Central Digital and Data Office

WP1978: Domains toolset stabilisation and enhancements

7 Incomplete applications

6 SME, 1 large

0 Completed applications

Important dates

Tuesday 20 July 2021
Deadline for asking questions
Tuesday 27 July 2021 at 11:59pm GMT
Closing date for applications
Tuesday 3 August 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
Creation of an MVP domain checking toolset by integrating an existing prototype with commercially available third party services
Latest start date
Thursday 30 September 2021
Expected contract length
1 year
No specific location, for example they can work remotely
Organisation the work is for
Central Digital and Data Office
Budget range

About the work

Why the work is being done
This work supports the Cabinet Office's priority to strengthen and secure the UK.

Secure government services depend on secure domain names. CDDO helps public sector organisations keep their domain names secure through guidance (Keeping your domain name secure), and providing focused support where needed.

There are several commercial services that can check the DNS and domains for issues, and CDDO has also developed its own prototype toolset that can be used alongside these.

The CDDO prototype toolset has been operating successfully for 18 months. We now want to create an MVP that:
- collects data from commercially available services selected by CDDO
- augments this with data from CDDO's prototype toolset, refactored as necessary
- brings together all the collected data, into a secure repository of known domains and issues
- allows the repository to be viewed, interrogated, filtered, and managed to allow the team to work through the issues, according to priorities, to resolution
- is of production quality, and able to be used and maintained by a small group of technical and non-technical staff.

CDDO will establish the necessary relationships, and provide the licences and support from the suppliers of commercial services.

To be completed by December 2021.
Problem to be solved
1. Onboard/design (~15%-budget)
Understand the current prototype, MVP specification and high-level solution architecture provided by CDDO. Provide a detailed design showing how the components will integrate to meet the MVP.

2. Build. Integrate outputs from the selected set of commercial tools, namely: (~15%-budget)
- DNS infrastructure and checks for changes
- domain discovery
- checks for domain issue-types
- manage results from different sources
- a database of domain issues, aligned with a new data model.
- tests to show which parts of the MVP are met

3. Refactor parts of the existing prototype toolset for functionality not provided by commercial services (~40%-budget)
- refactor prototype toolset
- integrate outputs into the database
- show which parts of the MVP are met

4. Present and analyse the data (~20%-budget)
- enable records to be manually updated individually or in bulk with additional information
- enable the repository to be sorted, filtered, viewed in tabular or graphical form, exported, and browsable for analysis
- enable users to generate summary reports for specific stakeholders.
- Show that all requirements in the MVP are met

5. Operation (~10%-budget)
- train users in using the toolset.
- train technical staff in maintaining the toolset.
Who the users are and what they need to do
Users of the domains toolset:
As a member of the CDDO Domains Team, I need to:
- know what domain configuration issues exist and how to fix them
- alert and advise stakeholders (eg people who are responsible for a public sector domain name) about domain configuration issues
- ensure the quick resolution of domain configurations
So that:
- security vulnerabilities in public sector domains are minimised
- public sector digital services remain available
- CDDO is supporting Cabinet Office's priority to strengthen and secure the United Kingdom at home and abroad.

People who are not users of the domain toolset:
As the person responsible for a public sector domain name, or other stakeholder, I need to:
- be made aware of any domain configuration issues in my organisation
So that:
- I can manage my domain properly
- my organisation's digital presence remains available
- my organisation's digital services runs effectively
- my organisation is trusted online by other government organisations, commercial organisations and citizens.
Early market engagement
Any work that’s already been done
A significant amount of work has already gone into the prototype toolset.

It has been built according to the GDS Way , most components are well documented and operating at production quality, and the discovery phase is complete.

The toolset currently:
- collects data
- identifies certain domain configuration issues from the data collected
- presents that information in files for specialist users
- passes some of its data to Salesforce for generalist users
- exports some of its data via Salesforce API to third parties
Existing team
The supplier will be working with the CDDO Domains team. This team includes subject matter experts. The team can provide material produced by recent user research and service design
Current phase

Work setup

Address where the work will take place
No specific region, they can work remotely. The domains team is normally based at The White Chapel Building 10 Whitechapel High Street, 7th Floor, London, E1 8QS
Working arrangements
This is a piece of development work whose primary focus is on getting information presented to a small community of specialist users quickly and accurately. As such, the team should consist predominately of senior specialist developers. The supplier can rely on CDDO to provide specialist domain knowledge, user research and service design input.
Security clearance
SC clearance required

Additional information

Additional terms and conditions
All expenses must be pre-agreed with between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy.

All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website:https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • In depth knowledge of: - AWS
  • In depth knowledge of: - Postgres
  • In depth knowledge of: - Python
  • In depth knowledge of: - DNS
  • In depth knowledge of: - Scripting
  • In depth knowledge of: - Salesforce
  • In depth knowledge of: - Building capability to interact with third party APIs, including Salesforce and EPP.
  • In depth knowledge of the public core of the internet, specifically: - naming and numbering systems
  • In depth knowledge of the public core of the internet, specifically: - cryptographic security and identity mechanisms
  • In depth knowledge of the public core of the internet, specifically: - common protocols and standards
  • Experience of operating in a hybrid of Agile, waterfall and other project delivery methodologies.
Nice-to-have skills and experience
  • Experience of the DNS marketplace and global structure
  • Experience of Public Sector IT strategy
  • Experience in delivering services in accordance with the Technology Code of Practice.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • The proposed technical solution - 40 points
  • The proposed approach and methodology - 10 points
  • How the approach meets our business goals - 10 points
  • How the approach meets our business goals - 10 points
  • How proposed approach meets our timeframe - 5 points
  • How the approach identifies risks and dependencies and offers ways to manage them - 10 points
  • Team structure and organisational makeup - 5 points
  • Value for money of the proposed solution - 10 points
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Transparent and collaborative when making decisions
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Will there be any further Q&A sessions?
We have provisional plans to hold a Q&A session potentially on 26 July 2021. If you are interested in joining, please contact, gds-digital-buyer@digital.cabinet-office.gov.uk
2. Does the £300k budget cover all of the five points in the scope/ ‘problem to be solved’ section?
3. Who was the incumbent at the discovery stage?
The majority of the work was carried out internally.
4. Would the CDDO cover security clearance sponsorship or would consultants need to be security cleared prior to starting the delivery?
The latest start date is 13 September 2021. The currently published date of 30 September 2021 is an error.
6. If suppliers could do it faster, would that be acceptable?
Yes, that is fine.
7. Would the Alpha be GDS assessed?
It would not be.
8. Please can you confirm what you mean by the public sector IT strategy?
We're not referring to one single document, we mean the collection of material published by Cabinet Office and NCSC that supports the cloud first policy.
9. What is the connection to Salesforce?
When we first started buliding this tool, we was looking for a way to present data about a large number of customers, things we know about them, and our histort of engagement with them. Salesforce is a great fit for this, and it also comes with strong authentication, a large customer base and a good API. We currently use Salesforce for this part of the toolset, but we may choose to move to another platform if we find any showstoppers
10. Would BPSS be sufficient?
SC will be required and would have to be in place before supplier begins work.

The deadline for asking questions about this opportunity was Tuesday 27 July 2021.