This opportunity is closed for applications

The deadline was Wednesday 25 January 2023
Strategic Command (UKStratCom) part of the Ministry of Defence (MoD)

CRP - Secure at Reach - Cyber Security Engineer

12 Incomplete applications

6 SME, 6 large

6 Completed applications

6 SME, 0 large

Important dates

Wednesday 11 January 2023
Deadline for asking questions
Wednesday 18 January 2023 at 11:59pm GMT
Closing date for applications
Wednesday 25 January 2023 at 11:59pm GMT


Specialist role
Cyber security consultant
Off-payroll (IR35) determination
Supply of resource: the off-payroll rules will apply to any workers engaged through a qualifying intermediary, such as their own limited company
Summary of the work
Support the project to define and mature the cyber security assessment framework/methodologies based on approach on the various assessments conducted by the project.
Latest start date
Monday 6 March 2023
Expected contract length
12 months, with an option to extend by a further 6 months, subject to financial approvals.
No specific location, for example they can work remotely
Organisation the work is for
Strategic Command (UKStratCom) part of the Ministry of Defence (MoD)
Maximum day rate
£839.18 (exc VAT) Daily Rate

About the work

Early market engagement
Who the specialist will work with
Working with Project Manager and Project Technical Lead. Specialist will be part of the core team and will work within the core team to establish work streams that will involve different suppliers where applicable.
What the specialist will work on
To develop a proven & robust process, backed up with policy and technology that will provide cyber risk identification and reduction in the deployed environment. This also include the provision of high priority risk reduction where required.

Work setup

Address where the work will take place
London / Corsham (DD CRP) / Occasional Work at UK Military Sites
Working arrangements
Hybrid working, where the core team will meet at least once every week (London) and work with assessment locations, e.g. base station of an operation. This will be determined based on the work being undertaken.
Security clearance
Minimum of SC level clearance, DV-held preferred. Clearance must be in place prior to the contract start date and remain valid for the contract duration.

Additional information

Additional terms and conditions
T&S will be reimbursable when travelling to alternate locations (to be confirmed). All expenses must be pre-agreed between the parties and must comply with the MOD Travel and Subsistence (T&S) Policy.

Off-payroll working rules apply (IR35 in-scope). Any Personal Services Company (PSC) candidates will require to come through an umbrella company.

Risk Assessment Ref: RAR-458663198

Cyber risk profile: High

Potential bidders are required to complete a Supplier Assurance Questionnaire (SAQ) against the security controls appropriate to the risk level. Tenderers should complete their SAQ using the form in the following link:

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • > Experience of conducting Cyber Security engagements on industrial plants or critical network infrastructures including risk assessment/management and deployment of appropriate security measures [7.5%]
  • > Experience in solution analysis from vulnerability management, prioritization of cyber risks and establishing mechanisms or change management procedures to ensure secure operations of the infrastructure / systems [7.5%]
  • > Experience in development, planning, and deployment of security measures including monitoring of remediation activities to completion [7.5%]
  • > Experience in system patching, deployment of specialised controls, standards, procedures or infrastructure changes to deliver a strong vulnerability remediation plan [7.5%]
  • > Ability to identify risk criticality and urgency to inform remediation strategies/plans [7.5%]
  • > Experience in Windows or Linux systems (preferably embedded systems, SCADA, CANBus, Profibus, PLCs, sensors, etc…) [5%]
  • > MoD Background or Military with joint effects background preferred [2.5%]
Nice-to-have skills and experience
  • > Have critical national infrastructure projects experience) [2.5%]
  • > Proven experience / expertise in Assessment of Operational Technology / Internet of Things systems using IEC 62443 or relevant frameworks e.g. NIST CSF, CAF or others [10%]
  • > Relevant Certified Cyber Professional (CCP) qualifications [2.5%]

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
Cultural fit criteria
  • > Work as a team with our organisation and other suppliers [collaboration across defence and its service providers] [5%]
  • > Be transparent and collaborative when making decisions [Recording all artefacts that support the decision making / rational] [5%]
  • > Take responsibility for their Work [Accountability - ability to identify potential blockers, working with multiple stakeholders / contributors to transparently achieve resolution] [5%]
  • > Share knowledge and experience with other team members [Building the project knowledge based through sharing of information / artefacts / documentation to support onboarding and growth within organisation. [5%]
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is there an incumbent?
There is no incumbent supplier for this requirement.
2. Is there a current incumbent or preferred supplier for this role?
There is no incumbent or preferred supplier for this requirement.
3. Are there incumbents for any of the 3 roles posted?
There are no incumbents for any of the 3 roles posted.
4. Can you please confirm if this role is inside/outside IR35?
The requirement is inside IR35, Reference the advert:
Off-payroll (IR35) determination: Supply of resource: the off-payroll rules will apply to any workers engaged through a qualifying intermediary, such as their own limited company.
5. Hello – in the main title you refer to a CS Engineer, in the detail you then talk of CS consultant. Can you clarify which, as each attract a different level of remuneration.
The advertised post is for a Cyber Security Engineer.
6. Does a 12 month contract mean 52 weeks paid work?
It will be the standard 220 contracting days within a year.