Awarded to SVGC Limited

Start date: Thursday 16 April 2020
Value: £981,000
Company size: SME
Strategic Command (Defence Digital) - Ministry of Defence

Defence Public Key Infrastructure (DPKI) Support Service

6 Incomplete applications

5 SME, 1 large

10 Completed applications

8 SME, 2 large

Important dates

Published
Thursday 30 January 2020
Deadline for asking questions
Thursday 6 February 2020 at 11:59pm GMT
Closing date for applications
Thursday 13 February 2020 at 11:59pm GMT

Overview

Summary of the work
Strategic Command requires external assistance from a team with PKI experience in order to run the Defence Public Key Infrastructure (DPKI) service. This work involves operating the PKI service whilst supporting our customers. Key areas include identifying and reducing risks, resolving incidents, handling help desk requests and implementing change requests as and when directed by the Authority.
Latest start date
Monday 13 April 2020
Expected contract length
15 months, with an option for a 3.75-month extension, priced separately as part of this tender
Location
South West England
Organisation the work is for
Strategic Command (Defence Digital) - Ministry of Defence
Budget range
A maximum of £68,500 per month excluding VAT

About the work

Why the work is being done
Strategic Command provides the MOD's PKI service, a critical service that supports operational and deployed activities. The PKI solution for the Ministry of Defence is currently undergoing a change programme; in order to provide service assurance around the current solution, it has been identified that external support is required.
Problem to be solved
In order to continue to support the Ministry of Defence's critical PKI service, we require a highly skilled team with experience of managing PKI. This work involves operating the PKI service whilst supporting our customers. Key areas include identifying and reducing risks, resolving incidents, handling help desk requests and implementing change requests as and when directed by the Authority. The team will need to provide advice and guidance to the project team delivering the updated service. The team will also be required to actively work to continually improve the service provided to the customers.
Who the users are and what they need to do
As a service/system provider I need to get certificates processed, renewed, revoked, and signed so that my service continues to provide the necessary assurance to our customers.
Early market engagement
N/A
Any work that’s already been done
This requirement is for the take-on of an already in-service solution that issues approximately 5,000 certificates a year. Root Authorities and Certificate Authorities are already operational, along with existing helpdesk services.
Existing team
The team will be required to work under the authority of the existing custodians, who will be responsible for the transition of responsibilities and for providing Crown oversight. There is also an Infrastructure Engineer who is responsible for the hardware layer of the solution; the team will need to work with this individual in order to deliver the service. The team will also be required to support the team delivering the updated PKI solution, providing advice and guidance on PKI at subject-matter-expert level.
Current phase
Live

Work setup

Address where the work will take place
MOD Corsham will be the primary working location. Travel and subsistence (T&S) will not apply to this requirement.
Working arrangements
In order to support this solution the team must have regular access to the hardware (weekly for the level 1 Certificate Authority). Some elements of delivery may be delivered offsite if the supplier can demonstrate that this will not negatively impact security, delivery or service to customers.
Security clearance
All members of the team must be a minimum of SC cleared. Those who will support the Certificate Authority and Root will require DV clearance with UKSV. DV/SC clearance must be held prior to start date - evidence of validity is required.

Additional information

Additional terms and conditions
IR 35 information: The intermediaries legislation doesn't apply to this engagement.
Suppliers must use the Authority’s Purchase to Payment Tool CP&F or be prepared to sign up to the tool.
In accordance with DEFCON 658, a cyber risk assessment has been undertaken (REF: RAR-6NZ4YRCF).
Potential bidders are required to complete an assurance questionnaire against the security controls appropriate to the risk level. Further information can be found at
https://supplier-cyber-protection.service.gov.uk/

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience and knowledge of creating and managing PKI systems, including Entrust software and Gemalto hardware.
  • Ability to encode certificate profiles in ASN.1 format without internet-based tools.
  • Ensure all work is carried out and documented in accordance with required standards, methods and procedures.
  • Experience of supporting IT Services via a Helpdesk.
  • Ability to provide PKI Advice and guidance to the authority, customers and project team.
  • Ability to provide a service during UK office hours (9-5).
  • Experience of providing management information on service data and customer interactions.
  • Ability to be proactive, ensuring that customers are advised well in advance that certificates are expiring, and are chased where necessary.
  • Ability to and experience of improving services, e.g. introduction of request priority system.
  • Ability to provide the PKI Service in line with Service Level Agreements. (Listed below).
  • Response and provisioning times: acknowledge contact within 1 hour; respond to urgent request within 1 hour; respond to routine request within 4 working hours; respond to query within 4 working hours.
  • Routine certificate requests fulfilled within 10 working days of receipt of a valid application and CSR (Certificate Signing Request).
  • Notification of rejected application within 1 working day of receipt; urgent requests fulfilled within 6 hours of the receipt of a valid application and CSR.
  • Routine certificate revocations take place within 5 working days of valid application.
  • Submission of requests for new level 1 issuing CAs passed to the DPMA (Policy Management Authority) within 5 working days of receipt
  • New level 1 Issuing CA certificates issued within 20 working days of the receipt of approval from the DPMA
  • Evidence that valid SC/DV level Security Clearances are currently in place and will be held for the duration of the contract.
  • Evidence of completion of the Cyber risk assessment REF: RAR-6NZ4YRCF.
  • Confirmation that the full team will be available on contract start date.
Nice-to-have skills and experience
  • Experience of virtualised environments
  • Experience of command line interaction with utilities such as OpenSSL.
  • Experience of supporting IT Services within the Ministry of Defence or a similar department.
  • ITIL Service Management knowledge and experience.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
6
Proposal criteria
  • Technical ability and knowledge - 40%
  • Quality and Governance - 15%
  • Staffing approach and team structure - 15%
Cultural fit criteria
  • Work as a team with our organisation and other suppliers - 1%
  • Be transparent and collaborative when making decisions - 1%
  • Take responsibility for their work - 1%
  • Share knowledge and experience with authority and customers - 1%
  • Can work with stakeholders with low technical expertise - 1%
Payment approach
Fixed price
Additional assessment methods
Presentation
Evaluation weighting

Technical competence

70%

Cultural fit

5%

Price

25%

Questions asked by suppliers

1. Can the Authority advise whether this is a new requirement to expand the existing team, or whether there is an incumbent team already in place for this requirement?
This opportunity is to replace the existing Crown Servant team to allow them to return to their core roles.
2. We have a team of SC cleared PKI support people with massive amounts of relevant experience in the products you are running and in a very similar industry; we would be a shoo-in for this requirement without the DV requirement. Will you sponsor DV?
On this occasion, due to tight timescales and the nature of this requirement, the Authority will not sponsor DV clearance. As mentioned in the advert, proposed staff will need to hold the relevant clearance prior to the start date - April 2020.
3. You mention a helpdesk service – is that continuing or is the supplier expected to run a helpdesk service too?
The supplier will be expected to run the helpdesk (existing capability will be made available to the supplier).
4. What is the status of the hardware and software – are they all in support and running up to date firmware and software? What is the SLA requirement? – is there a transfer of risk to the supplier for the whole solution or does the MOD retain responsibility for the hardware and software?
All hardware and software used to deliver the service is up to date and covered by support agreements. The Authority will retain responsibility for the hardware and software and the associated risks.
5. Can the Authority confirm whether there is an incumbent for this opportunity?
If there is an incumbent, can the Authority confirm who they are and whether they are able to bid for this opportunity?
This opportunity is to replace the existing Crown Servant team to allow them to return to their core roles.
6. Hi there, can you tell us more about the structure of the existing CA hierarchy and the certificate issuance process for the 5K certs? Is the requirement to issue certs from the root (for intermediate CAs), for end entities, or both? Are certs issued manually or is there an automated process?
Due to the word count limitation, the following answer is in three parts (questions 6, 7 and 8).
(Part A)
There are a number of virtualised, offline, primarily Entrust-based roots. Very few certificates are issued off the roots, but one or two a year may be required. When this necessitates a new profile, the certificate profile encoding would have to be done offline, using only those tools accredited by MOD Security.
7. (Part B of the answer to question 6)
The current incumbent takes one full working day to complete this task. Typically, this task is preceded by the creation of a certificate off the Development root (also part of the service to be supported); this enables the work carried out on the development profile and signing to speed up the live profile creation and to minimise rework once the certificate is issued to the end user.
8. (Part C of the answer to question 6)
The level 1 signing CA is offline; currently the only automation is some scripting to extract audit information from the customer applications and, on the CA server itself, to apply profiles to a batch of CSRs and then sign the profiled files. Any proposed automation solution would be considered by the MOD, and even solutions which remove this level 1 service from MOD Corsham would be considered, but, once again, the proposed service changes would require acceptance by MOD Security.
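The "encode certificate profiles in ASN.1 without internet-based tools" skill in the essential list, and the profile-application step in the answer to question 8, both come down to producing correct DER for the Extensions SEQUENCE that the CA applies to each CSR before signing. The script below is an added example for this page; it is not the DPKI service's tooling and not Entrust's, and the profile it builds (Basic Constraints, Key Usage, Extended Key Usage, Certificate Policies with the documentation-reserved policy OID 2.999.1) is constructed purely for illustration. It uses only the Python standard library, so the encode and the independent decode-back check can both be run on an offline CA host.

```python
"""Offline DER encoding of an X.509 v3 extension profile (X.690 / RFC 5280).

Added example for this page, not the DPKI service's own tooling. The profile
contents (extension set, policy OID 2.999.1) are constructed for illustration;
2.999 is the arc reserved for examples. Standard library only, so a profile
can be encoded and checked on an offline CA host with no internet-based tool.
"""

def der_length(n):
    """Length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_boolean(value):
    return der_tlv(0x01, b"\xff" if value else b"\x00")  # DER: TRUE is 0xFF

def der_octet_string(data):
    return der_tlv(0x04, data)

def der_oid(dotted):
    """First two arcs merge into 40*a0+a1; each sub-identifier is base-128
    with the continuation bit set on every octet except the last."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([sid & 0x7F])
        sid >>= 7
        while sid:
            chunk.insert(0, 0x80 | (sid & 0x7F))
            sid >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def der_bit_string_named(bits):
    """NAMED BIT LIST (KeyUsage): bit 0 is the MSB of the first octet and DER
    drops trailing zero bits, so 'unused bits' comes from the highest set bit."""
    if not bits:
        return der_tlv(0x03, b"\x00")
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    return der_tlv(0x03, bytes([7 - highest % 8]) + bytes(value))

OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = "2.5.29.19", "2.5.29.15"
OID_CERT_POLICIES, OID_EXT_KEY_USAGE = "2.5.29.32", "2.5.29.37"
OID_SERVER_AUTH, OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
KU = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
      "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6}

def extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue
    OCTET STRING }. DER omits DEFAULT values, so 'critical' appears only if TRUE."""
    parts = [der_oid(oid)] + ([der_boolean(True)] if critical else [])
    return der_sequence(*parts, der_octet_string(value_der))

def tls_server_profile(policy_oid):
    """Extensions SEQUENCE for an end-entity TLS server profile (constructed).
    BasicConstraints cA=FALSE is an empty SEQUENCE (DEFAULT omitted);
    CertificatePolicies is SEQUENCE OF PolicyInformation, each a SEQUENCE."""
    return der_sequence(
        extension(OID_BASIC_CONSTRAINTS, der_sequence(), critical=True),
        extension(OID_KEY_USAGE, der_bit_string_named(
            [KU["digitalSignature"], KU["keyEncipherment"]]), critical=True),
        extension(OID_EXT_KEY_USAGE,
                  der_sequence(der_oid(OID_SERVER_AUTH), der_oid(OID_CLIENT_AUTH))),
        extension(OID_CERT_POLICIES, der_sequence(der_sequence(der_oid(policy_oid)))),
    )

def der_walk(data, depth=0):
    """(depth, tag, content) for every TLV; constructed tags (0x20) recurse,
    primitives such as the extnValue OCTET STRING do not."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        content, i = data[i:i + ln], i + ln
        out.append((depth, tag, content))
        if tag & 0x20:
            out.extend(der_walk(content, depth + 1))
    return out

def decode_oid(content):
    subids, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]  # joint-iso-itu-t(2) arcs can exceed the 40*a0+a1 range
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])

def profile_extension_ids(profile_der):
    """Independent decode: (extnID, critical) for each Extension, used to
    check the encoded profile against the approved one before signing."""
    result = []
    for depth, tag, content in der_walk(profile_der):
        if depth == 1 and tag == 0x30:
            fields = [(t, c) for d, t, c in der_walk(content) if d == 0]
            critical = fields[1][0] == 0x01 and fields[1][1] == b"\xff"
            result.append((decode_oid(fields[0][1]), critical))
    return result

if __name__ == "__main__":
    profile = tls_server_profile("2.999.1")
    print(profile.hex())
    print(profile_extension_ids(profile))
```

The two DER rules that most often trip up hand-encoded profiles are visible in the output: a DEFAULT value (critical FALSE, cA FALSE) is never emitted, and a named-bit-list BIT STRING is cut at the last set bit, so digitalSignature plus keyEncipherment encodes as 03 02 05 A0 and keyCertSign plus cRLSign as 03 02 01 06. Comparing the hex against the profile approved through the DPMA, and decoding it back with a second independent tool, is the check to run before the profile is applied to a batch of CSRs on the offline CA.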
9. The RAR you have supplied is a sample RAR and companies cannot complete the SAQ without a new RAR. Will you be issuing a new RAR that we can use, and will you be extending the deadline?
The Cyber Risk Assessment code for this requirement is: RAR-JTPS89PJ
The Authority will not be extending the deadline.
11. Can you please clarify the reference given against the Cyber Risk Assessment?
The Cyber Risk Assessment code for this requirement is: RAR-JTPS89PJ
12. You state the requirement to perform supplier assessment (cyber) against
REF: RAR-6NZ4YRC
We could not do this online, and when querying with the Cyber Supplier Protection service they replied: "You are unable to respond to the Risk Assessment (REF: RAR-6NZ4YRCF) as it is a 'Sample' risk assessment and is therefore inactive on the platform. We recommend you contact your contracting authority to make them aware of this and we will attempt to do the same."
Please clarify!
The Cyber Risk Assessment code for this requirement is: RAR-JTPS89PJ