Ministry of Defence - Information Systems and Services

IdAM Development and Implementation Partner (ASDT0093) - Re-issue

Incomplete applications

10
Incomplete applications
7 SME, 3 large

Completed applications

7
Completed applications
1 SME, 6 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 10 July 2019
Deadline for asking questions Wednesday 17 July 2019 at 11:59pm GMT
Closing date for applications Wednesday 24 July 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work MOD seeking partner to develop Identity and Access Management service through Beta Phase, until able to pass the digital service standard for live services and achieve security accreditation. It is to be built around NetIQ products and will focus initially on systems handling OFFICIAL information in the UK.
Latest start date Monday 30 September 2019
Expected contract length Duration: 24 months with an additional 6 month option period.
Location South West England
Organisation the work is for Ministry of Defence - Information Systems and Services
Budget range £5 - £6 Million (Ex VAT)

Contract Value includes a Limit of Liability for T&S of £50K.

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The Ministry of Defence (MOD) needs an Enterprise Identity and Access Management (IDAM) service for its IT & Digital services; this delivers part of MOD’s 2010 IDAM strategy (available on gov.uk).

This service is to provide:
1. Improved compliance with HMG’s Technology Code of Practice, by providing a reusable service and will simplify maintaining compliance with the General Data Protection Regulation (GDPR).

2. A migration path from current IDAM arrangements.

3. Identity related services that meet the Digital Service Standard, particularly for our partner organisations and external users.
It is an essential prerequisite for new IT services from Q2 2019.
Problem to be solved The Development & Implementation Partner will develop, configure and deliver Defence IdAM, including:
• IdAM services (e.g. single-sign-on & authentication) for the defence gateway and Core Network across both OFFICIAL and SECRET domains;
• IdAM directly related Directory services and interfacing with the wider directories (e.g. a master Active Directory and corporate directory).
The defence product of choice is the NetIQ product. The development focus is on OFFICIAL information in the UK, SECRET.
Who the users are and what they need to do All MOD Personnel/Partners/Contractors requiring IT application & services access.
1. As an IT user, I want single sign on to seamlessly access IT & digital services.
2. As an App or Service Owner, I want simpler, rule-based access so appropriate users get quicker access to my service and inappropriate ones are refused access.
3. As a systems administrator, I want to maintain trust relationships between systems, so normal IT operations can continue.
4. As a Security Officer, I want a simpler means of securely providing access to IT so access is quicker, more accurate and can be scrutinised
Early market engagement
Any work that’s already been done An IdAM alpha was conducted during 2016 using the Authority's product of choice, the MicroFocus NetIQ product suite. This product was selected after a market competition and evaluation. Development work commenced in Sept 2018 with the existing Development Partner who is working in an Agile manner to deliver incremental releases of the configured IdAM solution including identity log-in for defence gateway and the core network at OFFICIAL.
Existing team A project manager to oversee this activity is currently in place.

The incoming team will receive support from the wider team working on identity and directories challenges including tree Architects, an Engineering Lead and a Senior project manager. They will provide guidance and ensure coherence across this and related work (but not detailed/solutions architecture).

Around 20 people are currently engaged on the IdAM project. Collaborative working is essential between contracted parties across the directories and IdAM teams following SAFe delivery principles.
Current phase Beta

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place The Project Delivery Team is located at MOD Corsham in Wiltshire (SN13 9NR). Occasional travel to Customers may be required dependent on the need, however this will be kept to a minimum.
Working arrangements The Partner will be expected to work full time (220 days per year). The IdAM delivery team works in an Agile Scrum environment under the direction of a Scrum Master and Project Manager. Current expectations are that the Development Implementation Partner will be at Corsham at least 4 days per week. Travel and subsistence expenses to attend other sites will be payable from Corsham using current Civil Service T&S practices. Locations such as but not limited to: Andover, Farnborough & Gosport.
Security clearance Potential suppliers will be expected to hold or be in the process of obtaining SC Clearance. The Authority WILL NOT sponsor SC clearance, it must be in place and remain valid for the duration of the contract.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions Additional information will be provided for successful Suppliers following the short-list stage.

The successful Supplier must request a Security Aspects Letter and provide a Cyber Essentials Certificate.

T&S will be paid on receipted actuals in compliance with MoD policy , no other expenses are permitted.

Suppliers must use the Authorities Purchase to Payment Tool called CP&F or be prepared to sign up the tool.

Suppliers must adhere to the MOD Corsham working policies.

The following Quality Assurance standards will be applicable:
Concessions Def Stan 05-61 Part 1 Issue 6
Contractor Working Parties Def Stan 05-61 Part 4 Issue 3

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Experience of successfully delivering an IdAM service through a full project or development lifecycle in a large or complex organisation (including testing and deployment).
  • Experience of creating services built around the NetIQ products: Identity manager, Sentinel, Advanced Authentication, Access manager; including design, test, configuration and deployment of those products.
  • Experience developing large digital services that meet the Digital Service Standard for a growing community of users applying appropriate digital (Agile and user centric) methods, techniques and skills.
  • Experience obtaining and merging information from a range of sources/systems and addressing data quality issues to provide identity, role and security attribute data supporting attribute based access control.
  • Experience of building and testing an end-to-end digital service demonstrating a high level of quality.
  • Experience of DevOps Engineering – particularly deploying builds, increments and releases through Continuous Integration and Deployment pipelines, as well as scripting environment builds and changes.
  • Experience of designing and delivering Information Services with a high level of cyber and general security threat and very high criticality and creating documents to achieve accreditation.
  • Experience of providing solution, service and technical architecture and architectural roadmaps in a complex, security critical environment supporting an Agile release cycle and addressing migration considerations.
Nice-to-have skills and experience
  • Experience integrating with wider business functions using NetIQ’s APIs and scripting environment to provide a service that delivers an excellent user experience whilst meeting business policy goals.
  • Experience of creating an IdAM service, based around NetIQ’s products, but incorporating other technologies where appropriate, such that an optimised set of maintainable technology underpins the service.
  • Experience of digitising transactional processes and services internal to a large enterprise by applying good practices for: usability, user research, interaction, user-centric and graphic & content design.
  • Experience of delivery management in Agile teams building digital products according to the Government Service Design Manual, applying a range of Agile techniques and practices.
  • Experience of designing and building assisted digital elements of a service, where it is not practical or desirable to fully digitise aspects of the service.
  • Capability to use test driven development to create software in Java and other languages that bridges gaps in necessary user journeys including creating Web user interfaces, APIs, RESTful architecture
  • Experience of testing iteratively, including test data creation and test automation in the context of a mature DevOps approach.
  • Experience of integration testing in a large enterprise, including with legacy systems, and producing formal test documentation that makes maximum use of the quality assurance provided by the iterative testing.

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 3
Proposal criteria
  • How you'll provide the Authority with high-quality team that embodies the required skills; particularly, why you believe the team (as a collective) will be high performing (10%)
  • How you'll balance being responsive and flexible to changing work demands (in terms of skills/capacity) as it progresses with the benefits of a stable and consistent team. (9%)
  • Indicative structure (i.e. people/roles in your proposed team and their main interrelationships), indicative profile (how team size and roles might change over time) and start date. (9%)
  • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. (9%)
  • Your proposed approach and methodology to the digital service: particularly how the various Digital, Data & Technology Roles will work together and how users will be involved (9%)
  • Proposed approach and methodology for achieving security/information assurance accreditation and maintaining through the Agile development, including identifying threats, putting in place controls and engagement with risk owner(s). (9%)
  • How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). (9%)
  • How you'll ensure the service meets the organisation’s policy goals in terms of providing more secure Identity and Access Management/Directories processes, incorporating existing policy. (9%)
  • Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the IdAM/Directories services after they have been developed. (9%)
  • How you will optimise costs for the Authority and deliver value for money though the development and the lifetime of the service (total cost of ownership of the service.) (9%)
  • Technical proposal for a DevOps pipeline and suitable environments to enable rapid, modern development of the system. (9%)
Cultural fit criteria
  • Shares knowledge, experience and expertise with the Authority and other team members (13%)
  • Be transparent and collaborative (13%)
  • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form (13%)
  • Evidence that you attract and retain the best talent to create teams that reflect the diversity of the country and can deliver a diversity of thought to the Authority (13%)
  • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome (12%)
  • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors (12%)
  • Evidence of working successfully in an Agile manner within an organisation where some units: (particularly in relation to governance and project control processes) retain a big-design-upfront/command-and-control perspective (12%)
  • Evidence of working with organisations and stakeholders with differing levels of technical expertise (12%)
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting

Technical competence

50%

Cultural fit

20%

Price

30%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Is this requirement the same as the previous requirement issued - ASDT0093? Yes the Authority can confirm that due to issues with the advert for ASDT0093, that advert has been withdrawn and this advert is issued as a replacement. There are some slight amendments so please be sure to read this advert fully.
2. Can the Authority confirm this contract will be outside of IR35? Yes, IR35 legislation does not apply to this requirement
3. How do we respond to this requirement? Bid responses are to be submitted on the DOS templates and in Microsoft Office Excel/Word 2013 format only. The Successful Shortlist Suppliers will receive further additional information and instructions.
4. Can the Authority, please confirm the procurement timetable in relation to the written proposal, presentation dates and contract award? Proposed date for Written and Case Studies submission to the Authority - W/c 12th August.

If Presentations are required the dates to be held are between W/c 20th August - 6th Sept at MOD Corsham.

Latest Contract Start Date 30th Sept 2019
5. Please could the Authority provide the Cyber Risk Assessment Reference for a Supplier to complete the required SAQ? The Risk Assessment is Low and reference number: RAR-W66D3HTA
6. What is Identity Access Management (IdAM)? IdAM, is the creation and management of digital identities which are used to access information, systems and applications and physical access. The programme in ASDT is designing and building systems for the consolidated management of identities- people or things (devices, processes etc.), across MOD. This will enable appropriate access to the systems or applications in the first instance, and to information embedded within these as well.
Simplifying the management of credentials and access privileges across the multiple systems present across Defence, will considerably streamline authentication processes for users, enabling one username and password for sign onto multiple services.
7. What are the benefits of the IdAM Programme? The recognised benefits include:
• Minimize Security Risk – control access to the networks and applications and instantaneously update accounts in a complex and ever-changing IT landscape.
• Centralized auditing and reporting – know who did what and report on system usage.
• Reduce IT operating costs – immediate return on investment is realized by simplifying and automating much of the existing process for account management.
• Improved quality of IT services – creating a better user experience simplifying authentication and authorisation:
• Legal compliance – specifically, Data Protection Laws and other government mandates require secure control of access
8. Which classifications will IdAM cater for? The IdAM roadmap will be available for both OFFICIAL and SECRET applications, however, the initial set of work is focusing on OFFICIAL information resources.
9. Who can use IdAM services? We recognise 4 main user groups which are permitted licenses for IdAM Services, these are:
• MOD personnel: civil servants, UK military, Royal Fleet Auxiliary, MOD police, locally engaged civilians
• Other government officials: department civil servants, other public sector employees, crown ministers, special advisers, ministerial assistants, honorary/ ceremonial appointments, non-executive directors, select parliamentary committee members
• Partner organisations: supplier employees, MOD contracted personnel, foreign military allies, international government organisations (IGOs)
• Affiliated organisations personnel: Cadet forces, veterans, service personnel dependents
10. How does GDPR affect IdAM? • Lawfulness, fairness and transparency – the MOD policy for data collection is available to all and agreement is through signing SyOps
• Purpose limitation – personal data is held only for IdAM purposes
• Data minimisation – information held is required to support identity and access management only.
• Accuracy – information is held in one location, easier to keep data accurate
• Storage limitation –linking relevant personal information in one location is easier to delete
• Integrity and confidentiality – personal data will be held in a secure vault for use in automated processes for access decision making.
11. How are IdAM capabilities being rolled out? The E-IdAM services are being developed following Agile methodology. The technical team is releasing functionality incrementally using sprints to plan and monitor progress. This means that up front planning and stage gate time deadlines associated with PRINCE2/ Waterfall project management will not be applicable to the delivery of IdAM functionality.
12. What is Federation/ Federated Access? Federated access refers to a user’s digital identity and associated attributes from a separate organisation (eg. NATO) to be used by MOD systems and vice versa. This allows trusted partners to create and maintain digital identities for their personnel to gain appropriate access to their respective authorised MOD systems rather than have accounts, credentials or identities manually provisioned by the other party. For trusted partners, the IdAM IBS component would recognise the credentials of a federated individual and allow authentication. This extended access to third parties will only be delivered once IdAM capabilities have been established for the MOD userbase.
13. Which Technology is the IdAM solution based on? To meet the IdAM needs of the various MOD wide populations and corresponding services, several technologies are likely to be needed. A core technology will be NetIQ products, namely: Identity Manager, Access Manager, Advanced Authentication, Access Review, which have been procured. the IdAM project has purchased 440,704 NetIQ licences.
14. Where will IdAM be hosted? IdAM is providing a set of services which applications will interact with, therefore where IdAM will be hosted is not relevant for application owners. IdAM will be utilising MOD Cloud platforms to provide the services. We will be expanding the services into all environments depending on availability and maturity.
15. What is the range of anticipated integration mechanisms? The preferred pattern for applications to integrate with the Identity Brokering service is using Security Assertion Markup Language (SAML) and WS-Federation (WS-FED), widely used industry standards. Teams responsible for building or buying new software (or SaaS services) should ensure their software supports this. Where there is a strong case for doing so, other technologies and patterns such as Kerberos or encrypted storage of legacy application credentials can be supported by exception.

Functions other than authentication and authorisation of users, such as self-service and provisioning, will be made available through Application Programming Interfaces (API) and Graphical User Interfaces (GUI) where appropriate.
16. Please can the MOD provide information on the selection rationale from the Alpha phase to NETIQ products? No, however where not commercially sensitive, information about the business requirements for the Alpha phases will be provided as appropriate to the awarded supplier.
17. It is understood that the Discovery and Alpha phase for the project has been completed. Could you MOD confirm which organisation completed this work? No, however this will be provided where required in order to facilitate handover, as appropriate to the awarded supplier.
18. Can the Authority confirm if the requirement to replace the existing Alpha external contractor or to augment and scale the IdAM project team? The requirement is for the incoming contractor to work collaboratively with the existing contractor until their contract ends (January 2020) at this point the incoming contractor will assume delivery responsibilities. The new contractor will also commence activities in the areas that have not yet started such as the secret development space, building on the work that has already been achieved in the Official space.
19. Given the potential conflict of interest, are we right to assume that any supplier bidding for “IdAM Development and Implementation Partner (ASDT0093)” will not be permitted to also bid for “IdAM Product Managers & Service Transition Partner (ASDT0092)? The adverts ASDT0092 & ASDT0093 are two separate contracts and the same supplier can bid for both. In this eventuality the Authority will require the provision of two independent teams with specific roles.
20. What are the current IAM arrangements? Current IAM at MOD is essentially a matter devolved to each individual system, with some minimal reuse of identifiers. As such they are highly variable in both technology and procedures
21. Can we assume the NetIQ application will bolt into a current back-end AD instantiation in each security classification/domain? No. In some domains IdAM is expected to interoperate with one or more AD services (but it must be able to serve a range of needs/use cases without reliance on a separate AD). ADs that IdAM interoperates with may or may not pre-exist it.
22. Is a common SSO and authentication capability meant to span multiple classifications? IdAM is meant to provide a coherent service to users using systems protecting both OFFICIAL and SECRET information, but this does not necessarily mean reuse of credentials across systems protecting different classifications of information.
23. How big is the user base and how is it split across classifications and caveats? The core user for IdAM is around 0.5 million people. In the longer term it is intended that the IdAM service will allow federation to key allies and partners whose users are not included in this figure. The IdAM service is a core part of provisioning and authorising access to systems and information of all classifications below TOP SECRET based on rules, policies and attributes of the users, as such the user base is not really segmented in the manner the question implies
24. How will user credentials be protected? The iterative design and delivery of the IdAM service in collaboration with the Authority - including solving and evolving the solution to that problem - is the service that is to be delivered under the contract.
25. What is the interdependency on existing PKI infrastructure? It provides the root certificate Authority (which is the same as all other defence systems).
26. Will the developed system support remote access and/or current MoD VPN solutions? Yes.
27. What are the KPIs for solution performance? (user response times, availability, etc) Understanding the user needs and meeting them (including the non-functional aspects of that need) is part of the scope of the engagement.
28. We originally received this opportunity on 26th June with a submission deadline of today. We have already submitted our proposal.

Can you confirm has this been re issued? if so, can you confirm the reasons as to why?
The original advert was cancelled on 10th July, when it was cancelled it showed no completed applications, the Authority have not received any applications.

The advert has been re-issued as "IdAM Development and Implementation Partner - ASDT0093 - re-issue", the reason for cancelling the original advert is due to the incorrect information in the 'Essential Skills and Criteria' element. The Authority rectified this information utilising the Clarification Question facility, however it was identified that Suppliers would not see the amended 'Essential Skills' on the submission element of the portal, therefore would respond to the incorrect detail on the original advert.
29. Will the MoD consider alternative solutions to NetIQ? No
30. Has NetIQ been procured and is it currently being designed/deployed? Yes, the incoming team will be expected to work with the incumbent contractor to continue development and to take on new activities.
31. With regards to the question under the ‘Nice-to-have skills and experience’ criteria “Experience of designing and building assisted digital elements of a service, where it is not practical or desirable to fully digitise aspects of the service.”
Please can the Authority confirm whether they are referring to assisted digital in terms of the Government Digital Service’s “Assisted Digital” campaign to improve accessibility and uptake of digital services or whether this in relation to not digitising specific components of a service due to technical limitations?
The question requires further clarity to enable an appropriate response. However, the Authority has provided a response in relation to the ‘what does assisted digital mean’. The question refers principally to Assisted Digital as defined in the HM Government Service Manual (https://www.gov.uk/service-manual/helping-people-to-use-your-service/assisted-digital-support-introduction) – meaning ensuring users are not excluded when they cannot or will not complete tasks online (https://www.gov.uk/service-manual/helping-people-to-use-your-service/designing-assisted-digital). In this case, the Authority are applying this to all users (including internal MOD ones).
32. Same question stated at Number 31. This is to allow the Authority to provide further detail in the response to assist Suppliers. Note: this definition does include some ‘technical’ limitations such as the user lacking internet access - in this case that should be read in its historic/formal sense as ‘an internet’ with a small ‘i’ (as in short for internetwork) rather than ‘the Internet’. Defence users may encounter such ‘technical’ constraints when they are in Secure Compartmented Information Facilities (SCIFs) or other locations that restrict the use/availability of usual computing/smart devices, but equally issues of trust and motivation can come into play as with any other digital service. The Authority is not aware of a ‘campaign’ by GDS about assisted digital.