Ministry of Defence - Information Systems and Services

Digital Directory Services (DDS) Technical Delivery Support (ASDT0094)

Incomplete applications

6
Incomplete applications
4 SME, 2 large

Completed applications

3
Completed applications
0 SME, 3 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Monday 9 September 2019
Deadline for asking questions Monday 16 September 2019 at 11:59pm GMT
Closing date for applications Monday 23 September 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work To work on the Digital Directories Services to provide authentication and authorisation for IdAM across OFFICIAL and SECRET domains.
Latest start date Monday 11 November 2019
Expected contract length 24 Months Contract. Extension Options: 2 optional 3 month extensions
Location South West England
Organisation the work is for Ministry of Defence - Information Systems and Services
Budget range £ 2.5 - 2.9 Million (Ex VAT)

Contract Value includes a Limit of Liability for T&S of £40K.

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The handling of contact information and other directory related services are currently spread across disparate systems run under various outsourced contracts. The directories service needs to:
• Ensure compliance with Data Protection Legislation
• Improve compliance with National Cyber Security Centre guidelines and reduce security vulnerabilities
• Create a more joined-up user experience that can meet the Digital Service Standard for live service
• API enable important datasets in line with the Technology Code of Practice
• Enable exit from several current contracts
• Improve quality of the data, including related reference data (e.g. location and organisation)
Problem to be solved UK Defence is currently supported by a disparate collection of directory services which need to be rationalised.

The Partner will develop, configure and deliver the technical aspects of a Directories service, including:
• Authentication for IdAM to the Defence Gateway and Core Network across both OFFICIAL and SECRET domains
• Interfacing with the IdAM solution
• A service that curates and makes available contact information, including related reference data on organisations and locations.
• Providing the Active Directory (AD) that can authenticate/authorise users, devices and processes – working in tandem with Defence’s IdAM service.
Who the users are and what they need to do Users of MOD’s IT system want to present their credentials once to be authenticated both to MODNet (AD) and to the Single Sign-on Service (Identity Brokering Service (IBS) part of the IdAM service).

Members of the Defence community need to be able to update and use contact information for people they need to work with.

Defence Personnel sharing SECRET information need to be able to ensure the authenticity of recipients complies with National caveats.

Users working for Defence’s Allies and Partners around the globe need to be able to consume UK Defence contact information within their own IT systems.
Early market engagement
Any work that’s already been done Some, but not all, baseline logical architecture identifying the key systems involved in providing directory information and the AD have been documented. An architectural decision has been taken that this service will include an AD and that it will be built within MOD cloud hosting (no technology choices for the ‘white/yellow pages’ part of the service have been made at time of writing).

An accompanying IdAM service, which includes Single Sign On (SSO) for Web applications and management of digital identities (including what roles/access they are permitted) for core authority personnel is about to enter closed beta.
Existing team A project manager to oversee this activity is currently in place.

The incoming team will receive support from the wider team working on identity and directories challenges including Architects, an Engineering Lead and a Senior project manager. They will provide guidance and ensure coherence across this and related work (but not detailed/solutions architecture).

Around 20 people are currently engaged on the IdAM project working collaboratively with the existing contractors; the directories and IdAM teams will be expected to work collaboratively following SAFe delivery principles.
Current phase Discovery

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place The Project Delivery Team is located at MOD Corsham in Wiltshire (SN13 9NR). Occasional travel to Customers may be required dependent on the need, however this will be kept to a minimum.
Working arrangements The Partner will be expected to work full time. The IdAM delivery team works in an Agile Scrum environment under the direction of a Scrum Master (Delivery Manager) and Project Manager. Current expectations are that the Digital Directories Team will be at Corsham at least 4 days per week. Travel and subsistence expenses to attend other sites will be payable from Corsham using current Civil Service T&S practices. Locations such as but not limited to: Andover, Farnborough & Gosport.
Security clearance Potential suppliers will be expected to hold or be in the process of obtaining SC Clearance. The Authority will not reimburse costs incurred to gain SC clearance, it must be in place and remain valid for the duration of the contract.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions The successful shortlist suppliers must request a Security Aspects Letter and provide a Cyber Essentials Certificate in line with Cyber Risk Assessment Reference Number: RAR-D2EZ9E2W.

T&S will be paid on receipted actuals in compliance with MoD policy , no other expenses are permitted.

Suppliers must use the Authorities Purchase to Payment Tool called CP&F or be prepared to sign up the tool.

Suppliers must adhere to the MOD Corsham working policies.

The following Quality Assurance standards will be applicable.
Concessions Def Stan 05-61 Part 1 Issue 6
Contractor Working Parties Def Stan 05-61 Part 4 Issue 3

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Experience of successfully delivering a Directory service through a full project or development lifecycle in a large or complex organisation (including testing and deployment)
  • Proven and demonstrable experience of working with multi-disciplinary teams in an agile (SAFe) development/delivery environment
  • Experience developing large digital services that meet the Digital Service Standard for a growing community of users applying appropriate digital (Agile and user centric) methods, techniques and skills
  • Experience obtaining and merging information from a range of sources/systems and addressing data quality issues to provide identity, role and security attribute data supporting attribute based access control
  • Experience of building and testing an end-to-end digital directory service demonstrating a high level of quality
  • Experience in designing, deploying and operating services using public and private cloud infrastructure including up-to-date knowledge of AWS, Azure and VMWare
  • Experience in Active Directory solutions, including setting up forests, trees, domains and trusts for a large and complex organisation
  • Experience at providing Data Architecture to support solving complex problems, including: logical and physical data architectures, clear concept definitions and relationships, familiarity with x.500 directory structures
  • Experience of providing Data Engineering skills to merge and export large sets of data, including having addressed operational issues caused by differing quality and periodicities between datasets
  • Experience of DevOps Engineering – particularly automation, deploying builds, increments and releases through Continuous Integration and Deployment pipelines, as well as scripting environment builds and changes
  • Experience of designing and delivering Information Services with a high level of cyber and general security threat and very high criticality, and creating documents to achieve accreditation
Nice-to-have skills and experience
  • Experience in working within the MOD and knowledge of current Defence Directory Services
  • Experience of working with deployable capabilities
  • Experience of setting up and developing directories in conjunction with Identity and Access Management Services
  • Experience of designing and implementing transitional architectures to move from existing to future arrangements via a series of Minimum Viable Products and other iterative releases
  • Familiar with related Microsoft technologies including Azure Active Directory and Windows Hello; experience with presenting contact information to Microsoft Office 365 and Exchange users via Outlook etc

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 3
Proposal criteria
  • How you will provide the Authority with a high-quality team that embodies the required skills; in particular, why you believe the team (as a collective) will be high performing. (12%)
  • How you will balance being responsive/flexible to changing work demands (in terms of skills and capacity) as it progresses with the benefits of a stable and consistent team. (11%)
  • Indicative structure (people/roles in your proposed team and their main interrelationships), indicative profile (how team size and roles might change over time) and when they can start. (11%)
  • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. (11%)
  • Your proposed approach and methodology for managing the development and transitioning of directories services: particularly how this will inform the backlog entries and priotisation of delivery and transition activities. (11%)
  • Proposed approach and methodology for achieving security/information assurance accreditation and maintaining it through the Agile development, including identifying threats, putting in place controls and engagement with the risk owner(s). (11%)
  • How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). (11%)
  • How you will ensure that the service meets the organisation’s policy goals in terms of providing more secure Directories processes including incorporating existing policy. (11%)
  • Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the Directories services after they have been developed. (11%)
Cultural fit criteria
  • Shares knowledge, experience and expertise with the Authority and other team members. (13%)
  • Be transparent and collaborative. (13%)
  • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any for. (13%)
  • Evidence that your organisation reflects the diversity of the country and how it attracts and retains the best talent. (13%)
  • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome. (12%)
  • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors. (12%)
  • Evidence of working successfully in an Agile manner within an organisation where some units: (particularly in relation to governance and project control processes) retain a big-design-upfront/command-and-control perspective. (12%)
  • Evidence of working with organisations and stakeholders with differing levels of technical expertise. (12%)
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting

Technical competence

50%

Cultural fit

20%

Price

30%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. 1. Can the Authority confirm this contract will be outside of IR35? Yes, IR35 legislation does not apply to this requirement
2. 2. How do we respond to this requirement? Bid responses are to be submitted on the DOS templates and in Microsoft Office Excel/Word 2013 format only. The Successful Shortlist Suppliers will receive further additional information and instructions.
3. Why is the Directories project being undertaken? Defence has a large number of Directories supporting a range of services including IdAM, many of the contracts currently in place are due to expire. Defence is in-sourcing these services which will enable a range of solutions to be applied including a rationalisation of need. Some of the services will be subsumed within the IdAM solution space whilst others will be redesigned and built
4. Which classifications will Directories cater for? For both OFFICIAL and SECRET applications and services.
5. Who can use Directories services? We recognise 4 main user groups which are permitted licenses for IdAM Services, these are:
• MOD personnel: civil servants, UK military, Royal Fleet Auxiliary, MOD police, locally engaged civilians
• Other government officials: department civil servants, other public sector employees, crown ministers, special advisers, ministerial assistants, honorary/ ceremonial appointments, non-executive directors, select parliamentary committee members
• Partner organisations: supplier employees, MOD contracted personnel, foreign military allies, international government organisations (IGOs)
• Affiliated organisations personnel: Cadet forces, veterans, service personnel dependents
6. How does GDPR affect Directories? • Lawfulness, fairness and transparency – the MOD policy for data collection is available to all and agreement is through signing SyOps
• Purpose limitation – personal data is held only for IdAM purposes
• Data minimisation – information held is required to support identity and access management only.
• Accuracy – information is held in one location, easier to keep data accurate
• Storage limitation –linking relevant personal information in one location is easier to delete
• Integrity and confidentiality – personal data will be held in a secure vault for use in automated processes for access decision making.
7. How are will the Directories capabilities be rolled out? The Directory services will be developed following Agile methodology. The technical team will release functionality incrementally using sprints to plan and monitor progress. This means that up front planning and stage gate time deadlines associated with PRINCE2/ Waterfall project management will not be applicable to the delivery of the Directories functionality.
8. Which Technology is the Directories solution based on? To meet the Directories needs of the various MOD wide populations and corresponding services, several technologies are likely to be needed. A core technology will potentially use the existing NetIQ products being used by the IdAM project.
9. Where will the Directories be hosted? Directories will utilise MOD Cloud platforms to provide the services.
10. Can the Authority, please confirm the procurement timetable in relation to the written proposal, presentation dates and contract award? Proposed date for Written and Case Studies submission to the Authority - W/c 14th Oct 2019.

Proposed date for Presentations if required - W/c 21st October 2019 at MOD Corsham.

Latest Contract Start Date 11th Nov 2019
11. In the Nice-to-have skills, the authority has asked for “Experience of working with deployable capabilities”. Could the authority clarify, if this refers to moving built technical solutions between environments, or to the management of identities when deployed and associated persona changes? Deployable/Remote capabilities refers to meeting the needs of dependent systems that may have unreliable, high-latency or low-bandwidth connectivity (or all of these). These include systems on Permanent Joint Operating Bases (such as the Falkland Islands) or systems deployed into battle-spaces.