Ministry of Justice

MOJ Staff Account Management (Joiners, Movers, Leavers) Security-focused Discovery

Incomplete applications: 6 (3 SME, 3 large)
Completed applications: 11 (5 SME, 6 large)

Important dates

Published: Wednesday 17 July 2019
Deadline for asking questions: Wednesday 24 July 2019 at 11:59pm GMT
Closing date for applications: Wednesday 31 July 2019 at 11:59pm GMT

Overview

Summary of the work: Discovery work on enhancements to Joiners, Leavers and Movers processes and technology across MoJ systems and applications, including an as-is audit and review.

The discovery exercise and associated reporting should be delivered within 3 months (there is no suggestion that 3 months of full-time effort is required).

The contract length is set at 4-6 months to cater for surrounding work planning, procurement flexibility etc.

Latest start date: Tuesday 1 October 2019
Expected contract length: 4-6 months
Location: No specific location, e.g. they can work remotely
Organisation the work is for: Ministry of Justice
Budget range: Capped time and materials (CTM) up to £80,000 (exc VAT)

About the work

Why the work is being done: The Ministry of Justice (MOJ) has a diverse and sizeable technology estate, where many systems operate independent authentication/authorisation systems. Different user management approaches are in use, which means account management when staff/contractors join, change role, or leave the organisation is inherently a manual and duplicated activity, and thus prone to delay or error.

Problem to be solved: The MOJ are seeking to meaningfully understand (map, analyse) this account management estate in order to generate a prioritised, cost- and time-estimated list of cost-effective tactical/strategic improvements to the technology systems and/or processes that drive joiners, movers and leavers activities, making them more accurate, resilient, automated and otherwise efficient.

Who the users are and what they need to do:

As a security manager, I need confidence that we have appropriate account/permission management, so that information/system access is managed.

As an information asset owner, I need confidence that only authorised users can access information, so that I can assure stakeholders such obligations are met.

As a system owner/administrator, I need to ensure accounts are created, managed and revoked, so that I deliver a good service.

As a line manager, I need to have accounts created, modified and closed so that my team can work efficiently and safely.

As a user, I need an account with suitable access, so that I can do my job.

Early market engagement: None conducted

Any work that's already been done: Unique system-specific / user-group discoveries and limited pilot works for targeted account management improvements have previously been conducted. Existing documentation/information can be made available to shortlisted bidders on request.

The MOJ is currently investigating a federated account overlay solution for one main technology area (productivity suites). This information will be made available to the successful bidder(s) through the life of the project.

Existing team: MOJ Digital & Technology - Security & Privacy Team

Current phase: Discovery

Work setup

Address where the work will take place: Supplier location(s); Petty France (London, SW1H 9AJ); 10 South Colonnade (Canary Wharf, London); and various other UK MoJ sites as agreed and as required.

Working arrangements:
- On site for face-to-face meetings and discovery work with user groups
- Use agile working methods
- At least bi-weekly progress reports
- Use of digital collaboration tools such as Slack and Skype for remote working where possible
- Use of MoJ digital work planning tools (Jira, Confluence and Trello) where mutually agreeable
- The Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on an as-required (but at least bi-weekly) basis

Security clearance: Baseline Personnel Security Check (BPSS, https://www.gov.uk/government/publications/government-baseline-personnel-security-standard) as a minimum for any persons interacting with, or receiving information directly relating to, MoJ data/systems

Additional information

Additional terms and conditions:
- Standard Digital Outcomes and Specialist framework & call-off contract (https://www.gov.uk/government/publications/digital-outcomes-and-specialists-2-call-off-contract)
- MoJ's Travel and Subsistence policy

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers' technical competence.

Essential skills and experience
  • Recent experience (within the last 3 years) conducting user-led research for enterprise IT solution design/assessment
  • Recent experience (within the last 3 years) of enterprise account/identity and account management within large-scale hybrid enterprise IT environments
  • Recent experience (within the last 3 years) of identifying and mapping existing user and technology processes
  • Recent experience (within the last 3 years) in implementing/configuring technologies such as Active Directory, Okta, Oracle IAM, Amazon Web Services IAM, Azure Active Directory and other modern identity management technologies
  • Recent experience (within the last 1 year) with external NCSC, CIS, NIST (etc) standards in relation to auditing/implementing account and account permission management

Nice-to-have skills and experience
  • Recent experience (within the last 3 years) in implementing retrospective account management process and technology changes
  • Recent experience (within the last 3 years) in conducting automated account and/or account permission audits using technical tooling

How suppliers will be evaluated

How many suppliers to evaluate: 3

Proposal criteria
  • Methodology/approach to understanding and mapping existing MOJ user and technology processes, dependencies and interconnections in relation to user account management
  • Methodology/approach to generating and prioritising recommendations for change/improvement in relation to processes and technology-driven account management
  • Methodology/approach to ensuring any recommendations are aligned with wider generally accepted good practices and external standards/guidance (where they are applicable)
  • References from UK public sector organisations for comparable work from within the last 5 years

Cultural fit criteria
  • Recent (within the last 3 years) experience working in the public sector or other highly regulated sector
  • Agile principles and ways of working
  • Quality assurance processes

Payment approach: Capped time and materials
Assessment methods: Written proposal
Evaluation weighting: Technical competence 65%; Cultural fit 10%; Price 25%

Questions asked by suppliers

1. IMPORTANT UPDATE

The Authority intended to add additional assessment methods and this was missed when we published. To avoid the need to withdraw and republish this procurement we have set out the additional assessment methods below.
* a presentation
* a case study
* a reference
* a work history
2. MoJ's Travel and Subsistence policy < given that the Call-Off terms already reference the Buyer's expenses policy, what are you trying to add in addition to that term?

MoJ Expense Policy - if the work was within London we would state no expenses within M25 and if there are any expenses, the supplier would have to abide by MoJ expense policy with regards to travel, hotel subsistence and book this through MoJ (i.e. Fola).
3. Standard Digital Outcomes and Specialist framework & call-off contract (https://www.gov.uk/government/publications/digital-outcomes-and-specialists-2-call-off-contract) < are you seriously trying to add the entirety of the Call-Off terms for DOS 2 to the Call-Off term for DOS 3, if so why?

Good point and the link is an old one!!
4. Is there any existing supplier providing the mentioned services?

We have a number of suppliers who are involved in delivering parts of the Joiners Movers and Leavers processes as part of running different systems for the department, however there is no supplier running the entire JML process for the whole organisation.
5. Can you advise, does this assignment sit inside or outside of IR35?

Outside
6. "The Authority intended to add additional assessment methods" - the Authority is Crown Commercial Service – why are they asking questions in this procurement? What has the Buyer (MoJ in this case) got to say about that I wonder....

The MoJ has no further comment to make, unless the question can be more specifically defined.
7. 1) Can you please confirm the scope of the assessment that needs to take place. Which areas of the MOJ is the work looking to cover (MOJ HQ, Prisons, HMCTS, HMPPS HQ, all departments etc)?

MOJ Digital & Technology provide technology services across the entirety of the MOJ, including to executive agencies and non-departmental public bodies sponsored by the MOJ. The target of this work is account management for MOJ Digital & Technology provided services and thus some scope/interaction with all utilising organisations is expected.
8. 2) Can you please provide details of what is required in the further assessments – (the case study, the presentation, reference, work history).

Once initial bids have been sifted and bidders have been shortlisted for evaluation the MOJ will confirm which assessment method(s) have been chosen and more information will be provided at that time. The MOJ may or may not seek to combine multiple methods, for example, a single presentation where bidders are requested to discuss their organisation and their approach to the MOJ's requirements while also referencing related work history.
9. 3) What further documentation will be made available to qualified bidders?

There are various technical and process documentation sets describing current account management workflows. All relevant MOJ documentation will be collated and made available to the successful bidder(s). The supplier(s) will have responsive persistent access to various key personnel who will also be able to provide further information as may be required.
10. 4) Do the MOJ have any specific deliverables they are expecting from this project?

The MOJ is ultimately expecting one or more written reports that contextually consider all provided account management related information (including, but not limited to, technical diagrams, workflow information, internal policies, internal process documents and interview outputs) and describe detailed contextualised recommendations (in a prioritised order) that the MOJ can review and implement to meaningfully and efficiently improve account management within the MOJ.
11. 5) What are the expected volumes of Joiners, Movers, Leavers per year that fall under the scope of this assessment?

We are working to establish numbers.
12. 6) How many MOJ permanent employees are working in the Security & Privacy Team?

There are currently 33 civil servants within the MOJ Security & Privacy team.
13. 7) Can you please clarify whether "Biweekly reports" refers to reports twice a week or once a fortnight?

A diarised touchpoint (can be entirely verbal but short presentations or written paragraphs are preferred where suitable) at least once a fortnight.
14. 2nd Clarification Question

• What is their coverage in user numbers and if applicable department/agency etc?
• Are cloud based systems in scope?
  o If so are these currently managed by the IT department to a process or are they ad-hoc and at a departmental (business) level?
  o How is access currently controlled for cloud based systems?
• Are all in scope systems and applications owned by the MoJ? Or are there Civil Service wide systems, for example?
• Is Privileged Access in scope? For example, management of AD security groups, domain account, root accounts?
  o If so, is there a privileged account inventory mapped to users?

- Approximately 100,000 full time equivalents interact with MOJ Digital & Technology provided technology services within the MOJ (this excludes user bases to some systems, such as solicitors and barristers who access some MOJ applications). The scale should be relatively irrelevant, this work focuses on the account stores and surrounding processes.
- There is an unknown split between perm, non-perm (contractors) and other third parties.
- There is no single standard JML process adopted by all entities within scope.
- JML processes differ by location/organisation.
- JML processes may not be well documented.
- None of the JML processes are entirely automated.
15. Question 19 (2nd Clarification Question) above has an incorrect response.

The response to question 19 (2nd Clarification Question) will be answered in due course.
16. 3rd CQ -

• What is the in scope user base?
• What is the split between permanent, non-permanent employees (contractors) and other Third parties?
• Is there one, standard JML process that is adopted by all entities in scope?
• Do JML processes differ by location (i.e. within the assumed target department)?
  o Do JML processes differ by department?
  o Are these well documented?
• Are any of the JML processes currently automated?
• Are any of the JML processes managed by an offshore/outsourced service provider?

- Approximately 100,000 full time equivalents interact with MOJ Digital & Technology provided technology services within the MOJ (this excludes user bases to some systems, such as solicitors and barristers who access some MOJ applications). The scale should be relatively irrelevant, this work focuses on the account stores and surrounding processes.
- There is an unknown split between perm, non-perm (contractors) and other third parties.
- There is no single standard JML process adopted by all entities within scope.
- JML processes differ by location/organisation.
- JML processes may not be well documented.
- None of the JML processes are entirely automated.
17. 1st Clarification Question -

• Can you confirm the extent of the user population by a) department b) user number c) location?
  o Does the MOJ estate include your arm's length bodies and/or executive agencies (for example, HM Prison Service)?
  o If so, are all of these entities in scope?
• What platforms are in scope for review (for example, AD, ADLDS, ADFS, Unix etc.)? How many instances of these platforms are in scope?
• Is it your expectation that unstructured systems are in scope, for example shared drives?
• What is the total number of systems (applications) in scope?

MOJ (including sponsored organisations) is approx 100,000 full-time equivalents, geographically split across hundreds of locations. Geographical diversity and scale of user accounts should have no bearing; the discovery exercise is into the surrounding account management.

MOJ Digital & Technology provide technology services across the MOJ. Work is account management for MOJ D&T provided services, scope/interaction with utilising organisations is expected.

Account management platforms, instances, processes in relation to technology account management operated for/by MOJ D&T. The number of unique account stores will be over 50, though likely governed by similar processes.
18. 2nd Clarification Question

• What is their coverage in user numbers and if applicable department/agency etc?
• Are cloud based systems in scope?
  o If so are these currently managed by the IT department to a process or are they ad-hoc and at a departmental (business) level?
  o How is access currently controlled for cloud based systems?
• Are all in scope systems and applications owned by the MoJ? Or are there Civil Service wide systems, for example?
• Is Privileged Access in scope? For example, management of AD security groups, domain account, root accounts?
  o If so, is there a privileged account inventory mapped to users?

MOJ (including sponsored organisations) is approx 100,000 full-time equivalents.

Cloud based systems in scope.

Systems are predominantly managed by shared technology / IT functions.

Identities in cloud-based systems range from SSO federation through to 'local' identity stores within the system.

In scope systems are owned by the MOJ including where operated on its behalf.

Process mapping may include links to civil service wide systems, such as Shared Services Connected Limited (SSCL) and their operation of SOP.

Privileged Access in scope.

There may be privileged account inventory mapped to users on a per-account management system basis.
19. 4th CQ -

• Are any of the processes and infrastructure in relation to the MoJ shared with any other organisation as part of a shared service centre, for example?
• Which, if any, Identity and Privileged Access Management (PAM) solution(s) are currently used for JML?

Are any of the above points sufficiently documented (with a degree of confidence) to enable the information to be provided prior to any assessment?

Why does the work need to be started by 31st July and what is the plan for subsequent work to the discovery?

Processes/infrastructure may overlap with non-MOJ organisations.

No (PAM) solution(s) are known.

Existing account management system and process documentation, where they exist, will be surfaced to the successful bidder. Key personnel will be available for research interviews.

Purpose of work: to receive a prioritised, independent and expert set of contextualised high-value, high-impact recommendations. The MOJ will consume the recommendations and implement some / all of them; work is to begin FY19/20, so recommendations are needed in a timely manner.
20. In relation to recent experience required with external NCSC, CIS, NIST etc., can you be explicit as to whether you require the successful bidder to have audit capabilities or whether they have delivered services that have been externally audited?

The MOJ are seeking a supplier who has familiarity with working with these standards to ensure any recommendations are aligned with existing declared good practice from authoritative bodies. Auditing experience using them would count, but is not the only experience we would accept.