Home Office Digital Data and Technology (HO DDaT) - Enterprise Services

Home Office - ServiceNow Security Architecture Capability

Incomplete applications: 15 (10 SME, 5 large)
Completed applications: 11 (6 SME, 5 large)
Important dates

Published: Friday 14 February 2020
Deadline for asking questions: Friday 21 February 2020 at 11:59pm GMT
Closing date for applications: Friday 28 February 2020 at 11:59pm GMT

Overview

Summary of the work: Provision of Security Architecture/assurance capability with specific knowledge/experience of the ServiceNow product and its integrations. This resource will fill a capability/capacity gap for the in-house ServiceNow DevOps team, enabling overarching Security Policy adherence and robust processes to maintain ongoing compliance as additional functionality, business areas and users are added to the platform.
Latest start date: Wednesday 1 April 2020
Expected contract length: 18-24 months
Location: South East England
Organisation the work is for: Home Office Digital Data and Technology (HO DDaT) - Enterprise Services
Budget range: At least 2 x Security Architects, with the ability to increase to approximately 6 resources, for a period of 18-24 months.

About the work

Why the work is being done: The Home Office has increased the functionality and use of the ServiceNow Platform significantly over the past 2 years and, as a result, the level of Security Assurance needed has also increased. Security Architecture resource is essential to ensure that the ongoing security design of all projects and additional functionality is addressed appropriately. There is limited resource available in the HO to undertake the level of security design and assurance support required for a platform that is going through a high volume of change and integrations, such as standing up the 24/7 Operations Centre to monitor critical HO Services, onboarding wider business areas with differing security requirements, and collating higher volumes of data. This is required by 1st April 2020.
Problem to be solved: A third party supplier is to provide access to specialised Security Architecture and assurance capability with specific knowledge and experience of the ServiceNow product and associated integrations, such as Event Management for service and security monitoring, Discovery, other SM toolsets, population of the CMDB, MID Server technology etc.

Security Architecture capability and capacity gap: all new functionality, projects and integrations need to be secure by design. To ensure this is done in a robust way that adheres to stringent Security Policies and Procedures, skilled and experienced Security Architect resources are required.
This would need to include an element of knowledge transfer back into the relevant teams to ensure Secure by Design principles are understood and worked into day-to-day activities.
Who the users are and what they need to do: ServiceNow is used to support IT Service Operations across the Home Office. Users of ServiceNow include:
  • End users accessing the Service Catalogue;
  • Service Operations management, using the data in ServiceNow to manage IT service provision;
  • Service Desk staff supporting end users raising IT issues; and
  • Service Operations staff supporting key ITIL processes.
In addition, there are evolving capabilities in the Home Office Cyber Security and IT Operations centres (CSOC and ITOC). These will use ServiceNow for Event Management, using integrations with monitoring tools to view and manage business service health, and to manage and monitor Security Incidents in a secure and controlled environment.
Early market engagement: None
Any work that’s already been done: The following applications and features have been implemented in the Home Office instance of ServiceNow: Service Portal; Chat; Incident; Operational Change; Problem; Service Catalogue; Service Request Management; CMDB (including an SCCM integration) and elements of the CSDM; web service integrations with multiple 3rd party and in-house applications; SecOps – Security Incident; Event Management; GRC – Risk Management. The version of ServiceNow implemented is London, patch version 10, with an upgrade to New York patch 5 due 27/02/20.
There is currently an internal Security Audit underway alongside an ITHC (IT Health Check).
Existing team: The Home Office has an in-house DevOps team of permanent Civil Servants currently consisting of 8 Developers, 2 Business Analysts, a Technical Architect, a Delivery Manager, a Product Manager and a Testing team. This team is being expanded through additional recruitment and will be supplemented by the successful supplier under this contract.
Current phase: Not applicable

Work setup

Address where the work will take place: Home Office locations, mainly Croydon and Manchester. Occasional travel to other Home Office locations may be required.
Working arrangements: On-site working 3-4 days a week, co-located with other Home Office ServiceNow resources when required.
Security clearance: SC Security Clearance is required to operate on this project. Must hold or be willing to undergo security clearance (SC).

Additional information

Additional terms and conditions: Standard DOS framework and call-off terms and conditions.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • In-depth understanding of Security best practice, policies, risk appetite and the security controls that should be in place
  • Experience and knowledge of the ServiceNow product
  • Experienced security practitioners with Public Sector experience, CCP SIRA certified or equivalent
  • Ability to clearly document security guidelines, including policies and processes, that should be followed to maintain Security compliance
  • Experience in ensuring deliverables are secure by design
  • Experience of ensuring security policies and processes relating to ServiceNow are implemented effectively
  • Experience of developing appropriate security products for tooling that integrates with ServiceNow
  • At least 2 years’ experience of working within the Public Sector
Nice-to-have skills and experience
  • Support production and agreement of ATOs (Authority to Operate) and ITHC for monitoring tooling and Event Management.
  • Experience of working with agile methodologies

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate: 4
Proposal criteria
  • The Match to the essential skills and experience outlined above
  • Demonstration of relevant experience in working with ServiceNow product to achieve security compliance
  • Technical solution
  • Value For Money
  • Approach and methodology
Cultural fit criteria
  • Ability of the Supplier to match the Home Office Values, which are:
      • Commitment to excellence
      • Open and collaborative team approach
      • Flexible working
      • Commitment to team working
      • Shares skills and knowledge
  • Ability to work within an environment of agile delivery and DevOps.
Payment approach: Time and materials
Additional assessment methods
Evaluation weighting
  • Technical competence: 50%
  • Cultural fit: 15%
  • Price: 35%

Questions asked by suppliers

1. Is there an incumbent?
   The service is currently being delivered by Atos, on a 2-year contract which expires 31/03/20.
   Digital Marketplace ID: https://www.digitalmarketplace.service.gov.uk/digital-outcomes-and-specialists/opportunities/1956
2. Hi, is there a current supplier providing this support?
   Yes, the service is currently being delivered by Atos, on a 2-year contract which expires 31/03/20.
3. Does the organisation have a budget for this programme please?
   The requirement is to provide 2 x Security Architects with the ability to increase to approximately 6 resources for a period of 18-24 months. The supplier is to determine the pricing to achieve this.
   Note: rate caps - rates over £1000 per day are excluded.
   SFIA 7 level resource is excluded. SFIA 6 is excluded for 'hands on' delivery roles.
4. You mention 3-4 days per week, does this mean a specialist can work 1-2 days from home?
   Yes, that is correct; we’d like them on site for 3-4 days and the other days can be remote, as long as there is flexibility to be on site when required for any face to face meetings that are required.
5. Can the Authority confirm whether this opportunity is being treated as inside or outside of IR35, and how this opportunity will be treated throughout its planned duration?
   This opportunity is outside of IR35 during its planned duration.
6. Can Home Office provide a view on what roles/skills the additional 4 resources may be required to do?
   All resources are for the same type of Security Architecture work surrounding the ServiceNow Platform, integrations to the platform, security design and support activity required for the IT Operations Centre (ITOC) and some elements of CSOC (Cyber Security Operations Centre).
7. Would Home Office be open to a resource Augmentation Model to have access to a more flexible pool of resources/skills over the duration of the contract?
   This requirement is specifically for Security Architect specialists.
8. Does the Home Office expect the Architect to act only in an advisory capacity or also do any development work?
   No, the Architect wouldn’t be expected to do any development on ServiceNow, but they would be expected to advise, develop recommendations, guide on priority of focus areas and produce Security related products such as Risk documents, Solution Security Documents etc. They are also required to review HLDs/LLDs from a security perspective.
9. The unlimited indemnity (clause 34.2 of the Call Off Contract) overrides the provisions of clause 34.3, which sets the liability to be no more than the greater of £500,000 or 200% of the Estimated Yearly Charges. However, market trends show that customers are not asking for unlimited liability, and indeed the guidance from Cabinet Office to all public bodies is to cap data protection breaches to be commensurate with the value of the contract. Can you please confirm if they will therefore remove the unlimited liability provision in respect of data breaches?
   The unlimited liability with respect to data breaches will be removed.
9. The unlimited indemnity (clause 34.2 of the Call Off Contract) overrides the provisions of clause 34.3 which sets the liability to be no more than the greater of £500,000 or 200% of the Estimated Yearly Charges. However market trends show that customers are not asking for unlimited liability and indeed the guidance from Cabinet Office to all public bodies is to cap data protection breaches to be commensurate with the value of the contract. Can you please confirm if they will therefore remove the unlimited liability provision in respect of data breaches. The unlimited liability with respect to data breaches will be removed.