Gas & Electricity Markets Authority (Ofgem)

RIIO-2 Cyber Security submissions review - Role 2 - Project PMO Support/Analyst

Incomplete applications: 21 (18 SME, 3 large)
Completed applications: 17 (14 SME, 3 large)
Important dates
Published: Friday 25 October 2019
Deadline for asking questions: Tuesday 29 October 2019 at 11:59pm GMT
Closing date for applications: Friday 1 November 2019 at 11:59pm GMT

Overview
Specialist role: Cyber security consultant
Summary of the work: Understand and map cyber security control requirements (i.e. NIS Regulations, industry best practice) against OES's RIIO-2 submissions. Review OES's submission costs, security improvement plans and project timelines. Perform security reviews, facilitate workshops, and produce high-quality decision reports covering the assigned OES scope, aligned with compliance and regulatory requirements.
Latest start date: Monday 25 November 2019
Expected contract length: not specified
Location: London
Organisation the work is for: Gas & Electricity Markets Authority (Ofgem)
Maximum day rate: not specified

About the work
Early market engagement: not specified
Who the specialist will work with: The Specialist will be working with other cyber security specialists working on the RIIO-2 OES submissions. The NIS Regulations impose new duties on Operators of Essential Services ("OES") and give relevant Competent Authorities ("CAs") new powers and responsibilities to ensure OES are meeting those duties. Ofgem is a joint CA with BEIS for the Downstream Gas and Electricity sectors in Great Britain.
What the specialist will work on: Project PMO support / Analyst (x1 resource). A project PMO/analyst with experience in cyber security and extreme attention to detail, able to understand and map cyber security control requirements (i.e. NIS Regulations, industry best practice) against OES's RIIO-2 submissions, and able to review OES's submission costs, security improvement plans and project timelines. This role requires experience of performing security reviews, facilitating workshops, and producing high-quality decision reports covering the assigned OES scope, aligned with compliance and regulatory requirements.

Work setup
Address where the work will take place: The majority of the reviews will take place on Ofgem's premises at 10 South Colonnade, Canary Wharf, London E14 4PU.
Working arrangements: The contract will be for a total of 50 input days starting in November 2019. The selected company/candidate must be available to commence this assignment in mid November 2019 and be available until late January 2020.
Security clearance: Staff visiting Ofgem's and OEM's premises shall hold at least BPSS (Baseline Personnel Security Standard) level security clearance. The Contractor is responsible for obtaining clearance for all Staff and shall bear all costs associated with the clearance process.

Additional information
Additional terms and conditions: none stated

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Three years' proven track record of delivering complex information security control reviews, ideally in the industrial cyber security space
  • 3 years' proven track record of cyber security assessments, report writing, programme management, and project and budget reviews
  • Clear evidence of a track record of successful project engagements covering a minimum of 6 of the topics listed below
  • a) Industrial cyber security strategy & architecture; b) Project planning
  • c) Security assessments; d) Budgeting & timelines management
  • e) Asset management; f) Programme management responsibilities including tracking timelines, milestones & budgets
  • g) Industrial control systems controls & regulations (NIS, NERC-CIP, ISA/IEC 62443, NIST 800-53/8, etc.)
  • h) Data protection; i) Application security
  • j) Industrial Health & Safety requirements; k) Identity & Access management
  • l) Change management; m) Malware & antivirus management
  • n) Information Security processes & policies; o) Incident response
  • p) Vulnerability management; q) System security
  • r) Security awareness and training; s) Security monitoring
  • t) Third party vendors & access management; u) Portable media
  • v) Resilience and business continuity
Nice-to-have skills and experience
  • Demonstrated knowledge of the energy sector through direct experience with energy stakeholders
  • Demonstrated knowledge of agile working practices

How suppliers will be evaluated
How many specialists to evaluate: 6
Cultural fit criteria
  • Be able to engender confidence with OES and Ofgem
  • Work well under pressure
  • Take responsibility for delivering successfully
  • Work well in a transforming environment
  • Work well in a team and autonomously
Additional assessment methods
  • Reference
  • Interview
  • Presentation
Evaluation weighting
  • Technical competence: 50%
  • Cultural fit: 20%
  • Price: 30%

Questions asked by suppliers

1. Supplier question: Do you have an incumbent providing this service?
   Buyer answer: No, this is a new requirement to provide support for this specific activity.
2. Supplier question: How should we respond where experience examples are combined in the same box? For example, Change Management and Malware and anti-virus management are unrelated subjects but in the same 100-word box. Do we submit 50 words on Change Management and 50 words on Malware and anti-virus, 100 words combining the 2 subjects, or 100 words on one or the other?
   Buyer answer: Ideally 100 words combining the subjects. Don't waste words if the subject is 'no direct experience'. We won't exclude candidates with low/zero score answers against some criteria.
3. Supplier question: Please can you clarify if you are looking for one individual that meets all the criteria, or can we submit an individual that covers most of the criteria with reach-back to capability as and when required?
   Buyer answer: Individuals should cover at least 6 of the criteria well, but it will be rated accordingly. Reach-back is added value for us, so should be mentioned (once) in the overall response.
4. Supplier question: "The contract will be for total of 50 input days starting in November 2019. The selected company/candidate must be available to commence this assignment on mid November 2019 and be available until late January 2020." There are a maximum of 47 working days from 25 Nov 2019 to 31 Jan 2020. Is this a full-time assignment?
   Buyer answer: It is expected that this will be a full-time assignment but could be extended post 31 Jan 2020.
5. Supplier question: Please confirm if this assignment falls outside or inside IR35?
   Buyer answer: Outside of IR35, as this is a short-term requirement for consultancy, for which we have no permanent equivalent.
6. Supplier question: Please can you confirm the maximum all-in day rate (inc. VAT)?
   Buyer answer: We expect to pay market rates for the right combination of skills/experience.
7. Supplier question: Please can you confirm the length of contract and maximum day rate?
   Buyer answer: The contract will run until 31 January with possible extension. We will pay market rates for the right combination of skills/experience.
8. Supplier question: Can the authority please confirm the IR35 status of this role?
   Buyer answer: Outside IR35, as this is a short-term role, for which there is no permanent equivalent.
9. Supplier question: Is there a current incumbent and can you give any indication on expected day rate?
   Buyer answer: No, this is a new requirement to provide support for this specific activity.