This opportunity is closed for applications

The deadline was Monday 26 August 2019

Ministry of Justice

MoJ Cyber Security Policy/Guidance Review & Refresh

23 Incomplete applications

19 SME, 4 large

30 Completed applications

17 SME, 13 large

• Published: Monday 12 August 2019
• Deadline for asking questions: Monday 19 August 2019 at 11:59pm GMT
• Closing date for applications: Monday 26 August 2019 at 11:59pm GMT

Overview

• Summary of the work: To perform a comprehensive analysis of the existing technology-focused information security governance documentation 'stack' (policies, standards, guidances and so on) across the MoJ, in order to make improvement, including devising underlying policy decisions in addition to revising the policy document itself.; ; Documentation outputs must-be in lightweight markup langagues (e.g. Markdown).
• Latest start date: Monday 2 September 2019
• Expected contract length: Total length of contract should not exceed 12 months
• Location: No specific location, eg they can work remotely
• Organisation the work is for: Ministry of Justice
• Budget range: Bidders to estimate total cost based on requirements up to a total of £250,000 (exc VAT)

About the work

• Why the work is being done: The Ministry of Justice (MoJ) has been working on improving it's IT security policies and guidance to update them into modern, pragmatic, user-centric content. Our goal is to have an updated portfolio that enables digital and technology delivery teams, and all of our suppliers, to easily understand their responsibilities with regards to security and privacy matters, and provide clear guidance on good ways to acheive good security outcomes. This will enable our security specialists to focus on the more complex and challenge security problems we face.
• Problem to be solved: The MoJ doesn't have a totally modern security 'stack' (policies, standards, guidelines and procedures) in relation to technology. The MoJ wants to undertake a comprehensive review across the central MoJ, its executive-agencies, non-departmental public-bodies and other related/funded organisations in order to modernise. The outcomes should be revised documentation with keenly modernised positions.; ; The work should provide internal staff, contractors, supply chain and external partners with a coherent risk-balanced 'stack' which supports the safe and secure function of the MoJ.; ; The MoJ has been working on policy and standards improvements and is now seeking an external partner to complete this work.
• Who the users are and what they need to do: As a designer/implementer of MoJ technology solutions, I need a clearly policies, standards and guidance so that I can build secure systems to enable the MoJ to deliver its functions.; ; As a technology supplier to the MoJ, I need a clearly articulated and understandable set of requirements, so that my service provision to the MoJ meets the MoJ's information security requirements.; ; As an MoJ risk owner, I need to be assured that each role involved in the design, provision, management, maintenance and support of technology within the MoJ is aware of their roles andresponsibilties in a way they can understand.
• Early market engagement: None conducted.
• Any work that’s already been done: The MoJ Security & Privacy team previously retained technical writers to review existing MoJ technology-related information security policies and guidances. Some policies/standards were revised (such as passwords and password management) but due to the extent of the task and limited resource some policies were identified as deprecated have not yet been revised. The public work in progress MoJ policy repository can be found here: https://github.com/ministryofjustice/itpolicycontent/; ; The MoJ Cyber Security team has created and maintains https://ministryofjustice.github.io/security-guidance/ (source code: https://github.com/ministryofjustice/security-guidance) to provide guidance on different security topics.
• Existing team: MOJ Digital & Technology - Security & Privacy Team
• Current phase: Alpha

Work setup

• Address where the work will take place: Supplier location(s) and Petty France, London, SW1H 9AJ
• Working arrangements: - On-site for an-initial discovery period (as mutually agreed), as-per interviewee preferences, and the majority of analytical and drafting delivery being completed from Supplier location(s); - Use agile working-methods; - At least bi-weekly progress-reports (no-less than once every 2 weeks); - Use of digital collaboration tools such as Slack and Skype for remote working where possible; - Use of MoJ digital work planning tools (Jira, Confluence and Trello) where mutually agreeable; - Change/source control platform Github.com; - The Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a required (but at least bi-weekly) basis
• Security clearance: Baseline Personnel Security Check (BPSS, https://www.gov.uk/government/publications/government-baseline-personnel-security-standard) as a minimum for any persons entering MOJ buildings and/or viewing unpublished MOJ documents

Additional information

• Additional terms and conditions: - Standard Digital Outcomes and Specialist framework & call-off contract; - MoJ's Travel and Subsistence policy (**no T&S payable inside M25**)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • Outline recent experience (within the last 3 years) in advising public sector (or clients from other highly regulated environments) on information security governance
  • Outline recent experience (within the last 3 years) in conducting user research interviews for the purposes of policy, guidance and/or procedural design
  • Outline recent experience (within the last 3 years) in user-focused content design
  • Outline recent experience (within the last 3 years) in user-focused technical writing
  • Outline recent experience (within the last 3 years) in authoring content with markup languages based on plain text formatting syntax (for example, Markdown)
  • Outline recent experience (within last 3 years) delivering HMG security policies and guidance
• Nice-to-have skills and experience:
  • Outline recent experience (within the last 3 years) around analysing technology standards from organisations (for example, BritishStandardsInstitute or InternationalOrganizationForStandardization) in-order to inform organisational policy/guidance/standards reviews
  • Outline recent experience (within the last 3-years) around analysing technology security standards from organisations (for example, CenterForInternetSecurity or the NationalCyberSecurityCentre) in order to inform organisational security policy/guidance/standards reviews
  • Outline how you would-use recent public sector / highly regulated sector experience (within last 5 years) to inform content and direction, to achieve expert efficiency through this programme of work

How suppliers will be evaluated

• How many suppliers to evaluate: 5
• Proposal criteria:
  • Describe how you would approach understanding the existing MOJ technology-related information security policies, standards, guidance, procedures (etc) scope, landscape and documentation sets
  • Describe how you would create a governance framework to allow policies, standards, guidance and procedures to be inherited between MoJ organisations
  • Describe how you would prioritise which policies (etc) should be reviewed in which order
  • Describe how you would approach stakeholder engagement over a diverse organisation (including independent arms-length organisations)
  • Describe how you would approach end-user engagement over a diverse organisation to conduct user-focused interviews to establish their requirements
  • Describe how you would ensure all documentation outputs (for example, a policy document) could be maintained by a future suitably skilled policy reviewer
• Cultural fit criteria:
  • Describe recent (within the last 3 years) experience working in the public sector or other highly regulated sector
  • Explain how you’ll ensure collaboration at all-levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
  • Explain how you’ll ensure collaboration at all-levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
• Payment approach: Capped time and materials
• Assessment methods:
  • Written proposal
  • Presentation
• Evaluation weighting:

  Technical competence

  65%

  Cultural fit

  10%

  Price

  25%

Questions asked by suppliers

• 1. Can you please help us understand the scale and size of thecurrent policies, standards, guidelines and procedures that need to be reviewedeg. how many documents and their average number of pages.: https://github.com/ministryofjustice/itpolicycontent/tree/master/content; https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security and https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security/framework and https://github.com/ministryofjustice/security-guidance likely contain 200 'documents' with an average of 3 'pages' per document.; ; The existing document estate does not imply it is comprehensive, complete nor adequate. Whilst the existing document estate should be reviewed for content, gaps are likely to be identified for new documents to be created.
• 2. https://github.com/ministryofjustice/itpolicycontent/tree/master/content; https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security and https://github.com/ministryofjustice/itpolicycontent/tree/master/content/security/framework and https://github.com/ministryofjustice/security-guidance likely contain 200 'documents' with an average of 3 'pages' per document.The existing document estate does not imply it is comprehensive, complete nor adequate. Whilst the existing document estate should be reviewed for content, gaps are likely to be identified for new documents to be created.: This work is outside of scope for IR35
• 3. Is the development of education / training and awarenessmaterials required for each of the revised documents?: At this stage we are only seeking to have the policies and guidances refreshed/renewed
• 4. Please can you advise the team size you anticipate will be required for this project. Is it anticipated to be 1 x FTE or more?: We would expect the supplier to use their experience in being able to size the scale of this requirement and resource it appropriately.
• 5. Can the MoJ clarify the scope of the work?i.e. looking for (either):a) A full review of the documents based on our experience; recognised bestpractise documents (NIST etc), and aligned with our understanding of the MoJ'srisk appetite? Documents would need finalising by MoJ after reviewing thefeasibility of implementing/enforcing the updates.b) As above, in addition the documents are reviewed with MoJ to ensure fit forpurpose (relevant to the organisation, technically/practically possible),undergo a review/revision cycle, and formally submit the new documents ascomplete. We would then align with business requirements and ready toembed/roll-out: We will be looking to the supplier to bring their expertise and experience in creating the new documents which is not limited to but includes material from commericial best practices and HMG policy. ; ; The Authority will work with the supplier to review documentation throughout the development before being published.
• 6. Is there an incumbent for the work?: No
• 7. Please can you advise how it is feasible for a written proposaland presentation to be completed and to start work by 2nd September when thedeadline for submission is Monday 26th August (Bank Holiday)?: The dates have been revised. I can confirm:; The deadline for phase 1 - midday 25 August 2019; ; Shortlisted - 2 September 2019; ; Start Phase 2 - 2 September 2019; ; Phase 2 Proposal Criteria, Cultural Fit and Commercial; response - 11 September 2019; ; Presentation to assist with scoring - 16 - 17 September 2019; ; Suppliers notified - 26 September 2019; ; Contract Start Date - Monday 7 October 2019
• 8. On what date will the successful bidder be notified?: 26th September 2019
• 9. Howmany documents are in scope?The provided Github link lists between 50-60 Policies, Standards and Guidelines(depending on whether to count the directory listing, or master review lists)and no processes are listed (although they are mentioned in the request forwork).: The Github links show the documents in their current state. Some maybe deprecated and other may be able to be amalogonated into each other. We will be looking for the supplier to provide their expertise on this
• 10. Please confirm if each area of MoJ family has individualdocuments for review and if so please provide an approximate number ofdocuments to be reviewed: MoJ agencies may have some localised versions of specific policies, however those are out of scope of this requirement. ; ; This requirement is to refresh the MoJ Central documents <provide links again/or state as per advert>
• 11. Is all the documentation to be reviewed held on github or another system? If on a separate system how will the successful bidder access the information: All documentation to be revised is in the open Github repos
• 12. Please confirm the total number of areas to be covered withinthe MoJ family i.e. number of Executive Agencies; non-departmental policies: This is focuing on Central MoJ, its agencies shall adopt these documents
• 13. Will the MoJ be undertaking the BPSS before the start of theproject or at the start of the project?: The current assumption is that BPSS will be carried out externally and not by the MoJ
• 14. There is an assumption that a RASCI (Matrix for Roles,Responsibilities, Accountabilities etc) will be required for the processes.Will this require compliance metrics / KPIs (to measure the processes successetc) to be required?: A RASCI will be required. KPI's will be discussed at a later date.
• 15. is the start date fixed or is it dependent on the date ofnotification?: The authority can work with the awarded supplier on an agreed start date
• 16. Are senior individuals at the MoJ available on the 2nd Septemberfor an initial meeting?: Meetings will be arranged in advance and sufficient notice will be given. ; Representatives will be available
• 17. Your revised dates have submission moved from a Bank Holiday toa Sunday before the BH! Likelihood is application will not be processed untilthe Tue – 27 Aug. Could the submission date be set at 1200 that day to allowfor weekend working and a final working day check?: Content with this ; ; The deadline for Phase 1 - Midday 27 August 2019
• 18. does the MOJ already have incumbents doing these positions currently or is this a new task entirely: No The MoJ does not have an incumbent working on this project.
• 19. Are you looking for a team with previous experience ofdelivering a similar project together or will you consider a newly formed team with relevant and project-specific experience?: We will consider a newly formed team with the relevant experience.
• 20. Your revised dates have submission moved from a Bank Holiday toa Sunday before the BH! Likelihood is application will not be processed untilthe Tue – 27 Aug. Could the submission date be set at 1200 that day to allowfor weekend working and a final working day check?: The Digital Marketplace platform automatically publishes the closing date 1 week from the date of publishing for specialists opportunities and 2 weeks for outcomes.; Unfortunately, this does not take into account bank holidays. I'm afraid there is not a function on the platform to extend the timescales.; ; So unfortunately the date will return to midnight Monday 26 August 2019