Nuclear Decommissioning Authority (NDA)

Cyber Security and Resilience in the Supply Chain

40 Incomplete applications

24 SME, 16 large

3 Completed applications

2 SME, 1 large

Important dates

Published
Thursday 29 April 2021
Deadline for asking questions
Thursday 6 May 2021 at 11:59pm GMT
Closing date for applications
Thursday 13 May 2021 at 11:59pm GMT

Overview

Summary of the work
This project will examine and enhance the NDA Group’s capability to manage cyber risk and ensure resilience within its supply chain, in an increasingly complex ecosystem of third-party system and service delivery and operations.
Latest start date
Wednesday 26 May 2021
Expected contract length
The contract length will be up to 12 months.
Location
North West England
Organisation the work is for
Nuclear Decommissioning Authority (NDA)
Budget range
Up to £500k for the initial phase of work.

About the work

Why the work is being done
The NDA is 3 years into a Cyber Security and Resilience Programme implementing change across 7 businesses. A key goal is to ensure a secure and resilient supply chain. This project will therefore examine and enhance the NDA Group’s capability to manage cyber risk and retain resilience within its supply chain, in an increasingly complex ecosystem of third-party system and service delivery and operations. Strengthening, harmonising and ideally standardising approaches across the group is key. There will be an initial one year’s work to create the strategy and approach, and potentially two additional years’ work to roll out the design.
Problem to be solved
Securing the supply chain effectively is hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. Key stakeholders include security, commercial and supplier teams.
A series of global, high profile, damaging attacks on organisations has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security.
The NDA Group comprises various businesses increasingly coming together under a group approach, whilst still legally accountable to the Office of Nuclear Regulation (ONR). Therefore, an approach is needed that is risk-based, efficient, collaborative and addresses current and future threats.
Who the users are and what they need to do
As a CISO I need to be confident that our policies, processes and guidance for procurement and supply chain management are effective at highlighting any security concerns and ensuring that security risks are identified and mitigated accordingly as part of our secure-by-default approach and security culture. This will limit vulnerability to cyber threats and ensure readiness to handle any incidents that do occur.

As a procurement manager I need clear policies, processes and guidance that ensure compliance and allow effective management of all risks, including security risks, whilst still ensuring innovation and value for money.
Early market engagement
Any work that’s already been done
A CSRP operations plan for 2021-22 has been drafted for this project to create a community of interest, to assess the current level of capability, to facilitate a common strategy, to facilitate enhanced supply chain security measures and to create a supply chain mapping of dependency and risk. An initial strategy is needed by the end of Q2.

Outside of CSRP, but still within the NDA, there is also an active Contract Security Working Group, a Supply Chain Forum, a supply chain assurance function and a significant commercial project (‘Project Victory’) to enhance commercial IT systems and supply chain risk management.
Existing team
The supplier will work as part of the CSRP team, which is made up of a combination of NDA staff, contractors and other suppliers that are responsible for CSRP related services. The supplier may encounter other suppliers as they engage with NDA businesses, who have their own support teams and security services in place. The supplier will work with the forums and working groups described above, as well as all the NDA businesses.
Current phase
Discovery

Work setup

Address where the work will take place
Whitehaven, Cumbria.
Some meetings may take place at various other NDA sites.
Working arrangements
Whilst Covid restrictions limit contact in the near term, allowing the supplier to work remotely during early phases, the intent is for the Supply Chain project to be run from Whitehaven, Cumbria, with a mix of onsite and remote working.
The supplier PM and key personnel will be expected to be routinely available with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites.
Expenses will be as per the NDA policy and all travel will be authorised by the NDA point of contact.
Security clearance
BPSS minimum (or equivalent) and personnel may need to go through additional NDA clearance checks.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Capability to create/enhance a Community of Interest between all stakeholders in supply chain (SC) security and their initiatives to address SC cyber security, to facilitate an effective, holistic and coordinated approach.
  • Capability to assess the current level of capability/capacity and performance of cyber security/resilience in the SC, with links to the current Target Operating Model (NIST CSF) and Risk Assessment approaches/tooling.
  • Capability to facilitate a common SC security strategy and implementation plan, with interventions, recommendations to deliver ‘quick wins’ and highlight opportunities. This will enhance the group cyber security strategy.
  • Capability to facilitate, document and support the implementation of enhanced SC security policies and associated best practice measures consistent with the NDA ecosystem and the dynamic threat environment.
  • Capability to create a SC mapping of level of security dependency (or impact of breach) versus maturity of security measures in place, in order to provide a SC risk dashboard.
  • Capability to recommend appropriate digital solutions based on experience.
  • Experience in creating improved security and resilience through effective observation and control of security risks and management of security operations between companies and suppliers.
  • Experience delivering improved (measurable) effectiveness/efficiency through the implementation of a standardised approach to applying security requirements and operational arrangements in relevant contracts at the start of the procurement cycle (Service/Systems).
  • Experience creating improved relationships and communication between companies and their supply chain through the sharing of transparent policies and procedures and educating stakeholders on supply chain threats.
  • Ability to deliver an Agile project, using relevant programme tools (e.g. AgilePgM) and personnel with SFIA skills.
  • Use in-house personnel rather than subcontracting the work out.
Nice-to-have skills and experience
  • Experience in NDA/ONR/MOD(DCPP)/other CNI environments
  • Reference library of relevant supplier security documentation

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Ability to meet timeframe
  • Experience in creating and delivering other supplier and supply chain security projects and solutions
  • Approach to project and task management, including a risk-based approach given that the NDA Group uses more than 5,000 suppliers directly a year and spends ~£1.9bn/yr through suppliers
  • Value for money (including transparency of costs)
Cultural fit criteria
  • Demonstrate the ability to work within a wider cyber programme as demonstrated by previous case studies
  • Demonstrate the ability to focus on the outcome of the work, not the specifics of their technical capability
  • Demonstrate the ability to work collaboratively to co-develop approaches that get buy-in from stakeholders across the NDA Group
  • Demonstrate a willingness to share wider knowledge and experience
  • Demonstrate a willingness to take responsibility
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Presentation
Evaluation weighting
Technical competence
60%
Cultural fit
20%
Price
20%

Questions asked by suppliers

No questions have been answered yet

The deadline for asking questions about this opportunity was Thursday 6 May 2021.