Ministry of Justice

MoJ Enterprise IT Cyber Security Assistance

Incomplete applications: 17 (15 SME, 2 large)
Completed applications: 39 (24 SME, 15 large)
Important dates
Published: Friday 16 August 2019
Deadline for asking questions: Friday 23 August 2019 at 11:59pm GMT
Closing date for applications: Friday 30 August 2019 at 11:59pm GMT

Overview

Summary of the work: Update risk reviews, assess compliance with CS standards and best supplier security practice recommendations, check deployment configurations, recommend remedial actions, and define on-going testing processes. Focus on the TTP Enterprise, EUCS Client, COPE mobile and firewall domains. Replace Accreditation with an Assurance perspective. Structure the work as component deliverables that are highly cohesive.
Latest start date: Monday 7 October 2019
Expected contract length: 12 Months
Location: No specific location, eg they can work remotely
Organisation the work is for: Ministry of Justice
Budget range: Bidders to suggest total cost based on requirements; a total budget of £500,000 (inc VAT) has been forecast.

We have assumed the team will be made up of at least a Security Architect, Security Consultant, and Business Analyst. The MoJ are willing to consider an alternative team make-up if a suitably strong case is made.

About the work

Why the work is being done: The Ministry of Justice has a number of technology improvement and transition projects for online access to information and applications. An example is a programme to renew and update the underlying enterprise technology used by 20k+ prison workers at 100+ sites. Other projects include the EUCS (End User Computing Solution), and migration to Cloud-based environments. A critical success factor is to ensure users have a coherent, consistent, and easy-to-use experience.

The systems must deploy and function within a security environment that delivers high levels of assurance and rigour across essential characteristics such as Confidentiality, Integrity, Availability, and Identity (ID) and Access Management.
Problem to be solved: The problem is how best to ensure that current, updated, and new end user devices and services, along with the supporting infrastructure, are all (re-)designed, implemented and operated securely. Challenges in solving the problem include: reviewing and understanding risks from across the IT estate; measuring, reporting, and monitoring core and critical systems; checking configurations for best-practice compliance and implementing necessary remedial mitigation; benefitting from flexible operating models such as COPE (Corporate Owned, Personally Enabled); ensuring safe and secure operation in a potentially hostile environment; and demonstrating on-going security standard assurance and compliance throughout.
Who the users are and what they need to do: The users include anyone with authorisation to access information or services that are available within the MoJ IT Estate.

Of particular importance are key stakeholders: the CISO (Chief Information Security Officer), the SSA (Senior Security Advisor), and the DPO (Data Protection Officer). Each needs to see current and on-going evidence that data and services are protected against applicable passive and active cyber security threats, so that they can provide all users and other stakeholders with confidence that the MOJ technology and information infrastructure can be trusted for effective and safe access and handling of sensitive material.
Early market engagement: None conducted.
Any work that’s already been done: Previous solutions were accredited using the legacy HMG IS1/2 approach. The existing Security and Privacy team have performed initial assessments as part of the task, and are looking to expand and enhance the delivery.
Existing team: Digital and Technology Security & Privacy Team
Current phase: Discovery

Work setup

Address where the work will take place: Primarily at 102 Petty France, London SW1H 9AJ
Working arrangements: Following Agile methodology.
Working on site / remote, but assuming remote as default.
Use of standard on-line collaboration tools Slack, Hangouts, Skype, Google G-Suite or Office 365. Report deliverables can also use PDF.
Supplier to use their own equipment; MoJ equipment to be provided on an exceptional, case-by-case basis.
Access to the Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a daily basis.
Access to SMEs for insights and environment-specific details, by arrangement.
Access to colleagues and suppliers working on other (new) IT systems, by arrangement.
Security clearance: Baseline Personnel Security Check (BPSS) as a minimum. See https://www.gov.uk/government/publications/government-baseline-personnel-security-standard for further guidance.

Additional information

Additional terms and conditions: Standard Digital Outcomes and Specialist contract and MoJ's Travel and Subsistence policy.

Please see:
https://www.gov.uk/government/publications/digital-outcomes-and-specialists-2-call-off-contract

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Evidence of recent, demonstrable, and successful experience in advising on security designs for complex enterprise IT systems, conducted in the last three years.
  • Evidence of recent, demonstrable and successful experience in providing security assessment(s) of a supplier, and their proposed solutions, meeting business needs, conducted in the last three years.
  • Evidence of recent, demonstrable, effective, and successful experience communicating security risk information to decision makers, enabling them to take appropriate action with positive outcomes, conducted in the last three years.
  • Evidence of recent, demonstrable and successful experience designing successful and pragmatic security features for compliant technology solutions based on user and organisational (business) needs, conducted in the last three years.
  • Evidence of recent, demonstrable and successful identification and application of legislation and guidance to secure information in a compliant form, within modern enterprise IT systems, in the last three years.
Nice-to-have skills and experience
  • Evidence of successfully securing Windows 10 end user devices at an Enterprise scale, in the last three years.
  • Evidence of successfully securing O365-based solutions, at an Enterprise scale, in the last three years.
  • Evidence of successfully following, implementing and assessing offerings against the standards set out in the GDS Service Assessment Framework, the Technology Code of Practice and Cabinet Office spend controls, in the last three years.
  • Knowledge of relevant regulations and guidance relating to security matters in HM Prisons.
  • Evidence of successfully securing mobile ('phone) devices at an Enterprise scale, in the last three years.

How suppliers will be evaluated

How many suppliers to evaluate: 5
Proposal criteria
  • Describe the method you would propose to use, referencing your experience on how you would conduct research and assessment to meet our user needs and develop pragmatic security designs.
  • Describe the method you would propose to use, referencing your experience on how you would develop and present security risks to decision makers, to meet the department's needs successfully.
  • Describe how you will ensure that the recommendations meet applicable legislation, standards, and best practices in cyber security.
  • Describe how you would ensure that designed and implemented solutions meet the security expectations placed on them, both at initial deployment, and through life.
Cultural fit criteria
  • Show how you have worked successfully and effectively in the public sector or a highly regulated environment.
  • Explain how you’ll ensure collaboration at all levels of the project and programme delivery between users, team members and management. Give examples of where you have successfully applied this approach.
  • Explain how you’ll ensure productive and successful collaboration with suppliers to understand how their technology aligns with MOJ business needs, and to ensure the technology addresses those needs.
Payment approach: Capped time and materials
Assessment methods
  • Written proposal
  • Presentation
Evaluation weighting
  • Technical competence: 70%
  • Cultural fit: 5%
  • Price: 25%

Questions asked by suppliers

1. Does the MOJ already have incumbents doing these positions currently, or is this a new task entirely?
No, the MoJ does not have an incumbent working on this project.
2. Do you require a proposal at this stage (to answer the
points under Proposal Criteria and Cultural Fit Criteria), or just answers to
the Essential and Nice-to-have criteria? If a proposal is required, to where
should we submit it?
The more detailed the submission, the easier and smoother the evaluation process. A submission that does not address the criteria is unlikely to do as well during evaluation as one that does address the criteria. A proposal which shows evidence of understanding and appreciating the complexities of the subject and context is likely to do better during evaluation.
3. Various questions were asked on the previous version of this
requirement (DOS Outcomes #10374) will they be answered on this updated
requirement listing or do they need to be re-asked?
This is a distinct and separate requirement. Questions asked in this requirement will be answered.
4. Does the MOJ already have incumbents doing these positions currently or
is this a new task entirely?
No, the MoJ does not have an incumbent working on this project.
5. Are you looking for a team with previous experience of
delivering a similar project together or will you consider a newly formed team
with relevant and project-specific experience?
Neither variant is excluded from evaluation.
6. In the Problem to be solved section, it talks about the need to measure and monitor core and critical systems. Are we to understand
that there is a requirement to introduce a Security Operations capability and make use of SIEM tooling to achieve this?
No. We are interested in a higher-level perspective; in other words, 'meta'. Fulfilling the requirement would build on information provided by an existing SecOps / SIEM capability.
7. In the Problem to be solved section it mentions the need to
check configurations. Is the use of Threat and Vulnerability management tooling
within the scope of this work?
Potentially. The requirement is looking at things from a higher level perspective. Therefore, tooling that provides information about threat and vulnerability management tasks and status is likely to be more applicable than tooling that performs those tasks.
8. If tools are required to be scoped and implemented to support
the above would this be inside the scope of this work package, and if so, would
you agree that an engineering capability should also be deployed?
Yes - however, it might also indicate that the perspective taken is too low level and technical. A successful candidate is likely to have focused on the higher-level processes and procedures, rather than tool acquisition, configuration or deployment.
9. Does the MoJ have a transformation Director/ Manager in place?
This project and the 'Cyber Security Policy/Guidance Review & Refresh'
project seem as though they may be workstreams of a larger co-ordinated
programme? Is there a chance these two pieces of work could end up conflicting
with each other?
Transformation and improvement is always an important part of our work. This requirement is distinct and separate from other requirements, but has been produced by team members who naturally and normally work in alignment and co-operation. It is unlikely that this requirement and the Policy/Guidance requirement will be in conflict. Rather, they are likely to complement each other.
10. Does the written response to this Digital Marketplace enquiry constitute the
"Written proposal", or will there be a follow up ahead of the
"Presentation" phase?
The written response is the only material expected ahead of the presentation phase.
11. How is the process currently undertaken and how is its
efficiency measured?
There are several distinct facets to existing processes. A successful submission will address how to accommodate variations, and look to advance and harmonise processes using a higher-level perspective.
12. What is the average level of support required for a typical new
project?
It is impossible to generalise. For this project, access is provided to the Security & Privacy Team Project Manager (PM) to provide reviews, direction and clarification on progress on a daily basis. Similarly access to SMEs for insights and environment-specific details, by arrangement, and access to colleagues and suppliers working on other (new) IT systems, also by arrangement.
13. [Question text not shown in the listing]
The MoJ does perform DPIAs, but given the high-level perspective embodied in this requirement, it is not envisaged that DPIAs will be a significant activity.
14. Does MoJ envisage any requirement for any penetration testing to
be included in the proposal?
Given the high-level perspective embodied in this requirement, it is not envisaged as being at all likely that Penetration Testing will be a significant activity.
15. Essential Skills and Experience: “Evidence of recent,
demonstrable and successful identification and application of legislation and
guidance to secure information in a compliant form, within modern enterprise IT
systems, in the last three years”. Is the Buyer looking for evidence that the
Supplier has identified legislation and guidance or that the Supplier has
experience of implementing security controls according to guidance and to meet
legislative obligations?
The latter.
16. Does the scope of the work extend to new security assurance work
for older systems that were previously accredited under IS1/2?
Yes.
17. Has the Buyer already carried out work to develop a
Security Architecture and Target Operating Model?
Yes.
18. The opening statement in the Summary of the work is “Update risk
reviews”. To what extent does the Buyer envisage the Supplier updating existing
risk reviews and to what extent is the work creating and updating new risk
reviews? (We note the statement in Any work that’s already been done)
Identifying and addressing gaps in risk reviews, and updating existing risk reviews, are broadly equally important. However, this prioritisation will reflect the context of the affected system(s).
19. Could a single resource, potentially supported by additional
burst resources (for example, researchers or technical vendor solution subject
matter experts) be used to satisfy this requirement?
Potentially, yes. A 'burst' resourcing approach is workable.
20. What technology vendor choices, if any, have been made and/or
expected to be made prior to the commencement of this contract for security
assurance?
None that are applicable - the emphasis is definitely on a technology/supplier/platform-agnostic approach.
21. At a technology architectural level, are there any existing or
required interoperability requirements between the different MOJ enterprise IT
technology estates?
Information about the interaction characteristics will be available - however, the emphasis of this project should be as technology/supplier/platform-agnostic as possible, and produce deliverables that mitigate such differences as much as possible.
22. Will existing MOJ technology live operations (including security
operations) process/requirement/decision-tree documentation be available to the
successful bidder on commencement of contract?
All relevant and appropriate information will be shared with the winning bidder as required during the contract.
23. Will relevant HMPPS PSIs and/or corruption prevention technology
standards be provided to the successful bidder on contract commencement?
All relevant and appropriate information will be shared with the winning bidder as required during the contract.
24. What existing security assurance work (for example, surrounding
principles) has been completed or embedded within this enterprise technology
programme beyond that commonly generated by any National Technology Authority
(such as NCSC EUD guidance)?
The MoJ has indeed done some assurance work. Some information about the approach is available here:
https://medium.com/just-tech/measuring-against-cyber-security-standards-82082c9031a7
and here:
https://ministryofjustice.github.io/security-guidance/guides/standards-assurance-tables/
25. What is the programme's overall timeline and the requirement for
the successful bidder's engagement within the same? The opportunity describes
FY19/20. Is the successful bidder expected to complete all security assurance
works (as per scope of work) prior to 31 March 2020?
The target is for delivery of agreed materials by 31 March 2020.
26. Does the MOJ have a preferred methodology and/or document set
that can be shared with a successful bidder in relation to threat and/or risk
assessments following its move away from IS1/2?
Candidates are encouraged to include recommendations for this as part of their proposal.
27. Do the 100+ sites that prison workers work from have
varying technology security requirements, or are they all standardised/common?
Standardised.
28. Please describe the existing technology programme
structure/state including filled and unfilled full-time equivalency AND
external professional services/consultancy.
This is a simple question that requires a complex answer. In (very) brief: there is a team of department-wide security and privacy specialists who take a big-picture view of MoJ security and assurance requirements. There is likewise a team of people who provide enterprise-grade technical design, development and support for systems, services, and applications. There are also specialist teams who provide focused capability, encompassing all the above areas, but targeted at a specific domain, for example Prisons or Courts. The teams vary in size; there is also natural overlap and sharing of capacity, according to circumstance.