Awarded to NCC Services Limited. Trading as NCC Group.

Start date: Friday 10 February 2017
Value: £120,000
Company size: large
Met Office

Security Testing Engagement Partner

0 Incomplete applications

17 Completed applications

8 SME, 9 large

Important dates

Friday 30 September 2016
Deadline for asking questions
Friday 7 October 2016 at 11:59pm GMT
Closing date for applications
Friday 14 October 2016 at 11:59pm GMT


Summary of the work
An ongoing project to provide IT health checks and penetration testing; knowledge transfer and other security-related services.
Latest start date
Expected contract length
18 months, plus a possible 6 month extension
No specific location, eg they can work remotely
Organisation the work is for
Met Office
Budget range
£60,000 to £100,000 per annum.

About the work

Why the work is being done
As an organisation, we need to regularly carry out IT health checks/penetration testing and accreditation of new projects and also our existing systems and services. Rather than procure these on an ad-hoc basis, we are seeking to partner with an established provider of these services over a longer-term period.
Problem to be solved
Agile and consistent IT health checks and penetration testing of our newly developed and existing products and services.
Who the users are and what they need to do
As the Met Office Security Testing Team and Accreditation team, we need to identify and work with an established IT Security testing partner, so that we can assure and test our products and services.
Early market engagement
Any work that’s already been done
The Met Office has a standard, established process for engaging external security testing (see also Working Arrangements below).
Existing team
The Met Office has an internal Security Testing team who will be co-ordinating all partner engagements.
Current phase

Work setup

Address where the work will take place
The Met Office has its headquarters in Exeter, where the majority of engagements will take place if an on-site visit is required. Remote working is an option where this is appropriate and possible. The Met Office has a number of outstations around the UK, where some engagements may be required to take place, although this will be a minority, if any.
Working arrangements
In general, for each engagement, a Target of Evaluation (ToE) will be provided and should be mutually agreed with a proposal/test plan. Once agreed, this engagement will be arranged and scheduled with initiation and conclusion meetings taking place.

A detailed test exit report with recommendations must be provided as per CHECK practices.
Security clearance
SC clearance is required for this engagement. Some limited engagements may require DV clearance. Please consider when responding, the necessity for some individuals to be willing and able to pass DV clearance. This is expected to be a low number of engagements.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • An established and recognised provider of penetration testing services
  • Web Application testing (CHECK and CREST Accredited)
  • Infrastructure testing (CHECK and CREST Accredited)
  • Build reviews (CHECK and CREST Accredited)
  • Code reviews (CHECK and CREST Accredited)
  • Firewall and networking audits (CHECK and CREST Accredited)
  • Wireless and networking audits (CHECK and CREST Accredited)
  • Security Training
  • Knowledge Transfer
Nice-to-have skills and experience
  • Mobile device and application testing
  • Incident response
  • Social engineering
  • Physical security

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • The experience and professionalism of the provider
  • The thoroughness and efficiency of the test plan/proposal
  • The lead time to complete an engagement
  • The value for money of the proposal
Cultural fit criteria
  • Timeliness and effectiveness of communication
  • Willingness to engage as a partner
  • Openness and approach to knowledge transfer/training
Payment approach
Time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Hello, Can you please clarify the submission requirements for this procurement exercise? It is mentioned in the contract notice that bidders will be evaluated based on •Written proposal •Case study •Work history •Presentation However when we tried to access the application, it is just a questionnaire for us to complete. Can you please clarify if you want the additional info sent to you by separate email ( as there is no space for additional attachments) or do we need to fill just the questionnaire for this stage? Many thanks
At this stage, we only require you to complete the questionnaire. The DOS process is a two-stage process. If shortlisted for the evaluation stage we would then require the Written proposal, case study, work history and presentations to be completed.
2. Is CREST accreditation alone sufficient to be eligible for this opportunity? If not, what does CHECK give the Met Office that CREST does not?
We may stipulate CHECK for some formal IT Health Checks, in part due to the security clearance and official sensitive information handling requirements of this accreditation. Without CHECK a more limited amount of work may be available through this opportunity, but we would nevertheless encourage you to apply.
3. We would love to work with you on this opportunity, however we currently not CHECK accredited, however we have CREST accreditation and obviously are held in high regard for our Security practise across the world. Would this preclude us from applying? Until earlier this year we were CHECK accredited but this has lapsed due to customers not requesting this accreditation over the last year.
We may stipulate CHECK for some formal IT Health Checks in part due to the security clearance and official sensitive information handling requirements of this accreditation. Without CHECK a more limited amount of work may be available through this opportunity, but we would nevertheless encourage you to apply. If you have held CHECK accreditation, then we would obviously encourage you to mention that where possible, and we may encourage you to re-accredit yourselves.
4. 1. Approximately how many days testing is required per annum?
2. How much notice can you provide prior to a test being conducted?
We are anticipating 60-80 days worth of testing in a given year. Notice is flexible, we would expect to arrange dates 2-4 weeks in advance, but would be able to communicate our intention to test earlier.