Ministry of Defence - ISS DAIS

DAIS Innovation Cyber Security and Assurance Team (DISCAT) - to support Defence Innovation Pilots

Incomplete applications

12
Incomplete applications
9 SME, 3 large

Completed applications

15
Completed applications
10 SME, 5 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Tuesday 24 September 2019
Deadline for asking questions Tuesday 1 October 2019 at 11:59pm GMT
Closing date for applications Tuesday 8 October 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work The requirement is for a specialist service for a period of up to 24 months to support, advise and assure MoD Innovation projects through life, as being safe and secure to operate within Defence Industry and according to MOD policy.
Latest start date Monday 21 October 2019
Expected contract length Up to 24 months.
Location London
Organisation the work is for Ministry of Defence - ISS DAIS
Budget range Total Budget Limit of Liability of £2.0M

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done A newly formed DAIS Innovation Cyber Security and Assurance Team (DICSAT), will be based in London and execute the Cyber Security roles and responsibilities of ISS Hd DAIS as ISS Head of Function for IA and the Defence Authority for Accreditation and Cyber Security. It will advise, support and assure Defence’s Innovation project portfolio, as prioritized and endorsed by ISS Hd Innovation.
Problem to be solved It has been recognised that at present Innovation projects tend not to have their own Security SMEs in place to support DAIS - and DAIS are not resourced to support the volume and types of demands of the innovation community in terms of the volume and pace of the projects compared to their existing priorities and workload, through to the breadth of emerging technologies, many of which are not familiar to the existing staff.
Who the users are and what they need to do The various TLB Innovation teams require the DICSAT, to ensure they deliver accurate, trusted and timely Security Assurances for each Stage and/or Sprint of their Innovation projects. Without this assurance they will be potentially denied access to MoD infrastructure and/or process MoD Information.
Early market engagement
Any work that’s already been done An early DRAFT Mandate for the DISCAT has been generated along with an Alpha process for assessing and articulating the risk, mitigations and residual Cyber Risk of a particular Sprint.
Existing team This is a new, not previously existing team.
Current phase Discovery

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place Whitechapel - Aldgate - London
Working arrangements The team rely on technology to work collaboratively (facilitated by MODNET) and should have a presence in London (4-5 days/week) but individuals may expect to travel between defence establishments in line with a project’s needs, not all members of the team will be there every day.
There is a requirement for transition and knowledge-transfer to Crown Servants.
T&S should be limited to essential requirements in the UK. Travel to and from duty station is at the individual’s own cost. Any other travel will be approved in advance by ISS Head of DAIS at MOD extant rates.
Security clearance The partner needs to supply people with a DV clearance in line with defence establishment Security guidelines, although one portfolio manager may be SC.
The Authority WILL NOT sponsor DV Clearance: it must be in place at commencement and remain valid for the duration of the contract.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions • Occasional Home or remote working is permitted as endorsed by DAIS Dep Hd.
• More detail will be provided at the tender stage, for suppliers that pass the shortlisting stage.
• MODNET assets may be assigned to suppliers, accounts can be created and accessed from assets in MoD locations.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Assessment of cyber security and information risk of services against UK, HMG and MoD policy and appetites. (30%)
  • Within an AGILE approach - Delivery planning, assurance & materials/artefacts necessary to evidence the security & compliance processes & support the customer in gaining approval to operate the SPRINT. (20%)
  • Within a CADMID/Waterfall approach - Delivery planning, assurance & materials/artefacts necessary to evidence the security & compliance processes & support customer in gaining approval to operate the SPRINT. (5%)
  • Assess International, HMG & Private Sector Certification processes & deliverables to support reuse/mutual recognition & inform compliance in MoD context & policy. (5%)
  • Cyber Security & Information Assurance Risk Management reporting, escalation and MI to Hd DAIS & CISO as required. (15%)
  • Understand & assess New and emerging technologies for use in an HMG context. (5%)
  • Deliver Cyber Security Architecture patterns & designs to enable Innovation projects to transition & operate as LIVE solutions or services. (15%)
  • Portfolio and Project /Sprint Management: for each SPRINT track, manage & ensure mitigation activity is in place . Liaise with other MOD processes for security, business & service changes. (5%)
Nice-to-have skills and experience

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 3
Proposal criteria
  • Provide evidence for Assessing cyber security and information risk (30%)
  • Provide evidence of producing Assurance evidence for an AGILE project. (20%)
  • Provide evidence of producing Assurance evidence for HMG CADMID (Waterfall) project. (5%)
  • Provide evidence of Assessing various HMG and Private Sector Certification processes. (5%)
  • Provide evidence of producing Cyber Security and Information Assurance Risk Management and reporting. (15%)
  • Demonstrate assessment and understanding of a new and emerging technologies. (5%)
  • Provide evidence of producing Cyber Security Architecture and design patterns. (15%)
  • Provide evidence of managing and integrating a capability Portfolio Management. (5%)
Cultural fit criteria
  • Constructive and innovative challenges to current wow, implementations, policy and behaviours. (15%)
  • Transparent and honest with clients and forges strong relationships based on mutual respect. (10%)
  • Works collaboratively across multiple locations and organisations to achieve security and business balanced success. (10%)
  • Drives work forward, taking the initiative and catalysing progress (5%)
  • Assures the quality of their work, benchmarking against best practice/other organisations and ensuring it meets the client expectations/needs. (10%)
  • Shares knowledge and experience with other MoD teams (10%)
  • Responsive and focuses on understanding the user needs and challenges of the client. (15%)
  • Adds value proactively to strengthen project outputs, strategies and thinking. (15%)
  • Can interact with large organisations, with complex hierarchies, bureaucracy and slow decision-making processes (10%)
Payment approach Fixed price
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence

60%

Cultural fit

20%

Price

20%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Q1. Can the authority confirm if the total budget LOL is inclusive or exclusive of VAT ? A1. The figure is VAT inclusive.
2. Q2. Can the authority provide any idea on the team size they are looking for ? A2. The advert is Output-based, so it is up to the Bidders to put forward the number of people that they think are necessary.
3. Q3. Can the authority please confirm the IR35 status of this requirement ? A3. The Intermediaries Legislation does not apply to this engagement.
4. Q4. Will you help an SME find a temporary sponsor to hold DV clearances whilst they become able to hold their own? A4. No.

Note: Although the question is unclear, 'No' is the answer to both possible interpretations i.e. If it is asking the authority to sponsor an individual's DV the answer is NO. If it is asking the authority store or manage an individual's DV the answer is NO.
5. Q5. Do you support SME's applying for this business? A5. Yes
6. Q6. Will you help SME's archive list-x status to be able to hold DV clearance? A6. No. List-X status is not required to hold DV clearances.
7. Q7. What third party support has the Authority had to establish the DISCAT so far? A7. To date, no 3rd party has been involved in defining, analysing or generating the DISCAT requirement.
8. Q8. Are we able to put forward an individual initially, with the view to building a team. Or are you after a fully formed team on day one (entire team starting on 21 October 2019)? A8. This is an outcome based contract, so the number of individuals required to deliver the outcome is at the discretion of the bidder. However, it would be reasonable to have a lower number of team members at the initial start-up of the service, which is then scaled up as the tasking demands and Ways of Working (WoW) are evolved.
DV clearances must be held as detailed in the advert.
9. Q9. Are we able to put forward an individual initially, with the view to building a team. Or are you after a fully formed team on day one (entire team starting on 21 October 2019)? A9. This is an outcome based contract, so the number of individuals required to deliver the outcome is at the discretion of the bidder. However, it would be reasonable to have a lower number of team members at the initial start-up of the service, which is then scaled up as the tasking demands and Ways of Working (WoW) are evolved.
DV clearances must be held as detailed in the advert.