National Crime Agency

DevSecOps Skills to support Cyber activity

Incomplete applications

11
Incomplete applications
5 SME, 6 large

Completed applications

11
Completed applications
4 SME, 7 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 18 September 2019
Deadline for asking questions Wednesday 25 September 2019 at 11:59pm GMT
Closing date for applications Wednesday 2 October 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work To move a number of COTs products into the AWS cloud, utilising existing DevOps approach. Work to identify and implement process improvements in a number of areas.
Latest start date Friday 15 November 2019
Expected contract length March 2020 with a possible extension up to 12 months
Location London
Organisation the work is for National Crime Agency
Budget range

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The NCCU have a number of services which need migrating to AWS. This work is designed to support the provision a resilient suite of tools to law enforcement partners. The NCCU have implement the landing zone pattern and the services need to exist within this approach.
Problem to be solved MigrateCOTs products to current NCCU AWS cloud infrastructure ensuring existing guard rails are followed and best practice is adhered to.

Provide rapid application development services to implement create a number of lightweight serverless applications/experiments to deliver business value.

Provide Agile software development, data architecture expertise to improve capabilities for data analytics platform exploiting best practice serverless to implement improved decoupling, provenance, resilience work, seeking to baseline, standardise architecture.

Provide support/foundation for the DevSecOps team, form of tooling and process improvement.

Work with wider organisation ensuring compliance with an ambition to connect corporate network and support other initiatives requiring DevOps skills.
Who the users are and what they need to do The users of the platform are the NCCU and wider policing. However the NCCU on premise NCCU DevSecOps team are the primary point of contact for this piece of work.
Early market engagement No market engagement has been conducted to date, however we have an existing supplier, which will need to be engaged with if successful.
Any work that’s already been done 18 months of work conducted which has resulted in a mature platform using best of breed technologies. The approach is well defined and understood. The work has resulted in a number of systems being migrated into AWS.
Existing team The team consisted of a number of NCCU employees and contract resource. The mix is about 40/60 respectively.
Current phase Not started

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place Spring Gardens, Vauxhall, London
Working arrangements Standard office hours 5 days a week onsite at the NCA offices in London.

Expenses will need to be as per the NCA's Travel and Subsistence policy which will be provided at the shortlisting stage. Any travel expenses will be at cost and pre agreed with the NCA.
Security clearance SC clearance with the ability to pass NCA top up.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions Additional terms will be sent out to shortlisted suppliers.
These will include
FOIA terms as the NCA is not subject to FOI requests.
Security terms to include Security aspects letter, information security.
Shortlisted suppliers will be required to utilise Bravo during the shortlisted stage will be sent out to shortlisted suppliers.

The NCA will be using the a Scoring matrix of 1 – 5. Further clarification will be issued via a clarification question.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Be an AWS Premier Partner or have considerable cloud native/ cloud first experience in AWS (resource supplied must at a minimum have AWS associate level certification) - 20 points
  • Have demonstrable experience of implementing the AWS landing zone pattern as published by AWS. In-depth expertise of providing serverless solutions - 10 Points
  • DevSecOps skills, expertise in Python, Javascript frameworks, HTML/CSS, Terraform, Gitlab CI, Git, o Significant expertise in Agile, Site reliability engineering practices (understanding of Beyond Corp model) 15 Points
  • Ability to develop niche capability including an approach to buy or build - 15
Nice-to-have skills and experience
  • Knowledge of data analytics and recent cloud developments related to data analytics. Experience of supporting users of data analytic systems - 10 Points
  • Knowledge of security and performance monitoring and alerting in a cloud environment and how to make decisions based on the results. - 10 Points
  • Knowledge of automation as a first principle including infrastructure automation and automation for cost saving - 10 Points

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 4
Proposal criteria
  • Please provide evidence of experience in moving COTs products to AWS cloud. What was your approach and methodology and what was the outcome. - 10 Points
  • AWS landing zone pattern. Knowledge of implementing, migrating services to and best practices around this design pattern - 10 Points
  • Agile Software Development. Experience of using Agile to build software in the cloud. Qualified individuals who can mentor around Agile techniques - 10 Points
  • Knowledge of DevSecOps. Awareness of now to deliver capability in a DevSecOps fashion and how to upskill and mentor teams in the use of DevSecOps practices - 10 Points
  • Awareness of designing within the Cloud and in particular designing with consideration of Cost Management - 10 Points
Cultural fit criteria
  • Please provide you approach & Experience in up skilling and mentoring during client engagement. Willingness to provide knowledge transfer sessions and training sessions - 5 Points
  • Agile ceremonies ability to following agile best practices - 5 Points
  • Knowledge of data architecture and building scalable data applications - 5 Points
Payment approach Time and materials
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence

55%

Cultural fit

20%

Price

25%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. The scores for this qualification phase add up to 90, and we notice that the third Essential Skills question appears to us to perhaps be two questions with a sub-bullet part way though. We will happily address this with a single answer.
Please can you advise how bidders should address the third Essential Skills question?
The points are points are not designed to add up to 100.
Please address the answer in one question
2. Can you elaborate or express in another way the question "Ability to develop niche capability including an approach to buy or build?" Reworded - "Ability to take a requirements driven approach to understand whether a required capability needs bespoke development or whether an off the shelf/ open source product could be adapted to fit"
3. lease can you provide an indication of the available budget until March 2020. £600k-£800k
4. Do you have an ideas of the level of resourcing (FTEs) to be provided on-site? No - The response will be evaluated based on expertise of the team proposed and the ability to complete the work in a transformational fashion.
5. Would you be able to say who the existing supplier is? Not at this stage
6. Is there scope for a percentage of off site development to be undertaken within a supplier's own List X facilities or for work at other NCA sites outside of London – as opposed to just on-site 5 days a week at Spring Gardens? Potentially - However it should be noted that a robust apporach to managing off site working should be provided. We rely on good communication with our suppliers, previous off site approaches have proven more difficult than on premise approach
7. Would you be willing to sponsor SC clearance for team members who have previously held it but for whom it has lapsed Yes - however given the time frames to obtain clearance (3-4 months) and the desire to deliver by March 2020, this could prove problematic if the entire team requires sponsoring
8. Should the third "Essential" Skills bullet point be split into two bullet points? That is, DevSecOps skills... and Significant expertise in Agile...
There seems to be a second bullet point embedded. One hundred words doesn't seem like a lot for the full question.
The third Essential skill was a list of skills and where bulleted
9. Do have any idea of budget at this stage? £600 - £800k
10. Would you consider/prefer SMEs for this? All suppliers will be considered.
Reponses will be evaluated equally via an open and fair competition.
11. Would you consider a consortium bid? Yes
12. Could you please indicate whether this opportunity will be considered outside or inside of IR35 by The Authority? This requirement should be based on outcomes and deliverables, not a contingent labour requirement.
13. It was mentioned you're working with an incumbent - who is the supplier and how long have they been engaged. Approximately 18 months, details will be supplied at later stage.
14. It was mentioned NCA Top up in addition to SC clearance. What is meant by NCA Top Up. The NCA conduct additional checks to identify links to organised crime
15. Would the NCA be willing to sponsor our team through SC clearance as part of the on-boarding process? Whilst going through the SC process can work be started under the contract? (i.e. access to dev environments, site access etc) Access to production systems would not be possible but access to site for meetings would be possible. Given SC enhanced takes 3-4 months it would be necessary to understand the impact this would have on delivery by March 2020
16. In case of a consortium bid do you require both suppliers to be listed on the DOS Framework or just the prime. Only the prime would have to be on the DOS Framework.