Qualify for the tender.
Survive the audit.

Almost always, yes. The CERT-In April 2022 directions plus the subsequent MeitY procurement guidance make a CERT-In empanelled audit a baseline qualification for almost every Government of India and PSU tender for a digital product or service that handles citizen data or government information. GeM (Government e-Marketplace) onboarding for ICT product categories, CPPP (Central Public Procurement Portal) tender responses for software services, MeitY-funded programmes and most state-government IT-department RFPs all reference CERT-In empanelment as either a mandatory qualifier or a strong scoring criterion. AxVeil itself is not currently CERT-In empanelled (see the BFSI disclosure), so for GovTech engagements we deliver the technical work as a sub-contractor to an empanelled partner who signs the regulator-facing report — the buyer signs paperwork directly with the empanelled firm.

CERT-In's April 2022 directions (No. 20(3)/2022-CERT-In) require any service provider, intermediary, data centre, body corporate and government organisation to report a defined list of cyber incidents to CERT-In within six hours of noticing them. The reportable list covers compromise of critical systems, unauthorised access to ICT systems, identity theft, website defacements, malicious-code attacks, attacks on servers / endpoints / IoT / SCADA, DDoS, attacks on email infrastructure, and unauthorised access to social-media accounts. Meeting the six-hour window requires: a 24x7 monitoring or callout function, a pre-approved incident-classification matrix, a templated CERT-In notification form ready to populate, named on-call owners with delegated authority, and tabletop-exercised escalation chains. The engagement deliverable includes the playbook, the templates and a tabletop exercise that validates the timeline.

STQC (Standardisation Testing and Quality Certification, Ministry of Electronics and Information Technology) operates the formal product-level certifications: Common Criteria evaluations, ITSAR (Indian Telecom Security Assurance Requirements) for telecom equipment under the Trusted Telecom Product framework, the e-Pramaan / DigiLocker integrator certifications, and the GIGW (Guidelines for Indian Government Websites) 3.0 compliance assessment for government websites and applications. STQC is a separate body of work from the CERT-In empanelled audit — STQC certifies the product against a defined evaluation profile; the CERT-In audit certifies the security posture of the deployed system and its operator. Many GovTech RFPs ask for both. The AxVeil engagement covers the technical work for both tracks; STQC certificate issuance is handled by the appropriate STQC-authorised laboratory.

Section 70 of the IT Act 2000 empowers the Government to declare any computer resource that directly or indirectly affects Critical Information Infrastructure as a Protected System. NCIIPC (National Critical Information Infrastructure Protection Centre) operates as the nodal agency under the National Technical Research Organisation (NTRO) for the sectors notified as CII — Power, Banking & Financial Services, Telecom, Transport, Government and Strategic & Public Enterprises. Notification as a Protected System adds penalties under §70 (up to ten years imprisonment for unauthorised access), specific NCIIPC reporting obligations, mandatory adoption of NCIIPC's Guidelines for Protection of Critical Information Infrastructure, and an annual CISO-led security audit by a CERT-In empanelled auditor. Engagement scope expands to include NCIIPC controls mapping, supply-chain risk on critical components, and the §70 procedural compliance posture.

DPDP Act §17 provides specified exemptions for processing of personal data by the State and its instrumentalities for sovereign functions (national security, prevention of offences, judicial functions, research, statistical analysis) — but the exemption is bounded, requires notified instrument, and does not extend to most citizen-services GovTech use cases. Citizen-services platforms (DigiLocker integrations, PMJAY claim systems, scholarship portals, GST and tax-filing, e-District, transport / driving-licence systems, state-level health-and-education portals) operate as Data Fiduciaries under the full DPDP regime: lawful processing, consent capture (with §6 grounds for legitimate State use limited), purpose limitation, retention, breach notification to the Data Protection Board, children-data §9 obligations, and Significant Data Fiduciary obligations where notified by volume / sensitivity. The DPDP Rules 2025 detail the operational mechanics. The engagement includes a §17-applicability mapping and a Data Fiduciary posture review against the operating Act and Rules.