Crown Commercial Services (CCS), Digital Services Directorate (DSD)

Conclave - IDAM (CCSO20A10)

Incomplete applications: 10 (8 SME, 2 large)

Completed applications: 20 (17 SME, 3 large)

Important dates
Published: Friday 21 February 2020
Deadline for asking questions: Friday 28 February 2020 at 11:59pm GMT
Closing date for applications: Friday 6 March 2020 at 11:59pm GMT

Overview

Summary of the work: Development and implementation of a system to manage user accounts and sign-on for an unlimited number of CCS and wider Government systems (all current and future CCS systems, with additional consideration for wider government services).
Latest start date: Wednesday 15 April 2020
Expected contract length: 30 Weeks. The Milestone for agreed successful MVP Delivery is within 25 Weeks.
Location: No specific location, e.g. they can work remotely
Organisation the work is for: Crown Commercial Services (CCS), Digital Services Directorate (DSD)
Budget range: Not to exceed £1,000,000 exc VAT

Contract Value will be set at 15% above the fixed price in the event of scope change or amendment by CCS. The possibility of making changes Cost Neutral must be explored first before any additional costs can be considered.

About the work

Why the work is being done: The purpose of this piece of work is to provide CCS with an Identification and Access Management (IDAM) system and a Single Sign-On (SSO) capability, supported by an automated identification system. The system is to support both internal CCS need and the wider need of the CCS customer base, simplifying usability and accessibility of CCS procurement systems and services.
Problem to be solved: The general problem to be solved is as follows:

- Elimination of the need for both internal and external users to hold multiple logins and passwords to access CCS Services.
- Provision of an automated/federated identification verification system.
- Ability to federate with multiple worldwide identity service providers.
- Capability for unlimited
- A lasting future proofed system/service
- User self management and password reset

The Project Scope includes but is not limited to:

1. Support for modern authentication mechanisms, including OIDC, SAML, associated technologies.

2. Designed and implemented to be secure to industry best practice.

3. Self-service password reset capability (for internal IdP users).

4. Bulk data upload facility (for internal IdP users).

5. Unlimited API integration capability.

6. Performing user testing prior to final signoff and product release

7. Integration with Central Identity Index Service (CII) - central index to identify organisations using external registers and indexes

8. Microservices architecture

9. The system shall be capable of internationalisation. Specifically, all front end and public access elements of the system must at a minimum be available in both English and Welsh languages (in compliance with ‘Welsh Language (Wales) Measure 2011’).
Further Technical details and information will be provided at the Proposal Stage.
Who the users are and what they need to do: The users of the intended system will be both internal and external users of CCS systems and services.

The system must permit users to access CCS systems in an easy and effective manner, enabling users to authenticate and authorise services. The system must support delegation of roles, varying access levels and full multi-user functionality.

The following are key User needs:

- SSO authentication using OIDC and SAML protocols

- Provide full roles & permissions functionality to enable fine-grained access control to CCS services

- Posture checking of user connection (Location, device type, Network IP) against security criteria

- authenticate via a number of predetermined OIDC authentication providers

- authentication via third-party OIDC authentication provider

- a CCS IdP for users unable/unwilling to utilise OIDC authentication.

- Provision of organisational and user profile services.

Further User needs will be provided at the Proposal Stage.
Early market engagement
Any work that’s already been done: An element of project discovery work has been conducted. The discovery finding is that there is currently no available market IDAM solution which meets current CCS need.

The discovery recommendation, which is supported by elements of internal research and validation, is that CCS design and build a bespoke IDAM solution to meet the need of CCS and its customer base.
Existing team: CCS currently has a dedicated Project Manager (PM) in place responsible for the management of this project. The PM is supported by a Technical/architectural lead and a Steering Committee providing project guidance and governance.

All technical aspects of the project solutions must be agreed and signed off by the Conclave Technical Lead and project Senior Responsible Officer (SRO).
Current phase: Alpha

Work setup

Address where the work will take place: Remote working from supplier home offices is acceptable.
Supplier must be able to facilitate face to face meetings with the Conclave PM on a minimum of a weekly basis or as otherwise required. A senior organisational Rep must ATTEND the monthly Conclave SteerCo meeting which will take place at the CCS London Offices.
Working arrangements: Supplier to facilitate a minimum of 1 face to face meeting per week with the Project Manager (either at supplier offices or CCS London Offices). Supplier to facilitate a further 2 calls/video chats per week to support project activity. Additional meetings to be facilitated as per buyer or supplier request.

Supplier Project Manager (or equivalent) together with the supplier Technical Lead (or equivalent) to attend monthly Steering Committee meetings to provide project updates and reporting.
Security clearance: SC security clearance required.

CCS will sponsor required security clearance applications; however, all associated costs are to be met by the supplier and are NOT claimable against CCS as an incurred expense.

Additional information

Additional terms and conditions: A Non-Disclosure Agreement will need to be signed and agreed to before Contract Award.

Potential Bidders must sign up to the CCS e-Sourcing Suite for the Proposal Stage before the Shortlisting Stage submission deadline. https://crowncommercialservice.bravosolution.co.uk/web/login.html

35% of the aggregate total fixed price will form a Retained Sum. This is subject to payment upon agreed successful on-time delivery.
The following will occur for unsuccessful delivery:
0-7 days late, no deduction.
8-21 days late, 7.5% deduction, 30% paid.
22-30 days late, 15% deduction, 20% paid.
31-45 days late, 20% deduction, 15% paid.
46+ days late, 25% deduction, 10% paid. CCS reserves the right to terminate and seek to recover any losses.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience:
  • Must demonstrate experience of where you have identified continuous improvement possibilities and successfully presented these to stakeholders that then accepted the possibilities. - 1%
  • Must demonstrate a capability to successfully deliver in an agile way. - 1%
  • Must demonstrate a knowledge and experience of working on and with AWS platforms and services. - 1%
  • Must demonstrate previous experience of successfully developing IDAM platforms to modern, open standards, including OIDC, OAuth, SAML. - 1%
  • Must demonstrate where you have successfully developed a microservices-based architecture in an API-first way. - 1%
  • Must demonstrate previous experience in successfully designing and implementing secure RESTful APIs. - 1%
  • Must demonstrate previous experience of integrations with external active directories and identity providers. - 1%
  • Must demonstrate experience of developing data intensive solutions including data and alignment to data standards and legislation (GDPR). - 1%
  • Must demonstrate a proven minimum of 3 years of experience in successfully providing similar secure security based solutions within the public or private sector. - 1%
Nice-to-have skills and experience: Should demonstrate knowledge and experience of UK GOV.UK Government Platform as a Service (PaaS) Platform - 1%

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate: 4
Proposal criteria:
  • Demonstrate and detail as to how your proposed solution would ensure the User Needs are successfully met in full. - 30%
  • Demonstrate and detail as to how you will ensure the solution meets all milestones, this should include your process for proactively identifying and resolving potential delays. - 20%
  • Demonstrate and detail as to how your solution is secure by design and will meet all relevant Security Standards. - 5%
  • Demonstrate and detail as to how your solution will be built robustly with minimal defects or faults (no Major or Critical faults) alongside future proofing for emerging technologies. - 10%
  • Provide a Case study of where you have successfully implemented a federated SSO and ID&V system with a similar level of complexity in User Needs. - 15%
  • Demonstrate how you will successfully perform knowledge transfer and handover of completed pieces of work to the Contracting Authority during and at the end of the Contract. - 10%
Cultural fit criteria:
  • Please detail and demonstrate as to how your approach will ensure successful engagement and communication with all Stakeholders, including standups, SteerCo Meetings and weekly face to face. - 50%
  • Detail how you will identify opportunities to continuously improve the product/service through on-going changes or innovative approaches. - 20%
  • Demonstrate your understanding of CCS and its unique Customer and User Base alongside how the solution will be built to be fully usable and accessible for all. - 30%
Payment approach: Fixed price
Additional assessment methods: Case study
Evaluation weighting:
Technical competence: 60%
Cultural fit: 10%
Price: 30%

Questions asked by suppliers

Supplier question Buyer answer
1. The Following is the Markscheme to be utilised throughout the entire procurement.
Please be sure to make note and be aware of the mark scheme to be used throughout the procurement
This will be used at both the Shortlisting Stage and the Proposal Stage
0 - Failed to provide confidence that the proposal will meet the requirements. An unacceptable response with serious reservations.

25 - A Poor response with reservations. The response lacks convincing detail with risk that the proposal will not be successful in meeting all the requirements.

50 - Meets the requirements – the response generally meets the requirements, but lacks sufficient detail to warrant a higher mark.

75 - A Good response that meets the requirements with good supporting evidence. Demonstrates good understanding.

100 - An Excellent comprehensive response that meets the requirements. Indicates an excellent response with detailed supporting evidence and no weaknesses resulting in a high level of confidence.
2. Has the Authority considered re-using an IDAM service that may be available from another Public Sector department i.e. NHS/MOD? There is currently no known system available which provides the functionality that is required by CCS.
3. Was the Discovery conducted internally or by a third party supplier? The discovery was conducted by a third party as an agent under the direct control with daily input and management from the internal team.
4. How many users? No practical limit - This is to be able to be accessed by all customers of CCS and have a wider applicability across Government as seen fit.
5. What are the specific industry security standards you require for this outcome? Required security standards is an element competency. Standards are outlined within the link below.
Link - Security Principles
6. Can the Government Technology Code of Practice Value Chain Map for this service be shared with potential bidders? The Technology Code of Practice is relevant to this project as it is to all CCS projects. This is a publicly available document on GOV.UK.

The Value Chain Map of CCS would contain Commercially Sensitive information which we would be unable to share. Any relevant information if regarded relevant may be shared with shortlisted bidders if deemed relevant.
7. Has extending/improving an existing CCS IDAM solution (eg SID4GOV/Salesforce) been considered over building a new custom solution? If it has, can the gap analysis be provided to potential bidders? There is currently no single CCS IDAM. All existing solutions have been assessed as part of discovery and none were deemed suitable for redevelopment.

Further information may be shared with the winning supplier under an NDA.
8. What specific CCS needs are not met by standard off the shelf IDAM products? The User Needs will be discussed at the Proposal Stage if deemed appropriate. Comparison between existing and a bespoke CCS solution will not be provided. CCS requires a bespoke solution. This may include pre-built open-source solutions where appropriate.
9. Does the delivered service need to go through a GDS Service Standard assessment? CCS may be able to achieve an exemption, however, assumption should be that this does need to go through GDS Service Standard assessment
10. This outcome is listed as ‘alpha’ stage, but states that MVP delivery is expected in 25 weeks. Is this outcome an alpha or live MVP delivery? Live MVP delivery. We expect a planned alpha phase as part of this.
11. If this is an alpha outcome, what is the scope? If not an alpha, what alpha work has been done to date? Work to date includes discovery and some high level component design.
12. Please explain the term ‘Conclave’ in relation to CCS Conclave is the assigned project name. It is a suite of three services, of which IDAM is one component.
13. What is the make up and purpose of the Conclave SteerCo? Project Governance - makeup is confidential to CCS. The SteerCo purpose is the same as any industry Project Board.
14. Why is SC clearance required for this outcome? There is a heightened risk profile due to the nature of information that will be worked with during the course of delivery. CCS protects information for which it is responsible in line with the highest standards and is therefore requesting SC clearance.
15. How have you determined the user needs for this outcome? Discovery plus known users need requested by internal and by elements of the existing CCS customer base.
16. Please provide a list of evidenced user needs for this work The provision of user research and full Discovery outcomes will be discussed at the Proposal Stage to those successfully Shortlisted as required under NDA.
17. What user research have you undertaken to determine the user needs? Discovery plus known users need requested by internal and by elements of the existing CCS customer base (buyers and suppliers)
18. How have you determined a budget of up to £1m? The budget has been determined through market research and a robust understanding of the market itself. This budget also includes the addition of a suitable variance. Bids should not seek to meet the budget but be a competitive true reflection of market rates
19. Could you please provide clarification around the below question:
Should demonstrate knowledge and experience of UK GOV.UK Government Platform as a Service (PaaS) Platform-1%
Is this asking for experience working on GAAS or working on a PAAS within government?
Knowledge of the systems and a proven history of having successfully worked on similar types of systems/products.
20. Because this is for Government systems, are there any data locality issues we should be aware of? Services should be located within the UK or EEA. CCS will require that services be repatriated to the UK if necessary.
21. Are CCS services located on-prem, in the cloud or a combination of both? AWS and GPaaS
22. Are the applications in scope accessible through a browser? Yes - authentication, user and org profiles will all need to be accessed via a browser
23. Is there any requirement to access applications hosted in a datacenter from the public internet? The IDAM will provide authentication and authorisation to all CCS internet-accessible services (both M2M and Web)
24. How do apps integrate with Central Identity Index Service (CII)? CII is the registration point for organisations. The organisation data will be consumed by other services (including but not limited to IDAM and Evidence Locker) via a RESTful API. The API is currently under development but will be available to the winning bidders.
25. The general size of the project and scope is clear, however, could CCS please indicate the expected numbers of: a. IdPs and users
b. Relying Parties (types i.e. modern and legacy applications)
IdPs - Unlimited
Users - Unlimited
Initially a limited number of RPs; other Conclave services, followed by a number of wider CCS and cross-departmental services.
26. Typical projects of this nature require clearly documented functional and non-functional requirements, is this the case? An extensive set of initial requirements has been developed, although it is anticipated that some further gap analysis and reviews will be conducted by the successful supplier.
27. The discovery that has taken place, how extensive is this? What does it cover? Discovery was extensive and covers the future need which CCS believes it will need to support its customer base.
28. The requirement for experience of integrations with external active directories and identity providers, is this in reference to federation with CCS Office 365/Azure AD or other government organisations directories and identity providers through trusts? We might wish to federate directories (e.g. Active Directory) but the focus will be on OIDC and modern authentication models to achieve a passwordless login using the user’s home organisation credentials, generally via well-known providers.
29. The requirement for experience developing IDAM platforms to modern, open standards references OIDC – could you please provide details on the Certified Relying Parties provider / language you plan to use or have gained approval for use? No decisions have yet been taken. We would expect the successful supplier to provide recommendations for the implementation approach in line with the solution which they are offering.
30. The "problem to be solved" section of the opportunity description states the service should be built using MicroServices.
Could you provide details of any tools / platforms / *aaS relevant to the IdAM service?
Application gateway on AWS
31. Could you provide indicative authentications per second, and total number of identities you envisage the capability to support? Unknown - as this is an entirely new service. Full details will be discussed as needed with the winning supplier. Usage volume should be considered and planned as V high.
32. SAML is listed as a required integration capability, could you please clarify if this SAML V1 or V2? SAML V2, as this is pretty much a greenfield service there’s little to be gained from supporting older protocols
33. Can we still bid for this project if we want to implement an existing IDAM solution? Should you feel that the solution which you intend to submit meets the requirements as published, please feel free to submit your bid which will be judged and scored against the published requirement in line with all other submissions.
34. Can we have a chat (or meet up) to discuss the above in more detail? Please be aware that your kind offer of a pre-engagement meeting would not have been allowed as part of a fair and open procurement process. You are reminded that potential bidders are not allowed to directly engage with the Customer - any and all contact should be via CCS.