Awarded to IBM United Kingdom Ltd

Start date: Thursday 16 December 2021
Value: £20,000,000
Company size: large
Secretary of State for Home Department (acting through the Home Office)

C18477 Digital Data and Technology (DDaT) Central Security Architecture.

17 Incomplete applications

7 SME, 10 large

12 Completed applications

5 SME, 7 large

Important dates

Thursday 8 July 2021
Deadline for asking questions
Thursday 15 July 2021 at 11:59pm GMT
Closing date for applications
Thursday 22 July 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Supply of resource: the off-payroll rules will apply to any workers engaged through a qualifying intermediary, such as their own limited company
Summary of the work
The Home Office is looking for a supplier who can provide the necessary knowledge, skills and experience to help meet the demands for Security Architecture Services within the Home Office’s Digital, Data and Technology (DDaT) directorate, on a range of internal and public facing services from discovery to live.
Latest start date
Friday 1 October 2021
Expected contract length
24x Months.
No specific location, for example they can work remotely
Organisation the work is for
Secretary of State for Home Department (acting through the Home Office)
Budget range
The Home Office anticipates the total cost for DDaT Security Architecture Services to be in the following range for 24 months £15m - £20m. This is based upon benchmarked costs from existing suppliers providing similar levels of resources.

About the work

Why the work is being done
Home Office customers and employees rightly expect modern technology which helps customers receive the service they require and supports employees in protecting the public. We are increasingly reliant on technology to support the Home Office in its role to lead on immigration and passports, drugs policy, crime policy and counter-terrorism, and to ensure visible, responsive and accountable policing in the UK. We need to design and deliver technology which supports the transformation of the Home Office and the modernisation of our processes making them fit for a digital future.

Home Office DDaT requires a Security Architecture Partner to provide SA capability and delivery across all our areas of work (including immigration and passports, borders, policing and counter-terrorism).
Problem to be solved
Supporting the Principal Security Architect by providing specialist security advice, leadership and governance for HO DDaT portfolios, programmes and projects and:

• Advising on the evaluation of complex applications and architectures using both manual and automated techniques (e.g. code security scanners, web vulnerability scanners and assessment support tools) to identify security issues

• Making and guiding effective decisions on the highest complexity risks, based on information assurance risk assessment methodology, trusted by senior risk owners as an expert in security

• Articulating the impact of vulnerabilities on existing and future designs and systems to senior stakeholders, explaining how easy or difficult it will be to exploit the vulnerabilities

• Advising on security concepts at a technical level across multiple projects, working with security tools, network security infrastructure technologies, and information security management frameworks

• Understanding NCSC information security guidance and architecture patterns

• Understanding architecture methodology e.g. SABSA, TOGAF
Who the users are and what they need to do
Home Office service users (staff and external).
Early market engagement
Home Office intends to hold an Overview and Clarification Session via Teams on 14th July 2021. To attend the Overview and Clarification Session potential providers will need to complete, sign and return a non-disclosure agreement (NDA). Suppliers are restricted to a maximum of 2 people per organisation and one NDA copy required to cover one organisation.

For further information on the Overview and Clarification Session and NDA bidders should submit an email request to by no later than 12:00 (noon) 13th July 2021. Non-Disclosure Agreements or request received to attend the event after the deadline will be rejected.
Any work that’s already been done
Existing team
A civil service led mixed team of managed service providers, contractors and civil servants. The successful bidder will be required to engage and collaborate across all groups delivering and maintaining services for the Home Office.
Current phase
Not applicable

Work setup

Address where the work will take place
The majority of the services are expected to be based at our London, Croydon, Sheffield or Manchester sites. However, the successful supplier must be capable of providing the service nationwide. Secondary locations may include Glasgow, Liverpool, Southport or Hendon.

The work will be divided into Statements of Work (SOWs) which will clearly identify the relevant base location.
Working arrangements
A flexible approach is required to meet the needs of each individual project and programme. The work will be divided into Statements of Work (SOWs) which will clearly identify the working arrangements.
Security clearance
All staff must have Security Clearance (SC) prior to starting work. Staff not in possession of security clearance must be willing to undergo security clearance. Occasionally, NPPV3 or DV clearance is required. Clearance needs to have been achieved and validated by the Customer prior to commencement.

Additional information

Additional terms and conditions
1.Travel expenses are payable for journeys outside the M25 (Greater London) or journeys greater than 10 miles from other base locations, where approved in advance and in line with HO Travel policy (subsistence not payable).

2. Professions rate caps will be applied to all roles at all SFIA levels. Caps will be provided to shortlisted suppliers at RFP stage.

3. Seasonal furloughs may be required.

4. Maximum sub-contractor margin caps will be applied

5. Potential Providers participate in the RFP stage will need to complete, sign and return a non-disclosure and ethical walls agreement (NDA) prior to receiving the RFP.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Recent experience (within the last 2 years) of placing SFIA level 3-5 architects into delivery teams in government or critical National Infrastructure & understanding how those roles work together.
  • Evidence of supporting a Principal Security, Lead Security and Security Architect in shaping and leading the overall security architecture for portfolios, programmes and projects using open standards (such as TOGAF)
  • Evidence of supporting a Principal Security, Lead Security Architect and Security Architect in developing and implementing the end-to-end risk management lifecycle for portfolios, programmes and projects
  • Evidence of providing operational security advice to portfolios, programmes and projects
  • Evidence of providing leadership and governance within both the central hub and a spoke of a spoke governance model
  • Evidence of providing a searchable, collaborative capability for capturing and maintaining key security architecture knowledge
  • Evidence of developing, documenting and maintaining security-architecture, policies and procedures. Security risk assessments. Security input to project-planning. Conduct internal security-audits/remediation. Manage external security-audit. Ongoing skills-transfer.
  • Designing, delivering, securing cloud based security architecture. Ensuring security controls are appropriate to mitigate, minimise, treat discovered risks. Technical assurance to ensure compliance with security architecture, covering new/legacy systems.
Nice-to-have skills and experience
  • Provide evidence of resources that have existing SC clearance that will support the speeding up of on-boarding teams
  • Demonstrate experience of handing over products to another team, including service transition

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Essential Skills from Stage 1
  • On-boarding and transition
  • Work packages
  • Organisation and sub-contractors
  • Proposed Leadership/Management Team
  • Thought leadership in Security Architecture
  • Social Value
Cultural fit criteria
Social Value
Payment approach
Capped time and materials
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. The budget states £15m – £20m over a period of 24 months, can you articulate the number of resources we could be expected to provide?
We cannot confirm how many resources will be required concurrently.
2. You state off-pay rules apply, but further state that a SoW per resource or delivery will be provided. This would indicate these roles would be deemed to be outside IR35, can you please clarify?
The majority of the requirements are expected to be assessed as 'inside IR35'. Use of a SOW alone is not an indicator of status and SOWs that include direction and control by the client may be determined as 'off-payroll rules apply'
3. Is SC support offered if required via sponsorship?
The authority sponsor any required clearance over and above BPSS.
4. You mention TOGAF/SABSA, are we able to leverage other security frameworks as reference architecture exp, e.g. (CIS/AWS Well-Architect)?
Yes sure. TOGAF/SABSA were mentioned as examples, we can and should leverage other security frameworks.
5. Considering there are similar Security Architecture functions that exist for individual portfolios, how do you foresee this function operating? Is it to work with the other Security Architecture functions or to eventually replace them?
As other Security Architecture contracts expire and if a requirement still exists, then the central contract will be the first option considered.
6. Could you please advise the RFP stage in more detail that will be issued to the 5 suppliers? E.g. Presentations etc.
The timings for these activities are indicative and subject to change: RFP to be issued to shortlisted suppliers on 12th Aug, deadline for responses is 1st September, presentations will be held on 16th and 17th September. The RFP evaluation criteria and weightings are shown in the advert.
7. Are suppliers who are currently providing the Security function for other portfolios able to bid for this work or is this a conflict?
Yes suppliers currently providing security architecture services to Home Office are able to tender.
8. Will you be selecting a single supplier for this engagement, or between 2-5 of your intended short-list?
The Home Office intend to award the contract to one single supplier, we will be shortlisting up to 5 suppliers to go through the final round of the RFP stage. And only one supplier will be selected from this stage to be awarded the contract.
9. Will you be selecting a single supplier for this engagement, or between 2-5 of your intended short-list?
The Home Office intend to award the contract to one single supplier, we will be shortlisting up to 5 suppliers to go through the final round of the RFP stage. And only one supplier will be selected from this stage to be awarded the contract.
10. Is there a revenue/income minimum that SMEs need to comply with for this opportunity?
"No, but it is important the Authority has confidence in the ability of the bidder to deliver a contract of the proposed value and therefore limits any risk of default during the contract which could cause significant disruption. The Authority will undertake an independent credit check to ensure that the  successful contractor is financially stable."
11. As you confirmed, this contract is outcomes based, with professional service SFIA personnel – not the supply of products. And therefore, if the average rate for a SFIA-4 is £750, then divide into £20m, gives 26,666 man days over 24 months. That works out at 256 per week, or 51+ per day. So can you clarify you are looking for teams of people across multiple locations? If so, have you considered there are not many companies that can provide 51+ dedicated people a day, and it will rule out a lot of small to medium suppliers, by default?
Requirements will be mixed with both teams and individuals across multiple locations. We appreciate that for SMEs the numbers may not be manageable and we are supporting the formation of sub-contract / partner arrangements by facilitating introductions. Sub-contractors will very much be known partners in the delivery and will not be white-labelled.
12. Following on from my last question on the number of people required, will you be sharing how you worked out your £20m budget. For example, do you have an idea of the quantity and level of skills required, per location, for 51+ people per day?
We've estimated the potential spend using contract data which indicates the spend on security architecture services across DDaT portfolio.
13. In light of the response to question 11 – about how many staff you are looking for and how this might affect the ability of SMBs to respond – your response sounds like there is no point in SMBs responding – is this a correct interpretation?
No that’s not correct. SMEs may well be able to deliver the services but the point was made that, should they need to call on sub-contract arrangements to deliver, that would be acceptable. We welcome submissions from all sizes of capable organisations.
14. Regarding Question 1, please clarify what is meant by the term ‘understanding how those roles work together’. Does this refer to how architects work with delivery teams?
Correct, understanding how security architects work with delivery teams.
15. Please define ‘operational security’ and how that is distinguished from security architecture advice. Does this refer to day to day advice on the secure handling of information in accordance with classification and operational processes?
Operational security and security architecture advice are very similar with the small difference that operational security advice goes beyond the architecture design and touches on to the BAU - basically getting closer to "plumbing" exisiting security products and implementations.
16. Does the hub and spoke governance model refer management/decision making, or to architecture?
It refers to architecture.
17. Regarding Question 7, ‘Evidence of developing, documenting and maintaining security-architecture, policies and procedures. Security risk assessments. Security input to project-planning. Conduct internal security-audits/remediation. Manage external security-audit. Ongoing skills-transfer.’ Does the authority expect a general answer, or for each point mentioned to be described? Given the word limit, it will be difficult to cover all points in sufficient detail.
A general answer that will enable us understand whether your services will meet our requirements will suffice.
18. Regarding Question 9 – Provide evidence of resources that have existing SC clearance that will support the speeding up of on-boarding teams. Please clarify the question, does this refer to the firm possessing SC cleared staff who can immediately join a project, or is the authority looking for staff who have SC clearance and are able to support the on-boarding of teams (e.g. PMO function). Does ‘on-boarding teams’ refer to our internal teams, or on-boarding other teams?
This is to gauge if you already have some SC cleared security architects who can quickly join our project teams if required urgently. Onboarding teams is basically bringing on board teams to assist with a particular project.
19. Where one case study does not fully answer a single response, can multiple case studies be used?
We have now finalised our proposal questions and a case study will not be required.
20. Regarding Question 6, ‘Evidence of providing a searchable, collaborative capability for capturing and maintaining key security architecture knowledge’. Does this refer to a knowledge library, playbooks, or a type of collaboration tool?
This is basically envidence of providing documented knoweldge base which is shareable with other teams to encourage re-use.
21. What the ethical walls in place to ensure there are fair opportunities when competing against incumbents?
Most DDaT contracts are procured via CCS frameworks so the standard framework terms are in place. It should be noted that the proposal questions do not require any Home Office specific knowledge in order to be able to respond fully.