Awarded to Mastek (UK) Ltd

Start date: Thursday 30 September 2021
Value: £4,126,500
Company size: large
Ministry of Defence, Strategic Command UK - Defence Digital

Identity and Access Management Support Partner

7 Incomplete applications

3 SME, 4 large

3 Completed applications

2 SME, 1 large

Important dates

Published
Tuesday 29 June 2021
Deadline for asking questions
Tuesday 6 July 2021 at 11:59pm GMT
Closing date for applications
Tuesday 13 July 2021 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
The MOD is seeking a delivery partner for a number of Identity and Access Management workstreams across the OFFICIAL/SECRET domains. The work currently includes the continuation of: onboarding of relying parties, exit from existing brokering service contracts, Internet-facing solutions, and development of end-to-end people lifecycle management data, which includes a contractor onboarding portal.
Latest start date
Monday 4 October 2021
Expected contract length
An initial period of 18 months with a 6 month option.
Location
South West England
Organisation the work is for
Ministry of Defence, Strategic Command UK - Defence Digital
Budget range
The MOD expects a spend of between £6.5M and £7.9M Ex VAT

About the work

Why the work is being done
Strategic Command UK - Defence Digital needs an Identity and Access Management (IdAM) service for its IT & Digital services; this delivers part of the Ministry of Defence 2010 IDAM strategy (available on gov.uk).
This service is to provide:
1. Improved compliance with HMG’s Technology Code of Practice, by providing a reusable service, and simpler maintenance of compliance with the General Data Protection Regulation (GDPR).
2. A migration path from current IdAM and directories arrangements.
3. Identity related services that meet the Digital Service Standard, particularly for our partner organisations and external users.
Problem to be solved
MOD has many IT systems and applications that use different credentials, identities and directories. MOD is seeking a support partner to provide the skills and experience both to rapidly continue delivery of "in-flight" services under development and to configure new services through beta phases until they can pass the digital service standard for a live service, and into production live spaces. The services will be for UK users handling both OFFICIAL and SECRET information.

There are a number of services that will need to be replaced/revised and/or reconfigured to meet the needs of the Authority's digital services.
Who the users are and what they need to do
1. As an IT user, I want single sign on, so that I can seamlessly access IT & digital services
2. As an App or Service Owner, I want simpler, rule-based access to my service so that appropriate users get quicker access to my service and inappropriate ones are refused access
3. As a systems administrator, I want to maintain trust relationships between systems, so that normal IT operations can continue
4. As a Security Officer, I want a simpler means of securely providing access to IT so that access is quicker, more accurate and can be scrutinised.
Early market engagement
Any work that’s already been done
Discovery/alpha phases are complete; the product suite is NetIQ. The beta phase for IdAM is underway for an Identity Brokering Service (IBS) being developed by an onboarded partner.

Existing data sources, capabilities and systems that may be used by or form part of the service have been identified and known limitations noted. Work identifying user groups, personas and a backlog of Epics and User stories for the beta phase has been done. Direction of travel and backlog entries are mature.

Further user research and backlog refinement with the incoming team will be needed to accommodate new customer on-boarding requirements.
Existing team
The supplier will be working with a mixed team of Crown Servants and other contracted partners delivering Product Management and Business Change and service transition.

In addition to User/stakeholder access, there are other subject matter experts working with the team on a part-time/as-needed basis, including:
• architects from MOD’s Design Directorate (i.e. Enterprise architecture team) and relying parties
• technical leads and DevOps engineers from within the project team and relying parties

As the user base grows, so will a Crown Servant-staffed Service desk support team. The current team size is circa 60 personnel in total.
Current phase
Beta

Work setup

Address where the work will take place
The work will take place at MOD Corsham, SN13 9NR and remotely using MOD provided IT. Work at SECRET will be generally carried out at Andover, SP11 8HT.
Working arrangements
The supplier team will use SAFe and Agile principles, utilising a two-week sprint cycle and 3-month Programme Increments.

The partner is expected to work collaboratively with the Authority's team; infrequent face to face meetings will be required. All work at SECRET will be site based.

Delivery solutions will involve working with other MOD teams and third parties.
Security clearance
SC clearance is required as a minimum; DV clearance will be required for certain aspects of project delivery.

Additional information

Additional terms and conditions
Cyber Risk Profile: HIGH
Risk Assessment Reference: 100049927
Shortlisted suppliers invited to stage 2 will be required to complete a Supplier Assurance Questionnaire.
As the Cyber Risk Assessment is HIGH, shortlisted suppliers will need to complete a Risk Assessment for each subcontracted element of the work.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of successfully delivering an IdAM service through a full project or development lifecycle in a large or complex organisation (including testing and deployment). (10 points)
  • Experience of creating services built around NetIQ products: Identity Manager, Sentinel, Advanced Authentication, Access Manager; including design, test, configuration, deployment and integration with Microsoft Active Directory/Azure Active Directory. (10 points)
  • Experience developing large digital services that meet the Digital Service Standard for a growing community of users applying appropriate digital (Agile and user centric) methods, techniques and skills. (8 points)
  • Experience obtaining and merging information from a range of sources/systems and addressing data quality issues to provide identity, role and security attribute data supporting attribute-based access control. (8 points)
  • Experience of building and testing an end-to-end digital service demonstrating a high level of quality. (7 points)
  • Experience of DevOps Engineering – particularly deploying builds, increments, and releases through Continuous Integration and Deployment pipelines, as well as scripting environment builds and changes. (7 points)
  • Experience of designing and delivering Information Services with a high level of cyber and general security threat and very high criticality and creating documents to achieve accreditation. (7 points)
  • Experience of providing solution, service and technical architecture and architectural roadmaps in a complex, security critical environment supporting an Agile release cycle and addressing migration considerations. (8 points)
  • Experience working with MOD or similar body, including familiarity with Joint Service Publications 604 (Defence Manual of ICT) and 440 (Defence Manual of Security) or similar guidance. (10 points)
Nice-to-have skills and experience
  • Experience integrating with wider business functions using NetIQ’s APIs and scripting environment to provide a service that delivers an excellent user experience whilst meeting business policy goals. (6 points)
  • Experience of digitising transactional processes and services internal to a large enterprise by applying good practices for: usability, user research, interaction, user-centric and graphic & content design. (5 points)
  • Experience of delivery management in Agile teams building digital products according to the Government Service Design Manual, applying a range of Agile techniques and practices. (6 points)
  • Experience of designing and building assisted digital elements of a service, where it is not practical or desirable to fully digitise aspects of the service. (5 points)
  • Capability to use test driven development creating software in Java and other languages that bridges gaps in necessary user journeys including creating Web user interfaces, APIs, RESTful architecture. (6 points)
  • Experience of testing iteratively, including test data creation and test automation in the context of a mature DevOps approach. (5 points)
  • Experience of integration testing in a large enterprise, including with legacy systems, and producing formal test documentation making maximum use of quality assurance provided by the iterative testing. (6 points)

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • How you will provide the Authority with a high-quality team that embodies the required skills; in particular, why you believe the team (collectively) will be high performing. (9 points)
  • How you will balance responsiveness and flexibility to changing demands of the work (skills and capacity) as it progresses with the benefits of a stable and consistent team. (8 points)
  • Indicative structure (i.e. people or roles in your proposed team and main interrelationships), indicative profile (how the team size and roles might change over time) and start date. (7 points)
  • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. (7 points)
  • Your proposed approach and methodology to the digital service development: particularly how the various Digital, Data & Technology Roles will work together and how users will be involved. (8 points)
  • Proposed approach and methodology for achieving security/information assurance accreditation and maintaining through the Agile development, including identifying threats, putting in place controls and engagement with the risk owner(s). (6 points)
  • How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). (5 points)
  • How you will ensure that the service meets the organisation’s policy goals in terms of providing more secure Identity and Access Management/Directories processes including incorporating existing policy. (7 points)
  • Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the IdAM service after it has been developed. (8 points)
  • Technical proposal for a DevOps pipeline and suitable environments to enable rapid, modern development of the system. (9 points)
Cultural fit criteria
  • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form. (5 points)
  • Evidence to demonstrate sharing of knowledge, experience and expertise with the Authority and other team members. (4 points)
  • Evidence to demonstrate a transparent and collaborative approach to delivery. (3 points)
  • Evidence to demonstrate how you attract and retain the best talent, creating teams that reflect the diversity of the country and can deliver a diversity of thought to the Authority. (4 points)
  • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome. (5 points)
  • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors. (4 points)
  • Evidence of working successfully in an Agile manner within an organisation where some units retain a big-design-upfront/command-and-control perspective in relation to governance and project control processes. (4 points)
  • Evidence of working with organisations and stakeholders with differing levels of technical expertise. (2 points)
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Presentation
Evaluation weighting

Technical competence: 60%
Cultural fit: 10%
Price: 30%

Questions asked by suppliers

No questions have been answered yet