Harrogate Borough Council

Multi factor authentication implementation

9 Incomplete applications

8 SME, 1 large

12 Completed applications

12 SME, 0 large

Important dates

Thursday 12 March 2020
Deadline for asking questions
Thursday 19 March 2020 at 11:59pm GMT
Closing date for applications
Thursday 26 March 2020 at 11:59pm GMT


Summary of the work
To assess our systems and infrastructure, provide a report detailing the MFA solution (and any constraints), provide a project plan and support the deployment of the solution
Latest start date
Wednesday 15 April 2020
Expected contract length
Yorkshire and the Humber
Organisation the work is for
Harrogate Borough Council
Budget range

About the work

Why the work is being done
HBC require multi factor authentication (MFA/2FA) across on premise and cloud systems using a single MFA solution. We would like an initial assessment of the current position by the end of April 2020, with a view to implementation (needing support) during May/June 2020
Problem to be solved
HBC have a number of on premise, remote access and (in the very near future) cloud based systems such as 365. In order to provide an additional layer of security and comply with PCI DSS/PSN requirements we must implement a further authentication method (MFA) but wish to avoid the possibility of needing different MFA solutions to address that need.
Who the users are and what they need to do
HBC have around 2,000 users working across a geographically dispersed estate, home workers and customer premises. We need to allow remote access to on premise systems and applications and are in the process of migrating to 365. MFA is seen as a prerequisite to ensuring authorised access to on and off premise systems.
Early market engagement
Initial conversations with our Pen test organisations and PCI inspections have suggested Cisco Duo would answer the need for MFA without needing different solutions for on and off premise. No other engagement has taken place
Any work that’s already been done
Existing team
Internal ICT team, selected corporate users (not yet appointed) and Councillors
Current phase

Work setup

Address where the work will take place
Harrogate, North Yorkshire
Working arrangements
Discovery phase: On-site.
Deployment: On-site
Support: On or off site by agreement
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Understand Multi-factor authentication systems, their respective benefits and weaknesses
  • Be familiar with NCSC/PCI DSS requirements and how their solution meets them
  • Have implemented MFA/2FA at other organisations of similar size and complexity
  • Be available to work to the identified timescales identified earlier in this submission
Nice-to-have skills and experience
  • Have familiarity with local government systems and processes
  • Understand constraints over time and budgets

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Estimated timeframes for the work, (start to delivery, including any downtime during which the supplier is unable to progress the project)
  • Technical solution, ease of use, and applicability to our needs
  • How they’ve identified risks and dependencies and offered approaches to manage them
  • How the approach or solution meets our organisation’s goal
  • Clarity over roles and responsibilities and implications if deadlines are slipping
Cultural fit criteria
  • Evidence of integration with a team that are under-resourced, using their resources to ensure completion
  • Open, approachable and supportive. Enabling the ICT team to support the solution after go live
Payment approach
Fixed price
Additional assessment methods
  • Reference
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. You mention a request for a proposal but provide no details of how to submit the proposal, could you please confirm an email address to send this to?
Please submit responses to michael.evans@harrogate.gov.uk
2. Do only shortlisted suppliers (5 suppliers) need to submit the proposal at the second stage OR do you need the proposal by the 26th of March?
All suppliers wishing to be considered should submit a proposal by 26th March
3. Other than the stated 2000 users will Service Providers to HBC need to access information within Council Systems adhering to a "Role Based Access Control" (RBAC) Strategy
Other than the stated 2000 users - no; existing access arrangements for suppliers will continue in tandem with MFA
4. HBC highlight they require an MFA solution to address future requirements – With this in mind, will HBC use MFA to authenticate the Identity of Citizens for Council Services and Citizen future payments and benefits?
Any Citizen access is outside the scope of this requirement which covers Council employees only (on site contractors would be considered employees in this context)
5. What Version of Windows do HBC have deployed?
We have Windows 10 for desktops and Server 2016/19. Whilst there are older versions of these in the current device estate, suppliers can assume they will no longer be in service at the time of go live for MFA
6. Will users be utilising a dedicated device?
In the majority of cases yes. There is a potential (but unqualified at this time) that some devices may be shared. In addition, not all devices are controlled by HBC, therefore any considerations which apply to these should be explained in the submission
7. Will HBC need to provide flexibility to enable multiple users to access data from shared devices?
Please see the previous question on a similar subject. Potentially but unqualified at this time; supplier should provide details on any implications of doing so
8. How important is the provision of an audit trail adhering to non-repudiation on the information accessed?
Non repudiation is out of scope of the current requirement
9. Other than Office 365 what other Cloud based applications will the users need to access?
HBC are embarking on a "cloud first" strategy. At this time we have only two other cloud based solutions. The current thinking is that access to these will be via VPN to Harrogate Council and thence to the application. As part of this project we are seeking supplier expertise to guide us on options, and will consider opportunities and implications
10. Will the HBC users have access to the use of mobile phones which could be used as the authentication device?
We have a number of Corporate mobile devices which it is expected we would use as the authentication device. However, these cover about 25% of the potential users. We are seeking supplier expertise to guide us on options and opportunities and will consider other methods of authentication
11. Will the evaluation be based on 100-word answers to questions on the DOS marketplace – essential and nice-to-haves? or on the proposal submitted via email? Is the proposal required now or the next stage, after shortlisting?
Shortlisting will be based on a mixture of the 100 word answers AND the proposal submitted. Selection and award would be made based on a combination of the two elements
12. What identity repositories are in use at Harrogate Council (MS AD / LDAP? )
Both of these repositories are in use
13. • Do HBC have an authentication authority in place (Federation / SSO)
Both, ADFS
14. What applications are needed to be covered by MFA
There is no simple answer to this question. The solution would be for suppliers to list which standards they support and HBC will cross check across its application and server estate escalating to application suppliers where necessary
15. What is driving the PCI DSS compliance – what payments need to be secure
HBC have an SAQ-D PCI-DSS compliance requirement. We believe further information is unnecessary and presents a risk to the Council. Changes to the Councils' DSS scope are not within the remit of this project
16. Could you confirm that you are asking for the DOS Stage-2 response in the form of a proposal to be sent in by suppliers at the same time as the DOS Stage-1
Yes we can confirm
17. What is your budget for this project?
We have budget which encapsulates a number of projects, as part of this exercise we wish to quantify the element of that budget which is needed for MFA/2FA
18. Should pricing be provided exclusive of VAT?
Yes please
19. Are you able to provide your T&S expenses policy/guidelines?
Reasonable travel expenses and subsistence are to be expected. Please estimate their cost as a separate line entry in your response. For clarity HBC do not authorise first class travel or luxury hotels/meals for its staff.
20. Are there any word count limits for the proposal?
The separate proposal does not have an imposed word count limit, succinct proposals would be preferable to verbose.
21. Are you currently using Cisco AnyConnect?
22. In addition to the 365 environment, what other platforms would need to be supported by the new solution?
Predominately internal (virtual and physical) servers running Windows2017/2019 and Windows10 desktops. HBC are looking to the supplier to provide solutions and opportunities and to guide us in product selection and implementation. Our cloud first direction means this is a fluid situation and will change throughout the life of the ICT estate.
23. Are you looking to deploy a zero trust model?
The scope of the project is MFA/2FA for additional authentication and access control to our network. If the proposed solution offers additional functionality, this can be outlined in your proposal together with the benefits gained
24. Is your preference to use push authentication where possible?
HBC do not have a particular preference. Suppliers should outline the options and benefits of any methodology available
25. Is access to Cisco Webex in scope?
No. HBC do not use Cisco Webex at this time
26. You mention support – is this ongoing, or only for the duration of the project, indicated as expected to complete by end of June 2020?
Support would be required both to implement the solution and train our team to be self sufficient, however we would also consider 3rd line support on an annually renewable basis for the lifetime of the solution. If there are discount opportunities for 3 / 5 year contracts suppliers should indicate this in their proposal.
27. Regarding the structure of the team, what specific roles would you expect the supplier to provide?
HBC would expect the supplier to provide expertise in the initial selection, implementation and deployment of the solution; provide training to our internal staff - all of which is expected to be on site. Thereafter remote support with issues, upgrades and future opportunities to maximise the benefits of the solution. The supplier should suggest the most appropriate SFIA grade/role for these tasks
28. is there any flexibility for either the Discovery and/or Deployment phase to be a mixture of off-site and on-site?
Our expectation is that works will be on site up to the point of deployment
29. Are the remote access services already in place, or will these form part of the solution?
Remote access services are already in place, any opportunity to improve them as part of this solution would be welcome, but other than applying MFA to them, out of scope of the stated requirements
30. What are the remote access services that are in scope?
HBC use Cisco Anyconnect - VPN, Web access and some Vworkspace
31. Has Harrogate Borough Council made a decision on which MFA factors must be supported?
No. HBC are looking to suppliers to advise the best product/solution and explain options, costs and benefits of each
32. Has Harrogate Borough Council made a decision on which MFA factors must be supported?
No. HBC are looking to suppliers to advise the best product/solution and explain options, costs and benefits of each
33. Should the solution provide additional access controls (such as role based access to services)?
See previous question. Suppliers should advise on options, benefits and costs where they see an opportunity for HBC to improve
34. Is change in those systems in scope to support the deployment of an MFA solution, or must the MFA solution work across all systems/services without any change impact ?
HBC expect there will be a change impact, preference would be given to minimising it. Suppliers must be realistic on the scale, duration and depth of the impact to ensure the success of the project
35. Is a list of this systems and services available?
36. Is the technical capability of those systems/services known or does that form the assessment phase?
HBC believe the capability is known, however we do not have expertise in MFA/2FA implementations so there is a high likelihood that the supplier would be aware of opportunities we have not considered