This opportunity is closed for applications

The deadline was Thursday 1 October 2020
Ministry of Justice

Provision and Support of Data and Analytical Services Directorate (DASD) Service

4 Incomplete applications

2 SME, 2 large

4 Completed applications

0 SME, 4 large

Important dates

Published
Thursday 17 September 2020
Deadline for asking questions
Thursday 24 September 2020 at 11:59pm GMT
Closing date for applications
Thursday 1 October 2020 at 11:59pm GMT

Overview

Summary of the work
Providing IT and security maintenance for the air gapped DASD statistics and analysis system sufficient to maintain its functionality and accreditation.
Latest start date
Tuesday 1 December 2020
Expected contract length
2 years with an option to extend
Location
London
Organisation the work is for
Ministry of Justice
Budget range
The total Supplier charge will be evaluated as per evaluation criteria % with the lowest bid achieving the highest percentage score.
Pricing submission documents will be issued to suppliers who pass Round 1 (first round). Each Statement of Work shall detail the allocated spend to that particular project.
Transparent pricing – Suppliers are expected to provide transparent pricing to enable MOJ full visibility of charges and costs including overheads and profit-margin in an auditable form.

About the work

Why the work is being done
MoJ is charged with end to end management of the criminal justice system. This includes the point a suspect has been charged, courts, prison and probation.

DASD provide detailed analyses, particularly of extracts of personal sensitive data stored on an air-gapped system. The present environment consists of a set of managed clients running local statistical tools connected to production servers which host business, administrative and support software in order to produce data analyses and extracts for a variety of business purposes. This work is being done to provide and maintain a secure environment for this analysis to be undertaken
Problem to be solved
The air-gapped DASD system needs to be maintained to ensure that they receive
- a reliable and resilient service, with a service wrap which offers value for money throughout its lifecycle
- a service which is sufficiently powerful to meet the detailed performance and storage requirements, and is scalable for any future functional or non-functional requirements which may be requested
- upgraded software to users which has been tested
- a service which can meet and maintain accreditation to secret classification throughout the lifecycle of this service
Who the users are and what they need to do
The users are about 50 analysts within the MoJ, but there will be 15 terminals which are shared between users. They require a secure, efficient system with on-going system support, so they can produce data for:
- scheduled National and Official Statistics bulletins and contributions to bulletins on re-offending;
- data provision to probation providers for Payment by Results;
- Parliamentary Questions;
- justice outcomes published on the police.uk website;
- evaluating whether intervention are effectively supporting offenders
- MoJ’s data linking projects
- Policy-facing analysis on topics like prolific offending etc
Early market engagement
None
Any work that’s already been done
None
Existing team
The supplier will be working with a small team of DASD analysts. There is likely to be some handover required with the current suppliers.
Current phase
Live

Work setup

Address where the work will take place
The supplier will need to be onsite at 102 Petty France, London once a week. The rest of the time service support can be provided remotely
Working arrangements
Contractor will need to be onsite once a week to access the system. The airgap system prevents remote access, so support has to be in person. The contractor will also need to attend (remotely) a security working group once every quarter. The contractor will need to provide remote service support during office hours.
Security clearance
Contractor will require SC clearance and will also require NPPV3 clearance

Additional information

Additional terms and conditions
None

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • The supplier must have experience of working with SECRET level data and detail how the service will maintain this accreditation, and what security measures will be implemented to support this.
  • The supplier must have experience of managing a server that is hosted on customer site
  • The supplier must have experience of managing server performance so that limitations/bottlenecks can be overcome.
  • The supplier must have experience of managing back ups
  • The supplier must have experience of deploying software
  • The supplier must have experience of carrying out capacity management for the performance of the service, identifying relevant thresholds which may limit performance, availability or scalability of the service.
  • The supplier must provide a service that is robust and resilient with minimal points of failure
  • The supplier must ensure a suitable change control process is utilised for all changes. No changes will be performed on the system unless adequate testing has been carried out.
  • Personnel will be required to travel to 102 Petty France on a weekly basis to maintain the system. They will require NPPV3 clearance and SC clearance.
  • The supplier must have experience of implementing suitable controls to prevent unauthorised access to the server and system.
  • The supplier must be able to provide remote service support on working days. The supplier must provide a documented support process.
  • The supplier must have experience of testing and installing purchased hardware; including conducting test and acceptance activities in support of system go live
Nice-to-have skills and experience
Experience of working with justice data

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Please provide a detailed description of the proposed solution
  • Please provide details on how the service will continue to achieve secret accreditation including the use of protective monitoring, security practices, ISMS usage and maintenance.
  • Please supply detail about how ongoing performance of the service will be monitored, and how this will be communicated
  • Please detail how poor performance would be overcome if performance is found to be insufficient, and how this process would be managed.
  • Please explain how you will ensure the system will be resilient
  • Please detail the level of system availability
  • Please explain how back-ups will be managed
  • Please provide detail on how all software and business applications will be deployed and maintained
  • Please explain how support will be provided and queries responded to
  • Please detail how capacity will be managed
  • Please detail how you will liaise with us to manage the service
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Challenge the status quo
  • Be comfortable standing up for their discipline
  • Can work with clients with low techinical expertise
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

75%

Cultural fit

5%

Price

20%

Questions asked by suppliers

1. Please can you provide any further information on the handover that will be required between the current suppliers and the new supplier.
The current supplier will provide data and information to the new supplier. Including information on volumes, usage, technical aspects, service performance and staffing. This information will be accurate and complete in all material respects and the level of detail will be sufficient to reasonably enable a third party to provide a replacement services
2. Please can you confirm how many current suppliers there are and what their current roles/responsibilities are.
here is currently one supplier. They maintain the airgapped network and provide technical support for our users. The air-gapped DASD system needs tobe maintained toensure that they receive
- a reliable and resilient service, witha service wrap which offers value for money throughout its lifecycle
- a service which is sufficiently powerful tomeet the detailed performance and storage requirements, and is scalable for any future functional or non-functional requirements which may be requested
- upgraded software to users which has been tested
- a service which can meet and maintain accreditation to secret classification throughout the lifecycle of this service
3. Is the Authority prepared to sponsor SC and NPPV3 clearance?
No, these are the responsibility of the supplier
4. Would the Authority accept NATO secret as an equivalent to NPPV3?
No, NPPV3 is still required
5. Can you share any documentation detailing the existing solution architecture?
Unfortunately I am not able to add attachments at this stage. The document will be shared with the bidders selected for stage two of this framework exercise.
6. What is the tech stack made up of? Eg OS, devices types etc
5 HP ProLiant DL380 Gen9 E5 servers – VMWare ESXi 6.5 (4 production, 1 test),
2 HP ProLiant DL380 Gen9 E5 servers–Windows 2012 R2 Domain Controllers.
1 HP StoreEasy 1850 SAS Storage Server+additional connection disk enclosure–Windows 2012 R2 Storage Server.
1 HP StoreEver MSL4048 Tape Library with 2 HP MSL LTO-5 Ultrium 3000 SAS drives.
2 HP Aruba 2920-24G stacked switches.
1 Cisco WS-C2960S-48TS-L switch.
11 Production VMs–Windows Server 2012 R2.
1 Test VM–Weindows Server 2012 R2.
1 Production AlienVault-USM All in One 75A(VMWare Appliance).
20 End User Devices (18 Desktops, 2Laptops)–Windows 8.1
2 HP PRO 400 M401DN Printers.
7. Where physically is the solution hosted?
102 Petty France, London
8. What management software is used? Eg backup, monitoring, security etc
ESET Endpoint Antivirus.
AlienVault - USM All in One 75A (VMWare Appliance).
Symantec NetBackup.
VMware vSphere 6.5
SCCM
SCOM
GFI EndPoint Security
SQL Server
Becrypt - Disk Protect CPA Foundation
9. How is remote support currently managed?
Air-Gapped environment so unable to remote in to site. Remote support is limited to Change Mgt Board (CAB), Service Desk fault logging, technical investigations/analysis of data logs retrieved by Engineers following onsite visits and 3rd Party engagement as part of technical analysis.
10. What type of hardware needs supporting and testing?
HP, Cisco and Dell
11. The details state that the system is air gapped and can only be accessed on site and prevents remote access but also states that the supplier will need to be on site just once a week and the rest of the time, service support can be provided remotely. If remote access is prevented please can the Authority provide more details around how they envisage the service support being provided remotely.
Air-Gapped environment so unable to remote in to site. Remote support is limited to Change Mgt Board (CAB), Service Desk fault logging, technical investigations/analysis of data logs retrieved by Engineers following onsite visits and 3rd Party engagement as part of technical analysis.
12. Does the Authority require the supplier to have obtained NPPV3 clearance for staff prior to support commencement or can this be obtained upon contract award?
NPPV3 needs to be obtained prior to the award of the contract as without it the supplier will not be able to acces the system.
13. Does the Authority just want a system/server to be maintained or does the requirement also include the environment that supports DASD? For example, networking, firewalls, backups, access control, etc?
Full infrastructure support, including Systems, Servers and Backups is required
No firewalls (hardware or software) in place.
End to end support, from Becrypt tokens, EUDs, servers, switches, printers.
Building infrastructure is not supported – OM3 fibre uplinks, server room / communications room power/cooling, patching from the desk floor ports to the communications room.
14. Please can the Authority confirm what the current system's platform/environment looks like?
Unfortunately I am not able to add attachments at this stage. The document will be shared with the bidders selected for stage two of this framework exercise.
15. Requirement: "upgraded software to users which has been tested"
What is the software?
Is it a fat client on the 15 devices?
Is this a SAAS solution (thin client)?
Is there a test environment for this?
There is a single test ESXi server with a single test Windows Server 2012 R2 VM.
16. Requirement: "a service which can meet and maintain accreditation to secret classification throughout the lifecycle of this service "
Please can the Authority confirm who would own the health checks and security scanning of the environment and who would lead on gaining accreditation?
Supplier should complete health checks and security scanning as part of routine maintenance, reporting findings to the Authority. The Authority holds the direct relationship with the Accreditor and will lead on accreditation.
17. "15 terminals which are shared between users"
Do the 15 terminals also need supporting? Does this support include the server + terminals + network?
17 EUDs – 15 Desktops, 2 Laptops, all running Windows 8.1. Support covers KVM and the Ethernet cable to the floor port, but not from the floor port to the communications room patch panel.
18. "The supplier must have experience of managing back ups "
Please can the Authority confirm how the backups will need to be secured? To tape? Taken offsite?
Backups are completed using NetBackup and relocated on a Monthly basis to an offsite storage location
19. "The supplier must have experience of deploying software" This suggests there are apps to be deployed to the 15 terminals – please can the Authority confirm whether this is the case?
Software deployment and routine Patching (via SCCM) is required. Ensuring deployed Apps on User devices are maintained to latest versions/licensing is required as part of routine maintenance/patch releases. Maintaining each device is completed locally.
20. Is there a test and UAT environment?
There is a single test ESXi server with a single test Windows Server 2012 R2 VM.
21. Requirement: "The contractor will need to provide remote service support during office hours". Please can the Authority confirm whether this is only to the equivalent of one working day per week or, while not on site at Petty France, on a full time basis (Mon-Fri 9-5)?
This will be on a full time basis, not just the one day a week they are on site
22. Please can the Authority confirm whether the Supplier is required to maintain an existing system or is this a requirement for procuring and implementing a new air gapped system?
Maintain an existing system
23. Is there a requirement for a permanent onsite body or would you accept a shared service with a proportion of onsite time and on-call?
1 day onsite, 4 days remote support
24. What specific improvements (top 3) are the MoJ wanting to see from the new service?
1. A more reliable and resilient service, with a service wrap which offers value for money throughout its lifecycle
2. A service which can meet increased storage requirements in the future
3. A service which can support multiple users without a drop in performance
25. Who is the incumbent service provider?
Sopra Steria Limited