Government messaging platforms used for citizen alerts and authentication are under scrutiny after a whistleblower complaint triggered a probe into NICSI’s empanelment process.

Rs 110–125 Crore NICSI Messaging Deal Under Govt Review Following Bogus Certification Allegations

Shashank Shekhar

NEW DELHI: The government is rechecking the documents furnished for a Rs 110–125 crore annual contract recently awarded by the National Informatics Centre Services Incorporated (NICSI) for SMS and messaging gateway services.

According to government sources, the Ministry of Electronics and Information Technology (MeitY) is reviewing documents submitted during the tender process following allegations that the empanelled contractor may have submitted invalid or fraudulent certification documents to secure the deal.

A whistleblower within the government informed The420.in about the probe, which was initiated after MeitY received a formal complaint flagging alleged irregularities in the empanelment process.

The Contract

In January 2026, enterprise communication service provider OneXtel Ltd. announced that it had secured empanelment from NICSI to provide messaging gateway services for government organisations across India. The three-year arrangement, with provisions for a two-year extension, was expected to generate annual revenue of approximately Rs 110–125 crore for the company.

The empanelment authorised OneXtel to deliver SMS and messaging services to central and state government departments, ministries, public sector undertakings, and autonomous bodies under NICSI File No. 10(04)/2024-NICSI for Message Gateway Services. The scope of services includes transactional alerts, OTP-based authentication, public awareness campaigns, essential service notifications, emergency communications, and Rich Communication Services (RCS).

NICSI, which operates under MeitY, serves as the central technology services arm for government entities, with its message gateway framework supporting large-scale government-to-citizen communication.

The Complaint

The420.in has accessed the complaint letter, which raises serious concerns about the validity of a Capability Maturity Model Integration (CMMI) Level 5 maturity certificate submitted by OneXtel Ltd. during the empanelment process.

 A copy of the CMMI Maturity Level 5 certificate submitted by OneXtel Media Private Limited, issued by UK Certification & Inspection Limited, which is at the centre of a government probe following allegations that the certifying body is not authorised by the CMMI Institute.

CMMI is a globally recognized framework that assesses an organization’s process maturity and capability in delivering quality products and services. Governed by the CMMI Institute (now under ISACA), the certification evaluates organizations across five maturity levels, with Level 5 being the highest, indicating optimized and continuously improving processes. 

For government tenders involving critical infrastructure like messaging services, CMMI Level 5 certification serves as a key eligibility criterion, demonstrating that a vendor has established robust processes for project management, quality assurance, and service delivery. 

The certification can only be issued by CMMI Institute-authorized Lead Appraisers, with all valid appraisals published on the institute’s Published Appraisal Results System (PARS) for verification. By mandating CMMI certification, government agencies ensure that contracts are awarded to vendors with proven operational excellence and capability to handle large-scale, mission-critical projects.

According to the complaint, the CMMI Level 5 certificate was allegedly issued by UK Certification & Inspection Limited, an entity that is not authorised by the CMMI Institute to conduct such appraisals or issue certifications. If established, this would render the certificate invalid and place the company in non-compliance with eligibility criteria specified in the NICSI empanelment.

The Capability Maturity Model Integration (CMMI) framework is owned and governed exclusively by the CMMI Institute, which now operates under ISACA. As per established protocols, only CMMI Institute–authorised Lead Appraisers, using the official Benchmark Appraisal method, can issue valid CMMI Level 3, 4, or 5 ratings.

The complaint further highlights that all legitimate CMMI appraisals conducted by authorised Lead Appraisers are mandatorily published on the Published Appraisal Results System (PARS) for transparency and verification. The official verification portal is available at https://pars.cmmiinstitute.com.

Additionally, the CMMI Institute maintains a directory of authorised partners at https://cmmiinstitute.com/partners/directory. According to the complainant, neither OneXtel Ltd. nor UK Certification & Inspection Limited appears on this official registry.

An excerpt from the CMMI Institute’s official guidance on “False CMMI Certification,” warning that certificates issued by non-authorised organisations—whose appraisals do not appear on the Published Appraisal Results System (PARS)—are illegitimate and not recognised by the Institute.

Government sources noted that the tendering process itself was conducted transparently, with all bids and documents furnished by bidders uploaded on the official e-procurement portal. Bid documents related to Tender 2025_NICSI_228388_1 are available on https://etenders.gov.in for verification.

Official Response Awaited

The420.in has emailed a detailed questionnaire to NICSI seeking its response but has not received a reply at the time of publication. However, a senior government source confirmed that the complaint has been received by multiple senior officials within the ministry, triggering a review of all relevant documents and certifications.

The420.in has also reached out to OneXtel Ltd. for its response to the allegations. The company had not responded at the time of publication.

Expert Opinion

When asked about the importance of CMMI certification in government technology tenders, a senior bureaucrat and former advisor to TRAI, who requested anonymity, told The420.in that such certifications are critical for ensuring operational reliability, security, and legal compliance in citizen communication infrastructure.

The officer said government departments require CMMI certification to gain assurance that service providers are capable of operating reliable messaging systems that directly impact public administration and safety. He added that beyond reliability, concerns such as privacy of personally identifiable information (PII), protection against insider threats, and the risk of misuse of citizen data are valid reasons for mandating rigorous capability assessments of vendors handling large-scale government communication platforms.

On the issue of non-authorised entities issuing CMMI certificates, the officer said that while he did not have specific data on the frequency of such cases, the government has established policies and procedures to prevent and address them. 

He noted that if a non-authorised entity issues a certificate, the procuring agency does not receive the assurance it explicitly sought through the tender. “Acceptance of an invalid certificate, even inadvertently, amounts to a vitiation of the procurement process and a breach of the department’s fiduciary duty,” he said.

The officer explained that in such situations, procurement rules provide multiple corrective options, including disqualification of the vendor, cancellation of empanelment, withholding of purchase orders, or even voiding the procurement process, depending on the circumstances. He added that vendors may also be debarred from future government contracts for a specified period, which is typically around two years.

Responding to whether procuring agencies should independently verify certifications, the officer explained that relying solely on bidder submissions is inconsistent with the Central Vigilance Commission’s broader guidelines on diligence in document verification. Drawing an analogy with Aadhaar authentication, he said an Aadhaar card or number represents a claim, not authentication, which must be verified through official systems. “Similarly, a CMMI certificate or appraisal ID is only a claim of successful appraisal and must be verified for scope and validity,” he said.

Another senior IAS officer in the ministry pointed out that genuine CMMI certificates carry an appraisal ID that can be checked against the Published Appraisal Results System (PARS) to verify who was appraised, the scope of the appraisal, and the maturity level achieved.

He added that CMMI encourages reporting of unverifiable certificates and responds to such reports, particularly when they come from government agencies.

On the risks of empanelling vendors based on invalid or unverifiable certifications, the officer compared it to employing a driver with an invalid driving licence. “If a licence is unverifiable, it may have been revoked or impounded, or the person may not have the requisite competence. In any case, it is illegal to let them drive,” he said. Engaging a service provider whose capability has not been properly assessed, he added, poses similar risks to the integrity and reliability of critical government infrastructure.

Troubled Past

The current probe comes against the backdrop of earlier regulatory action involving OneXtel’s messaging operations.

In July 2024, the Department of Telecommunications (DoT) suspended OneXtel, along with V-Con, another registered telemarketer, for allegedly misusing their platforms to send malicious and phishing SMSes.

According to a DoT direction dated July 15, 2024, the two entities were found responsible for sending 55.5 million fraudulent SMSes to smartphone users since January 2024. The action followed multiple complaints filed by telecom users on the Chakshu portal regarding malicious messages.

What’s Next

The investigation is expected to focus on verifying the authenticity of the CMMI certification submitted by OneXtel Ltd. and assessing whether adequate due diligence was conducted during the empanelment process.

If the allegations are substantiated, the findings could have significant implications for the contract award and may lead to broader scrutiny of certification verification mechanisms in government procurement.

The case underscores the importance of robust verification processes, particularly for contracts involving critical communication infrastructure that supports citizen services across government projects. It also raises questions around background checks and due diligence, especially in light of the prior regulatory action against the contractor just months before the empanelment.

At the time of publication, neither NICSI nor OneXtel Ltd. had issued official statements regarding the complaint or the ongoing review.
