 717 0140, e-post [email protected].

1.8. Poolte esindajate muutumisest teavitatakse Pooli e-posti teel.

2. LEPINGU DOKUMENDID

2.1 Lepingu täitmisel juhindutakse Vabariigi Valitsuse 05.07.2018. a määruse nr 55 „Aastatel

2014–2021 Euroopa Majanduspiirkonna finantsmehhanismist ja Norra

finantsmehhanismist vahendite taotlemise ja kasutamise tingimused ja kord“ §-s 4

määratletud õigusraamistikust ja muudest alljärgnevatest dokumentidest (edaspidi Lepingu

dokumendid), kusjuures Lepingu dokumentide vahel vastuolude esinemisel on nende

pädevusjärjekord kõige tähtsamast alates järgmine:

2.1.1. Euroopa Liidu ja Norra Kuningriigi vahel 28.05.2016. a sõlmitud leping Norra

finantsmehhanismi kohta aastateks 2014–2021;

2.1.2. Norra Välisministeeriumi poolt 23.09.2016 vastu võetud „Norra finantsmehhanismi

rakendusmäärus“ (edaspidi rakendusmäärus)1;

2.1.3. Eesti Vabariigi ja Norra Kuningriigi vahel 09.05.2017 sõlmitud Norra

finantsmehhanismi rakendamist aastatel 2014–2021 käsitlev vastastikuse mõistmise

memorandum;

2.1.4. Eesti Vabariigi Rahandusministeeriumi ja Norra Kuningriigi vahel 26.04.2018 sõlmitud

programmileping ning selle lisad;

2.1.5. Vabariigi Valitsuse 05.07.2018 määrus nr 55 „Aastatel 2014–2021 Euroopa

Majanduspiirkonna finantsmehhanismist ja Norra finantsmehhanismist vahendite

taotlemise ja kasutamise tingimused ja kord“;

2.1.6. Leping koos lisadega;

2.1.7. Programmioperaatori poolt kokku kutsutud programmi koostöökomisjoni 25.02.2021

protokolliline otsus Projekti elluviija esitatud taotluse programmi „Green ICT“

eesmärkidele vastavaks tunnistamise kohta (Lepingu Lisa 1);

2.1.8. Projekti elluviija poolt 22.12.2020 esitatud taotlus koos eelarvega (Lepingu Lisa 2).

2.2. Viide Lepingule hõlmab ka viidet Lepingu dokumentidele, kui Lepingu konkreetsest

punkti sõnastusest või sisust ei tulene teisiti.

2.3. Lepingu dokumentides reguleerimata küsimustes lähtutakse Eesti Vabariigis kehtivatest

õigusaktidest.

1 https://eeagrants.org/resources/regulation-implementation-norway-grants-2014-2021

3

3. PROJEKTI ELLUVIIJA ÕIGUSED JA KOHUSTUSED NING KULUDE

ABIKÕLBLIKKUS

3.1. Projekti elluviija on õigustatud:

3.1.1. saama kontaktisikult tehnilist abi (informatsiooni- ja nõuandeteenused), mis on seotud

Lepinguliste kohustuste täitmisega. Kontaktisikuga on võimalik ühendust saada telefoni

või e-posti teel;

3.1.2. tegema Projekti eelarves muudatusi, mis on väiksemad kui 20% Projekti eelarves (vt

Lepingu Lisa 2) konkreetsele tegevusele ettenähtud eelarverea mahust, tingimusel, et

toetuse summa ei suurene ning Projektis ettenähtud eesmärgid ja tegevused ei muutu.

3.2. Projekti elluviija on kohustatud:

3.2.1. viima Projekti ellu taotluses, taotluse programmi eesmärkidele vastavaks tunnistamise

otsuses ning Lepingus fikseeritud tähtaegade ja tingimuste kohaselt;

3.2.2. kasutama toetust vastavuses taotluse, taotluse programmi eesmärkidele vastavaks

tunnistamise otsuse, Lepingu ja Lepingu dokumentidega;

3.2.3. tagama, et Projekti raames tehtud kulud vastavad rakendusmääruses sätestatud kulude

abikõlblikkuse tingimustele;

3.2.4. maksma toetuse tagasi tagasinõudmise otsuses näidatud summas ja tähtpäevaks;

3.2.5. vastama Programmioperaatori ja Programmi elluviija poolt esitatud küsimustele

Projekti elluviija, Projekti partnerite ja Projekti teostamise kohta;

3.2.6. esitama Programmi elluviijale tähtaegselt kogu nõutud informatsiooni ja

vahefinantsaruanded;

3.2.7. tagama, et Projekti elluviija eelarves on olemas Projekti abikõlblike kulude

hüvitamiseks vajalik Eesti riigi kaasfinantseeringu summa;

3.2.8. tagama, et Projekti elluviija ja partnerite raamatupidamises on toetatava Projekti kulud

ja neid kajastavad kulu- ja maksedokumendid muudest Projekti elluviija ja partnerite

kuludest ning kulu- ja maksedokumentidest selgelt eristatavad eraldiseisva

raamatupidamissüsteemiga või -koodidega ning vastavad üldtunnustatud

raamatupidamistavale;

3.2.9. säilitama taotluse, toetuse ja Projekti teostamisega seonduvat

originaaldokumentatsiooni vähemalt 28. veebruarini 2031. a;

3.2.10. võimaldama järelevalvet teostavale isikule juurdepääsu Projekti teostamisega seotud

ruumidesse ja territooriumidele, mida Projekti elluviija või partner omab, rendib või mis

tahes muul moel kasutab;

3.2.11. osutama auditi ja järelevalve kiireks läbiviimiseks viivitamatut ja igakülgset abi ning

andma kontrollija käsutusse kõik soovitud andmed ja dokumendid 3 (kolme) tööpäeva

jooksul arvates vastava teate saamisest;

4

3.2.12. viivitamata kirjalikult informeerima Programmioperaatorit kõigist esitatud andmetes

toimunud muudatustest või asjaoludest, mis mõjutavad või võivad mõjutada Projekti

elluviija ja/või partneri kohustuste täitmist, sealhulgas nime, aadressi ja seaduslike või

volitatud esindajate muutumisest, ümberkujundamisest, pankrotimenetluse alustamisest

või likvideerija määramisest, tegevuse lõpetamisest ka siis, kui eelnimetatud

muudatused on registreeritud äriregistris või avalikustatud massiteabevahendite kaudu;

3.2.13. viivitamata Programmioperaatorit kirjalikult informeerima Projekti teostamise käigus

ilmnenud Projekti negatiivse tulemuse suurest tõenäosusest või vältimatusest ning

Projekti edasise jätkamise kaheldavast otstarbekusest;

3.2.14. tagama Projekti kulude vastavuse kohalduvate õigusaktide ja Lepingu dokumentide

nõuetele ning täitma kõiki asjakohaseid kohalikke, siseriiklikke ja Euroopa Liidu

õigusakte;

3.2.15. tagama, et Projekti elluviija ja partneri raamatupidamise sise-eeskirjad ja auditeerimise

kord võimaldavad Projekti kohta deklareeritud kulude ja tulude otsest võrdlust vastavate

raamatupidamisaruannete ja tõendavate dokumentidega;

3.2.16. toetuse kasutamisel näitama kooskõlas rakendusmääruse lisas 32 sätestatud

tingimustega avalikkusele, et tegemist on Norra finantsmehhanismidest rahastatud

Projektiga, sh:

3.2.16.1. koostama kommunikatsiooniplaani, rakendama kommunikatsiooniplaanis

kirjeldatud tegevusi ning andma finantsvahearuannetes ülevaate

kommunikatsioonitegevustest;

3.2.16.2. korraldama projekti tutvustamiseks vähemalt kolm teavitamisüritust;

3.2.16.3. lisama Projekti elluviija veebilehele info projekti elluviimise ja toetuse saamise

kohta ning Norway Grants logod (logod on kättesaadavad FMO kodulehel

https://eeagrants.org/resources/norway-grants-logo-package);

3.2.17. Projekti elluviija ja partner peavad Projekti raames kaupu või teenuseid ostes järgima

oma asukohamaa riigi riigihangete regulatsioonis ja EL direktiivides hankijale

sätestatud kohustusi;

3.2.18. teostama kõik Projekti raames tehtud kulude maksed Projekti elluviija või partneri

pangakontolt;

3.2.19. esitama Projekti vahefinantsaruanded e-toetuste infosüsteemis hiljemalt järgnevateks

kuupäevadeks:

3.2.19.1. 31.07.2021 (kulud 01.03.2021–30.06.2021);

3.2.19.2. 30.11.2021 (kulud 01.07.2021–31.10.2021);

3.2.19.3. 31.03.2022 (kulud 01.11.2021–28.02.2022);

3.2.19.4. 31.07.2022 (kulud 01.03.2022–30.06.2022);

3.2.19.5. 30.11.2022 (kulud 01.07.2022–31.10.2022);

3.2.19.6. 31.03.2023 (kulud 01.11.2022–28.02.2023);

3.2.19.7. 31.07.2023 (kulud 01.03.2023–30.06.2023);

3.2.19.8. 30.11.2023 (kulud 01.07.2023–31.10.2023);

3.2.19.9. 31.03.2024 (kulud 01.11.2023–29.02.2024);

2 https://eeagrants.org/resources/regulation-implementation-norway-grants-2014-2021-annex-3-information-and-

communication

5

3.2.20. esitama Projekti lõpparuande ja maksetaotluse e-toetuste infosüsteemi hiljemalt

30.04.2024;

3.2.21. taotlema Programmioperaatorilt kontaktisiku kaudu Lepingu muutmist, kui soovitakse

muuta:

3.2.21.1. Projekti tegevusi, mille tulemusena suureneb ühe või mitme eelarverea

maksumus kokku rohkem kui 20%;

3.2.21.2. Projekti partnereid;

3.2.21.3. Projekti toetuse summa jagunemist Projekti elluviija/partnerite lõikes, juhul kui

vähemalt ühe Projekti elluviija/partneri toetuse summa suureneb;

3.2.21.4. Projekti tegevuste elluviimise alguskuupäeva;

3.2.21.5. Projekti tegevuste elluviimise lõppkuupäeva;

3.2.21.6. Projekti eesmärke mõjutavaid tegevusi või muud Lepingus toodut.

3.2.22. tagama partnerluslepingust ning muudest asjakohastest allikatest tulenevate kohustuste

täitmise Projekti partnerite poolt ning vastutama partneri poolsete rikkumiste eest.

3.3. Kulude abikõlblikkus

3.3.1. Kulude abikõlblikkuse osas lähtutakse rakendusmääruse 8. peatükis sätestatust.

3.3.2. Abikõlblikud on kulud, mis on põhjendatud, mõistlikud, õigusaktidega kooskõlas ja

otseselt vajalikud toetatavate tegevuste elluviimiseks ja Projekti eesmärkide

saavutamiseks. Projekti kulud peavad olema kooskõlas säästlikkuse, tulemuslikkuse ja

tõhususe põhimõtetega.

3.3.3. Abikõlblikud on järgmised kulud:

3.3.3.1. Projekti heaks tööle määratud isikute töötasu ja puhkusehüvitis ning seadusest

tulenevad maksud ja maksed. Töötasud peavad olema kooskõlas Projekti

elluviija ja partneri asutusesisese palgatasemega vastavasisulise töö eest. Töötaja

puhkusehüvitis on abikõlblik proportsionaalselt Projekti heaks töötatud ajaga;

3.3.3.2. võlaõigusliku lepingu alusel makstav tasu, mida maksustatakse sarnaselt

töötasuga ning tasult makstavad riiklikud maksud;

3.3.3.3. Projektis osalevate töötajate välislähetuse päevaraha vastavalt kehtivale

seadusandlusele;

3.3.3.4. Projektis osalevate töötajate välislähetuse sõidu- ja majutuskulu vastavalt

reisikulu standardiseeritud ühikuhindadele järgmistel tingimustel:

3.3.3.4.1. sõidukulu standardiseeritud ühikuhind marsruudil Eesti-Norra-Eesti või Norra-

Eesti-Norra on 285 eurot ühe reisija kohta;

3.3.3.4.2. majutuskulu standardiseeritud ühikuhind on 135 eurot/öö ühe reisija kohta ning

Eestis 100 eurot/öö ühe reisija kohta (põhjendatud juhtudel hüvitatakse

majutuskulu lisaks üks öö enne ja üks öö pärast sihtriigis ettenähtud ürituse,

kohtumise või muu sündmuse toimumist, kui Projekti elluviija esitab

vahefinantsaruandes sellekohase põhjenduse);

3.3.3.4.3. sõidu- ja majutuskulude tekkimise tõendamiseks esitab Projekti elluviija

vahefinantsaruandes kokkuvõtte toimunud välislähetusest, sh info reisi

toimumisaja, osalejate, eesmärgi, tegevuste ja saavutatud tulemuse kohta;

3.3.3.4.4. Projekti elluviija ei pea kulu tõendamiseks esitama kulu- ja maksedokumente

(arved, maksekorraldused, pardakaardid, transpordivahendi piletid, kütusetšekid

jms);

6

3.3.3.4.5. vajadusel on Projekti elluviija kohustatud esitama täiendavaid dokumente või

andma lisaselgitusi reisi programmi, osalejate jms kohta;

3.3.3.5. uute või kasutatud seadmete puhul üksnes see osa kulumist, mis vastab Projekti

kestusele ja tegelikule Projekti eesmärkidel kasutuse määrale;

3.3.3.6. tarbekaupade ja tarvikute kulu, tingimusel et need on eristatavad ja Projektile

eraldatud;

3.3.3.7. muude Projekti elluviija poolt Projekti elluviimise eesmärgil sõlmitud

lepingutega kaasnevad kulud, tingimusel et sõlmimine vastab kohaldatavatele

riigihanke ja Lepingu tingimustele;

3.3.3.8. kaudsed kulud kuni 15% otsestest personalikuludest (punkt 3.3.3.1);

3.3.3.9. välispartneri kulude tõendamiseks piisab, kui Projekti elluviija esitab

välispartneri asukoha riigis tegutseva sõltumatu ja sertifitseeritud audiitori poolt

kinnitatud aruande, millest nähtub, et partneri poolt on Projektis tehtud kulud

vastavalt Lepingus sätestatud tingimustele, kohalikule seadusandlusele ja

üldtunnustatud raamatupidamistavale.

3.3.4. Mitteabikõlblikud on järgmised kulud:

3.3.4.1. intress võlalt, võla teenindamise tasud ja viivised;

3.3.4.2. finantstehingute tasud ja muud finantskulud;

3.3.4.3. eraldised kahjumi või võimalike tulevaste kohustuste katmiseks;

3.3.4.4. valuutakursi muutuste kahjum;

3.3.4.5. kinnisasja ostmise kulu;

3.3.4.6. kulud, mis kaetakse muudest allikatest;

3.3.4.7. trahvid, rahalised karistused ja kohtuvaidluste kulud;

3.3.4.8. ülemäärased või põhjendamatud kulud.

3.3.5. Kulud on abikõlblikud alates Projekti abikõlblikkuse perioodi alguskuupäevast kuni

Projekti abikõlblikkuse perioodi lõppkuupäevani. Kulud loetakse tekkinuks, kui kulu

aluseks olev arve on esitatud, tasutud ning töö tehakse, kaup saadakse kätte või teenus

osutatakse Projekti abikõlblikkuse perioodil. Erandina võib kulud lugeda abikõlblikeks,

kui arve on esitatud abikõlblikkuse perioodi viimasel kuul ning tasutud 30

kalendripäeva jooksul abikõlblikkuse perioodi lõppkuupäevast ja kulude tekkimise

aluseks olevad tegevused toimusid Projekti abikõlblikkuse perioodil.

3.3.6 Kõik abikõlblikud otsekulud peavad olema läbipaistvad ja dokumentaalselt tõendatud

vastavate kuludokumentidega ning olema tasutud Projekti elluviija ja/või partneri

pangakontolt.

4. PROGRAMMIOPERAATORI JA PROGRAMMI ELLUVIIJA ÕIGUSED JA

KOHUSTUSED NING TOETUSE TAGASINÕUDMINE

4.1. Programmi elluviija on õigustatud:

4.1.1. teostama igal ajaperioodil tööpäeviti kohapealset kontrolli ja/või auditit toetuse ja/või

kaasfinantseeringu kasutamist kajastavate kulu- ja maksedokumentide ja teostatud

tööde osas;

4.1.2. kontrollima toetuse ning kaasfinantseeringu kasutamist;

4.1.3. kontrollima Projekti elluviija ja/või partneri(te) tegevust Lepingust tulenevate

kohustuste täitmisel;

7

4.1.4. nõudma Projekti tegevuste ja kulude kohta mistahes täiendavate andmete ja

dokumentide esitamist.

4.2. Programmioperaator on õigustatud:

4.2.1. keelduma Lepingu muutmisest juhul, kui soovitav muudatus mõjutab oluliselt Projekti

eesmärke ja mõju;

4.2.2. ütlema Lepingu üles ja/või lõpetama toetuse väljamaksmise ning nõudma toetuse osalist

või täielikku tagastamist, kui esineb vähemalt üks järgmistest asjaoludest:

4.2.2.1. ilmneb asjaolu, mille korral taotlust ei oleks programmi eesmärkidega vastavaks

tunnistatud;

4.2.2.2. Projekti elluviija ja/või partner rikuvad Lepingust tulenevat kohustust, mh

kasutavad toetust mitteabikõlblike kulude hüvitamiseks, ei kasuta toetust ettenähtud

tingimustel või ei järgi Projekti elluviimise tähtaegu;

4.2.2.3. Projekti elluviija ja/või partner rikuvad neile asjakohasest seadusest tulenevat

kohustust;

4.2.2.4. Projekti elluviija avaldust Lepingu muutmise kohta ei rahuldata ja Projekti elluviijal

ei ole toetuse kasutamist ettenähtud tingimustel võimalik jätkata;

4.2.2.5. Norra välisministeerium nõuab toetuse tagasi;

4.2.2.6. partnerlusleping öeldakse üles, mistõttu ei ole võimalik Projekti esitatud mahus ellu

viia;

4.2.2.7. Projekti elluviija esitab avalduse toetusest loobumise kohta;

4.2.3. otsustama Projekti programmi eesmärkidega vastavaks tunnistamise otsuse kehtetuks

tunnistamise ja Lepingu lõpetamise 20 tööpäeva jooksul alates toetusest loobumise

avalduse saamisest.

4.3. Programmi elluviija on kohustatud:

4.3.1. kontrollima Projekti vahefinantsaruandeid ning koheselt informeerima

Programmioperaatorit võimalikest rikkumistest;

4.3.2. heaks kiitma või tagasi lükkama Projekti elluviija esitatud aruanded ja maksetaotluse

20 tööpäeva jooksul nende laekumisest ning viivitamata teavitama Projekti elluviijat

aruannete ja väljamakse taotluse heakskiitmise või tagasi lükkamise otsusest;

4.3.3. hoidma konfidentsiaalsena informatsiooni, mis on teatavaks saanud toetuse taotluse

menetlemise käigus, v.a õigusaktides sätestatud juhtudel, kui on lubatud

konfidentsiaalsuse kohustusest kõrvale kalduda.

4.4. Programmioperaator on kohustatud:

4.4.1. esitama Riigi Tugiteenuste Keskusele taotluse toetuse väljamaksmiseks Projekti

elluviijale peale Projekti vastava perioodi aruande ja maksetaotluse kinnitamist

Programmi elluviija poolt, kui Programmioperaatoril ja Programmi elluviijal ei ole

pretensioone finantseeritavate tegevuste ning tehtud kulude asjakohasuse kohta;

4.4.2. teavitama Projekti elluviijat toetuse kasutamist reguleerivates dokumentides tehtud

muudatustest;

8

4.4.3. tegema pärast Lepingu sõlmimist oma veebilehel kättesaadavaks järgmise

informatsiooni: Projekti elluviija ja partneri(te) nimi, Projekti nimi, Projekti kestus,

toetuse summa, Projekti kogumaht;

4.4.4. hoidma konfidentsiaalsena informatsiooni, mis on teatavaks saanud toetuse taotluse

menetlemise käigus, v.a õigusaktides sätestatud juhtudel, kui on lubatud

konfidentsiaalsuse kohustusest kõrvale kalduda.

4.5. Toetuse tagasinõudmisel:

4.5.1. lähtutakse perioodi 2014–2020 struktuuritoetuse seaduse §-s 45 sätestatud

finantskorrektsiooni alustest ja Vabariigi Valitsuse 1. septembri 2014. a määrusest

nr 143 „Perioodi 2014–2020 struktuuritoetusest hüvitatavate kulude abikõlblikuks

lugemise, toetuse maksmise ning finantskorrektsioonide tegemise tingimused ja kord”;

4.5.2. tuleb Projekti elluviijal tagasinõutav toetus tagasi maksta 60 päeva jooksul pärast

toetuse tagasinõudmise otsuse teatavaks tegemist.

5. LÕPPSÄTTED

5.1. Leping jõustub selle allkirjastamisest ja kehtib kuni Poolte poolt kõigi oma kohustuste

nõuetekohase täitmiseni.

5.2. Lepingut võib muuta Poolte kirjalikul kokkuleppel. Muudatused jõustuvad pärast

allakirjutamist mõlema Poole poolt või Poolte poolt määratud tähtajal.

5.3. Kõik Lepingust tulenevad erimeelsused püütakse lahendada läbirääkimiste teel. Juhul, kui

läbirääkimised ei anna tulemusi, lahendatakse vaidlus õigusaktidega sätestatud korras.

5.4. Lepingus reguleerimata küsimustes juhinduvad Pooled Eesti Vabariigis kehtivatest

õigusaktidest ning Lepingu punktis 2 nimetatud Lepingu dokumentidest vastavalt nende

pädevusjärjekorrale.

POOLTE REKVISIIDID JA ALLKIRJAD:

Programmioperaator:

Majandus- ja Kommunikatsiooniministeerium

Registrikood 70003158

Suur-Ameerika 1

10122 Tallinn

Telefon 625 6342

E-post [email protected]

______________________

Andres Sutt

Programmi elluviija:

Ettevõtluse Arendamise Sihtasutus

Registrikood 90006006

Lasnamäe 2

9

11412 Tallinn

Telefon 627 9700

E-post [email protected]

______________________

Sigrid Harjo

Projekti elluviija:

Kaitseministeerium

Registrikood 70004502

Sakala 1

15094 Tallinn

Telefon 717 0022

E-post [email protected]

______________________

Kalle Laanet

Lisa_1_CC_Decision_on_PDP_Open_Cyber_Rang....asice

Digiallkirjad

Allkirjade kehtivust ei ole kontrollitud.

TANEL TOMSON PNOEE-37608070320 2021-02-25 15:11:01

Decision_on_PDP_Open_Cyber_Range_25022021.docx

Decision of the Cooperation Committee of programme “Green ICT” regarding the appraisal of the predefined project “Open Cyber Range”

Date: 25.02.2021

Cooperation Committee members:
Ms Anu Kull, Ministry of Economic Affairs and Communications
Ms Keit Kaadu, Ministry of Economic Affairs and Communications
Mr Magnar Ødelien, Innovation Norway
Ms Sille Kraam, Ministry of Economic Affairs and Communications
Mr Tanel Tomson, Ministry of Economic Affairs and Communications

Background
According to condition set in Annex I of the Programme Agreement there is an obligation of the Programme Operator to carry out an external and independent appraisal of the predefined project, in order to verify its quality and contribution to the objectives of the Programme as well as compliance with EU and national legislation.
Estonian Ministry of Economic Affairs as Programme Operator has asked the Information System Authority (hereinafter ISA) to go through the description and budget of the predefined Project “Open Cyber Range” in order to assess the suitability of the project with set requirements and give their independent opinion on planned project.
ISA has come to the following conclusion:
According to ISA, this is a necessary project to enable the training of important IT competences. Based on the information provided for the assessment, there is no reason to argue that the implementation of the project would be unrealistic.
ISA points out that, if necessary, project promoter could consider to increase the number of people trained in the project.

Decision of the Cooperation Committee
Programme Operator has sent the summary of the independent conclusion and proposal to finance the pre-defined project “Open Cyber Range” to members of the Cooperation Committee on 18.02.2021.
As there were no objections, the Cooperation Committee has made the following decision:

Relying on the conclusion of the independent expert we decide to finance the pre-defined project “Open Cyber Range” in amount of 3 331 765 euros as part of the programme EE-Innovation (“Green ICT”). We will closely monitor the reaching of project targets. Estonian Ministry of Economic Affairs and Communications (Programme Operator) will conclude a trilateral project contract with Enterprise Estonia (Implementing Agency) and Ministry of Defence (Project Promoter) to agree all the specific terms for using the grant and implementing the pre-defined project “Open Cyber Range”.

Final version of project description and budget are enclosed.

Minutes taken by
Tanel Tomson

EE-Innovation - PDP 1 Open Range Cyber Annex I budget.xlsx

EE-Innovation - PDP 1 Open Range Cyber Project Application.docx

Annex I
Pre-defined project

Project title:
Open Cyber Range (OCR)1
Project Promoter:
Estonian Ministry of Defence
Project Partner(s):
Tallinn University of Technology (TalTech), Foundation CR14 (CR14)
Donor project partner(s):
Norwegian University of Science and Technology
Total maximum eligible project cost:
3 331 765€
Project grant rate:
100%
Project grant amount:
3 331 765€
Estimated duration:
36 months

Challenges in the cybersecurity education and training and introducing new technologies:
Challenge 1: Security of ICT products starts from the design of the product, the education of cybersecurity is already incorporated to curricula of computer sciences via different courses like “Secure Programming Techniques”. However, OCR supports cybersecurity education and training by enabling creation of interactive courses and exercises, where the skill of students can be tested in live environments with monitoring and scoring when needed.
For this OCR solution library will contain learning materials, pre-built environments and ethical hacking tools for both defensive and offensive activities to simulate real life situations. All this can be implemented in a course or a training to provide imminent feedback for the students of their progress, work effectiveness and overall competence in cybersecurity.
This measure will support educating a smarter and security-minded workforce that will contribute to creating sustainable, secure and quality solutions for the industry. Companies and start-ups are encouraged to develop and introduce new content to the education and training curriculum to promote their services for wider audience.
Development of new product and services are not supported by the programme, rather a facility will be provided to SME-s to create, develop, test and validate their products and services.
Target group: industry, universities and other academic institutions.
Challenge 2: Most sophisticated cyberattacks in the world are being conducted against critical information infrastructure (Stuxnet, Energetic Bear etc.), these attacks might cause widespread blackouts, interruptions in water supply, heating and other services that modern world depends on.
Under the OCR project capabilities will be developed to simulate wide range of networks and environments where experts can model and apply different security measures (prepare and prevent), allow red teams (also known as white hat hackers) to penetrate their simulated environments (detect and response) and rehearse their cybersecurity procedures (mitigate, recover and cooperate) to provide comprehensive critical information infrastructure protection. Enterprise own networks can be virtualized and simulated to create more realistic environment.
Concepts like IoT and Industry 4.0 are covered by this challenge, OCR will provide tools and measures to support new technology and companies to emerge that support creating secure and innovative solutions for billions of interconnected devices and production lines.
Target group: critical information infrastructure companies, start-ups
Challenge 3: Academic and industry researchers create vast amount of tools, applications and other pieces of software (artefacts) that need to be experimented, validated and tested throughout their development cycle. OCR will provide a solution library of simulated networks and environments that can be used for these purposes. Also these same artefacts can be later, when they reach enough maturity, added to the solution library for other OCR participants to use and develop.
Organizations can provide expertise of students, researchers, developers and testers through OCR for industry to experiment, validate and test new technologies. Using the new technologies for educational means will give additional feedback to the producer and rises the quality of ICT products.
Also industry partners that provide stress-testing, pen-testing and red team services can be used for assuring security of the newly created technologies. Developing these types of services listed is not part of the project, however using these services on OCR will enable higher efficiency on making sure the products and services developed are better and more secure than their competitors.
Target group: industry, start-ups and academic institutions
Challenge 4: Academic organizations and industry will be able to introduce ready to deploy software and technologies to the OCR solution library that will allow them to rapidly create enterprise environments to pilot and demonstrate the capabilities of their products.
This measure differentiates from the measure 2 as these products will be ready for deployment in production systems and are considered to be mature enough to deploy in activities where the product itself assures the quality of activity, for example the product is used for educational purposes and measuring the skill of a student.
For this measure the OCR participant will build (part of) their enterprise on OCR to evaluate if the product will meet their needs in an enterprise-like environment, e.g. the product is scaling up for the use, is compliant with industry standards or other enterprise specific elements, conditions and requirements.
To achieve this template environments and commonly used artefacts (virtual machines, scripts, scenarios, etc.) will be developed in the project and provided to the OCR users. This enables to rapidly deploy common environments that SME-s need to customize based on their or their customer needs.
Target group: industry and start-ups
Activities to be funded in the project
• First initial operating environment will be created, this includes hardware, software and security equipment to operate the OCR capability, as well as civil works to install and set up the OCR for the next activities;
• Secondly project specific support elements will be developed, this includes specifications for API-s, security and data protection requirements, documentation guidelines, KPIs, OCR collaboration tools, define common scenario language, how hybrid solutions can be added (e.g. 5G, IoT, ICS systems) etc:
• Third activity will be research, development and implementation of the OCR environment, including management system, digital library, simulations, monitoring, scoring and evaluation, feedback module, social aspect module and potential federation with other similar capabilities. This activity includes also security testing of the environment.
• The last activity will provide actual content within the OCR environment for the customers to use and reuse, this includes sample software, virtual machines, attack simulations, scenarios, test environments and other artifacts. Also a testing facility will be created to test, experiment and validate new solutions. Some custom malicious content will be created that can be used in OCR environment.

Expected outcomes and effect on the target group:
• Expanded capabilities for education and training, by moving from static class courses to dynamic training and exercises that can simulate the enterprise network. Training capability will be supported by partners for OCR.
• Innovation, by allowing industry and academia to share newly created software and tools through Solution Library for fast delivery and testing in OCR community and participants.
• Better security, by allowing students and trusted third party pen-testers and red teams to evaluate the solutions used in an enterprise network on a safe environment.
• Cost effectiveness, by providing tools and solutions that are not part of traditional enterprise network, like Internet simulation, user simulation, virtual equipment etc and would be otherwise expensive to use.
• Faster delivery, by providing pre-packaged, pre-configured and easy-to-deploy tools and software that can be installed in simulated enterprise network.
• Intensified cooperation, by binding similar minded users to OCR community that share common goals for better and secure solutions both from developer and user side.
For the first three years the predictions to involve SME-s are moderate (as indicated 15), as the initial operating capability will be achieved in 2020 and first SME-s can be engaged in 2021, but they are able to use just a subset of planned services/capabilities until the full operating capability has been achieved. When more capabilities come online also more SME-s can be engaged to meet their requirements. After the full operating capability has been achieved it is foreseen that up to 10 SME-s could operate simultaneously.
In early 2019 Estonian MoD supported a cybersecurity accelerator CyberNorth2 that was a joint project between Estonian Defence Industry Association and Estonian private investors to support new start-ups in cybersecurity. Out of this programme 8 start-ups emerged (with their financial body established in Estonia) that would have benefitted from OCR capabilities while developing their products and services.
However, it is noteworthy that not all of these ventures succeed and it is estimated that there is about 50% success rate for start-up companies to survive the first year and find enough customers or investors to keep their business running.
There are no changes planned in the legislation to execute the OCR project, Estonian government has necessary support measures to successfully execute the project, these include ability to agree on cooperation and governance models for OCR, operate an existing support system for emerging companies (Start-Up Estonia), ability to issue special start-up visas for emerging companies etc.

Key performance indicators:
No
Core Indicator Name
Additional description
Indicator
(by 2022)
1.
Number of SMEs supported
Number of SMEs supported to test new products/services/processes in the Open Cyber Range
30
2.
Number of new products/technologies developed
New products developed and introduced to the OCR:
• cybersecurity training and exercise services (that include developing threat actors, scenarios, indicators, vulnerabilities, custom malware etc. that can be sold separately as a product);
• cybersecurity products (that include components of innovative technologies in fields like Industry 4.0, ICS, IoT, 5G, AI and other emerging technology topics) etc.
Baselines for these services and products come from different security standards and frameworks, e.g.:
NICE Cybersecurity Workforce Framework (https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework)
MITRE ATT&CK Framework (https://attack.mitre.org/wiki/Main_Page)
MITRE STIX 2.0 (https://oasis-open.github.io/cti-documentation/stix/intro)
10
3.
Number of professional staff trained
Staff that has participated on the cybersecurity trainings and exercises that have been developed in the OCR format.
100

For the OCR project there is no single beneficiary, previous experience has shown that a Cyber Range is a capability that can fully utilized only by very large entities (for example US military), for smaller nations, universities and private sector it is feasible to share a common capability for cost effectiveness and knowledge transfer. Thus a common project promoter is needed who will be responsible for engaging partners, leading the project and promoting the capability. A vast amount of knowledge, procedures and also technology can be transferred from the Estonian Cyber Range for the benefit of the OCR project.
Estonia has operated the Cyber Range since 2012 and altogether about 10M€ has been invested to existing capability, however this capability is now and in the future for government-to-government activities while OCR will be open for wider audience. On the existing Cyber Range world’s largest multinational cybersecurity exercises take place – Locked Shields and Cyber Coalition providing training capabilities for more than thousand trainees simultaneously.
The current funding of the Estonian Cyber Range covers the governmental requirements for training and experimentation, however making the capability available for industry and academia requires a dedicated environment with modified toolset to meet their requirements.
The main funding gaps lie in:
1. Creating an underlying physical and logical environment based on the COTS technology that will provide environment for the OCR to operate;
2. Developing both technical and procedural OCR specific concepts, methods, rules of engagements and tools to support resolving the challenges mentioned in the beginning of the document;
3. Researching and developing OCR specific tools e.g. automation of the deployment, providing situational awareness, simulation of user activity and Internet, sanitation and integrity of the environment etc.;
4. Creating sample scenarios, trainings, exercises, test and experimentation environments to support participants introducing their ideas, concepts and products to the OCR and to provide overview of the OCR capabilities;
5. Integration and/or federation with other Cyber Range, Cyber Lab and/or relevant capabilities (non-enterprise environments such as ICS, IoT, medical equipment, legacy systems etc.) from OCR will benefit.

Cooperation between Estonia and Norway
Estonian MoD will be responsible for the execution of the project, while some of the responsibilities of project management will be shared with organizations governed by the MoD, these include Foundation CR143 and Estonian Defence Investments Agency4.
Bilateral dimension is executed in the development of the OCR project while Estonian and Norwegian counterparts conduct common R&D to develop OCR components, develop common tools, promote the capability in both countries etc. NTNU has also involved local municipality to the project to find common interest.
Within the OCR project NTNU will provide the knowledge and experience from operating their academic Cyber Range, also NTNU has specific strengths in cybersecurity disciplines that are not covered on Estonian side, more specifically social aspects, feedback loop and evaluation.
Estonian MoD, TalTech and NTNU had preliminary meetings in May 2018 to define project scope and there are 18 Work Packages defined to be executed in the next three years. In almost all of these Work Packages all participants are included while the lead of the Work Packages will be shared based on the best knowledge of the topic between participants. The content of Work Packages and exact responsibilities shall be reviewed once the project is agreed, overall it is foreseen that the partner costs are divided 50:50 during the project execution.
Estonian MoD and NTNU have signed a Memorandum of Understanding (MoU) in May 2018 regarding co-operation on cyber defence exercises, training, development and research activities and OCR project will be formalized as one of the co-operation activity under this MoU. Dedicated contract (technical agreement) will be signed to define participant responsibilities, work shares, financial aspects etc.
Intellectual Property Rights model considered for this project foresees sharing the intellectual property as much as possible between project partners.

Link to national policies and strategies
Estonia has issued its third cybersecurity strategy5 in early 2019, among other topics a commitment to develop the OCR platform is described in activity area 2.1 (Supporting and promoting cybersecurity R&D and research-based enterprise), allowing to offer solutions to sectoral (start-up) companies and universities for carrying out R&D activities, testing and products and training.
This is supported by other activities under the support for innovation generation and export potential, but also ensuring an environment conducive to the inception and development of start-ups and leveraging productive cooperation between private sector, state and academia. The OCR project checks out all three priority categories.
In Estonian MoD a cybersecurity policy has been introduced6 in 2017 that includes Cyber Ranges (National, NATO, Open and Classified) as part of the core capability to support cybersecurity capability development, training and exercises, not just in the governance area of MoD, but nation-wide as this is the only governmental Cyber Range capability operated in Estonia. Also the cybersecurity policy include cybersecurity knowledge transfer and export from MoD to rest of the nation, allies and partners.
MoD’s policy is also to promote Estonian defence industry that includes a cyber-cluster, companies included to this cluster are not defence companies per se, rather they are providing dual-use solutions that the Defence Forces have adopted (for example these include cybersecurity of autonomous vehicles). Same channels can be used to promote SME-s using OCR capabilities once their products and services are mature.

Measures and expected deliverables:
Measure 1 (30%): procure and set up the initial operational capability of the OCR environment based on the COTS products that forms the core of the OCR (computing, storage, networking etc.). This measure will deliver the baseline upon OCR specific research, tools etc. will be applied.
Measure 2 (10%): develop and implement OCR specific requirements such as specifications for APIs, minimal security requirements, requirements for federating technical capabilities, guidelines for documentation, KPIs etc.
Measure 3 (30%): research and develop automation tools for activity deployment, testing capability of the deployed activities, simulation services to support activities, situational awareness tools for different use cases, sanitation technology to clean the OCR between activities, integrity platform to detect unauthorized changes etc.
Measure 4 (10%): populate OCR library with sample software, virtual machines, attack simulations, scenarios, trainings, exercises, test environments and other artefacts, document the use of forenamed items. This is a prerequisite for SMEs to be able to utilize the OCR, an initial set of the library will be populated by the project participants, and however SMEs are encouraged to contribute to this library while using the OCR capability they are not included in the development period of the OCR.
Measure 5 (10%): develop connections and make available additional external capabilities that supplement OCR capabilities and support OCR activities, this is achieved through integration and/or federation of other capabilities, this might include public cloud services for additional computing power, specialized Cyber Ranges/Labs for specific task (ICS, IoT etc.)
Measure 6 (10%): project management costs to cover one full time project manager for the duration of the project and other project management related costs.

Operations and Maintenance:
The initial operations will be supported by the Estonian Ministry of Defence in co-operation with project partners. During the project period when the capability and its operations mature, an operations and maintenance model will be developed to support the capability after the project period, this will include manning, financial provisions etc.
Estonian Ministry of Defence is planning to support the OCR capability with manning throughout and beyond the project lifecycle through the Foundation CR14. To maintain the hardware and software a business model will be created to charge SMEs for the use of capability, this allows also to operate the capability for users that have a sustainable business model themselves. Alternatives include requesting financing from national budget and opening the concept for wider sponsoring model from larger enterprises.

Risk overview:
1. Operational requirements change throughout the implementation of the OCR that leads to difficulty to support requested requirements.
a. Probability: Likely;
b. Impact: Moderate;
c. Response: Contracts with universities will be implemented in a way that allows changing the necessary requirements if needed.
2. Procurements for hardware and/or software fail or will be delayed that leads to difficulty to support requested activities.
a. Probability: Unlikely;
b. Impact: Major;
c. Response: Existing solutions from current Cyber Range capability will be provided in a smaller scale until procurements have succeeded.
3. Universities are not able to deliver requested functionalities for OCR that leads to limited capability.
a. Probability: Possible;
b. Impact: Major;
c. Response: Funding model will be changed to outsource the missing functionalities to industry. This can be achieved while universities find the partners to deliver the functionalities or project promoter will launch a public tender.
4. Lack of interest from industry that leads to underuse of the OCR capability.
a. Probability: Possible;
b. Impact: Moderate;
c. Response: Engage additional entities (Start-up Estonia, start-up accelerators etc.) to promote the capability, promote capability in conferences, meetups, seminars etc. Provide additional operational support from governmental agencies (e.g. datasets that can be used only on OCR to solve specific problems).

Terms and acronyms
Abbreviation
Content
API
Application Programming Interface
Activity
Event conducted on the OCR, this includes trainings, exercises, testing, evaluation, validation and other similar activities.
Artefact
By-products produced during the development of software, trainings, exercises etc., e.g., use cases, class diagrams, and other Unified Modelling Language models, requirements and design documents
COTS
Commercial-Off-The-Shelf
ICS
Industrial Control System
ICT
Information and communications technology
IoT
Internet-of-Things
IPR
Intellectual Property Rights
KPI
Key Performance Indicator
Library
An environment to store, document and make available items used in OCR
OCR
Open Cyber Range
SME
Small and medium-sized enterprises

Otsus_PDP_Open_Cyber_Rang_25022021.docx

„Green ICT“ programmi koostöökomitee otsus, mis käsitleb eelnevalt kindlaks määratud projekti "Open Cyber Range" hindamist

Kuupäev: 25.02.2021

Koostöökomitee liikmed:
Anu Kull, Majandus- ja Kommunikatsiooniministeerium
Keit Kaadu, Majandus- ja Kommunikatsiooniministeerium
Magnar Ødelien, Innovation Norway
Sille Kraam, Majandus- ja Kommunikatsiooniministeerium
Tanel Tomson, Majandus- ja Kommunikatsiooniministeerium

Taust
Programmilepingu I lisas sätestatud tingimuse kohaselt on programmioperaator kohustatud teostama eelnevalt kindlaks määratud projekti välise ja sõltumatu hindamise, et kontrollida programmi kvaliteeti ja panust programmi eesmärkide saavutamisse ning ELi ja siseriiklike õigusaktide järgimist.
Eesti Majandus- ja Kommunikatsiooniministeerium kui programmioperaator on palunud Riigi Infosüsteemi Ametil tutvuda eelnevalt kindlaks määratud projekti "Open Cyber Range" kirjelduse ja eelarvega, et hinnata projekti sobivust kehtestatud nõuetega ja anda oma sõltumatu hinnang planeeritud projekti kohta.
Riigi Infosüsteemi Amet jõudis järgmisele järeldusele:
RIA hinnangul on tegemist vajaliku projektiga, mis võimaldab treenida olulisi IT kompetentse. RIA hinnangul ei ole hinnangu saamiseks esitatud infole tuginedes alust väita, et projekti rakendamine oleks ebarealistlik.
RIA juhib tähelepanu, et vajadusel võiks suurendada projekti raames koolitatud inimeste arvu.
Koostöökomitee otsus
Programmioperaator on 18.02.2021 saatnud koostöökomitee liikmetele kokkuvõtte eksperdi antud hinnangust ning teinud ettepaneku rahastada eelnevalt kindlaks määratud projekti "Open Cyber Range“.
Kuna ükski koostöökomitee liige ei väljendanud vastuseisu ettepanekule, otsustas koostöökomitee:

Tuginedes sõltumatu eksperdi järeldustele, otsustame rahastada eelnevalt kindlaks määratud projekti "Open Cyber Range" summas 3 331 765 eurot programmi "EE-Innovation" (“Green ICT”) raames. Jälgime hoolega projekti tulemuseks planeeritud sihtarvude täitmist. Majandus- ja Kommunikatsiooniministeerium (programmioperaator) sõlmib EASiga (rakendusasutus) ja Kaitseministeeriumiga (projekti elluviija) kolmepoolse projektilepingu, et detailselt kokku leppida eelnevalt kindlaks määratud projekti "Open Cyber Range" rakendamise tingimused.

Projekti kirjelduse ja eelarve lõplik versioon on lisatud.

Protokollis
Tanel Tomson

Lisa_2_EE-Innovation_PDP_1_Open_Cyber_Rang.....pdf

Annex I

Pre-defined project

Project title: Open Cyber Range (OCR)1

Project Promoter: Estonian Ministry of Defence

Project Partner(s): Tallinn University of Technology (TalTech),

Foundation CR14 (CR14)

Donor project partner(s): Norwegian University of Science and

Technology

Total maximum eligible project cost: 3 331 765€

Project grant rate: 100%

Project grant amount: 3 331 765€

Estimated duration: 36 months

Challenges in the cybersecurity education and training and introducing new technologies:

Challenge 1: Security of ICT products starts from the design of the product, the education of

cybersecurity is already incorporated to curricula of computer sciences via different courses like

1 Refer to the terms and acronyms sections at the end of the document

Open Cyber Range is a virtual environment that is used for cybersecurity training and

cybertechnology development. It provides tools that help strengthen the stability, security and

performance of cyberinfrastructures and IT systems leading to secure and trustworthy products

and well-educated personnel.

Cyber Ranges function like shooting or kinetic ranges, facilitating training and exercises. Thus,

IT professionals employed by various organizations train, develop and test Cyber Range

technologies to ensure consistent operations and readiness for real world threats.

Main objectives of this project are to create a platform for (new) cybersecurity companies to

develop, test and validate their innovative products, create a launch pad for new products to

emerge to the market, promote security thinking in private sector and educate better workforce

for the private companies.

The platform will include tools and products that are not part of standard cloud service

(automation tools, simulations, red and blue team tools, situational awareness, hybrid systems

etc.), thus there is added value to SME-s to develop and test the products in OCR – faster setup

of testing and validation environment, reduced initial cost for the environment, community

support from academia and government, mentors and test-clients from other SME-s, government

and academia etc.

“Secure Programming Techniques”. However, OCR supports cybersecurity education and training

by enabling creation of interactive courses and exercises, where the skill of students can be tested

in live environments with monitoring and scoring when needed.

For this OCR solution library will contain learning materials, pre-built environments and ethical

hacking tools for both defensive and offensive activities to simulate real life situations. All this can

be implemented in a course or a training to provide imminent feedback for the students of their

progress, work effectiveness and overall competence in cybersecurity.

This measure will support educating a smarter and security-minded workforce that will contribute

to creating sustainable, secure and quality solutions for the industry. Companies and start-ups are

encouraged to develop and introduce new content to the education and training curriculum to

promote their services for wider audience.

Development of new product and services are not supported by the programme, rather a facility

will be provided to SME-s to create, develop, test and validate their products and services.

Target group: industry, universities and other academic institutions.

Challenge 2: Most sophisticated cyberattacks in the world are being conducted against critical

information infrastructure (Stuxnet, Energetic Bear etc.), these attacks might cause widespread

blackouts, interruptions in water supply, heating and other services that modern world depends on.

Under the OCR project capabilities will be developed to simulate wide range of networks and

environments where experts can model and apply different security measures (prepare and prevent),

allow red teams (also known as white hat hackers) to penetrate their simulated environments (detect

and response) and rehearse their cybersecurity procedures (mitigate, recover and cooperate) to

provide comprehensive critical information infrastructure protection. Enterprise own networks can

be virtualized and simulated to create more realistic environment.

Concepts like IoT and Industry 4.0 are covered by this challenge, OCR will provide tools and

measures to support new technology and companies to emerge that support creating secure and

innovative solutions for billions of interconnected devices and production lines.

Target group: critical information infrastructure companies, start-ups

Challenge 3: Academic and industry researchers create vast amount of tools, applications and other

pieces of software (artefacts) that need to be experimented, validated and tested throughout their

development cycle. OCR will provide a solution library of simulated networks and environments

that can be used for these purposes. Also these same artefacts can be later, when they reach enough

maturity, added to the solution library for other OCR participants to use and develop.

Organizations can provide expertise of students, researchers, developers and testers through OCR

for industry to experiment, validate and test new technologies. Using the new technologies for

educational means will give additional feedback to the producer and rises the quality of ICT

products.

Also industry partners that provide stress-testing, pen-testing and red team services can be used for

assuring security of the newly created technologies. Developing these types of services listed is not

part of the project, however using these services on OCR will enable higher efficiency on making

sure the products and services developed are better and more secure than their competitors.

Target group: industry, start-ups and academic institutions

Challenge 4: Academic organizations and industry will be able to introduce ready to deploy

software and technologies to the OCR solution library that will allow them to rapidly create

enterprise environments to pilot and demonstrate the capabilities of their products.

This measure differentiates from the measure 2 as these products will be ready for deployment in

production systems and are considered to be mature enough to deploy in activities where the

product itself assures the quality of activity, for example the product is used for educational

purposes and measuring the skill of a student.

For this measure the OCR participant will build (part of) their enterprise on OCR to evaluate if the

product will meet their needs in an enterprise-like environment, e.g. the product is scaling up for

the use, is compliant with industry standards or other enterprise specific elements, conditions and

requirements.

To achieve this template environments and commonly used artefacts (virtual machines, scripts,

scenarios, etc.) will be developed in the project and provided to the OCR users. This enables to

rapidly deploy common environments that SME-s need to customize based on their or their

customer needs.

Target group: industry and start-ups

Activities to be funded in the project

 First initial operating environment will be created, this includes hardware, software and

security equipment to operate the OCR capability, as well as civil works to install and set

up the OCR for the next activities;

 Secondly project specific support elements will be developed, this includes specifications

for API-s, security and data protection requirements, documentation guidelines, KPIs,

OCR collaboration tools, define common scenario language, how hybrid solutions can be

added (e.g. 5G, IoT, ICS systems) etc:

 Third activity will be research, development and implementation of the OCR environment,

including management system, digital library, simulations, monitoring, scoring and

evaluation, feedback module, social aspect module and potential federation with other

similar capabilities. This activity includes also security testing of the environment.

 The last activity will provide actual content within the OCR environment for the customers

to use and reuse, this includes sample software, virtual machines, attack simulations,

scenarios, test environments and other artifacts. Also a testing facility will be created to

test, experiment and validate new solutions. Some custom malicious content will be created

that can be used in OCR environment.

Expected outcomes and effect on the target group:

 Expanded capabilities for education and training, by moving from static class courses

to dynamic training and exercises that can simulate the enterprise network. Training

capability will be supported by partners for OCR.

 Innovation, by allowing industry and academia to share newly created software and tools

through Solution Library for fast delivery and testing in OCR community and participants.

 Better security, by allowing students and trusted third party pen-testers and red teams to

evaluate the solutions used in an enterprise network on a safe environment.

 Cost effectiveness, by providing tools and solutions that are not part of traditional

enterprise network, like Internet simulation, user simulation, virtual equipment etc and

would be otherwise expensive to use.

 Faster delivery, by providing pre-packaged, pre-configured and easy-to-deploy tools and

software that can be installed in simulated enterprise network.

 Intensified cooperation, by binding similar minded users to OCR community that share

common goals for better and secure solutions both from developer and user side.

For the first three years the predictions to involve SME-s are moderate (as indicated 15), as the

initial operating capability will be achieved in 2020 and first SME-s can be engaged in 2021, but

they are able to use just a subset of planned services/capabilities until the full operating capability

has been achieved. When more capabilities come online also more SME-s can be engaged to meet

their requirements. After the full operating capability has been achieved it is foreseen that up to 10

SME-s could operate simultaneously.

In early 2019 Estonian MoD supported a cybersecurity accelerator CyberNorth2 that was a joint

project between Estonian Defence Industry Association and Estonian private investors to support

new start-ups in cybersecurity. Out of this programme 8 start-ups emerged (with their financial

body established in Estonia) that would have benefitted from OCR capabilities while developing

their products and services.

However, it is noteworthy that not all of these ventures succeed and it is estimated that there is

about 50% success rate for start-up companies to survive the first year and find enough customers

or investors to keep their business running.

There are no changes planned in the legislation to execute the OCR project, Estonian government

has necessary support measures to successfully execute the project, these include ability to agree

on cooperation and governance models for OCR, operate an existing support system for emerging

companies (Start-Up Estonia), ability to issue special start-up visas for emerging companies etc.

Key performance indicators:

No Core Indicator Name Additional description Indicator

(by 2022)

1. Number of SMEs

supported

Number of SMEs supported to test new

products/services/processes in the Open

Cyber Range

30

2. Number of new

products/technologies

developed

New products developed and introduced to the

OCR:

 cybersecurity training and exercise

services (that include developing

threat actors, scenarios, indicators,

vulnerabilities, custom malware etc.

that can be sold separately as a

product);

 cybersecurity products (that include

components of innovative

technologies in fields like Industry

4.0, ICS, IoT, 5G, AI and other

emerging technology topics) etc.

Baselines for these services and products

come from different security standards and

frameworks, e.g.:

10

2 https://startupwiseguys.com/cybernorth/

NICE Cybersecurity Workforce Framework

(https://www.nist.gov/itl/applied-

cybersecurity/nice/resources/nice-

cybersecurity-workforce-framework)

MITRE ATT&CK Framework

(https://attack.mitre.org/wiki/Main_Page)

MITRE STIX 2.0 (https://oasis-

open.github.io/cti-documentation/stix/intro)

3. Number of professional

staff trained

Staff that has participated on the cybersecurity

trainings and exercises that have been

developed in the OCR format.

100

For the OCR project there is no single beneficiary, previous experience has shown that a Cyber

Range is a capability that can fully utilized only by very large entities (for example US military),

for smaller nations, universities and private sector it is feasible to share a common capability for

cost effectiveness and knowledge transfer. Thus a common project promoter is needed who will be

responsible for engaging partners, leading the project and promoting the capability. A vast amount

of knowledge, procedures and also technology can be transferred from the Estonian Cyber Range

for the benefit of the OCR project.

Estonia has operated the Cyber Range since 2012 and altogether about 10M€ has been invested to

existing capability, however this capability is now and in the future for government-to-government

activities while OCR will be open for wider audience. On the existing Cyber Range world’s largest

multinational cybersecurity exercises take place – Locked Shields and Cyber Coalition providing

training capabilities for more than thousand trainees simultaneously.

The current funding of the Estonian Cyber Range covers the governmental requirements for

training and experimentation, however making the capability available for industry and academia

requires a dedicated environment with modified toolset to meet their requirements.

The main funding gaps lie in:

1. Creating an underlying physical and logical environment based on the COTS technology

that will provide environment for the OCR to operate;

2. Developing both technical and procedural OCR specific concepts, methods, rules of

engagements and tools to support resolving the challenges mentioned in the beginning of

the document;

3. Researching and developing OCR specific tools e.g. automation of the deployment,

providing situational awareness, simulation of user activity and Internet, sanitation and

integrity of the environment etc.;

4. Creating sample scenarios, trainings, exercises, test and experimentation environments to

support participants introducing their ideas, concepts and products to the OCR and to

provide overview of the OCR capabilities;

5. Integration and/or federation with other Cyber Range, Cyber Lab and/or relevant

capabilities (non-enterprise environments such as ICS, IoT, medical equipment, legacy

systems etc.) from OCR will benefit.

Cooperation between Estonia and Norway

Estonian MoD will be responsible for the execution of the project, while some of the responsibilities

of project management will be shared with organizations governed by the MoD, these include

Foundation CR143 and Estonian Defence Investments Agency4.

Bilateral dimension is executed in the development of the OCR project while Estonian and

Norwegian counterparts conduct common R&D to develop OCR components, develop common

tools, promote the capability in both countries etc. NTNU has also involved local municipality to

the project to find common interest.

Within the OCR project NTNU will provide the knowledge and experience from operating their

academic Cyber Range, also NTNU has specific strengths in cybersecurity disciplines that are not

covered on Estonian side, more specifically social aspects, feedback loop and evaluation.

Estonian MoD, TalTech and NTNU had preliminary meetings in May 2018 to define project scope

and there are 18 Work Packages defined to be executed in the next three years. In almost all of

these Work Packages all participants are included while the lead of the Work Packages will be

shared based on the best knowledge of the topic between participants. The content of Work

Packages and exact responsibilities shall be reviewed once the project is agreed, overall it is

foreseen that the partner costs are divided 50:50 during the project execution.

Estonian MoD and NTNU have signed a Memorandum of Understanding (MoU) in May 2018

regarding co-operation on cyber defence exercises, training, development and research activities

and OCR project will be formalized as one of the co-operation activity under this MoU. Dedicated

contract (technical agreement) will be signed to define participant responsibilities, work shares,

financial aspects etc.

Intellectual Property Rights model considered for this project foresees sharing the intellectual

property as much as possible between project partners.

Link to national policies and strategies

Estonia has issued its third cybersecurity strategy5 in early 2019, among other topics a commitment

to develop the OCR platform is described in activity area 2.1 (Supporting and promoting

cybersecurity R&D and research-based enterprise), allowing to offer solutions to sectoral (start-up)

companies and universities for carrying out R&D activities, testing and products and training.

This is supported by other activities under the support for innovation generation and export

potential, but also ensuring an environment conducive to the inception and development of start-

ups and leveraging productive cooperation between private sector, state and academia. The OCR

project checks out all three priority categories.

In Estonian MoD a cybersecurity policy has been introduced6 in 2017 that includes Cyber Ranges

(National, NATO, Open and Classified) as part of the core capability to support cybersecurity

capability development, training and exercises, not just in the governance area of MoD, but nation-

wide as this is the only governmental Cyber Range capability operated in Estonia. Also the

3 Operator of the Cyber Range

4 Responsible for public tenders in governance area of MoD

5 https://www.mkm.ee/sites/default/files/kyberturvalisuse_strateegia_2022_eng.pdf

6 In Estonian, currently under review, will be updated by the end of 2020

cybersecurity policy include cybersecurity knowledge transfer and export from MoD to rest of the

nation, allies and partners.

MoD’s policy is also to promote Estonian defence industry that includes a cyber-cluster, companies

included to this cluster are not defence companies per se, rather they are providing dual-use

solutions that the Defence Forces have adopted (for example these include cybersecurity of

autonomous vehicles). Same channels can be used to promote SME-s using OCR capabilities once

their products and services are mature.

Measures and expected deliverables:

Measure 1 (30%): procure and set up the initial operational capability of the OCR environment

based on the COTS products that forms the core of the OCR (computing, storage, networking etc.).

This measure will deliver the baseline upon OCR specific research, tools etc. will be applied.

Measure 2 (10%): develop and implement OCR specific requirements such as specifications for

APIs, minimal security requirements, requirements for federating technical capabilities, guidelines

for documentation, KPIs etc.

Measure 3 (30%): research and develop automation tools for activity deployment, testing

capability of the deployed activities, simulation services to support activities, situational awareness

tools for different use cases, sanitation technology to clean the OCR between activities, integrity

platform to detect unauthorized changes etc.

Measure 4 (10%): populate OCR library with sample software, virtual machines, attack

simulations, scenarios, trainings, exercises, test environments and other artefacts, document the use

of forenamed items. This is a prerequisite for SMEs to be able to utilize the OCR, an initial set of

the library will be populated by the project participants, and however SMEs are encouraged to

contribute to this library while using the OCR capability they are not included in the development

period of the OCR.

Measure 5 (10%): develop connections and make available additional external capabilities that

supplement OCR capabilities and support OCR activities, this is achieved through integration

and/or federation of other capabilities, this might include public cloud services for additional

computing power, specialized Cyber Ranges/Labs for specific task (ICS, IoT etc.)

Measure 6 (10%): project management costs to cover one full time project manager for the

duration of the project and other project management related costs.

Operations and Maintenance:

The initial operations will be supported by the Estonian Ministry of Defence in co-operation with

project partners. During the project period when the capability and its operations mature, an

operations and maintenance model will be developed to support the capability after the project

period, this will include manning, financial provisions etc.

Estonian Ministry of Defence is planning to support the OCR capability with manning throughout

and beyond the project lifecycle through the Foundation CR14. To maintain the hardware and

software a business model will be created to charge SMEs for the use of capability, this allows also

to operate the capability for users that have a sustainable business model themselves. Alternatives

include requesting financing from national budget and opening the concept for wider sponsoring

model from larger enterprises.

Risk overview:

1. Operational requirements change throughout the implementation of the OCR that leads to

difficulty to support requested requirements.

a. Probability: Likely;

b. Impact: Moderate;

c. Response: Contracts with universities will be implemented in a way that allows

changing the necessary requirements if needed.

2. Procurements for hardware and/or software fail or will be delayed that leads to difficulty

to support requested activities.

a. Probability: Unlikely;

b. Impact: Major;

c. Response: Existing solutions from current Cyber Range capability will be provided

in a smaller scale until procurements have succeeded.

3. Universities are not able to deliver requested functionalities for OCR that leads to limited

capability.

a. Probability: Possible;

b. Impact: Major;

c. Response: Funding model will be changed to outsource the missing functionalities

to industry. This can be achieved while universities find the partners to deliver the

functionalities or project promoter will launch a public tender.

4. Lack of interest from industry that leads to underuse of the OCR capability.

a. Probability: Possible;

b. Impact: Moderate;

c. Response: Engage additional entities (Start-up Estonia, start-up accelerators etc.)

to promote the capability, promote capability in conferences, meetups, seminars

etc. Provide additional operational support from governmental agencies (e.g.

datasets that can be used only on OCR to solve specific problems).

Terms and acronyms

Abbreviation Content

API Application Programming Interface

Activity Event conducted on the OCR, this includes trainings, exercises, testing,

evaluation, validation and other similar activities.

Artefact

By-products produced during the development of software, trainings, exercises

etc., e.g., use cases, class diagrams, and other Unified Modelling Language

models, requirements and design documents

COTS Commercial-Off-The-Shelf

ICS Industrial Control System

ICT Information and communications technology

IoT Internet-of-Things

IPR Intellectual Property Rights

KPI Key Performance Indicator

Library An environment to store, document and make available items used in OCR

Abbreviation Content

OCR Open Cyber Range

SME Small and medium-sized enterprises

Lisa_2_EE-Innovation_PDP_1_Open_Cyber_Rang....pdf

5.1 Template for the PDP cost (budget)

Programme:

Project title:

Project Promoter:

Total project cost:

Project grant rate:

Project duration:

Unit

Number of

units

(a)

Unit price (€)

(b)

Total cost (€)

(a) x (b) Type of expenditure Comments/additional information

OCR Project Manager Month 36,00 5 352,00 192 672,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a 1 FTE

Travel costs Travels 36,00 1 000,00 36 000,00 Travel and subsistence

allowances for staff - Reg.

Art. 8.3.1.b

4 travels per year for three people (project manager + any

other function supporting the efforts)

ICT equipment for OCR Project Manager Kit 1,00 3 000,00 3 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

ICT quipment includes computer and smartphone with

software and licenses required to implement the project

Communication costs Month 36,00 30,00 1 080,00 Costs of consumables and

supplies - Reg. Art. 8.3.1.e Mobile and landline costs, includes mobile data

OCR identity development Days 800,00 25,00 20 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

OCR visual identity development, this includes wireframe for

the website, presentation background, roll-up design etc. All

those include logo, colorschema, fonts etc.

OCR website and connectivity to the OCR Days 800,00 60,00 48 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

OCR website to promote the capability and connect users to

the OCR capability

OCR Framework development Days 1 200,00 20,00 24 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

OCR Framework includes legal status, ruleset, business

model, contractual relationships with academia, start-ups

and enterprises etc.

Other costs 1,00 14 013,00 14 013,00

Costs arising directly from

requirements imposed by the

project contract - Reg. Art.

8.3.1.g

Publicity, translation, memorabilia, etc

-

338 765,00

WP1 - Servers Kit 1,00 300 000,00 300 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

Consists of Dell or Cisco servers, either raw computing or

with some storage

WP1 - Fast data storage Kit 1,00 350 000,00 350 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

Prefered solution is EMC XtremeIO that has proven its

capability in the Estonian Cyber Range setup or equivalent

solution, for activity use in live environments

WP1 - Slow data storage Kit 1,00 100 000,00 100 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

Slow data storage is used for storing virtual machines,

templates, configurations, scenarios etc for on-demand use

WP1 - Networking equipment Kit 1,00 150 000,00 150 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

Routers, switches, cables etc needed to connect OCR

together and to the Internet

WP1 - Civil works Days 800,00 50,00 40 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

Any work (installation, initial setup etc.) or additional

datacenter small equipment (PDU-s, rack blinds, cabling or

cabling accessories, KVM, monitoring tools etc.) needed to

set up the OCR environment

WP1 - Security equipment Kit 1,00 120 000,00 120 000,00 Cost of new or second hand

equipment - Reg. Art. 8.3.1.c

& Art. 8.3.2

E.g. IPS or any other hardwar/software needed to enhance

security of the OCR

-

1 060 000,00

Development on technical requirements to achive initial operational

capability Month 12,00 8 000,00 96 000,00

Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

No specific WP - general work to be done under the project -

develop and implement OCR specific requirements such as

specifications for APIs, minimal security requirements,

requirements for federating technical capabilities,

guidelines for documentation, KPIs, evaluate existing

capabilities (market research), analyse solutions (e.g.

proprietary vs open source) etc.

WP2 - Scenario Language Development Month 3,00 8 000,00 24 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

The goal is to develop language to define scenarios at an

abstract level. Compilers and generator will follow and

allow the automatic generation of low level artifacts

WP5 - Language Development for Digital Library Month 4,00 8 000,00 32 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

The goal is to develop language to define artefacts to be

stored in Digital Library

WP17 - Collaboration tools on OCR Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Tools to run and operate activities on the OCR – chat, wiki,

project management tools etc.

WP18 - Hybrid systems related to the OCR Month 40,00 8 000,00 320 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Develop connections and make available additional external

capabilities that supplement OCR capabilities and support

OCR activities, this is achieved through integration and/or

federation of other capabilities, this might include public

cloud services for additional computing power, specialized

Cyber Ranges/Labs for specific task (ICS, IoT etc.)

This activity will be broken down to smaller parts during the

project development, currently 3 different hybrid systems

are foreseen

-

568 000,00

WP3 - Management system (VMWare) Month 6,00 6 500,00 39 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Middleware to operate the OCR, in case of Estonian CR vLM

is used on top of VMware, in case of Norway OpenStack is

used. This includes also support systems like git,

chef/puppet, etc.

This also includes potential sanitization and integrity tools

WP4 - Management system (OpenStack) Month 6,00 9 000,00 54 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Middleware to operate the OCR, in case of Estonian CR vLM

is used on top of VMware, in case of Norway OpenStack is

used. This includes also support systems like git,

chef/puppet, etc.

This also includes potential sanitization and integrity tools

WP6 - Digital Library development Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Component to store and organize artifacts for re-use –

scenarios, virtual machines, test cases, configurations etc,

creating marketplace

WP8 - User Simulation Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

3 types of simulation:

1. Simulate a core part of Internet for OCR use (BGP, DNS,

NTP etc servers „on 6 continents“)

2. User agents for several operating systems to simulate

user behavior (e.g. standard user, admin)

3. Capability to insert noise between any system on OCR

WP9 – Traffic simulation/generation Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

In general traffic collection and distribution capability, but

also storing console events, snapshots, screenshots and

video from virtual machines, playback capability

WP10 - Activity Monitoring Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

In general traffic collection and distribution capability, but

also storing console events, snapshots, screenshots and

video from virtual machines, playback capability

WP11 - Situational awareness Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Different views for teams (red, blue, green, white) with

distinct data about exercise or training environment

WP12 - Scoring and evalution module Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Technics and procedures to gather information from OCR in

order to evaluate and score the activities

WP13 - Feedback module Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Planning tool with feedback from technical environment,

lessons identified and lessons learned

WP14 - Social aspect module Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Evaluation social aspect in OCR, e.g. behavioral analysis

connected to OCR activities

WP15 - Federation of Cyber Ranges Month 6,00 8 000,00 48 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Federating EE (OCR) and NO Ranges – connectivity,

command and control, information sharing, resource sharing

etc.

Outsourced - Security testing and validation of the OCR capability Days 100,00 1 200,00 120 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

Security testing of the hardware and software environment

set up during the project, security testing is conducted in

multiple iterations

1 029 000,00

Output / Activity 4 - Populating OCR with content

WP7 - Populating the digital library Month 24,00 8 000,00 192 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

This includes research and development on content

requirements.

Populate OCR library with sample software, virtual

machines, attack simulations, scenarios, trainings, exercises,

test environments and other artifacts, document the use of

forenamed items in a way that they are reusable by the

OCR users

This might be broken down into subprojects during the

execution

WP16 - Testing facility Month 12,00 8 000,00 96 000,00 Cost of staff assigned to the

project - Reg. Art. 8.3.1.a

Technics and procedures to test, experiment and evaluate

new software and solutions in X number of different

configurations; possible tiered sertification system for

software that has gone through the testing

Custom malicious content for the Digital Library Days 30,00 1 600,00 48 000,00

Costs entailed by other

contracts awarded by PP for

the purpose of carrying out

the project - Reg. Art. 8.3.1.f

Malicious content is usually in a form of exerciseware that

differs from actual malware in the ways of built in security

measures (e.g. Works only in dedicated environments and

on specific conditions)

-

336 000,00

3 331 765,00

-

3 331 765,00

338 765,00

2 993 000,00

Output / Activity 3 - Research and development on OCR tools

TOTAL PDP COST (1 + 2):

Total project management cost (€):

Total 1.4:

Total 1.5:

Total 1:

2. INDIRECT COSTS - Reg. Art. 8.5

Total 2:

Legend: EST price is 6 500€/per month, for NOR it is 9 000€/per month, combined price is calculated as 8 000€/per month.

36 months

OCR

Open Cyber Range

Estonian Ministry of Defence

3 331 765 €

100%

Total 1.2:

1. DIRECT EXPENDITURES - Reg. Art. 8.2 & Art. 8.3

Project management

Total 1.1:

Output / Activity 1 - Initial hardware and software environment

Total output related cost (€):

Output / Activity 2 - Project support development

Total 1.3:

Dokumendiregister	Majandus- ja Kommunikatsiooniministeerium
Viit	24.4-6/17-0524/1432
Registreeritud	05.03.2021
Sünkroonitud	26.03.2024
Liik	Leping
Funktsioon	24.4/S Väliskoostööprojektide koordineerimine
Sari	24.4-6/S Mitmepoolse / piiriülese koostöö dokumendid (Arhiiviväärtuslik)
Toimik	24.4-6/17-0524
Juurdepääsupiirang	Avalik
Juurdepääsupiirang
Adressaat
Saabumis/saatmisviis
Vastutaja	Tanel Tomson
Originaal	Ava uues aknas

Nimi	K.p.	Δ	Viit	Tüüp	Org	Osapooled
Käskkiri	12.07.2024	4	58	Käskkiri	mkm
Taotlus	22.02.2024	34	9-2/514-1	Sissetulev kiri	mkm	Kaitseministeerium

Failid

Digiallkirjad

Digiallkirjad

Seosed