Defence Digital, Ministry of Defence Corsham

CCT 984-Security Assurance Support to Application Services and Development Team services

8 Incomplete applications

6 SME, 2 large

15 Completed applications

11 SME, 4 large

Important dates

Published
Friday 23 April 2021
Deadline for asking questions
Friday 30 April 2021 at 11:59pm GMT
Closing date for applications
Friday 7 May 2021 at 11:59pm GMT

Overview

Summary of the work
We are looking for support to develop and deliver packages of work to build our digital Security Assurance capability and capacity. The Supplier will work with our teams, delivering outcomes across our services.
Latest start date
Tuesday 1 June 2021
Expected contract length
Two years
Location
South West England
Organisation the work is for
Defence Digital, Ministry of Defence Corsham
Budget range
The budget is up to a maximum ceiling value of £5m including VAT.

This is not a commitment to spend up to this value and the Authority reserves the right to consume at its discretion.

The intended contract will be treated as an outcome based service solution. IR35 does not apply to this contract.

About the work

Why the work is being done
Specialist Security advice to meet assurance activities is required in order to ensure Application Services and Development Team services deliver key capabilities on time and fit for purpose.
Problem to be solved
Requirement to provide Security Assurance knowledge and expertise for all Application Services and Development Team services.

Management of security actions that arise out of the Joint Programme Security Working Groups. Act as chair/secretary on behalf of Application Services and Development Team which will be agreed at commencement of work.

Ensure the Accreditation Evidence Statement (AES) is scoped by the project to capture appropriate project requirements. This will cover all the security activities required to achieve accreditation and address other activities such as GDPR/DPIAs, Review of Solutions (Apps and Platform builds), Risk Assessments, and providing good solid opinions and guidance from a security POV, including at PI Planning and demos.

Engagement/ liaison with the Case Officer and Accreditor.
Ensure production of Security Management Plan and Accreditation Strategy for the review and approval of Security Working Groups (SWG).
Ensure the production of the Risk Management and Accreditation Document Sets (RMADS) and any supporting documentation and evidence is produced as a project deliverable in line with JSP440 and JSP604.
Conducting technical risk assessments, including managing RMADS and managing TSIs.
Ensure new projects are registered (and entries maintained) on DART to enable an accreditor to be assigned.
Skills transfer to nominated project staff.
Who the users are and what they need to do
For the tasks required, the 'users' are the project team and our stakeholders. The IA specialists are required to liaise with the programme teams, key stakeholders in Defence Digital and across MOD as well as working with CyDR or other TLB Accreditors.
Early market engagement
Any work that’s already been done
Many items (Projects) have already been started or are in the delivery phase and as such, the tasks are about refinement, further development and operation.
Existing team
Application Services and Development Team services
Current phase
Live

Work setup

Address where the work will take place
Defence Digital, Ministry of Defence Corsham

However, at the time of writing, government measures to reduce Covid-19 are in operation and, as such, work should be done remotely and in observance of social distancing and shielding guidance. MOD will continue to observe all government advice in the coming months aimed at reducing the spread of the disease.
Working arrangements
Work onsite 4/5 days a week in Corsham as agreed with the Project Manager in order to support Project Teams in all of their Security Assurance activities.

Because of Covid-19, all activity is likely to be remote for the foreseeable future. MOD Net UAD/Laptop will be provided to support remote working, and there could be a potential to travel to Corsham or other sites whilst in lockdown to enable OS/above discussions to be had until we normalise.
Security clearance
Valid DV clearance must be in place prior to the contract starting and for the duration of the contract, owing to the projects to be worked with.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate with evidence recent working experience(s) of supporting delivery in a large scale IT Environment / Project (150k+ users)
  • Demonstrate experience of working in MOD or other large government organisation, with a good understanding of Defence Digital Services or equivalent and wider business practices
  • Demonstrate with evidence a clear understanding of the MOD estate or similar government organisation and the difference between Official and Secret environments
  • Demonstrate with evidence a firm understanding of Security Assurance environment in a large corporate deployment
  • Demonstrate a clear understanding of / recent working experience of JSP 440 and JSP 604 Accreditation
  • Provide evidence of analysis and evidence gathering experience; ability to understand where potential Security gaps lie based on evidence and producing written analysis
  • Demonstrate recent experience in producing Security Cases that work in a pragmatic way for both Delivery and Security Teams, including providing evidence
Nice-to-have skills and experience
  • Demonstrate experience of conducting Technical security reviews / approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy
  • Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process
  • Demonstrate previous working experience of Coordinating technical security documentation in support of CyDR to support achievement of accreditation

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP
  • Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; a ‘one size fits all’ approach will not satisfy our requirement (20%)
  • Provide a high-level plan of your approach for identifying and managing Security Risks, Issues and Dependencies in a mature business/project area, including evidence of managing RMADS and managing TSIs. (15%)
  • Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)
  • Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
  • Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
  • Supporting CVs – These should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page. (10%)
  • Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)
  • Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)
Cultural fit criteria
  • FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP
  • Experience of outcome-based delivery in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
  • Work as a team with our organisation and other suppliers, including knowledge and experience of scaled Agile ways of working. (25%)
  • Remain transparent and collaborative when making decisions (25%)
  • Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions. (25%)
Payment approach
Fixed price
Additional assessment methods
  • Work history
  • Reference
Evaluation weighting

Technical competence

60%

Cultural fit

5%

Price

35%

Questions asked by suppliers

1. Why was the previous procurement for this requirement cancelled?
The issues arose because it became apparent that there was a lack of clarity over the scores that a bidder would receive for each of the elements being assessed, and a lack of scoring guidance to assist bidders in understanding what they needed to do to achieve top marks. No marks were set out in the document – only percentages for each section, with no detail of how a score for each section would be calculated.

These matters have been addressed to ensure that all future competitions are fully compliant with the Procurement Regulations and any associated legislation.
2. The answer to Q1 presumably relates to the Ph 2 element of the opportunity. Can you confirm that the Ph 2 Statement of Requirement will be phrased in such a way that all Ph 2 responders will be pricing against the same criteria in order to achieve a level playing field? In other words, will it be clear as to how many SACs are to be priced to ensure commonality of pricing, notwithstanding the minimum or maximum number of SACs that may be required across the life of the contract?
We recommend that you respond to the PH 2 Statement of Requirements and propose a team size which will meet the requirements and deliverables covered in the scope of work.
3. We have all the capabilities and experience to deliver this but do not have adequate number of SC/DV cleared candidates. Our team is all British citizens who are willing to obtain SC/DV clearance. Is this something that MoD can help sponsor if we are selected based on our other credentials?
We would expect that any individual is already security cleared to the required level and that the clearances are in place for the duration of the contract.
4. Can the Authority please provide further details on the reason this contract is being re-competed and what changes it expects there to be in how supplier responses will now be assessed?
The details on the reason this contract is being re-competed have already been provided. We shall be following the DOS guidance, including the scoring criteria which is as follows:

Score Description
0 Not met or no evidence
1 Partially met
2 Met
3 Exceeded

The deadline for asking questions about this opportunity was Friday 30 April 2021.