The Foreign and Commonwealth Office

SOC Cyber Security Improvement Plan

Incomplete applications: 16 (11 SME, 5 large)
Completed applications: 41 (21 SME, 20 large)

Important dates

Published: Tuesday 27 August 2019
Deadline for asking questions: Tuesday 3 September 2019 at 11:59pm GMT
Closing date for applications: Tuesday 10 September 2019 at 11:59pm GMT

Overview

Summary of the work: Discovery Phase outcome supporting the FCO in enabling the transformation of its cyber security capability, including a strategic cyber security improvement plan/roadmap and a clear, prioritised outline business case. The supplier will assist, support and work with the FCO, bringing cyber security expertise and knowledge from the public and private sectors.
Latest start date: Thursday 21 November 2019
Expected contract length: Up to 3 months
Location: London
Organisation the work is for: The Foreign and Commonwealth Office
Budget range: £300,000

About the work

Why the work is being done: Key drivers for this work include the National Cyber Security Strategy and the FCO's Diplomacy 20:20 programme.

No successful organisation remains static: in a fast-changing world, it needs to adapt quickly and respond to new challenges and opportunities. To support this, the FCO's change programme, Diplomacy 20:20, is designed to deliver a more expert and agile organisation, supported by a world-class platform.

The National Cyber Security Strategy details the UK government's investment in cyber security, with the vision for 2021 that the UK will be secure and resilient to cyber threats while prosperous and confident in the digital world.

Problem to be solved: The improvement plan and accompanying outline business case will cover people, process, information/data, technology and governance. The supplier will also provide programme management and organisational development resources. These will support the improvement plan elements responsible for embedding cyber security across the organisation, including transforming organisational culture, procurement, programme delivery and governance processes.

Deliverables include an outline business case (using the HMG 5 case model) that is supported by (but not limited to):
• Cyber security improvement plan / road map;
• Defined cyber security target state;
• Prioritised areas for further work.

Who the users are and what they need to do:

As an Audit and Risk Committee member, I want to understand how well we are managing our strategic risks, have clear metrics for judging progress and be confident we are doing our best to keep up with good practice.

As CIO, I want to ensure that technology programmes improve our management of risk and do not expose us to new vulnerabilities.

As the CISO, I want our approach to cyber security to be one that supports organisational objectives, delivers an effective end-to-end cyber culture throughout the organisation, and prevents us from unknowingly being exposed to unmanaged risk.

Early market engagement: N/A
Any work that's already been done: There are a number of ongoing projects, details of which will be available to the winning supplier.
Existing team: The internal FCO team consists of an array of personnel from across its Knowledge and Technology Directorate (KTD).
Current phase: Not applicable

Work setup

Address where the work will take place: The team will work within the FCO's main offices in King Charles St, Whitehall, Westminster, London SW1A 2AH. Close collaboration with teams in Milton Keynes will be required, including some travel to the area.
Working arrangements: There may be some scope for remote working, but our focus is to build a close and effective relationship between the supplier and KTD teams.

The FCO will not be liable for any travel and subsistence expenses within the M25/Greater London. Any travel and subsistence expense reimbursements outside the M25/Greater London will be in accordance with the FCO's Travel & Expenses Policy.

The supplier must follow the FCO's IT and security procedures and policies in relation to access, data and equipment use.
Security clearance: Minimum SC vetting for all core staff involved. It would be desirable if at least one team member were DV cleared. Non-core staff (e.g. additional SMEs) may be BPSS/CTC cleared where there is prior agreement and an appropriate security management plan.

Additional information

Additional terms and conditions: (none given)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers' technical competence.

Essential skills and experience
  • Experience in successful delivery of cyber strategy and target operating models [20%]
  • Proven track record of working with stakeholders to generate programme implementation plans / road maps for large-scale complex projects [17%]
  • Examples of working with customers to design and deliver cyber improvement business cases [17%]
  • Previous experience of supporting organisational change (including culture and skills) within large organisations to support board-level decisions [15%]
  • Experience in supporting organisations in the assessment and management of risk across a broad spectrum of technologies [15%]
Nice-to-have skills and experience
  • Proven track record of assessing governance procedures for large projects and recommending / implementing improvements [4%]
  • Previous experience of working with a large central UK government department on complex cyber projects in accordance with HM Treasury's Green Book [4%]
  • Ability to think creatively and articulate innovative ideas for solving complex business, technology and risk management problems [4%]
  • Experience of designing management information and performance metrics for audit and risk assurance committees [4%]

How suppliers will be evaluated

How many suppliers to evaluate: 5
Proposal criteria
  • Documented proposed solution.
  • Documented proposed approach and methodology.
  • Estimated timeframes for the work.
  • Detailed resources plan, including team structure.
  • Confirmation of ability to supply a team with the required clearances.
  • Identification of risks, assumptions, issues and dependencies, and the approach taken to managing them.
  • Plan for service quality management.
Cultural fit criteria
  • Able to understand the role in the wider context of diplomacy and national security.
  • Have excellent interpersonal and influencing skills and a positive approach.
  • Ability to transfer knowledge.
  • Establish good working relationships and generate team spirit.
  • Work collaboratively with permanent staff and other suppliers.
  • Approach to issue management, problem resolution and improving ways of working.
  • Approach to commercial and contract management.
  • Ability to use the existing knowledge, experience and lessons learnt from previous similar engagements.
Payment approach: Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Presentation
Evaluation weighting
  • Technical competence: 60%
  • Cultural fit: 20%
  • Price: 20%

Questions asked by suppliers

1. 'DS_CQ_01'
Requirement Title
For the avoidance of doubt, this requirement is for an enterprise wide cyber security strategy and not limited to Security Operating Centre (SOC) or SOC processes.
2. 'DS_CQ_02'
Will the FCO sponsor the vetting process for SC and DV clearance or do staff have to have this already?
The FCO will be a sponsor for any suppliers attaining security clearance.

Please note that the FCO has no involvement with the clearance process and cannot guarantee when, or if, any clearances will be attained. SC clearances can take up to 12 weeks to be processed. Suppliers must have the appropriate clearances for all staff they choose to allocate to deliver this requirement at any time during this contract. It is preferred that any proposed teams already hold clearances, as being without them will impact delivery timescales.
3. 'DS_CQ_03'
Would the buyer sponsor SC vetting if this clearance is not already held by the team members, or is it expected that team members should already have the clearance?
The FCO will be a sponsor for any suppliers attaining security clearance.

Please note that the FCO has no involvement with the clearance process and cannot guarantee when, or if, any clearances will be attained. SC clearances can take up to 12 weeks to be processed. Suppliers must have the appropriate clearances for all staff they choose to allocate to deliver this requirement at any time during this contract. It is preferred that any proposed teams already hold clearances, as being without them will impact delivery timescales.
4. 'DS_CQ_04'
Please could you advise whether an incumbent supplier is already providing the same or similar services for FCO?
No current supplier providing or contracted to provide this service for Cyber business cases.
5. 'DS_CQ_05'
The sentence: "Deliverables include an outline business case (using the HMG 5 case model) that is supported by (but not limited to)..." implies that there could be more deliverables, apart from the ones given. Please could the Authority be specific on the deliverables of this engagement?
The deliverable is the Outline Business Case (OBC). There was not enough space in the word count to say exactly what an OBC should contain, but refer to the HMG Green Book for detail of what should be included in such a business case.
6. 'DS_CQ_06'
For the first essential skills and experience question, are the authority looking for an example of a cyber specific target operating model?
There is a word limit on this answer, but the Authority is expecting that the supplier is able to demonstrate that they have the capability (and have relevant experience) to produce a cyber-specific target operating model as a deliverable as part of their response.
7. 'DS_CQ_07'
Is there an incumbent supplier?
No current supplier providing or contracted to provide this service for Cyber business cases.
8. 'DS_CQ_08'
Is this opportunity inside or outside IR35 legislation?
This procurement is for a service-delivery (i.e. an outcome) as opposed to for specified resource (i.e. individuals), therefore this opportunity is outside of IR35.
9. 'DS_CQ_09'
Can we confirm that the opportunity timescale indicated is actually "up to 3 months" please?
Yes.
10. 'DS_CQ_10'
Has the FCO completed a "cyber maturity assessment" and, if so, can it be shared? What method was used to determine this maturity level?
This is not required in order to provide a response against the 'Essential' and 'Nice-to-have' criteria.
11. 'DS_CQ_11'
Do FCO currently use security standards e.g. NIST, CIS ?
This is not required in order to provide a response against the 'Essential' and 'Nice-to-have' criteria.
12. 'DS_CQ_12'
Does providing these advisory services preclude the successful bidder from competing to design/build/support the future SOC capabilities?
No. However, some sort of Ethical Wall will be required if the successful supplier wishes to tender for any future related tender whilst on contract.
13. 'DS_CQ_13'
Do bidders need to consider the UK Government guidelines for Enterprise Architecture for any proposed strategic development?
Suppliers should consider guidelines from HMG, but we can discuss any requirements that the supplier believes are not required for this project and that are not HMG mandated.
14. 'DS_CQ_14'
Are the FCO ISO 27k compliant?
This is not required in order to provide a response against the 'Essential' and 'Nice-to-have' criteria.
15. 'DS_CQ_15'
Do the FCO have existing operating models that can be made available at the start of the project?
Current status of operating models, in-flight projects, methodologies and standards will be made available at the start of the project.
16. 'DS_CQ_16'
Do the FCO have a defined security architecture that, where permissible, can be made available at the start of the project?
Current status of operating models, in-flight projects, methodologies and standards will be made available at the start of the project.
17. 'DS_CQ_17'
Are you working with an incumbent supplier that has provided support in the domains of cyber strategy and programme design?
There is no incumbent supplier providing this service.
18. 'DS_CQ_18'
The duration for the work is 3 months and in the ‘problem to be solved’ you state that the supplier is expected to provide programme management and organisational development resource to support the improvement plan elements. Does this mean that you want the supplier to provide delivery resource to support execution of existing plans, or is your requirement for the supplier to support design of future improvement plans i.e. to enable the strategy?
This requirement is not asking for any delivery resources for the execution of existing or new plans; it is to enable the strategy via the requirements (i.e. the outline business case).
19. 'DS_CQ_19'
Do you already have a baseline of cyber risk exposures that will inform the improvement plan?
Current status of operating models, in-flight projects, methodologies and standards will be made available at the start of the project.
20. 'DS_CQ_20'
Does the business case need to follow the full requirements of the HMG 5 case model or is it possible to use an abridged version?
The business case should follow the HMG 5 Case model, but we can discuss any requirements that the supplier believes are not required and are not mandated by HMG once they begin work.
21. 'DS_CQ_21'
What existing design and procedural documentation will be provided?
Current status of operating models, in-flight projects, methodologies and standards will be made available at the start of the project.
22. 'DS_CQ_22'
Will documentation and deliverables be able to be produced and stored on supplier systems?
The supplier will have to use FCO provided IT and equipment.
23. 'DS_CQ_23'
To aid suppliers in planning resources, will we have 1 or 2 weeks' notice between the PQQ and Evaluation stages? And could you specify the planned date for release of the evaluation phase, please?
Please see the indicative procurement timeline below:
- Tue 10 Sep - Closing date for supplier down-select applications
- Tue 17 Sep - Authority finalised down-selection
- Thu 19 Sep - Top five down-selection suppliers invited to tender (ITT)
- Mon 07 Oct - ITT Supplier Tender submission deadline
- Thu 10 Oct - ITT Supplier Presentations
- Tue 22 Oct - Authority finalised ITT Tender evaluation
- Wed 23 Oct - Authority notifies ITT Suppliers of decision of award
- Wed 30 Oct - Authority Awards contract
24. 'DS_CQ_24'
Will you be seeking a presentation to be conducted for those who are selected from the evaluation stage? And what is the likely date for this?
Yes, along with the other Assessment Methods listed within the requirement:
• Written proposal
• Case study
• Work history

Presentations are expected to take place around Thursday 10 October. See the indicative procurement timeline in the response to 'DS_CQ_23'.