This opportunity is closed for applications

The deadline was Friday 26 June 2020
Ministry of Defence - Defence Digital

CCT879 - Architectural Design Support Specialists for IdAM and DDS - REISSUE

4 Incomplete applications

3 SME, 1 large

16 Completed applications

11 SME, 5 large

Important dates

Published
Friday 12 June 2020
Deadline for asking questions
Friday 19 June 2020 at 11:59pm GMT
Closing date for applications
Friday 26 June 2020 at 11:59pm GMT

Overview

Summary of the work
Production of “IdAM and Directory” High Level Service Design (HLSD) to include but not limited to:
  • Solution designs (HL), incl. product family selection where appropriate
  • User cases and user stories
  • Functional and non-functional requirements
  • Testing and acceptance requirements
  • Security model
  • Solution/service interfaces and dependencies
  • Stakeholder maps
Latest start date
Monday 17 August 2020
Expected contract length
12 months
Location
South West England
Organisation the work is for
Ministry of Defence - Defence Digital
Budget range
Up to £540,000 Ex VAT which includes an allowance for T&S Limit of Liability

About the work

Why the work is being done
Delivery of future Defence provisioned Identity Access Management (IdAM) and Digital Directory Managed Services is critical to enabling authentication and authorisation of personnel to applications and services. The work will transform and rationalise the "as is" position of disparate, complex, inadequately understood and bespoke extant solutions into an orchestrated set of managed services which will benefit MOD and external partners whilst supporting compliance with a range of legislation and policies.
Problem to be solved
IdAM and Directories Services are to be in-sourced to Defence and in-house solutions are required. The current architectural documentation requires additional input and further investigation into potential solutions.
Who the users are and what they need to do
Defence-wide users of IT, as this affects access to all applications and services provided by Defence.
Early market engagement
N/A
Any work that’s already been done
Defence has a current development partner developing and configuring the IdAM MicroFocus NetIQ product. Directories is currently in discovery, imminently about to move into alpha.
Existing team
The Project Team comprises circa 40 personnel consisting of: IT Design Architects, Project Management professionals and contracted parties working on the development of the IdAM Identity Brokering product. Further work is being reviewed in the Directories space by the same blend of Crown Servants and Contractors.
Current phase
Discovery

Work setup

Address where the work will take place
The Project Delivery Team is located at MOD Corsham in Wiltshire (SN13 9NR). Occasional travel to Customers may be required dependent on the need, however this will be kept to a minimum. This will be paid in accordance with MoD rates.
Working arrangements
Most work will be undertaken at MoD Corsham and the successful candidate will work from this location at least 3 days per week in the normal climate. Flexible working is encouraged. The working day is 8 hours to include 30 minutes for lunch. Some work may be conducted at other MoD and industry partner sites in the UK. A MODNet laptop will be supplied to allow remote working.
Security clearance
Potential suppliers will be expected to hold or be in the process of obtaining SC Clearance. The Authority WILL NOT sponsor SC clearance, it must be in place and remain valid for the duration of the contract.

Additional information

Additional terms and conditions
Bid Responses to be submitted on the templates provided and in Microsoft Office Excel/Word 2013 format only.

T&S will be paid based on receipted actuals and in compliance with MoD Policy, no other expenses are permitted.

Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.

The role is outside IR35.

The Cyber Risk Profile has been identified as Moderate.

More detail will be provided at the tender stage, for suppliers that pass the shortlisting stage.

Further contractual conditions may apply, these will be confirmed later in the tendering process.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Proven and demonstrable experience in working within a project or product of similar size and complexity - 5%
  • Experience or knowledge of Data to support IdAM Identity Matching and transfer of data from existing data sources to new consolidated data storage repositories - 15%
  • Proven and demonstrable experience and knowledge of Directory services such as X.500, LDAP, Microsoft Active Directory (AD), MicroFocus eDirectory, Directory exchange and synchronisation methods - 15%
  • Proven and demonstrable experience and knowledge of ID Management Policy, Governance and tools, such as OAuth 2.0 & OIDC, SAML, XML - 15%
  • Proven and demonstrable experience and knowledge of Access Management including knowledge of interoperability tools, techniques and standards such as RESTful Web Services, JSON, SAML, OIDC - 15%
  • Experience working with TOGAF, ArchiMate, BPMN (Business Process Model and Notation), Service Design Package, BizzDesign and NATO C3 taxonomy within the last 12 months - 15%
Nice-to-have skills and experience
  • Experience in working within the MOD (in the last 10 years) - 5%
  • Knowledge of current Defence Identity Access Management and Directory systems (in the last 10 years) - 5%
  • Experience of working with remote capabilities (in the last 10 years) - 5%
  • Experience of setting up and developing Directory Services (in the last 10 years) - 5%

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • How you will provide the Authority with high-quality specialists that embody the required skills across IdAM and Directories; why you believe the specialists are high performing. CVs required - 17%
  • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning - 16%
  • Your proposed approach and methodology for production of detailed technical specifications for existing ID stores/directories and their interfaces, at a high level and a low level of detail - 17%
  • How you will work within an Agile DevOps pipeline, assisting Dev colleagues to structure a series of sprints to create an iteration of capability to replace directories services/IdAM - 17%
  • How you will assist Dev colleagues in creating testing strategies, and testing plans - 16%
  • Your proposed methodology for documenting detailed technical specifications for existing ID stores/directories and their interfaces - 17%
Cultural fit criteria
  • Shares knowledge, experience and expertise with the Authority and other team members - 20%
  • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form - 20%
  • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome - 20%
  • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors - 20%
  • Evidence of working with organisations and stakeholders with differing levels of technical expertise - 20%
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
Evaluation weighting

  • Technical competence - 60%
  • Cultural fit - 10%
  • Price - 30%

Questions asked by suppliers

1. Is this opportunity a follow on to the previously awarded requirement CCT767?
Yes, that is correct.
2. Is there an incumbent supplier providing resources with the required essential skills & experience (TOGAF, ArchiMate, BPMN (Business Process Model and Notation), Service Design Package, BizzDesign and NATO C3 taxonomy)?
No, there is no current Architect Supplier.
3. Can the Authority confirm what remote capabilities refers to in the Nice-to-have skills and experience question - "Experience of working with remote capabilities (in the last 10 years)"?
This could include but is not limited to the deployment of remote working capabilities, i.e. accessing computers from a remote (different geographical) location through a network connection.
4. The wording in the advert about the existing team would suggest that there is an incumbent provider for IdAM and Digital Directories Services. Is there an incumbent?
There are other suppliers working on IDAM and DDS, but there is not an incumbent for this specific Architect role.
5. Is there an incumbent in the role?
No, there is no current Architect Supplier.
6. Knowledge of MOD Policy in the Technical Information Assurance Architecture (TIAA), particularly Authorisation Zones and Trust Classes and how they may affect IdAM – Is this policy publicly available to the suppliers who are unfamiliar with MoD or haven't worked with MoD before? If not, does this criterion imply that suppliers who do not have previous engagement with MoD will not be considered or will be at a disadvantage?
The policy cannot be shared as it is classed as Official-Sensitive. Having reviewed the criteria and the potential disadvantage it may give, we have chosen to remove this essential criterion in this reissued advert.
7. Would you be willing to consider a part solution/submission to this particular opportunity?
Unsure as to what a part solution entails, please clarify.
8. Is there a preference for pre-built vs built for purpose?
The overarching requirement is for a standards-based solution that is independent of any of the infrastructure, services or service suppliers’ solutions with which it will work.  All interfaces and APIs with consuming or contributing services should, by strong preference, be non-proprietary.  The preference is for configuration rather than bespoke.
9. If it has to be an off the shelf solution, how do we define which stakeholder requirements are lower priority if the feature sets to requirements do not match? (e.g. control over encryption methods and data storage/locality)
The requirement set contains MoSCoW prioritisation, but in the event of a clash of requirements and features, this will be resolved with stakeholder (e.g. Security, User, Customer) involvement.
10. Is there a list of systems for integration?
System dependencies have been mapped however this may not be complete and that will be one of the tasks to be completed.
11. Do all existing systems support OAuth/OIDC/SAML or will the solution designs have to factor in custom integration work/integration layers?
Those are the frameworks / authentication standards of choice for the target architecture and many systems are conformant.  There will be existing, ‘bespoke extant’ interfaces that are not so conformant and will require integration work/layers.
12. Will the security model vary by access/stakeholder etc…?
Yes.  Access management will be rich and varied.  There will be variability based on a number of factors, including access location, device used, status of individual (job/role).
13. What level of HLSD are we required to go down to? (Logical/Physical?)
Logical.
14. Where will the system be hosted?
UK Gov / MOD approved facilities, taking into account whatever the legal positions on holding data become during and after EU transition period.
15. Will data need to be stored within the hosted location?
Yes, but the data, logical, and physical architectures will also need to take account of MOD’s sometimes challenging and disparate operating environments.
16. Does the proposed solution have to be an off the shelf solution, or can it be a custom-built solution (in its entirety) based on stakeholder requirements?
Off the shelf is the way forward with minimal bespoking to meet GDS.
17. Please could the Authority provide the Cyber Risk Assessment Reference for a Supplier to complete the required SAQ?
The SAQ will not be released until the second stage of the ITT.
18. Is a SAQ code, or other information, available to help with the understanding of requirements to meet the Cyber Risk Profile of Moderate?
The SAQ will not be released until the second stage of the ITT. Information on the requirements of a 'Moderate' Cyber Risk Profile can be found at https://www.gov.uk/guidance/defence-cyber-protection-partnership
19. What is the difference between Proposal Criteria #3 and #6?

4. Your proposed methodology for documenting detailed technical specifications for existing ID stores/directories and their interfaces

I can see there are some Key Word differences: Approach Production at High/Low detail vs Documenting
How do we interpret the differences?
Both are worth 17%.
How do we score max points?
As noted in the question, the differences between the criteria are the methodology vs how you will document the technical specifications. Suppliers could score full marks on both criteria if they are each covered sufficiently.
20. Please can you clarify if the difference between these is essentially method vs output? Or elaborate if not.

Your proposed approach and methodology for production of detailed technical specifications for existing ID stores/directories and their interfaces, at a high level and a low level of detail

Your proposed methodology for documenting detailed technical specifications for existing ID stores/directories and their interfaces
As noted in the question, the differences between the criteria are the methodology vs how you will document the technical specifications.