Home Office DDaT

Proc 585 - Specialist Client-side Security Architecture

23 Incomplete applications

16 SME, 7 large

0 Completed applications

Important dates

Published
Wednesday 29 July 2020
Deadline for asking questions
Wednesday 5 August 2020 at 11:59pm GMT
Closing date for applications
Wednesday 12 August 2020 at 11:59pm GMT

Overview

Summary of the work
To develop, implement and maintain the security architecture capability for HO DDaT portfolios, programmes and projects, in relation to the following areas:

• Security Leadership and Governance
• Security Architecture
• Security Risk Management
• Security Accreditation
• Security Operations
Latest start date
Tuesday 1 December 2020
Expected contract length
2 years
Location
No specific location, eg they can work remotely
Organisation the work is for
Home Office DDaT
Budget range
This competition includes a price-based element, so no indicative budget will be given.

About the work

Why the work is being done
The Home Office is enhancing its cyber risk management and architecture functions within portfolios to ensure that the world-class services delivered to internal and external Home Office customers have a robust security framework to support them.

This starts with Secure by Design, embedding security architects within one or more delivery programmes to ensure security is at the forefront of developers' minds. This is then backed up by security assurance to identify and help mitigate any residual risk, and by an Operational Security team to maintain robust monitoring and reporting and to support incident response.

The security architecture function will work with internal Home Office delivery programmes and external 3rd party suppliers to ensure that the Home Office has a secure supply chain.
Problem to be solved
Supporting the Principal Security Architect by providing specialist security advice, leadership and governance for HO DDaT portfolios, programmes and projects and:

• Identify, manage and address security concerns of key stakeholders
• Manage and develop the security architecture team and its capabilities
• Maintain the security architecture plan, and ensure it is communicated to the appropriate personnel
• Provide assurance of security-related technology selection, product evaluation and proof of concepts
• Ensure conformance with the target security architecture by implementation projects
• Ensure gating process is followed, design and code reviews are performed, and security issues / risks are appropriately addressed
• Ensure that the security architecture lifecycle is maintained & governance framework is executed
• Ensure that the security architecture meets the non-functional qualities as defined by HO DDaT
• Ensure that agreed security principles and standards are consistently applied and clearly communicated across HO portfolios
• Ensure that dependencies are appropriately managed between HO DDaT portfolios, programmes and projects
• Ensure that HO DDaT joined-up agenda is supported at portfolio, programme and project level and opportunities for re-use across HO DDaT are maximised
Who the users are and what they need to do
The end customers are the build, infrastructure and security operations within portfolios and the wider Home Office. The business services that are delivered by the Home Office are to a mix of other Home Office staff and public customers.
Early market engagement
Any work that’s already been done
There is an existing Security Architecture team that currently undertakes all the activities required within this contract. The successful supplier will work in conjunction with the existing supplier to ensure there is a full knowledge handover. The successful bidder is expected to continue with both the in-train work and new requests from the front line business areas.
Existing team
The incumbent team comprises 1 permanent Civil Servant who heads up the BICS Security Function, supported by 17 full-time contractors provided by the incumbent supplier. The incumbent uses a mix of grades within its team, which is headed up by a Lead Architect. The skillset of the incumbent includes: Security Architecture, Assurance and Risk Management, Scrum Master, Ethical Hacking, Security DevOps and Operational Security.
Current phase
Live

Work setup

Address where the work will take place
The principal Home Office locations where the services are expected to be performed are:
• Croydon/London/Sheffield
• Alternate/offsite working locations as applicable
Working arrangements
Working arrangements are a mix of onsite and remote working, depending on the prevailing business need. The onsite working location is Croydon; however, under the current Covid-19 restrictions, all work is undertaken remotely. When the situation allows, staff will be expected to travel to the office for face-to-face meetings when required.
Security clearance
Service Provider personnel need to be compliant with SC clearance. Depending on the nature of the role, if escalated and/or privileged access is necessary then there may be a requirement for DV clearance.

Additional information

Additional terms and conditions
Bid pricing will be subject to a DDaT rate card, which details the Target Rates (i.e. the rates which the Authority believes are acceptable) and the Maximum Rates (i.e. the rates in excess of which the bid will be considered non-compliant).

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Provide details of recently (within the last 2 years): Supporting a Principal Security Architect by providing specialist security advice, leadership and governance for portfolios, programmes and projects
  • Supporting a Principal Security Architect in shaping and leading the overall security architecture for portfolios, programmes and projects using open standards (such as TOGAF)
  • Supporting a Principal Security Architect in developing and implementing the end-to-end risk management lifecycle for portfolios, programmes and projects
  • Supporting a Principal Security Architect to deliver successful security accreditation for portfolio, programme and project releases
  • Providing operational security advice to portfolios, programmes and projects
  • Providing leadership and governance within both the central hub and a spoke of a hub-and-spoke governance model
  • Using Amazon Web Services (e.g. Lambda; EC2; KMS; Cloud* RDS databases); CI/CD Pipeline tools (e.g. Jenkins; Bitbucket; Packer); Containerisation (e.g. Kubernetes and EKS); programming capability to produce scripts (e.g. Python)
  • Providing a searchable, collaborative capability for capturing and maintaining key security architecture knowledge
Nice-to-have skills and experience
  • Provide evidence of resources that have existing SC clearance that will support the speeding up of on-boarding teams
  • Demonstrate experience of handing over products to another team, including service transition

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • T1(a) - How will you manage the work and maintain quality? - 5%
  • T1(b) - How will you quickly identify resources and on-board them on site and on the start date? - 5%
  • T1(c) - What is your approach to transition and handover from the incumbent? - 7%
  • T1(d) - How will you adopt the approach/solution, allowing for ongoing support and further development? - 5%
  • T1(e) - How will you enhance the methodology and offer opportunities for improvement? - 5%
  • T2 - Give a detailed example of where you have successfully deployed a cyber security team that undertook Architecture, Assurance and Operational security functions - 12%
  • T3(a) - Identify the key team roles and proposed team members - 3%
  • T3(b) - Describe your proposed team structure - 3%
  • T4 - Describe how you would add value to individual project teams and the wider Home Office (do not discuss pricing) - 10%
  • T5 - Presentation (shortlisted bidders only) - 10%
  • P1 - Whole life cost (broken down by year) - 25%
  • P2(a) - Overall Average Day Rate (total cost divided by number of staff days required) - 5%
  • P2(b) - Rate card (not evaluated)
  • P2(c) - Breakdown of staff days by SFIA Level and daily rate (not evaluated)
  • C1 - Cultural fit - 5%
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Application of Agile Principles
  • Ability to add value
Payment approach
Capped time and materials
Additional assessment methods
Evaluation weighting

Technical competence

65%

Cultural fit

5%

Price

30%

Questions asked by suppliers

1. Who is the current incumbent and will they be bidding?
The incumbent is 6point6 and they are able to bid. The Authority has no knowledge of whether or not they intend to bid.
2. Can the Authority please confirm whether this opportunity is being assessed as inside or outside of IR35?
This is outside of IR35.
3. Can the Authority please confirm the mix of grades provided by the existing teams in terms of SFIA levels for each skillset?
The current team comprises:
• SFIA 6 – 1
• SFIA 5 – 10
• SFIA 4 – 3
• SFIA 3 – 1
The 6 is the Supplier lead as well as undertaking team activities. The 5s are the leads in the projects, with one being the Operational Security lead; they are supported by the 3s and 4s. All the team undertake Assurance and Architecture and Operational Security responsibilities. Each 5 backs up another, avoiding single points of failure. We wish to restructure the team to decrease the 5s and remove the 6, and increase the 4s and 3s.
4. Can the authority confirm what the DDaT Target and Maximum Rates will be at this stage in the process?
The rates are a matrix but the DOS pages have no document upload functionality. Please could any interested party email IPTCommercial@homeoffice.gov.uk with the heading 'Proc 585 - DDaT Rates', and the document will be sent.
5. Can you help obtain the SC clearance please?
SC clearance can be sought through the Authority; however, this would be done only once a winning bid has been identified. The vetting process takes a minimum of 8 weeks, so bidders will need to factor this into the timetable and still be able to mobilise by the required date.
6. Can you confirm whether these rates (on the rate card) need to include Travel and Subsistence costs incurred, or are these to be charged for separately please?
The Charges are inclusive of all Supplier travel and subsistence for work conducted within the M25 motorway, or any other location nominated by the Supplier, with the exception of Supplier premises. The Supplier location for this call off is Home Office, Metro Point, Croydon. For work at Customer premises outside the M25, or any other location nominated by the Customer outside the M25, reasonable expenses will be payable.
The deadline for asking questions about this opportunity was Wednesday 5 August 2020.