Awarded to Nine23

Start date: Tuesday 8 February 2022
Value: £10,000
Company size: SME
Huntingdon District Council, Cambridge City Council, South Cambridgeshire District Council

Investigation and feasibility to implement zero trust technology

8 Incomplete applications

5 SME, 3 large

5 Completed applications

5 SME, 0 large

Important dates

Monday 11 October 2021
Deadline for asking questions
Monday 18 October 2021 at 11:59pm GMT
Closing date for applications
Monday 25 October 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
We shall review the current operation within our tenant, anticipating an outcomes paper detailing analysis, recommendations and a plan to implement a solution for secure shared access.

This may take the form of workshops to:
  • understand existing environment
  • understand business users' requirements for future set up
  • review technical/security requirements and options
Latest start date
Monday 15 November 2021
Expected contract length
4 to 6 weeks
No specific location, for example they can work remotely
Organisation the work is for
Huntingdon District Council, Cambridge City Council, South Cambridgeshire District Council
Budget range
£5k - £10k

About the work

Why the work is being done
The council require the ability to share documents, videos and other artifacts with an increasing number of external organisations that are not connected to our network infrastructure.

We are looking to embrace existing technologies to review options to move to a Zero Trust Security model.
Problem to be solved
Currently our tenant is secured for internal staff only, in a walled garden security approach, but we are increasingly seeing requirements for external sharing with other local authorities/partnerships, councillors, external organisations and in some cases individuals.
Who the users are and what they need to do
As a council we need to be able to share data, documents, recordings and other artifacts with external customers and guests of the council. We need to do this so that the right artifacts are shared with the correct individuals and organisations easily yet securely.
Early market engagement
There has been no market engagement previously for this activity
Any work that’s already been done
The council have compiled a series of requirements that follow a common theme: the need to share data and artifacts externally with organisations and individuals external to the council.
Existing team
There is no official team organised at present, anticipating that the discovery stage shall inform on the best approach to deliver the required outcome. The selected supplier will have access to technical IT and some business users to get an overall picture of what we are wanting to achieve.
Current phase

Work setup

Address where the work will take place
St Mary's St,
PE29 3TN

Mostly Remote
Working arrangements
The work can be predominantly remote. The council encourages home working. Most of the investigation can be completed remotely. However, if there is a need to meet face to face, this can be in Huntingdon at the council office or at another location.
Security clearance
None needed

Additional information

Additional terms and conditions
none specified

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • have previous experience implementing zero trust technologies and process
  • have previous experience of delivering discovery phases where the outcomes are actionable recommendations
  • able to provision skills in technical architecture and network design with all round knowledge of Microsoft products and knowledge of Azure
  • be able to provide services including business analysis (requirements gathering), process mapping, best practice assessment, options appraisal, specification development
  • be able to evidence using technology to build resilient platforms and solutions
  • experience in traditional infrastructure and data centre set up
  • experience of cybersecurity controls
  • able to build capability in client departments demonstrating knowledge transfer
  • able to showcase delivering discovery projects covering a broad scope
  • highlight similar projects within the public sector
  • the supplier should be comfortable with remote working and video conferencing
  • be able to communicate to non-technical people without the use of complex technical jargon
Nice-to-have skills and experience
  • highlight working with organisations moving towards a zero trust architecture
  • find solutions that balance the needs of the users against security regulations
  • be a Microsoft partner

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • technical solution
  • approach and methodology, how the approach meets the requirements
  • identified risks and dependencies
  • value for money
Cultural fit criteria
  • offer collaboration in and across teams where there are multiple organisational stakeholders
  • knowledge transfer to permanent staff within the client organisation
  • have the ability to manage stakeholder expectations, ensuring clear communication lines on progress and risk
  • demonstrate continuous improvement: people, process and solutions
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Can you describe the purpose of the sharing you wished to undertake that requires zero trust. Is this to
A support provision of information on an authorised access basis in the context of a specific transaction
B as part of meeting GDPR obligations for data portability, subject access requests
C provide portable proofs of claim to citizens to remove the need for physical letters or evidence to support their activities e.g. applying for benefits or grants
We require to support the provision of information and artifacts on an authorised basis in the context of transactions. This is better explained by a user story.
There are lots of briefings run by various departments for councillors on a wide range of subjects. Not all Members are able to attend these briefings and there is often only one session run, particularly when given by external organisations.
Councillors expect to, and should be able to, access these briefings at a later date by recording them but this is not currently possible due to factors in our setup.
2. Please can you define the context in which you are using the term Tenant, is it
A – A citizen who is a tenant of the council or other registered social landlord
B – An organisation who is a tenant of the council's commercial property portfolio
C – A tenant who is using Council platforms and services as a client
None of the above. In this context when we are using the word tenant we are referring to the organisational environment for our IT assets with particular reference to the Office 365 stack where our subscription contains SharePoint, PowerBI, Exchange, Teams, OneDrive, Office etc. Within this we have users, domains, groups, subscriptions that have access to the tenant and create documents, recordings, artifacts that we would like to share with others outside of the tenant.
3. Would you be prepared to consider a distributed solution whereby citizens can hold certified copies of documents and access control rights to content hosted by the council to enable them to share these documents with third parties. This would reduce the threat vector of access to Council Systems by empowering the individual with their own certified copies of the data / documents / assets
Yes we would. As stated we are looking for a safe and secure way to share artifacts with people and organisations that are external to the 3 councils. We are open to any ideas that are proven to satisfy the needs of council and do so in a safe, easily managed and easily implemented operation. Ultimately IT need to give the councils the tools to be able to share artifacts safely. It will be the administrators within the council that execute sharing rights so that needs to be straightforward, easily operated and monitored.
4. Is the 10k budget for a discovery project a fixed budget or variable?
The budget set for the discovery phase is £5k to £10k. £10k is the maximum the councils can go to for this piece of work. We do not have the authority to increase that budget so to that extent the budget is a maximum, fixed value. The council anticipates that for the discovery phase the minimum it would be is £5k.
5. Can you please revalidate the budget for the discovery work as this seems to be specialised effort?
The budget set for the discovery phase is a maximum of £10k. Let me reiterate this is a feasibility study of what is possible given our current IT structure and the way the councils want to operate. I should also say this is not the delivery and implementation stage. It is envisaged that the councils shall initiate other stages to accomplish the overall outcome to be able to share documents and artifacts easily with external organisations and individuals through better use of technology.
6. Caretower would like to propose that the discovery and scoping of the services for a solution be considered as a pre-sales engagement, and therefore not chargeable. This engagement would be delivered in partnership with the vendor, Galaxkey who already provide such services to the DfE, MoJ and other Local Authorities. Would your consortium accept an approach on this basis. Galaxkey is CPA certified by the NCSC.
The councils would prefer that a supplier approach this requirement as a distinct piece of work and at the end of that work the councils have no obligation to take any further action and nor are they obligated to appoint a supplier that approached this as pre-sales activity. Our requirement is to be fair to all parties with the understanding that at the end of this phase of work the 3 councils can determine their next action based on a clear cut activity with no obligation to any supplier. Therefore we would not consider this as a pre-sales engagement.
7. Is there an incumbent supplier? If so, are they bidding?
There is no incumbent supplier. The councils have an IT department that has implemented and supported its own MS Office suite environment. In the past other organisations have assisted in this setup but that was some years ago and there is no engagement with any supplier currently, hence the requirement.
8. Would the council be open to an entirely cloud-based system for sharing files?
That is not beyond the realms of possibility, we are looking for a company to challenge the councils' IT department and offer a working solution that can eventually be supported and maintained by the councils' IT but the criteria to share a file with an external company or individual will be with the council staff and that needs to be an "easy" operation. Keep in mind the councils operate an on-premise Data Centre and that shall remain for the foreseeable future.
9. Have the councils considered identity checks for individuals requesting access to documents or data and do they envisage different levels of assurance (LOA) depending on Personal Identity Information (PII) or sensitivity of information being shared? Do administrators in the councils currently have an easy and automated way to verify the identity of individuals and linking them to shared credentials?
The councils' IT have not considered this, and this may be something that we shall require as part of the overall solution. The council administrators, who shall be sharing the documents, videos, artifacts with external organisations and individuals, will know their audience and have manually identified those who shall receive artifacts. Currently, through other tools we do share documents with external organisations but there is no easy and automated way of verifying their identity except through manual action.
10. Would the council be open to considering a cloud-only, Microsoft 365 based implementation that uses Azure Active Directory to manage access control, SharePoint Online to store the information and artifacts, and workflows and user interfaces to enable administrators to manage different transactions – the workflows and user interfaces would likely be built with Microsoft technology (Power Platform, Azure Automation runbooks, SharePoint Framework webparts etc.) If so would the council still require experience in traditional infrastructure and data centre set up for this project?
The council are open to any workable solution that shall deliver the requirements of the business. So this approach would be considered and it might be that we "bunny hop" to this final point. However we are a traditional infrastructure and Data Centre operation and would envisage the selected supplier would have some experience of this.
11. Would the council consider experience of configuring Azure Active Directory sufficient so as to meet the essential requirement ‘experience of cybersecurity controls’?
The council IT are interested to hear from any supplier that feels they have a solution to offer that would satisfy our requirements to share documents and artifacts with external agencies. On the face of it experience of configuring Azure Active Directory may be sufficient to tick the cybersecurity controls box, however we'd anticipate this to be complemented with experience in cybersecurity prevention, detection, and response protocols, that would give us an overall view of how we can share artifacts with external agencies.