Ministry of Defence, Information Systems and Services

RM1043/CCT807 - Future Gateways Security Assurance Coordinator

Incomplete applications: 15 (14 SME, 1 large)

Completed applications: 7 (7 SME, 0 large)

Important dates

Published: Thursday 10 October 2019
Deadline for asking questions: Monday 14 October 2019 at 11:59pm GMT
Closing date for applications: Thursday 17 October 2019 at 11:59pm GMT

Overview

Specialist role: Cyber security consultant
Summary of the work: ISS delivers the core ICT Platform for Defence. Working within the Interoperability Services and Gateways team developing future cross-domain interoperability services at various security domains as the Security Assurance focal point, the role will assess and evidence the effectiveness of security controls; providing confidence that Defence threats are adequately addressed.
Latest start date: Friday 15 November 2019
Expected contract length: 16.5 Months with an extension option of 4 months pending internal financial approval.
Location: No specific location, eg they can work remotely
Organisation the work is for: Ministry of Defence, Information Systems and Services
Maximum day rate: £783.00 (ex VAT) maximum budget per day including agency fees.

The total Limit of Liability for Travel and Subsistence is £4125.00 (ex VAT). Please note that payment will only be sanctioned on evidence of receipted actuals in accordance with MoD Civilian rates.

About the work

Early market engagement
Who the specialist will work with: The specialist will be required to work alongside Civilian (Crown Servants), Military personnel and Contractors (Manpower substitutes and FATS) within the Interoperability Services and Gateways team at MoD Corsham.

With regard to the activities that the specialist will be required to work on as referenced in the previous section, it should be noted that specific outcomes/deliverables will vary based upon the stage of the project delivery; but these will be identified during work package scoping. They may include any of the activities listed.
What the specialist will work on:
  • Security assure VMware-based cloud infrastructure solutions
  • Develop specifications - Windows/Linux hardened operating system configurations
  • Select/trial Cross-domain Security Enforcing Applications to support range of required information exchange services
  • Design audit solutions to meet MoD requirements
  • Ensure suitable security testing - all system components throughout project build
  • Review HLD/LLD
  • Complete/maintain DART
  • Define CTAS Scope
  • Produce SRS and Risk Balance Cases
  • Produce/Review RMADS, OSMP and associated documentation
  • Review ITHC Testing and remediation plans
  • Produce Pre-PIA, PIA, MOD Code of Connection and MOD Statement of Connection Conformity
  • Chair SWG, Security Surgeries and production/distribution of outputs Meeting with Accreditor and NCSC
  • Lead/manage Accreditation process

Work setup

Address where the work will take place: Information Systems and Services, Building 405, Westwells Road, MoD Corsham, Wiltshire, SN13 9NR.
Working arrangements: All tasking will take place from MoD Corsham. Ideally you are required to work from MoD Corsham, however a flexible working arrangement can be agreed. Travel may be required within the UK with Travel and Subsistence costs away from MoD Corsham recoverable in correspondence with MoD Departmental rates.
Security clearance: DV Clearance must be in place prior to and for the duration of the contract starting due to the projects the individual is required to work with.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of security assurance, accreditation and verification/validation of design artefacts and physical systems designs - 10 Points
  • Knowledge of gateway design and capability including NCSC Architectural Patterns and an in depth understanding of how NCSC work - 15 Points
  • Knowledge of RMADS Documentation - 10 Points
  • Holds CCP Senior SIRA status - 10 Points
  • Holds CCP Senior IA Architect Status - 10 Points
  • Evidence and knowledge of Government IA Policy, (including JSP440, JSP604, IS1/2, DIANS and NCSC IA Guidance), and Risk Management in the context of Defence - 10 Points
Nice-to-have skills and experience
  • Evidence and knowledge of the T&A process that is implemented across UK Government and Defence System projects - 5 Points
  • Evidence and knowledge of cross-domain interoperability services/gateways within Defence - 5 Points
  • Evidence of understanding of current Defence cross-domain gateways in the Secret domain - 5 Points
  • Evidence and understanding of the design and security aspects of the planned replacement defence cross-domain interoperability services solution(s) - 5 Points
  • Holds CISM - Certified Information Security Manager status - 5 Points
  • Holds CISSP - Certified Information Systems Security Professional Status - 5 Points
  • Holds ISO 27001 Lead Auditor/Implementer status - 5 Points

How suppliers will be evaluated

How many specialists to evaluate: 3
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
Additional assessment methods
Evaluation weighting
  • Technical competence: 75%
  • Cultural fit: 5%
  • Price: 20%

Questions asked by suppliers

1. Please let me know if you have an incumbent in place?
Buyer answer: I can confirm that there is an incumbent.

2. Can the Authority please confirm if there is a current incumbent?
Buyer answer: I can confirm that there is a current incumbent.

3. Can the Authority please confirm the IR35 status of this requirement?
Buyer answer: I can confirm that the intermediaries legislation does not apply to this engagement. The role is outside of IR35.

4. Is there an incumbent?
Buyer answer: I can confirm that there is an incumbent.

5. Is there an incumbent in the post, and, if there is, do you expect them to bid for this role?
Buyer answer: I can confirm that there is a current incumbent and yes, the Authority expects them to apply.

6. If the consultant needs to commute from his place to the location where the project needs to be carried out, will he be eligible for the allocated T&S budget (£4,125)?
Buyer answer: The normal place of work is Corsham. If asked to work at a different location, the incumbent will be eligible to claim the difference (if higher) between the cost of the normal commute to Corsham and the cost of the commute to the alternative location. Additionally, the incumbent may claim costs incurred with any overnight accommodation and food (actuals only, and in line with Civil Service limits).

7. Please can you confirm if there is an incumbent?
Buyer answer: I can confirm that there is an incumbent.

8. Please may you confirm the IR35 status of this task and whether or not there is a current incumbent?
Buyer answer: The intermediaries legislation does not apply to this engagement. This role is outside of IR35. I can confirm that there is a current incumbent in place.

9. Is this inside or outside of IR35?
Buyer answer: The intermediaries legislation does not apply to this engagement. The role is outside of IR35.

10. Will an application for an applicant with an extant SC who has previously held DV be considered?
Buyer answer: This application would not be considered. In accordance with the security clearances specified in the advert, DV clearance must be in place prior to and for the duration of the contract starting due to the projects the individual is required to work with.

11. The essential skills and experience are very prescriptive. Very few people have Senior SIRA, Senior Arch and a DV. Is this specification based on an incumbent?
Buyer answer: These criteria are not based on the incumbent. DV and Senior SIRA were part of the original contract requirement; both are essential given the specific demands and classification of the project. The key elements of the SIRA qualification are all valid and relevant to the SAC role. In addition, the Future Gateways project is a change project (not a BAU service), with the design being undertaken in-house (MOD are not contracting it out). Senior IA Architect skills are essential during this current phase due to the significant level of architecting required for the development of the solution.

12. Essential skills and experience usually require an answer that will be judged to gain all or a proportion of the available marks. If Senior SIRA and Senior Arch are essential, is this, in effect, a pass or fail question? 10 points or 0 points? And would, for instance, Lead SIRA gain no points as being over-qualified?
Buyer answer: All essential skills and experience items require an answer that achieves a score of ‘fully compliant’ in accordance with the criteria i.e. a score of 2. To elaborate, a score of 1 would be deemed as ‘partially compliant’ whilst a score of 0 would be deemed as 'non compliant'. For clarification, you are correct in assuming that this is a pass or fail question. However, if evidence of a higher qualification was provided (in this instance a Lead SIRA); this would still be accepted as sufficient evidence of having met this particular criteria.

13. Is there an incumbent?
Buyer answer: I can confirm that there is an incumbent.

14. Nice to have skills and experience usually require an answer that will be judged to gain all or a proportion of the available marks. Are CISM, CIISP and ISO27001, in effect, a pass or fail question? 5 points or 0 points?
Buyer answer: Please see a similar response to the ‘Senior SIRA and Senior Arch’ essential skills and experience criteria listed above. Unlike the essential skills and experience, the nice to have skills and experience don’t require a candidate to be ‘fully compliant’ against all criteria items. Criteria items will still be scored as 'fully compliant', 'partially compliant' or 'non compliant' depending on the level of evidence provided but the difference is that this isn't a pass/fail question.

15. We have a specialist who was previously involved with the gateways both providing Security Assurance and Accreditation. However, as he is not a certified CCP Senior IA Architect, can the Authority please confirm that this is an essential requirement?
Buyer answer: I can confirm that this is an essential skills and experience requirement.