Awarded to Celidor

Start date: Monday 27 January 2020
Value: £40,000
Company size: SME
The National Archives

AWS Cloud Security Engineer – Secure Transfer of Digital Records

16 Incomplete applications

14 SME, 2 large

23 Completed applications

22 SME, 1 large

Important dates

Friday 6 December 2019
Deadline for asking questions
Friday 13 December 2019 at 11:59pm GMT
Closing date for applications
Friday 20 December 2019 at 11:59pm GMT


Specialist role
Cyber security consultant
Summary of the work
Provide expert advice and guidance on information assurance, security standards, services, policies and tools
Review service design, identify and assess risks
Design, evaluate and recommend appropriate, cost-effective security controls and processes
Work with the team to implement recommendations to secure the service in line with business, user and compliance requirements.
Latest start date
Monday 3 February 2020
Expected contract length
Initial up to 8 weeks to 31/03/20; additional up to 8 weeks depending on needs, performance & budget
Organisation the work is for
The National Archives
Maximum day rate
Up to £1000 a day (not including VAT)

About the work

Early market engagement
The specialist will work with the ‘Transfer Digital Records’ product team at The National Archives. The team are building a service which enables the secure transfer of digital records to The National Archives. The service offers tools for content upload, validation and transfer of ownership to the Archive.
We have completed in-house discovery and Alpha prototyping phases to determine the scope of the proposed service; identify user, business and compliance requirements for access and security; and deliver a small-scale demonstration prototype and proof of concept for the service.
We now require a specialist to review the security and assurance aspects of our proposed design, identify threats and gaps and develop a strategy for delivering and operating a securing the service as we move into a Beta delivery phase.
Who the specialist will work with
The specialist will work with the ‘Transfer Digital Records’ product team at The National Archives:
Team roles include: Product manager, Delivery manager, Technical architect, Data analyst, Developers (front and back end), User experience researcher. There will be scope to engage with the Service Owner, Departmental Security Officer and IT Security Officer.
The specialist will need to engage with stakeholders across the organisation to present work, demonstrate designs and seek feedback as the work progresses.
What the specialist will work on
Requirements: Review and understand user, business and compliance requirements for service security
Risk discovery & analysis: Review relevant design decisions and assessment documentation from the Alpha phase; identify potential threats, weaknesses and gaps in our proposed approach
Risk treatment: Develop a pragmatic, appropriate and cost-effective strategy for securing the service
Assurance: Contribute to technical assessment and assurance processes
Implementation and testing: Work with the team implementing the approved design to ensure that the Beta product release meets our security requirements.
Documentation: Deliver appropriate documentation of requirements, design recommendations and risk assessments to support technical review and on-going service development.

Work setup

Address where the work will take place
The team is based at The National Archives, Kew, Richmond, Surrey TW9 4DU. You will be expected to work on-site. Some remote working may be possible by agreement.
Working arrangements
Co-located with the team in a highly collaborative environment to enable you to understand requirements, understand previous work, demonstrate your work and test and refine your proposed strategy with the team throughout the project. Normal office hours are 9am to 5pm, some flexibility is available.
We expect to interview on 13 January 2019.
Security clearance
An SC cleared specialist is required.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Hold relevant, current certification (please specify) with expertise and significant practical experience of developing security strategies in an AWS cloud environment.
  • Have a proven track record of risk assessing and assuring cloud based architectures for secure, content-driven services.
  • Have an in depth understanding of relevant security standards, protocols and architectural approaches
  • Have detailed knowledge and understanding of AWS security tools and services, open source security controls and automated security testing tools
  • Have expertise in developing an outcome based approach to risk identification, management and mitigation using techniques such as risk trees and attack tree methods
  • Have a good understanding of identity management and identity lifecycle management with strong experience of relevant security models and technical frameworks for access management.
  • Be able to deliver at pace within a fixed timeline and budget.
Nice-to-have skills and experience
  • Have experience of working within GDS standards and best practice.
  • Have knowledge and experience of designing cloud services for uploading and processing large collections of digital content.

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
Cultural fit criteria
  • Be willing to work on site at The National Archives, in close collaboration with the product team.
  • Work closely with our organisation and other suppliers.
  • Have excellent problem solving skills and display initiative in proposing and testing different approaches to find a solution.
  • Communicate openly, demonstrate progress and discuss findings regularly.
  • Be transparent and collaborative.
  • Be comfortable standing up for their discipline.
  • Have a no-blame culture and take responsibility for their work.
  • Be able to work and make progress independently to deliver work to a deadline.
Additional assessment methods
  • Reference
  • Interview
  • Scenario or test
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Please can you confirm the IR35 status of this role?
We have checked the role requirements (to the best of our knowledge) using the assessment tool found at and, in our opinion, for the role(s) as advertised the intermediaries legislation does not apply to this engagement. If our opinion had been that these roles lay inside scope for IR35, we would not have published using this Framework.
2. Is there an Incumbent already in place delivering this work?
No, there is no incumbent in this role.
3. Must the specialist already be SC cleared or can the buyer sponsor the process?
The specialist must already be SC cleared.
4. Does the rate include agency fees?
5. What current certification do you expect from the candidates?
There could be quite a lot varied certificates, even within AWS domain. Can you please clarify this requirement?
We recognise that there are many certification programmes available, but as we’re building an AWS service, either the ‘AWS Certified Security - Specialty’ or some combination of ‘AWS Solutions Architect Professional’ and ‘Certified Cloud Security Professional’ or similar certification would be preferred. As per the requirement in full we will expect to see evidence of ‘expertise and significant practical experience of developing security strategies in an AWS cloud environment.’
6. When will the interviews be conducted for this role?
We expect to interview on 13 January 2019.
7. Can we please confirm the interview dates are the 13 Jan 20 and not 19?
Apologies. You are right, of course. We intend to hold interviews on 13 January 2020.