Awarded to Actica Consulting

Start date: Monday 25 October 2021
Value: £184,200
Company size: SME
Department for Transport (DfT)

Identity and Access Management Discovery

14 Incomplete applications

12 SME, 2 large

21 Completed applications

12 SME, 9 large

Important dates

Published
Thursday 19 August 2021
Deadline for asking questions
Thursday 26 August 2021 at 11:59pm GMT
Closing date for applications
Thursday 2 September 2021 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
User-focused research into the as-is, pain points and opportunities of related programs. Expert recommendations, providing insight from robust technical domain experience, actions to improve identity governance and administration - enabling development of a robust Identity-based security strategy, resolving the pain points and enabling future delivery. All within our regulatory/security requirements.
Latest start date
Monday 11 October 2021
Expected contract length
8 Week Discovery (+ 8 week Alpha discretionary)
Location
No specific location, for example they can work remotely
Organisation the work is for
Department for Transport (DfT)
Budget range
Discovery: £200k - £250k
Alpha/Initial actions: £200k - £250k

About the work

Why the work is being done
Identity is a core element of our security and interoperability strategies and one of the Cabinet Office priorities. A robust and effective identity and access management platform and strategy will be a central pillar enabling effective secure delivery of our services both internally, within the wider DfT family, with central government colleagues and for our suppliers and customers.
Problem to be solved
We have both pressures and opportunities to improve how identity is managed within the department, our wider family and for our services. Our position has grown organically to date and so a robust discovery and exploration is needed to determine the future direction and to realise better and more effective ways of managing identity, meeting challenges and exploiting the opportunities in the best way possible.
Who the users are and what they need to do
• All members of DfT(c) staff
• DfT Family / cross-government who need to collaborate with the central department
• Suppliers and customers who need to access our (DfTc) services
Early market engagement
N/A
Any work that’s already been done
• Pre-project exploration and research.
• Initial user research within DfT(c)
Existing team
Suppliers undertaking this requirement will work remotely but in partnership with the Department for Transport’s Digital service team.

The core team will be:
• Jim Scott – Security Architect, Digital Service
• Simon Harris – Security Programme Manager and IDAM Project manager, Digital Service
• Sarah Norman – Head of Information & Cyber Security
Current phase
Not started

Work setup

Address where the work will take place
We expect this work will be done remotely for the foreseeable future. Should official guidance change during the duration of this engagement, you may be expected to attend meetings across England.
Working arrangements
We expect full-time engagement from delivery teams to deliver the required outcomes.

We would expect the discovery to be completed within 8 weeks, which should comprise several sprints, in accordance with Agile project management, to determine user needs.

Additional sprints for Alpha activity, deeper dives, further investigation or initial actions will be at the customer’s discretion.

Exact milestones will be determined with the supplier post-appointment.
Security clearance
All contractors’ personnel must be working toward security clearance level of SC as a minimum (United Kingdom Security Vetting: clearance levels - GOV.UK (www.gov.uk)).

Evidence of clearance or working toward clearance will be requested at the written proposal stage.

Additional information

Additional terms and conditions
The contract is limited to discovery only. Continuation into Alpha, actions to achieve initial recommendations/quick-wins may be approved by negotiation with the supplier. Please note: In the event that Discovery moves onto Alpha there is likely to be a short amount of downtime whilst the appropriate approvals are sought to progress.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate experience of delivering discovery project(s) and their outcomes that:- cover a broad scope of identity challenges for an enterprise, including privilege access management, identity governance and administration, and customer/supplier identity management.
  • Demonstrate experience of delivering discovery project(s) and their outcomes that:- support the formulation of identity and access management strategy in an enterprise setting
  • Demonstrate experience of delivering discovery project(s) and their outcomes that:- formulate actionable recommendations and plans to improve the identity and access management
  • Demonstrate experience of delivering discovery project(s) and their outcomes that:- have been conducted according to GDS guidelines for a government department
Nice-to-have skills and experience
  • Experience in Microsoft based identity management in a multi-cloud environment with explicit experience of interoperability between Microsoft and Google cloud platform
  • Experience in working with federated identity across multiple organisation units
  • Experience working with organisations moving towards zero trust security architecture and supporting that journey through robust identity management.
  • Find solutions that balance the needs of the user against security and regulatory standards

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Approach and methodology – 20%
  • Technical solution – 20%
  • Value for money – 10%
  • Team structure – 20%
Cultural fit criteria
  • Experience working in a public sector/government context, including awareness of governmental standards and requirements in terms of security and information protection. 5%
  • Experience working and communicating with security, assurance and technical professionals, business users and VIPs in championing the importance of robust identity and access management and control, where appropriate. 5%
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Presentation
Evaluation weighting

Technical competence

70%

Cultural fit

10%

Price

20%

Questions asked by suppliers

1. Do you have a size of team or specific roles in mind?
The proposed makeup of the team is one of the selection criteria and so we are looking for you to propose the size and make up of the team you deem to be appropriate against the requirement.
2. Do you want the team to be 100% self-contained? Will you be providing roles to augment the team? Is there a wider project / programme that the team will be reporting into?
The supplier will be responsible for the outcomes of the project. There will be close working with our security/technical architects as well as other colleagues. The project is part of a wider security improvement program, managed by a program manager and will report to our Project Deliver Group.
3. Is DfT prepared to sponsor the SC applications?
Yes – the department will sponsor SC applications.
4. Has there been any previous work conducted in this area? If so, what was done and who was this carried out by?
As per the specification – some pre-discovery user research was conducted to understand the baseline position within the organisation. Scoping and work to communicate the program has been completed. This initial work was completed by a user researcher and a security architect.
5. “All contractors’ personnel must be working toward security clearance level of SC as a minimum“ Does this mean DfT won’t sponsor people for SC clearance if we are successful?
Do all roles require SC?
In our experience we would only require SC if working with live data which we wouldn’t expect to do during discovery, is this correct?
Although appreciated this would be needed for alpha
We will sponsor as per Q2 above.
It is feasible to mix between SC and non-SC depending on roles and access; however, we would need the supplier to demonstrate how this would work in practice.
Due to the nature of identity data subject to research there is likely to be a requirement for at least some roles to have SC during discovery (there isn’t really test data).
6. Please can you clarify the expectations for “working toward clearance”. Will DfT be able to sponsor clearance for appropriate staff to work on this project?
See Clarification Answer 3.
7. If successful at the Discovery phase, will companies be excluded from subsequent phases or free to participate?
Free to participate. At our discretion, Alpha may be in scope of this bid. Any subsequent phases, depending on agreed outcomes, will be subject to a fresh procurement with no exclusions.
8. We are interested in providing a response to this proposal -
Initial Question – Is this a services delivery requirement?
Also, are you looking at different IAM/MFA/PAM Technology providers and looking for a solution deployment?
Is this a services delivery requirement? – Not at this stage, a services delivery requirement may be an outcome of discovery.
Also, are you looking at different IAM/MFA/PAM Technology providers and looking for a solution deployment? – Again, not at this stage although we are aware there are various Identity, authentication, and privilege access management providers. The requirement for these may be an outcome of discovery but isn’t being explored yet.
9. Users mentions “Suppliers and customers”, does this include members of the general public?
Yes, we have some public-facing services which are used by members of the public. The majority of these provide open data and do not have identity management. For clarity - the larger public-facing services associated with DfT (driving licences etc.) are managed by our agencies and aren’t in scope for this discovery. Suppliers should note the answers to Q10 (GDS identity program) and Q11 (decentralised identity management for suppliers and customers).
10. How does this fit with the GDS Cross-Government Identity project?
GDS identity program is one of the ‘opportunities’ referred to in the spec.
11. Approximately how many internal and external users?
We have 4.5k internal users; there are 20k (approx.) in the wider DfT family and colleagues from other government departments. Our supplier and customer (external) identity management is decentralised and has grown organically. I don’t have a figure for the numbers of suppliers and customers but expect this to be in the thousands.