Base Services, Defence Digital, Ministry of Defence Corsham

Security Assurance Support to Base Services in Defence Digital

Incomplete applications: 8 (5 SME, 3 large)

Completed applications: 11 (8 SME, 3 large)

Important dates
Published: Friday 31 January 2020
Deadline for asking questions: Friday 7 February 2020 at 11:59pm GMT
Closing date for applications: Friday 14 February 2020 at 11:59pm GMT

Overview

Summary of the work: The team will undertake a variety of Security/Assurance related technical support tasks dependent on the business need but will cover support to software upgrades (O2016/ Windows 10), MODNET-Official, MODNET-Secret, MODNET-Overseas, O365 E5 licence capability rollout including 13 additional Defence-wide capabilities and IUS Fixed Voice and Mobile Voice & Data Services.
Latest start date: Monday 30 March 2020
Expected contract length: NSoIT 12-month contract 30/03/2020-31/03/2021, IUS 6-month, 6-month option (Subject to Approval)
Location: South West England
Organisation the work is for: Base Services, Defence Digital, Ministry of Defence Corsham
Budget range: The maximum amount of approved funds is £740,000 (Ex VAT)

NSoIT T&S Limit of Liability - £8,000 for 12 month period
IUS T&S Limit of Liability - £2,000 for 6 month period
IUS T&S Limit of Liability – 6 Month Option Period - £2,000 for 6 month period (Subject to Financial Approval)

About the work

Why the work is being done: Specialist Security advice to meet assurance activities is required in order to ensure Base services projects deliver key capabilities on time and fit for purpose.
Problem to be solved: Requirement to provide Security Assurance knowledge and expertise for all MODNET services.

NSoIT – 12 month contract from 30/03/2020 to 31/03/2021

IUS - Initial Period of 6 Months 30/03/2020 – 29/09/2020

(Option to extend the IUS element for a further 6 Months 30/09/2020 – 31/03/2021 subject to Financial approval)
Who the users are and what they need to do: For the tasks required, the 'users' are the project team and our stakeholders.
Early market engagement
Any work that’s already been done: Many items (Projects) have already been started or are in the delivery phase and as such, the tasks are about refinement, further development and operation.
Existing team: Base Services – New Style of IT and Integrated User Services
Current phase: Live

Work setup

Address where the work will take place: Defence Digital, Ministry of Defence Corsham
Working arrangements: Work onsite 4/5 days a week in Corsham as agreed with the Project Manager in order to support Project Teams in all of their Security Assurance activities.

NSoIT T&S Limit of Liability - £8,000 for 12 month period
IUS T&S Limit of Liability - £2,000 for 6 month period
Security clearance: Minimum SC – with access to DV personnel as and when required

Additional information

Additional terms and conditions: Key Personnel will be required to hold or be working towards CISM, CISSP, ISO27001 Lead Auditor or ISO27001 Lead Implementor.

T&S will be paid based on receipted actuals and in compliance with MoD Policy, no other expenses are permitted.

Suppliers must use the Authority’s Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.

The Cyber Risk Profile has been identified as Moderate.

More detail will be provided at the tender stage, for suppliers that pass the shortlisting stage.

Further contractual conditions may apply; these will be confirmed later in the tendering process.

IR35 does not apply.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate with evidence recent working experience(s) of supporting delivery in a large scale IT Environment / Project (150k+ users) (5%)
  • Demonstrate experience of working in MOD or other large government organisation, with a good understanding of Defence Digital Services or equivalent and wider business practices (5%)
  • Demonstrate with evidence a clear understanding of the MOD estate or similar government organisation and the difference between Official and Secret environments (5%)
  • Demonstrate with evidence a firm understanding of Microsoft O365 environment in a large corporate deployment (10%)
  • Demonstrate a clear understanding of / recent working experience of JSP 604 Accreditation (10%)
  • Provide evidence of analysis and evidence gathering experience; ability to understand where potential Security gaps lie based on evidence and producing written analysis (15%)
  • Demonstrate recent experience in producing Security Cases that work in a pragmatic way for both Delivery and Security Teams, including providing evidence (15%)
Nice-to-have skills and experience
  • Demonstrate experience of conducting Technical security reviews / approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy (15%)
  • Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process (10%)
  • Demonstrate previous working experience of Coordinating technical security documentation in support of CyDR to support achievement of accreditation (10%)

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate: 3
Proposal criteria
  • Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; ‘one size fits all approach’ will not satisfy our requirement (20%)
  • Provide a high level plan to your approach for identifying and managing Security Risks, Issues and Dependencies in mature business/project area (15%)
  • Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)
  • Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
  • Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
  • Supporting CVs – these should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page. (10%)
  • Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)
  • Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)
Cultural fit criteria
  • Ability to work in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
  • Work as a team with our organisation and other suppliers (25%)
  • Remain transparent and collaborative when making decisions (25%)
  • Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions. (25%)
Payment approach: Capped time and materials
Additional assessment methods
Evaluation weighting
  • Technical competence: 60%
  • Cultural fit: 5%
  • Price: 35%

Questions asked by suppliers

1. Question: 'Key Personnel will be required to hold/working towards CISM, CISSP, ISO27001 Lead Auditor or ISO27001 Lead Implementor' means that there is no need to actually hold any recognised certification or qualification. Should it not include at least NCSC CCP SIRA with a Lead CCP SIRA or equivalent as Team Leader?
   Answer: A CCP or equivalent professional qualification is highly desirable.

2. Question: Is there a current incumbent?
   Answer: Yes

3. Question: We recognise the 150k user base, but this is not the same as the amount of projects / programme making demands of the Security Assurance. What is the scale of the operation?
   Answer: Scale is vast and includes (but is not limited to) supporting the following Base Services Projects (and associated work packages):

• MODNET OFFICIAL
• MODNET SECRET
• MODNET Overseas
• Windows10
• O365
• Fixed Voice OFFICIAL
• Fixed Voice SECRET
• Fixed Voice Overseas
• Mobile Voice and Data Services

4. Question: Can you please confirm who the incumbent suppliers are?
   Answer: The incumbent is Atkins

5. Question: Given the quote is capped T&M, how will MoD evaluate the 35% marks that are for price, given the budget has been published?
   Answer: The 35% Price percentage will apply to the priced proposals.

6. Question: Can you please provide a breakdown of how the budget of £740k is split between NSoIT and IUS? Is this budget to cover the 12 months/6 months?
   Answer: Budget is for both: 12 months for NSOIT and the 6 months for IUS.

7. Question: Please advise whether the approved funds of £740k includes the possible 6-month extension for IUS, or whether further funds will be added if this extension is contracted.
   Answer: The 6-month option is subject to financial approval. The budget is for: 12 months for NSOIT and the 6 months for IUS.

8. Question: Can the authority please confirm a maximum day rate? The maximum approved funds amount to £740,000, whereas the combined contract period is 2 years?
   Answer: This is DOS outcomes, therefore a day rate is not published; a budget is published.
   The Contract period is 12 months with an option to extend the IUS element for a further 6 months subject to financial approval.

9. Question: Can the authority please confirm how many people are required to provide this support?
   Answer: For information there are currently 6 personnel undertaking the requirement.
   However, suppliers are to construct the team as they consider appropriate.