Awarded to Apadmi

Start date: Friday 28 May 2021
Value: £46,410
Company size: SME
Department for Digital, Culture, Media and Sport

102423 - App development across various app stores to identify and map security and privacy guidance

11 Incomplete applications

9 SME, 2 large

11 Completed applications

11 SME, 0 large

Important dates

Published
Wednesday 21 April 2021
Deadline for asking questions
Wednesday 28 April 2021 at 11:59pm GMT
Closing date for applications
Wednesday 5 May 2021 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Summary of the work
The Department for Digital, Culture, Media and Sport requires a Supplier with experience in developing apps for Android or iOS devices to identify security and privacy guidance provided to developers by app stores through creating a basic app for 12 app stores.
Latest start date
Monday 31 May 2021
Expected contract length
The project is to be completed by 13 August 2021; the contract won't be extended beyond 31 August 2021.
Location
No specific location, for example they can work remotely
Organisation the work is for
Department for Digital, Culture, Media and Sport
Budget range
£35,000 to £50,000 excl VAT

About the work

Why the work is being done
DCMS are working with the National Cyber Security Centre to assess where Government intervention can help protect users of app stores. This project is focused on identifying and mapping what guidance is being provided by app store operators to developers during the app development process, specifically in terms of security and privacy content. This includes capturing any information provided by app store operators which sets out what responsibilities are currently placed on app developers for ensuring that good security and privacy is built into apps. The supplier will be expected to create a basic app and go through the app development process for 12 app stores. The supplier will be required to note where app store operators differ in terms of the guidance they offer and the requirements they place on vendors.

The Supplier is not expected to submit an app for app store verification. If during the app development process the Supplier reaches a situation where guidance is inaccessible because it is paywalled, this should be noted, but we do not require the Supplier to pay to access this guidance. This work shall be completed by the 13th August 2021.
Problem to be solved
It is not possible to identify what security and privacy guidance is provided by app store operators for developers through open source research. Therefore, DCMS needs a supplier to create a basic app and go through the app development process for 12 app stores (Google, Apple, Samsung, Amazon, Microsoft, Huawei, Cydia, Aptoide, GetJar, F-Droid, AltStore and APKPure) to identify the guidance and responsibilities set out.
Who the users are and what they need to do
DCMS policy officials and National Cyber Security Centre (NCSC) technical officials are the main users of this service. The Supplier will be expected to produce a report in HTML, DOC and PDF versions which sets out the findings of the project. This report should be written to a high standard because it will be used to help the Government to decide our interventions for app stores. The report could be published at some point by DCMS and will likely be shared with various teams across Government.
Early market engagement
Any work that’s already been done
No relevant work has been done.
Existing team
The supplier will be expected to provide weekly project updates in virtual meetings with the DCMS policy lead responsible for app store security. These meetings may also involve NCSC officials (when possible).
Current phase
Not applicable

Work setup

Address where the work will take place
This can be determined by the Supplier, but must be somewhere in the UK.
Working arrangements
There are no restrictions on working arrangements except that the project should be completed in the UK. The supplier must ensure they are able to hold a weekly video call with DCMS to update officials on the progress of their work and note any challenges that have arisen. Subject to Covid-19 guidance, the Supplier should expect to attend one face-to-face meeting at DCMS's 100 Parliament Street, London, SW1A 2BQ address to present the findings of the project/the draft report for feedback.
Security clearance
The supplier personnel involved in this project should have BPSS clearance as a minimum.

Additional information

Additional terms and conditions
All the IPRs generated through this contract shall rest with DCMS.
Pricing shall be a Fixed Price for delivering the full scope of work, including all fees, costs, expenses; and responding to feedback from DCMS and their stakeholders, for example by amending reports, where appropriate.
Shortlisting and Evaluation Criteria Weighting Split:
Stage 1
- Essential Skills and Experience - 15%
- Nice to have skills - 10%

Stage 2
- Proposal Criteria - 50%
- Cultural Fit - 5%
Price - 20% - fixed price

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • At least 3 years' expertise in leading the development and publishing of apps for Android and/or iOS (ideally both) over the last 5 years. (10%)
  • Experience of quickly accessing necessary hardware and software (such as a device that runs Android Studio and the latest version of macOS and Xcode) for app related projects (5%)
Nice-to-have skills and experience
  • Experience of developing and publishing apps for a wider variety of app stores (5%)
  • Experience of delivering qualitative research linked to a cyber security area or software development, ideally which has been published (5%)

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Approach and methodology (30%)
  • Project management including estimated timeframes for the work and how supplier will identify risks and seek to manage them (10%)
  • Team structure and skills (10%)
Cultural fit criteria
  • Share knowledge and experience with the authority (5%)
Payment approach
Fixed price
Additional assessment methods
Evaluation weighting

Technical competence

75%

Cultural fit

5%

Price

20%

Questions asked by suppliers

1. What application does the supplier need to develop? Can you share the scope of the application?
   The apps to be developed do not need to perform any specific user function, but they should be sufficiently complex to trigger all security or privacy controls in place on the platform. For example, on iOS, the requirement to include a descriptor string when accessing capabilities and services such as the microphone, location, or camera.
2. Is there an incumbent for this role and if so are they planning on putting an application in to tender?
   Currently, there is no contract for this work therefore no incumbent supplier in place.
3. Is the emphasis here on the process of how security and probity is assured overall. Or, the guidance provided, as in its basic, enough, exemplary, gaps, issues?
   Both – the goal is to understand what guidance/documentation is surfaced directly through the process, how clear and thorough each is, and what is captured in documentation but isn’t pushed directly via the development process to an app developer (e.g. documentation that says how to manage cryptographic keys, or versions of third-party libraries, but where the developer would need to actively seek this out). Some information and documentation will likely not be actively shown to developers as part of the process, therefore the Supplier will also need to search for security and privacy guidance across the platform.
4. We believe the app developer’s security and privacy guidance is all available in the 12 app stores’ documentation. Have DCMS and the National Cyber Security Centre seen or read these and if not, should that and a synopsis be included in the scope?
   This documentation is included within scope as part of the app store operator’s guidance.
5. Would you consider development resources spread across geographical locations?
   As set out in the Department's requirement, the Supplier's team should be based in the United Kingdom. There is no specific requirement for colocation of the team members within the United Kingdom. The supplier will be responsible for coordinating and managing their team to ensure seamless delivery of the required services within the fixed price offered by the supplier.
6. My company is part of the Digital Marketplace but we do not have security clearance. Is it possible to apply for this in parallel with submitting this tender?
   The Department (DCMS) cannot indicate/advise on the time it may take to complete the BPSS process. The supplier personnel involved in this project should have BPSS clearance as a minimum.