Awarded to Atos IT Services UK Ltd

Start date: Wednesday 1 April 2020
Value: £1,360,800
Company size: large
Home Office Digital Data and Technology (HO DDaT) - Enterprise Services

Home Office - ServiceNow Security Architecture Capability

15 Incomplete applications

10 SME, 5 large

11 Completed applications

6 SME, 5 large

Important dates

Friday 14 February 2020
Deadline for asking questions
Friday 21 February 2020 at 11:59pm GMT
Closing date for applications
Friday 28 February 2020 at 11:59pm GMT


Summary of the work
Provision of Security Architecture/assurance capability with specific knowledge/experience of the ServiceNow product integrations. This resource will fill a capability/capacity gap for the in-house ServiceNow DevOps team to achieve overarching Security Policy adherence/robust processes to maintain ongoing compliance as additional functionality, business areas and users are added to the platform.
Latest start date
Wednesday 1 April 2020
Expected contract length
18 -24 months
South East England
Organisation the work is for
Home Office Digital Data and Technology (HO DDaT) - Enterprise Services
Budget range
At least 2 x Security Architects with the ability to increase to approximately 6 resources for a period of 18 - 24 months.

About the work

Why the work is being done
The Home Office has increased the functionality and use of the ServiceNow Platform significantly over the past 2 years and as a result the level of Security Assurance has also increased. Security Architecture resource is essential to ensure that the ongoing security design of all projects and additional functionality are addressed appropriately. There is limited resource available in the HO to undertake the level of security design and assurance support required for the platform that is going through a high volume of change and integrations, such as standing up the 24/7 Operations Centre to monitor critical HO Services, onboarding of wider business areas with their differing levels of security requirements, collation of higher volume of data etc. This is required by 1st April 2020.
Problem to be solved
Third party supplier to provide access to specialised Security Architecture and assurance capability with specific knowledge and experience of the ServiceNow product and associated integrations such as: Event Management for service and security monitoring, discovery, other SM toolsets, population of CMDB, MID Server technology etc.

Security Architecture Capability and Capacity gap – all new functionality, projects and integrations need to be secure by design and to ensure this is done in a robust way, that adheres to stringent Security Policies and Procedures, skilled experience Security Architect resources are required.
This would need to include an element of knowledge transfer back in to the relevant teams to ensure Secure by Design principles are understood and worked in to the day to day activities.
Who the users are and what they need to do
ServiceNow is used to support IT Service Operations across the Home Office. Users of ServiceNow include: - End users accessing the Service Catalogue; - Service Operations management, using the data in ServiceNow to manage IT service provision; Service Desk staff supporting end users raising IT issues and - Service Operations staff supporting key ITIL processes.
In addition, there are evolving capabilities in the Home Office Cyber Security and IT Operations centres (CSOC and ITOC). These will use ServiceNow for Event Management, using integrations with monitoring tools to view and manage business service health, and to manage and monitor Security Incidents in a secure and controlled environment.
Early market engagement
Any work that’s already been done
The following applications and features have been implemented in the Home Office instance of ServiceNow: -Service Portal; Chat; Incident; Operational Change; Problem; Service Catalogue; Service Request Management; CMDB (including and SCCM integration) and elements of the CSDM; web service integrations with multiple 3rd party and in-house applications; SecOps – Security Incident; Event Management; GRC – Risk Management. The version of ServiceNow implemented is London, patch version 10 with an upgrade to New York patch 5 due 27/02/20.
There is currently an internal Security Audit underway alongside an ITHC (IT Health Check).
Existing team
The Home Office has an in-house DevOps team of permanent Civil Servants currently consisting of 8 Developers, 2 Business Analysts, Technical Architect, Delivery Manager, Product Manager and a Testing team. This team is being expanded through additional recruitment and will be supplemented by the successful supplier under this contract.
Current phase
Not applicable

Work setup

Address where the work will take place
Home Office locations mainly Croydon and Manchester. Occasional travel to other Home Office locations may be required.
Working arrangements
On site working 3-4 days a week co-located with other Home Office ServiceNow resources when required.
Security clearance
SC Security Clearance is required to operate on this project. Must hold or be willing to undergo security clearance (SC)

Additional information

Additional terms and conditions
Standard DOS framework and call-off terms and conditions.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • In depth understanding of Security best practice, policies, risk appetite and security controls that should be in place
  • Experience and knowledge of ServiceNow Product
  • Experienced security practitioners with Public Sector experience, CCP SIRA certified or equivalent.
  • Ability to clearly document security guidelines, including policies and processes, that should be followed to maintain Security compliance.
  • Experience in ensuring deliverables are secure by design
  • Ensure security policies and processes relating to ServiceNow are implemented effectively.
  • Develop appropriate security products for tooling that integrates with ServiceNow.
  • At least 2 years’ experience of working within the Public Sector
Nice-to-have skills and experience
  • Support production and agreement of ATOs (Authority to Operate) and ITHC for monitoring tooling and Event Management.
  • Experience of working with agile methodologies

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • The Match to the essential skills and experience outlined above
  • Demonstration of relevant experience in working with ServiceNow product to achieve security compliance
  • Technical solution
  • Value For Money
  • Approach and methodology
Cultural fit criteria
  • Ability of the Supplier to match the Home Office Values, which are:
  • Commitment to excellence
  • Open and collaborative team approach
  • Flexible working
  • Commitment to team working
  • o Shares skills and knowledge
  • • Ability to work within an environment of agile delivery and DevOps.
Payment approach
Time and materials
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is there an incumbent?
The service is currently being delivered by Atos, 2 year contract which expires 31/03/20.
Digital Marketplace ID:
2. Hi, is there a current supplier providing this support?
Yes the service is currently being delivered by Atos, 2 year contract which expires 31/03/20.
Digital Marketplace ID:
3. Does the organisation have a budget for this programme please?
The requirement is to provide 2 x Security Architects with the ability to increase to approximately 6 resources for a period of 18 - 24 months. The supplier is to determine the pricing to achieve this.
Note Rate caps - rates over £1000 per day are excluded.
SFIA 7 level resource is excluded. SFIA 6 is excluded for 'hands on' delivery roles.
4. You mention 3-4 days per week, does this mean a specialist can work 1 -2 days from home?
Yes that is correct, we’d like them onsite for 3-4 days and the other days can be remote as long as there is flexibility to be on site when required for any face to face meetings that are required.
5. Can the Authority confirm whether this opportunity is being treated as inside or outside of IR35, and how this opportunity will be treated throughout it's planned duration?
This opportunity is outside of IR35 during it's planned duration.
6. Can Home Office provide a view on what roles/skills the additional 4 resources may be required to do?
All resources are for the same type of Security Architecture work surrounding the ServiceNow Platform, integrations to the platform, security design and support activity required for the IT Operations Centre (ITOC) and some elements of CSOC (Cyber Security Operations Centre)
7. Would Home Office be open to a resource Augmentation Model to have access to a more flexible pool of resources/skills over the duration of the contract?
This requirement is specifically for Security Architect specialists.
8. Does the Home Office expect the Architect to act only in an advisory capacity or also do any development work?
No, the Architect wouldn’t be expected to do any development on ServiceNow but they would be expected to advise, develop recommendations, guide on priority of focus areas and produce Security related products such as Risk documents, Solution Security Documents etc. Also required to review HLD. LLDs from a security perspective.
9. The unlimited indemnity (clause 34.2 of the Call Off Contract) overrides the provisions of clause 34.3 which sets the liability to be no more than the greater of £500,000 or 200% of the Estimated Yearly Charges. However market trends show that customers are not asking for unlimited liability and indeed the guidance from Cabinet Office to all public bodies is to cap data protection breaches to be commensurate with the value of the contract. Can you please confirm if they will therefore remove the unlimited liability provision in respect of data breaches.
The unlimited liability with respect to data breaches will be removed.