Ministry of Defence - ISS DAIS

DAIS Innovation Cyber Security and Assurance Team (DISCAT) - to support Defence Innovation Pilots

12 Incomplete applications

9 SME, 3 large

15 Completed applications

10 SME, 5 large

Important dates

Published
Tuesday 24 September 2019
Deadline for asking questions
Tuesday 1 October 2019 at 11:59pm GMT
Closing date for applications
Tuesday 8 October 2019 at 11:59pm GMT

Overview

Summary of the work
The requirement is for a specialist service for a period of up to 24 months to support, advise and assure MoD Innovation projects through life, as being safe and secure to operate within Defence Industry and according to MOD policy.
Latest start date
Monday 21 October 2019
Expected contract length
Up to 24 months.
Location
London
Organisation the work is for
Ministry of Defence - ISS DAIS
Budget range
Total Budget Limit of Liability of £2.0M

About the work

Why the work is being done
A newly formed DAIS Innovation Cyber Security and Assurance Team (DICSAT) will be based in London and will execute the Cyber Security roles and responsibilities of ISS Hd DAIS as ISS Head of Function for IA and the Defence Authority for Accreditation and Cyber Security. It will advise, support and assure Defence’s Innovation project portfolio, as prioritized and endorsed by ISS Hd Innovation.
Problem to be solved
It has been recognised that, at present, Innovation projects tend not to have their own Security SMEs in place to support DAIS, and DAIS is not resourced to support the demands of the innovation community. These range from the volume and pace of the projects, compared to DAIS’s existing priorities and workload, through to the breadth of emerging technologies, many of which are not familiar to the existing staff.
Who the users are and what they need to do
The various TLB Innovation teams require the DICSAT to ensure they deliver accurate, trusted and timely Security Assurances for each Stage and/or Sprint of their Innovation projects. Without this assurance they will potentially be denied access to MoD infrastructure and/or the ability to process MoD Information.
Early market engagement
Any work that’s already been done
An early DRAFT Mandate for the DISCAT has been generated along with an Alpha process for assessing and articulating the risk, mitigations and residual Cyber Risk of a particular Sprint.
Existing team
This is a new, not previously existing team.
Current phase
Discovery

Work setup

Address where the work will take place
Whitechapel - Aldgate - London
Working arrangements
The team rely on technology to work collaboratively (facilitated by MODNET) and should have a presence in London (4-5 days/week). Individuals may expect to travel between defence establishments in line with a project’s needs, and not all members of the team will be there every day.
There is a requirement for transition and knowledge-transfer to Crown Servants.
T&S should be limited to essential requirements in the UK. Travel to and from duty station is at the individual’s own cost. Any other travel will be approved in advance by ISS Head of DAIS at MOD extant rates.
Security clearance
The partner needs to supply people with a DV clearance in line with defence establishment Security guidelines, although one portfolio manager may be SC.
The Authority WILL NOT sponsor DV Clearance: it must be in place at commencement and remain valid for the duration of the contract.

Additional information

Additional terms and conditions
• Occasional Home or remote working is permitted as endorsed by DAIS Dep Hd.
• More detail will be provided at the tender stage, for suppliers that pass the shortlisting stage.
• MODNET assets may be assigned to suppliers, accounts can be created and accessed from assets in MoD locations.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Assessment of cyber security and information risk of services against UK, HMG and MoD policy and appetites. (30%)
  • Within an AGILE approach - Delivery planning, assurance & materials/artefacts necessary to evidence the security & compliance processes & support the customer in gaining approval to operate the SPRINT. (20%)
  • Within a CADMID/Waterfall approach - Delivery planning, assurance & materials/artefacts necessary to evidence the security & compliance processes & support customer in gaining approval to operate the SPRINT. (5%)
  • Assess International, HMG & Private Sector Certification processes & deliverables to support reuse/mutual recognition & inform compliance in MoD context & policy. (5%)
  • Cyber Security & Information Assurance Risk Management reporting, escalation and MI to Hd DAIS & CISO as required. (15%)
  • Understand & assess New and emerging technologies for use in an HMG context. (5%)
  • Deliver Cyber Security Architecture patterns & designs to enable Innovation projects to transition & operate as LIVE solutions or services. (15%)
  • Portfolio and Project/Sprint Management: for each SPRINT track, manage & ensure mitigation activity is in place. Liaise with other MOD processes for security, business & service changes. (5%)
Nice-to-have skills and experience

How suppliers will be evaluated

How many suppliers to evaluate
3
Proposal criteria
  • Provide evidence for Assessing cyber security and information risk (30%)
  • Provide evidence of producing Assurance evidence for an AGILE project. (20%)
  • Provide evidence of producing Assurance evidence for HMG CADMID (Waterfall) project. (5%)
  • Provide evidence of Assessing various HMG and Private Sector Certification processes. (5%)
  • Provide evidence of producing Cyber Security and Information Assurance Risk Management and reporting. (15%)
  • Demonstrate assessment and understanding of new and emerging technologies. (5%)
  • Provide evidence of producing Cyber Security Architecture and design patterns. (15%)
  • Provide evidence of managing and integrating a capability Portfolio Management. (5%)
Cultural fit criteria
  • Constructive and innovative challenges to current WoW, implementations, policy and behaviours. (15%)
  • Transparent and honest with clients and forges strong relationships based on mutual respect. (10%)
  • Works collaboratively across multiple locations and organisations to achieve security and business balanced success. (10%)
  • Drives work forward, taking the initiative and catalysing progress (5%)
  • Assures the quality of their work, benchmarking against best practice/other organisations and ensuring it meets the client expectations/needs. (10%)
  • Shares knowledge and experience with other MoD teams (10%)
  • Responsive and focuses on understanding the user needs and challenges of the client. (15%)
  • Adds value proactively to strengthen project outputs, strategies and thinking. (15%)
  • Can interact with large organisations, with complex hierarchies, bureaucracy and slow decision-making processes (10%)
Payment approach
Fixed price
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence
60%
Cultural fit
20%
Price
20%

Questions asked by suppliers

1. Q1. Can the authority confirm if the total budget LOL is inclusive or exclusive of VAT?
A1. The figure is VAT inclusive.
2. Q2. Can the authority provide any idea on the team size they are looking for?
A2. The advert is Output-based, so it is up to the Bidders to put forward the number of people that they think are necessary.
3. Q3. Can the authority please confirm the IR35 status of this requirement?
A3. The Intermediaries Legislation does not apply to this engagement.
4. Q4. Will you help an SME find a temporary sponsor to hold DV clearances whilst they become able to hold their own?
A4. No.

Note: Although the question is unclear, 'No' is the answer to both possible interpretations, i.e. if it is asking the authority to sponsor an individual's DV the answer is NO. If it is asking the authority to store or manage an individual's DV the answer is NO.
5. Q5. Do you support SMEs applying for this business?
A5. Yes
6. Q6. Will you help SMEs achieve list-x status to be able to hold DV clearance?
A6. No. List-X status is not required to hold DV clearances.
7. Q7. What third party support has the Authority had to establish the DISCAT so far?
A7. To date, no 3rd party has been involved in defining, analysing or generating the DISCAT requirement.
8. Q8. Are we able to put forward an individual initially, with the view to building a team. Or are you after a fully formed team on day one (entire team starting on 21 October 2019)?
A8. This is an outcome based contract, so the number of individuals required to deliver the outcome is at the discretion of the bidder. However, it would be reasonable to have a lower number of team members at the initial start-up of the service, which is then scaled up as the tasking demands and Ways of Working (WoW) are evolved.
DV clearances must be held as detailed in the advert.