Awarded to We Are Snook Ltd

Start date: Tuesday 5 January 2021
Value: £926,706
Company size: SME
Ministry of Housing, Communities and Local Government

Alpha and Beta Cyber Health Framework for Local Government in England

13 Incomplete applications

9 SME, 4 large

25 Completed applications

20 SME, 5 large

Important dates

Published
Tuesday 20 October 2020
Deadline for asking questions
Tuesday 27 October 2020 at 11:59pm GMT
Closing date for applications
Tuesday 3 November 2020 at 11:59pm GMT

Overview

Summary of the work
Alpha/beta research, prototype, test, learn and design of a cyber health framework for English local authorities to support councils to work with existing cyber standards and meet a minimum level of cyber health.
Latest start date
Monday 23 November 2020
Expected contract length
Up to 6 months.
Location
London
Organisation the work is for
Ministry of Housing, Communities and Local Government
Budget range
Overall budget: up to £1,000,000 (excluding VAT)

Continuation into beta will be contingent on alpha findings and subject to a service assessment / spend control.

Suppliers are requested to provide a budget split for the 2 phases of work.

Suppliers are also requested to provide a timeline for the 2 phases of work.

A short break should be allowed for between alpha and beta to allow for a review of the alpha phase, including a service assessment and review of findings to confirm the work should proceed to beta.

About the work

Why the work is being done
MHCLG is looking to support councils in England to improve their cyber health and reduce their cyber risk.

There is no shared baseline against which councils can measure their cyber health. This absence makes it difficult to secure buy-in from senior leadership. Current standards and principles are not applicable or appropriate to every council and no single standard covers all the requirements.

We have identified tools (see below) that have been developed for other sectors and would like to use these as a basis for identifying what MHCLG should provide through a process of design, prototyping and testing with users.
Problem to be solved
Discovery work into cyber security in local government found that councils need a framework to apply a minimum level of cyber health and ensure the continued delivery of services.

The framework should reflect the wider view of cyber security addressing non-technical and technical practices, such as:

- People - knowledge and behaviours

- Processes - procurement, executive governance

- Technology - standards, architecture, management

Local authorities should be able to:

- know that there is a minimum level of cyber security to reach

- determine their own organisation’s level of cyber security

- devise a path to build greater resilience
Who the users are and what they need to do
Council person responsible for cyber security:

- understand what an acceptable level of security is so I can plan and prioritise our efforts.

- need advice and support on how to reach the acceptable level so we have the skills and knowledge to be secure.

- want a trusted and recognised level so I can evaluate and measure the level of cyber health.

Council CEO:

- to be confident that my organisation is secure so able to assure the continued delivery of services to citizens.

Person at MHCLG:

- want to understand where local authorities are not secure so can provide support where appropriate.
Early market engagement
n/a
Any work that’s already been done
We have completed a Discovery phase.

Our end of Discovery blog post can be found at:

https://mhclgdigital.blog.gov.uk/2020/08/25/key-findings-and-recommendations-from-the-cyber-security-discovery

During Discovery we identified work that the Scottish Cyber Resilience Unit and NHS have undertaken to develop tools/frameworks for their respective sectors:

- Scottish Cyber Resilience Framework and Self-Assessment Tool

https://www.gov.scot/publications/cyber-resilience-framework

- NHS Digital's Data Security and Protection Toolkit

https://www.dsptoolkit.nhs.uk

We expect reuse of existing work from other sectors to develop a candidate toolkit relevant to English councils, through analysis of existing standards and tools, producing prototypes for validation in Alpha, with continuation into Private and Public beta, subject to GDS assessment.
Existing team
The service designer from the Discovery will be part of the team. A user researcher from MHCLG, who is new to the workstream, is potentially available.

We have / will be commencing work on the other recommendations from our Discovery phase and there is an expectation that this team will work in partnership with other workstreams including sharing learning and any other artefacts.

A delivery manager is helping to manage across the workstreams.

We expect flexibility in any proposed service and financial model to replace supplier team members with internal team members during the lifetime of the project.
Current phase
Alpha

Work setup

Address where the work will take place
The primary site is the MHCLG office located at 2 Marsham Street, London, SW1P 4DF.

However, current circumstances mean remote working is the default.

Given that the work involves working with councils in England, travel may be necessary.

**Travel/expenses to sites must be included in your costs and WILL NOT be reimbursed separately**
Working arrangements
The supplier is expected to work alongside existing teams for face-to-face meetings and work in the open with the sector through open show-and-tells and blogging.

The supplier should demonstrate effective use of Agile principles and established project management approaches enabling progress to be shared, continually visible, monitored and issues resolved.

Current working arrangements mean much of this work will need to be completed via video calling, so the supplier should be comfortable using products such as Microsoft Teams and Google Meet with cameras on.

The supplier will work with MHCLG to identify the appropriate architecture and technologies for a beta phase.
Security clearance
CTC or above is desirable as staff will otherwise need escorting on site. If the successful supplier does not have CTC cleared staff, MHCLG will sponsor clearance. The supplier team will be expected to start this immediately after appointment.

Please make it clear whether staff have clearance when submitting responses.

Additional information

Additional terms and conditions
1. All outputs will be owned by MHCLG and published openly where appropriate using a suitable open license that supports reuse.

2. All materials/outputs derived from the contract shall be the property of MHCLG.

3. GDPR requirements will be discussed and agreed once the successful supplier has been notified (as part of discussions to agree the wording of the call-off contract).

4. Continuation to beta is subject to the outcome of the alpha phase and positive alpha service assessment.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate meeting skill requirements based on the anticipated composition of the team and as outlined in the Government Service Standard
  • Proven and demonstrable knowledge of IT security standards and assessments not limited to Cyber Essentials, PSN, PCI DSS, NCSC's 10 steps and Government Minimum Cyber Security Standard
  • Demonstrate having experience of undertaking user research, design and prototyping of public services
  • Demonstrate having experience of designing a service that everyone can use as outlined in the Government Service Standard (point 5)
  • Demonstrate having recent experience of working with local authorities
Nice-to-have skills and experience
  • Demonstrate experience of presenting and explaining technical content (such as IT or cyber) to non-technical senior leaders
  • Demonstrate experience of 'working in the open' (blogging, show and tells, project backlog) and regularly sharing project findings and progress with a wide audience inside or outside of the organisation
  • Demonstrate experience of using open standards, common components and patterns from inside and outside government as outlined in Government Service Standard (point 13)

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Approach and methodology to the work - including technical proposal
  • Demonstrating an understanding of our requirements
  • Identified risks and dependencies and potential approaches to manage them
  • Team structure, including skill, experience and accreditation of individuals and their relevance
  • Estimated and credible time-frames for the work
  • How the approach or solution meets user needs
  • How you will ensure smooth transition and knowledge transfer to the live service team
  • Value for money of the proposed approach
Cultural fit criteria
  • Experience of successful collaborative working as part of a mixed supplier-client delivery team sharing knowledge within the team and with other suppliers
  • Be transparent and collaborative when making decisions
  • Demonstrate supporting a no-blame culture and encouraging people to learn from their mistakes
  • Demonstrate establishing rapport with stakeholders, keeping them informed and managing their expectations
  • Demonstrate understanding of the local government landscape and the spirit of the Local Digital Declaration https://localdigital.gov.uk/declaration/
Payment approach
Capped time and materials
Additional assessment methods
  • Work history
  • Presentation
Evaluation weighting

Technical competence: 50%
Cultural fit: 15%
Price: 35%

Questions asked by suppliers

1. Have the Authority not considered tasking NCSC Assured suppliers with this opportunity? For example, NCSC Certified Cyber Security Consultancy suppliers?

This requirement is an exact match to what the scheme was set up for. Also, why was the CCS Cyber Security Services DPS not used for this requirement?
This was considered, but the Digital Marketplace was selected as the preferred route.

We are not looking purely for advice on cyber security, but testing a variety of solutions (as prototypes) on how to support English local authorities at scale to improve their cyber security. We therefore expect this requirement to be delivered by a digital team as described in the Government Service Manual but include cyber subject matter expertise.
2. Why is it a mandatory requirement to have worked with local authorities in the past?

We have several years' experience fulfilling all of your requirements (including for central government and private industry) and struggle to see why restricting this opportunity to suppliers that have worked with local authorities is necessary?

Applying these security skills and experience to a local authority will be no different to applying them with the wider HMG.

Surely this should just be a nice to have requirement? You will needlessly restrict the quality of suppliers who apply for this opportunity otherwise.
On this occasion, given where we are, we feel it important to ask for a supplier that has experience of working with local government and understands the relationship between central and local government.

This is not just about applying security skills but understanding how to engage and provide support at scale to local authorities who have varying levels of capability and capacity.
3. Please can you clarify how this project fits in with the recently published "Cyber and Technical Support for Councils".

Particularly regarding:

• Timeline of delivery of both projects;

• Whether the same supplier can be awarded both contracts.
The projects will run in parallel. The cyber and technical support requirement has only just been awarded and has yet to commence. We expect them to run for a similar length of time.

An incumbent supplier is welcome to bid if they believe they can also meet the requirement. However, the requirements are quite different, and the same organisation may not be suited to deliver both.
4. Can you clarify the process up to award? At this stage we can only complete the 100 words against each of the 'essential' and 'nice to have' criteria. When would you ask for the written proposal and what are the criteria for being asked? i.e. is it only the top 3, everyone who responds or only those who score highly enough from the initial stage.
The procurement will follow the standard process for the Digital Outcomes and Specialists framework. An initial sift will be carried out based on the supplier responses against the Essential and Nice-to-Have criteria. The top 3 suppliers from the sift will be invited to submit a full proposal and attend a presentation, which will be assessed against the Proposal and Cultural Fit criteria.
5. Can the Authority provide guidance on the format for question responses? The questions do not appear to fit the guidance previously issued to suppliers.
Suppliers should provide their responses via the DOS website, adhering to the word limits set for each question.
6. Could the Authority provide a definitive list of the skill requirements for this work which will allow us to answer the first question in ‘Essential Skills and Experience’ section?
It is down to suppliers to anticipate the skills they believe are required to deliver this requirement and identify the type of roles in the team that will provide them.
7. Was the Discovery phase of this work delivered with support from industry? If so, is the industry partner an incumbent for this subsequent phase?
The Discovery phase was delivered with a mix of Civil Servants and digital specialists obtained via the Digital Marketplace. The same supplier is currently providing digital specialists to the wider programme.
8. Could the Authority provide detail on down-stream timescales for this procurement after evaluation of this phase? i.e. How long will the 3 suppliers who are down-selected be provided to produce their written proposal and prepare a presentation?
It is anticipated that suppliers will be preparing proposals between 9-18 November. However, please note that this is only an indicative timetable and is subject to change dependent upon the number of suppliers who express an interest at the sifting stage.
9. Please can you confirm the requirement to have a signed contract in place with a start date of the 23rd November for the selected supplier to begin work. What is the timeline for the bid process please?
We currently anticipate completing the process by 20 November, so we would like suppliers to be available from the week commencing 23 November.

The approximate timetable is as follows – but please note this is subject to change and is dependent upon the number of suppliers we need to evaluate during the sifting stage.

First Stage Sift: 3-6 November
Shortlisted Suppliers Prepare Proposals: 9-18 November
Supplier Presentations: 20 November
Suppliers Notified of Award Decision: 23 November
10. In question 7 you mentioned that the supplier involved in the discovery phase is supporting the ‘wider programme’. Please can you elaborate on the objectives and scope of the ‘wider programme’ to help us understand how this requirement fits in?
The Local Digital programme supports local government more broadly with their digital transformation work and supporting the Local Digital Declaration - https://localdigital.gov.uk/what-is-the-declaration

This cyber work sits within that.
11. Do you envisage the product(s) delivered in alpha and beta phases will be digital product(s) that can be deployed at scale (for example via a self-service portal) as opposed to a static framework? We assume the former but the reference to DSPT implies an assurance framework rather than a set of digital tools. We'd be grateful for any clarification on this point.
The alpha should help identify the products, but our hypothesis is some sort of deployment at scale. Both the Scottish tool and DSPT are delivered as Excel based documents that we think will serve as a good basis to develop more scalable prototypes in alpha.
12. Is the supplier that delivered the Discovery phase and currently providing digital specialists to the wider programme bidding for this outcome based engagement, or do they just supply specialists?

Is there an expectation of providing a centralised hosting platform for this solution or is this optional?
The supplier has, in the past, provided specialists and teams. It is for them to determine if they are bidding for this work.

Hosting and the exact products should be determined as part of this work and be based on user needs.
13. For suppliers selected to go through to the next stage of assessment, will the client expect the supplier to include a full technical platform solution in the proposal?
For suppliers that are short-listed they will be asked to provide a written proposal which will be expected to include details of any technical solution(s).
14. Does the stated (approximate) £1m budget cover both the alpha and beta phases?
Yes, the budget covers both phases.
15. Does the council have a documented and consistent approach to the assessment and management of risk?
Assuming ‘the council’ refers to all local authorities, there is unlikely to be a consistent and documented approach across them all.
16. Is the overall budget allocated for everything up until the ‘go-live’ of the Beta i.e. Design, Build, Host & Test?
Yes, this is correct.
17. Are bidders expected to submit suggestions for any post-beta activity at this stage?
No, not at the first stage. Suppliers that are short-listed will have to complete a written proposal where one of the criteria is “How you will ensure smooth transition and knowledge transfer to the live service team”