Ministry of Justice

MoJ Cyber Security Policy/Guidance Review & Refresh

Incomplete applications

23
Incomplete applications
20 SME, 3 large

Completed applications

30
Completed applications
17 SME, 13 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Monday 12 August 2019
Deadline for asking questions Monday 19 August 2019 at 11:59pm GMT
Closing date for applications Monday 26 August 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work To perform a comprehensive analysis of the existing technology-focused information security governance documentation 'stack' (policies, standards, guidances and so on) across the MoJ, in order to make improvement, including devising underlying policy decisions in addition to revising the policy document itself.

Documentation outputs must-be in lightweight markup langagues (e.g. Markdown).
Latest start date Monday 2 September 2019
Expected contract length Total length of contract should not exceed 12 months
Location No specific location, eg they can work remotely
Organisation the work is for Ministry of Justice
Budget range Bidders to estimate total cost based on requirements up to a total of £250,000 (exc VAT)

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The Ministry of Justice (MoJ) has been working on improving it's IT security policies and guidance to update them into modern, pragmatic, user-centric content. Our goal is to have an updated portfolio that enables digital and technology delivery teams, and all of our suppliers, to easily understand their responsibilities with regards to security and privacy matters, and provide clear guidance on good ways to acheive good security outcomes. This will enable our security specialists to focus on the more complex and challenge security problems we face.
Problem to be solved The MoJ doesn't have a totally modern security 'stack' (policies, standards, guidelines and procedures) in relation to technology. The MoJ wants to undertake a comprehensive review across the central MoJ, its executive-agencies, non-departmental public-bodies and other related/funded organisations in order to modernise. The outcomes should be revised documentation with keenly modernised positions.

The work should provide internal staff, contractors, supply chain and external partners with a coherent risk-balanced 'stack' which supports the safe and secure function of the MoJ.

The MoJ has been working on policy and standards improvements and is now seeking an external partner to complete this work.
Who the users are and what they need to do As a designer/implementer of MoJ technology solutions, I need a clearly policies, standards and guidance so that I can build secure systems to enable the MoJ to deliver its functions.

As a technology supplier to the MoJ, I need a clearly articulated and understandable set of requirements, so that my service provision to the MoJ meets the MoJ's information security requirements.

As an MoJ risk owner, I need to be assured that each role involved in the design, provision, management, maintenance and support of technology within the MoJ is aware of their roles andresponsibilties in a way they can understand.
Early market engagement None conducted.
Any work that’s already been done The MoJ Security & Privacy team previously retained technical writers to review existing MoJ technology-related information security policies and guidances. Some policies/standards were revised (such as passwords and password management) but due to the extent of the task and limited resource some policies were identified as deprecated have not yet been revised. The public work in progress MoJ policy repository can be found here: https://github.com/ministryofjustice/itpolicycontent/

The MoJ Cyber Security team has created and maintains https://ministryofjustice.github.io/security-guidance/ (source code: https://github.com/ministryofjustice/security-guidance) to provide guidance on different security topics.
Existing team MOJ Digital & Technology - Security & Privacy Team
Current phase Alpha

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place Supplier location(s) and Petty France, London, SW1H 9AJ
Working arrangements - On-site for an-initial discovery period (as mutually agreed), as-per interviewee preferences, and the majority of analytical and drafting delivery being completed from Supplier location(s)
- Use agile working-methods
- At least bi-weekly progress-reports (no-less than once every 2 weeks)
- Use of digital collaboration tools such as Slack and Skype for remote working where possible
- Use of MoJ digital work planning tools (Jira, Confluence and Trello) where mutually agreeable
- Change/source control platform Github.com
- The Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a required (but at least bi-weekly) basis
Security clearance Baseline Personnel Security Check (BPSS, https://www.gov.uk/government/publications/government-baseline-personnel-security-standard) as a minimum for any persons entering MOJ buildings and/or viewing unpublished MOJ documents

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions - Standard Digital Outcomes and Specialist framework & call-off contract
- MoJ's Travel and Subsistence policy (**no T&S payable inside M25**)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Outline recent experience (within the last 3 years) in advising public sector (or clients from other highly regulated environments) on information security governance
  • Outline recent experience (within the last 3 years) in conducting user research interviews for the purposes of policy, guidance and/or procedural design
  • Outline recent experience (within the last 3 years) in user-focused content design
  • Outline recent experience (within the last 3 years) in user-focused technical writing
  • Outline recent experience (within the last 3 years) in authoring content with markup languages based on plain text formatting syntax (for example, Markdown)
  • Outline recent experience (within last 3 years) delivering HMG security policies and guidance
Nice-to-have skills and experience
  • Outline recent experience (within the last 3 years) around analysing technology standards from organisations (for example, BritishStandardsInstitute or InternationalOrganizationForStandardization) in-order to inform organisational policy/guidance/standards reviews
  • Outline recent experience (within the last 3-years) around analysing technology security standards from organisations (for example, CenterForInternetSecurity or the NationalCyberSecurityCentre) in order to inform organisational security policy/guidance/standards reviews
  • Outline how you would-use recent public sector / highly regulated sector experience (within last 5 years) to inform content and direction, to achieve expert efficiency through this programme of work

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 5
Proposal criteria
  • Describe how you would approach understanding the existing MOJ technology-related information security policies, standards, guidance, procedures (etc) scope, landscape and documentation sets
  • Describe how you would create a governance framework to allow policies, standards, guidance and procedures to be inherited between MoJ organisations
  • Describe how you would prioritise which policies (etc) should be reviewed in which order
  • Describe how you would approach stakeholder engagement over a diverse organisation (including independent arms-length organisations)
  • Describe how you would approach end-user engagement over a diverse organisation to conduct user-focused interviews to establish their requirements
  • Describe how you would ensure all documentation outputs (for example, a policy document) could be maintained by a future suitably skilled policy reviewer
Cultural fit criteria
  • Describe recent (within the last 3 years) experience working in the public sector or other highly regulated sector
  • Explain how you’ll ensure collaboration at all-levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
  • Explain how you’ll ensure collaboration at all-levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Presentation
Evaluation weighting

Technical competence

65%

Cultural fit

10%

Price

25%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Can you please help us understand the scale and size of the
current policies, standards, guidelines and procedures that need to be reviewed
eg. how many documents and their average number of pages.
https://github.com/ministryofjustice/itpolicycontent/tree/master/content; https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security and https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security/framework and https://github.com/ministryofjustice/security-guidance likely contain 200 'documents' with an average of 3 'pages' per document.

The existing document estate does not imply it is comprehensive, complete nor adequate. Whilst the existing document estate should be reviewed for content, gaps are likely to be identified for new documents to be created.
2. https://github.com/ministryofjustice/itpolicycontent/tree/master/content; https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security and https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security/framework and https://github.com/ministryofjustice/security-guidance likely contain 200 'documents' with an average of 3 'pages' per document.

The existing document estate does not imply it is comprehensive, complete nor adequate. Whilst the existing document estate should be reviewed for content, gaps are likely to be identified for new documents to be created.
This work is outside of scope for IR35
3. Is the development of education / training and awareness
materials required for each of the revised documents?
At this stage we are only seeking to have the policies and guidances refreshed/renewed
4. Please can you advise the team size you anticipate will be required for this project. Is it anticipated to be 1 x FTE or more? We would expect the supplier to use their experience in being able to size the scale of this requirement and resource it appropriately.
5. Can the MoJ clarify the scope of the work?

i.e. looking for (either):

a) A full review of the documents based on our experience; recognised best
practise documents (NIST etc), and aligned with our understanding of the MoJ's
risk appetite? Documents would need finalising by MoJ after reviewing the
feasibility of implementing/enforcing the updates.

b) As above, in addition the documents are reviewed with MoJ to ensure fit for
purpose (relevant to the organisation, technically/practically possible),
undergo a review/revision cycle, and formally submit the new documents as
complete. We would then align with business requirements and ready to
embed/roll-out
We will be looking to the supplier to bring their expertise and experience in creating the new documents which is not limited to but includes material from commericial best practices and HMG policy.

The Authority will work with the supplier to review documentation throughout the development before being published.
6. Is there an incumbent for the work? No
7. Please can you advise how it is feasible for a written proposal
and presentation to be completed and to start work by 2nd September when the
deadline for submission is Monday 26th August (Bank Holiday)?
The dates have been revised. I can confirm:
The deadline for phase 1 - midday 25 August 2019

Shortlisted - 2 September 2019

Start Phase 2 - 2 September 2019

Phase 2 Proposal Criteria, Cultural Fit and Commercial
response - 11 September 2019

Presentation to assist with scoring - 16 - 17 September 2019

Suppliers notified - 26 September 2019

Contract Start Date - Monday 7 October 2019
8. On what date will the successful bidder be notified? 26th September 2019
9. How
many documents are in scope?

The provided Github link lists between 50-60 Policies, Standards and Guidelines
(depending on whether to count the directory listing, or master review lists)
and no processes are listed (although they are mentioned in the request for
work).
The Github links show the documents in their current state. Some maybe deprecated and other may be able to be amalogonated into each other. We will be looking for the supplier to provide their expertise on this
10. Please confirm if each area of MoJ family has individual
documents for review and if so please provide an approximate number of
documents to be reviewed
MoJ agencies may have some localised versions of specific policies, however those are out of scope of this requirement.

This requirement is to refresh the MoJ Central documents <provide links again/or state as per advert>
11. Is all the documentation to be reviewed held on github or another system? If on a separate system how will the successful bidder access the information All documentation to be revised is in the open Github repos
12. Please confirm the total number of areas to be covered within
the MoJ family i.e. number of Executive Agencies; non-departmental policies
This is focuing on Central MoJ, its agencies shall adopt these documents
13. Will the MoJ be undertaking the BPSS before the start of the
project or at the start of the project?
The current assumption is that BPSS will be carried out externally and not by the MoJ
14. There is an assumption that a RASCI (Matrix for Roles,
Responsibilities, Accountabilities etc) will be required for the processes.
Will this require compliance metrics / KPIs (to measure the processes success
etc) to be required?
A RASCI will be required. KPI's will be discussed at a later date.
15. is the start date fixed or is it dependent on the date of
notification?
The authority can work with the awarded supplier on an agreed start date
16. Are senior individuals at the MoJ available on the 2nd September
for an initial meeting?
Meetings will be arranged in advance and sufficient notice will be given.
Representatives will be available
17. Your revised dates have submission moved from a Bank Holiday to
a Sunday before the BH! Likelihood is application will not be processed until
the Tue – 27 Aug. Could the submission date be set at 1200 that day to allow
for weekend working and a final working day check?
Content with this

The deadline for Phase 1 - Midday 27 August 2019
18. does the MOJ already have incumbents doing these positions currently or is this a new task entirely No The MoJ does not have an incumbent working on this project.
19. Are you looking for a team with previous experience of
delivering a similar project together or will you consider a newly formed team with relevant and project-specific experience?
We will consider a newly formed team with the relevant experience.
20. Your revised dates have submission moved from a Bank Holiday to
a Sunday before the BH! Likelihood is application will not be processed until
the Tue – 27 Aug. Could the submission date be set at 1200 that day to allow
for weekend working and a final working day check?
The Digital Marketplace platform automatically publishes the closing date 1 week from the date of publishing for specialists opportunities and 2 weeks for outcomes.
Unfortunately, this does not take into account bank holidays. I'm afraid there is not a function on the platform to extend the timescales.

So unfortunately the date will return to midnight Monday 26 August 2019