NDA Cyber Security Resilience Programme - Assurance
11 Incomplete applications
8 SME, 3 large
17 Completed applications
9 SME, 8 large
- Saturday 30 April 2022
- Deadline for asking questions
- Friday 6 May 2022 at 11:59pm GMT
- Closing date for applications
- Saturday 14 May 2022 at 11:59pm GMT
- Off-payroll (IR35) determination
- Contracted out service: the off-payroll rules do not apply
- Summary of the work
- Supplier will undertake assurance activities across multiple UK sites across the NDA Group.
- Latest start date
- Friday 1 July 2022
- Expected contract length
- 24 months
- North West England
- Organisation the work is for
- Nuclear Decommissioning Authority (NDA)
- Budget range
- Circa £2m per annum.
About the work
- Why the work is being done
- The Cyber Security Resilience Programme (CSRP) within the NDA requires a partner to independently assure the outcome of work carried out in relation to the improved cyber security posture across our estate (inclusive of NDA operating companies). The selected partner will be required to work closely with the 5 pillars that make up the NDA Group.
- Problem to be solved
- The NDA requires the supplier to independently assure the capability of the NDA Group. This will include a review of all the Operating Companies using the NIST framework as the baseline standard. The organisation will be required to identify areas for improvement and areas of good practice and help the NDA and its Operating Companies to improve their capability in line with the risk appetite set by the NDA Board.
- Who the users are and what they need to do
- The lead for this work within the NDA is the CSRP Programme Manager. The supplier will work alongside the Cyber Security Governance, Risk and Compliance Manager to integrate the Risk and Assurance, the Technical Manager to ensure technical products are fit for purpose and the Project Controls Manager to ensure the Group have effective reporting and performance management systems in place. In order to complete the identified scope the supplier will be required to engage with various NDA stakeholders (CISOs and security staff), and other suppliers across the Cyber Security & Resilience Programme.
- Early market engagement
- Any work that’s already been done
- The NDA and its operating companies have adopted the NIST framework and CSRP has developed a performance management system which details the capability of each operating company set against the NIST framework. This work has been supported by a supply chain organisation with the existing contract up for renewal.
- Existing team
- The supplier will work as part of the CSRP team (circa 70 people), which is made up of a combination of NDA staff, contractors and other suppliers that are responsible for CSRP related services (such as Incident Response, Threat Intelligence and Risk/Testing). The supplier may encounter other suppliers as they engage with NDA Operating Companies, who have their own support teams and security services in place.
- Current phase
- Address where the work will take place
The main area where the CSRP team is located is Cumbria
Assurance activities will take place at all of the NDA Group Operating Companies' locations.
- Working arrangements
Due to prior Covid restrictions, previous work has been conducted remotely. However due to restrictions now lifted, face-to-face visits to sites will be required. During these instances working arrangements will be agreed with the key stakeholders.
The supplier PM and key personnel will be expected to be routinely available with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites. There will be a requirement to attend Delivery Group Meetings and deep dive reviews face to face at the request of the CSRP Programme Lead.
- Security clearance
- Appropriate security clearances for work in the nuclear sector (SC and where necessary DV clearance). The NDA will support security clearances.
- Additional terms and conditions
- Zero commitment Call-off Agreement
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
- Essential skills and experience
- Evidence of technical, personnel and physical security Assurance of third parties, highlighting gaps and areas for improvement. Evidence of developing, documenting and maintaining security policies, processes & Procedures.
- Evidence of deep dive assurance reviews aligning the maturity of a Business against the NIST framework. Must be NIST practitioners
- Evidence which drives innovation and improvement and demonstrate that the assurance activities improve operational effectiveness and deliver financial savings.
- Evidence and ability to undertake Security Risk assessments (IT/OT)/Catalogue assessments. Knowledge of HMG IS1 and IS2 and NDA CSSRF framework
- Experience of integrating Risk and Assurance outputs using a Governance, Risk & Compliance (GRC) tool, e.g. Stream.
- Experience of undertaking assurance reviews of cryptographic holdings conforming to HMG IS4.
- Experience of devising integrated assurance plans
- Ability to provide resource that has appropriate security clearances (combination of BPSS, SC and where necessary DV).
- CHECK, OSCP, CREST certified professionals and meets NCSC requirements
- Availability/Ability to commence at the beginning of July 2022 using in-house personnel
- Experience/ability to undertake a maturity review of SQEP resources working across the Group with familiarity of the CIISEC framework, and experience of undertaking a maturity review of security operations centre
- Nice-to-have skills and experience
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
- How many suppliers to evaluate
- Proposal criteria
- As above
- Cultural fit criteria
- Experience of working within CNI / highly regulated sector and the ability to work across the 17 NDA sites.
- Ability to deliver an Agile project, using relevant programme tools in house and have appropriate management systems to support this way of working, e.g. Kanban boards.
- Experience with developing apprentices, graduates and mentoring staff
- Payment approach
- Capped time and materials
- Additional assessment methods
- Evaluation weighting
Questions asked by suppliers
- 1. Is there a current incumbent supplier delivering this capability?
- 2. "Availability/Ability to commence at the beginning of July 2022 using in-house personnel" – Is it OK to propose a mixture of in-house and sub-contract personnel?
- It is ok to propose this however we will score in house teams higher than a mixture
- 3. Is this opportunity inside or outside IR35?
- This is sub contracted activity based work not level of effort and we believe that it will sit inside of IR35.
- 4. Is this an incumbent?
- This is a new contract opportunity but there is an incumbent supplier.
- 5. A number of our consultants are NIST practitioners, and they regularly undertake NIST Framework orientated engagements. What would you require in terms of evidence of practitioner status?
- We would like to see evidence of their qualification.
- 6. We rely on an ongoing relationship with a 3rd Party provider to meet the requirements for certified CHECK, OSCP and CREST practitioners. Our provider has huge experience of CNI, working with us and independently. Would the use of a third party to provide any of these services exclude us from the process?
- As above our requirement is for the organisation to be able to provide the service rather than subcontracting out.
- 7. The Opportunity specifies that NIST Practitioners are required. Does this mean people holding the NCSP qualification? If so, this qualification is not widely adopted, so would NDA accept NCSC Certified Professional (NCP) qualifications or CIISP with demonstrable experience of NIST CSF?
- We would like to see evidence that the proposed professionals have a relevant NIST qualification.
- 8. Will NDA provide access to the CSSRF Framework to allow bidders an opportunity to familiarise with it?
- Our intention is to have a two stage selection process where we down select to 5 bidders. At the down select stage we will provide documentation related to the CSSRF.
- 9. This opportunity was published on the Saturday of a bank holiday weekend, meaning that bidders have fewer than the standard allowance of 10 working days to respond. With this in mind, would the authority consider extending the submission deadline to allow bidders sufficient time to review the yet to be published clarification questions and submit a response?
- Unfortunately we had not considered this when launching the procurement and for that we apologise. Having contacted CCS to see if we can implement an extension we are unable to extend it by a few days as the procurement would have to be reset to the full 2 week period. Given the time constraints involving clearances etc we don't have the option to delay the procurement any further.
- 10. Does NDA expect direct assurance activities to extend to Operating Companies suppliers?
- This is not expected in the current scope however we will remain open to this requirement.
- 11. Does NDA anticipate any physical security assurance activity as part of the scope?
- Not expected, however we will remain open to this requirement.
- 12. How many days do you expect to take for assurance review per site and/or operating company?
- We would expect the bidders to assess this as part of their response.
- 13. What is the expectation of frequency of assessments?
- We regularly review all available management information which comes from different sources to build up an assured view of each Op Co based on the NIST framework. We undertake field work under the current operating model with Op Co's on a biannual basis. This is not a fixed position.
- 14. Does the scope include recurring assessments of Operating Companies using a risk-based approach?
- 15. Does NDA expect exhaustive assessments on all NIST categories, or applying a risk-based prioritisation approach?
- NDA & Op Co's use the full NIST process and relate this to IT / OT & Cloud.
- 16. Does NDA expect exhaustive assessments on all NIST categories, or applying a risk-based prioritisation approach?
- NDA & Op Co's use the full NIST process and relate this to IT / OT & Cloud.
- 17. Is any OpCo out-of-scope for this work?
- 18. Will the applicable NDA/Operating Companies CISO organisations provide advisory, feedback & coaching to the operating companies to clarify activities required to close gaps?
- The reports provided to the Op Co's from the assurance review are based on independent assurance; feedback, coaching and training etc. are provided by other parts of the NDA's cyber programme if requested.
- 19. Will you require suppliers to develop documentation where gaps are found for the sites?
- 20. What proportion of the team do you think will be required to cover North West England?
- If you visit the NDA website you will get a better understanding of the NDA's mission strategy & priority. Some important sites are in the North West however the NDA covers a diverse geographical region.