This opportunity is closed for applications

The deadline was Friday 20 January 2023

Central Digital and Data Office

Support the public sector to manage their DNS vulnerabilities

6 Incomplete applications

4 SME, 2 large

12 Completed applications

8 SME, 4 large

• Published: Friday 6 January 2023
• Deadline for asking questions: Friday 13 January 2023 at 11:59pm GMT
• Closing date for applications: Friday 20 January 2023 at 11:59pm GMT

Overview

• Off-payroll (IR35) determination: Contracted out service: the off-payroll rules do not apply
• Summary of the work: CDDO want a supplier to carry out a Discovery and potential Alpha into the way public sector bodies discover, triage, and resolve vulnerabilities in their DNS. We are looking for a supplier to investigate the potential for improving efficiency by using automation to self-serve this data, which we hold centrally
• Latest start date: Monday 6 February 2023
• Expected contract length: 8-week Discovery phase + 16-week Alpha phase.
• Location: No specific location, for example they can work remotely
• Organisation the work is for: Central Digital and Data Office
• Budget range: Fixed price, excluding VAT not to exceed: £650,674.00

About the work

• Why the work is being done: This work supports the delivery of the government’s Roadmap for Digital and Data 2022-2025, and the Government Cyber Security Strategy: 2022-2030. ; ; We want to reduce the time that domain-related cyber vulnerabilities are open for exploitation, and hence reduce the Government’s overall exposure to cyber risk. We believe that part of the solution is to optimise the processing of vulnerabilities, so we are investigating using organisations' existing SIEM tools or equivalent to ingest vulnerability information from CDDO's public sector domains monitoring platform. This will get the right information to the right teams in a timely manner for a rapid response.; ; The potential impact of a domain-related vulnerability is not always well understood, so we also believe that business changes may be required at working and senior levels to embed the right accountabilities and responsibilities and so ensure domain-related vulnerabilities are fixed quickly. ; ; Having an accurate and up-to-date list of all domains and subdomains that an organisation has is a key dependency for finding vulnerabilities, so we want public sector organisations to maintain such lists, understand what their domains are being used for, and share this information regularly with CDDO's domains monitoring platform. This will likely require business changes within the organisation.
• Problem to be solved: Discovery: (20% budget); -Recruit 4 public sector partner organisations with a large number of subdomains, willing to participate. These organisations must be using at least 3 different SIEM tools or equivalent between them; -Understand how these organisations manage domains; how they receive, triage, resolve vulnerabilities in those subdomains; to what extent senior staff understand the threat represented by these vulnerabilities; and what business process change would be needed to reduce the number and duration of such vulnerabilities ; -Identify what, and how, automation can be brought to bear to solve this problem; -Developed a set of KPIs that will tell us whether or not our Alpha approaches are a success; ; Alpha: (80% budget); For each organisation:; -Support partner organisations to ingest standardised data from the domains team's monitoring platform into their SIEM tool/equivalent; -Prototype business changes needed to reduce the frequency and duration of these domain-related cyber vulnerabilities ; -Prototype a solution that would maintain an up-to-date list of all domains and subdomains that an organisation has; -Prototype a solution that enables these lists of domains/subdomains to be shared with CDDO; -Identify at most three effective solutions as measured by the KPIs defined in the Discovery; -Pass Service Assessment for both phases
• Who the users are and what they need to do: Group 1:; domain managers - people with technical skills to manage domain records correctly; those that operate Security Information,Event Management tools,Security Operations Centres or otherwise monitor health and security of their external facing cloud services.; ; As one of these users, I need to be made aware of/understand the significance of any domain related vulnerabilities in my organisation so that:; I can address these vulnerabilities quickly and manage my domains properly; I can manage my domains alongside my other digital assets.; ; Group 2:; ; domain name administrators - people with authority to request significant changes to a .gov.uk domain name; those responsible for digital services that a public sector organisation provides, or someone who works for them; those accountable for business risk in a public sector organisation, or someone who works for them.; ; As one of these users, I need to be made aware of any domain related vulnerabilities in my organisation so that:; I understand and can prioritise the cyber risks associated with my domains ; I can ensure that my organisation has the resources, skills, focus to address these risks quickly; my organisation's digital services operate effectively and remain available; my organisation is trusted online by other government/commercial organisations and citizens.
• Any work that’s already been done: CDDO has been running an operations team for some time, which currently carries out this work via email. We have not carried out a formal discovery, but we have a lot of anecdata. We have also built a domains monitoring platform. We will use this to ingest data from our Alpha partners, ensuring that any data we provide to them through the prototyping phase is valid and useful. We will have developed strong relationships with 4-8 organisations from across the public sector that meet our criteria, including at least one large central government department and one large local authority.
• Existing team: The supplier will work alongside our existing development team, to identify improvements to our API (if users want to ingest this intelligence automatically). The team is interested in publishing the data in a standard format that can be ingested by SIEM tooling; ; They will also work with the operations team, who have a wealth of experience in this space and excellent contacts with the wider public sector
• Current phase: Not started

Work setup

• Address where the work will take place: No specific region, they can work remotely. The domains team is normally based at The White Chapel Building 10 Whitechapel High Street, 7th Floor, London, E1 8QS
• Working arrangements: The supplier can rely on CDDO to provide specialist domain knowledge.; We expect the supplier to meet with us virtually, using Google Meet or similar platforms.; There will be no reimbursement for travel costs to meet stakeholders.
• Security clearance: SC

Additional information

• Additional terms and conditions: There will be a break clause and we reserve the right to re-tender for the Alpha phase.; ; "All expenses must be pre-agreed with between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy."; ; "All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website:https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/"

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • Experience of successfully passing the service assessment process, specifically at Discovery/Alpha stage
  • Experience of delivering business and technical changes that improve how a large public sector organisation addresses its operational cyber security risks
  • Experience of translating complex technical issues and security vulnerabilities into actions that can be understood and implemented by non-technical people
  • Experience of designing and implementing KPIs for business and technical changes that demonstrate measurable improvements in cyber security posture
  • Experience of a broad knowledge of a range of popular SIEM tools, including how to configure them to ingest different types of external data.
• Nice-to-have skills and experience:
  • List three common misconfigurations in DNS, and the security impact(s) they would have on a public sector organisation
  • Experience of influencing senior executives and helping them understand security risks in a holistic way
  • Experience conducting user research with deep technical experts, including analysis and synthesis

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

• How many suppliers to evaluate: 3
• Proposal criteria:
  • The proposed approach and methodology - 30 points
  • How the approach identifies risks and dependencies and offers ways to manage them - 20 points
  • Please provide details of your overall team structure, including relevant roles, expertise and skills. Please also detail how this structure will deliver the requirements of this contract. - 10 points
  • How the approach will ensure the programme can be continued by another supplier - 10 points
  • Please provide work histories of all proposed team members - these will be scored as a set. - 15 points
  • How proposed approach meets our timeframe - 5 points
• Cultural fit criteria: Please provide evidence of a team which reflects the diversity of the nation.
• Payment approach: Fixed price
• Additional assessment methods: Presentation
• Evaluation weighting:

  Technical competence

  75%

  Cultural fit

  5%

  Price

  20%

Questions asked by suppliers

• 1. Can you confirm that requiring CVs from proposed team members is consistent with this work being delivered as a contracted out service and therefore does not jeopardise the IR35 status of the work?: Yes, the contract is outside IR35. The CVs provide supporting evidence that the supplier has the capability to deliver.
• 2. Please can CDDO confirm whether there is an incumbent supplier supporting your domain management activities (other than the internal team mentioned) and if so, whether they are expected to bid in this process?: There is no incumbent supplier.
• 3. Do you have a list of public sector organisations to be recruited from, or must the supplier canvass then recruit?: A number of departments and public sector bodies have already expressed an interest in the programme and we will pass these on to the successful bidder. However, we expect the supplier to assess these organisations for suitability, and if necessary recruit others. The Cabinet Office could be included as a department.
• 4. We understand four organisations are to participate. Could you please confirm whether we would be responsible for recruiting these organisations or does this sit with CDDO?: A number of departments and public sector bodies have already expressed an interest in the programme and we will pass these on to the successful bidder. However, we expect the supplier to assess these organisations for suitability, and if necessary recruit others. The Cabinet Office could be included as a department.
• 5. The 4 public sector organisations with a large number of subdomains that are to be identified, are these to be outside of the cabinet office?: A number of departments and public sector bodies have already expressed an interest in the programme and we will pass these on to the successful bidder. However, we expect the supplier to assess these organisations for suitability, and if necessary recruit others. The Cabinet Office could be included as a department.
• 6. Please confirm the current API referred to, as we cannot see it indexed under https://www.api.gov.uk/cddo/#central-digital-and-data-office: The API is not currently public.
• 7. Research, process and change factors aside: would the CDDO consider a pre-existing commercial product as a viable technical solution (which is not made by the bidder and would be licensed between CDDO and third-party)?: Yes.
• 8. Do you require the whole team to be SC cleared or only specific roles with access to data? Will you sponsor SC clearances or will you require all team members to be SC cleared when they begin work?: The nature of the work we are undertaking means that an individual could reasonably overhear a discussion that would be highly damaging to HMG. Therefore, even those without access to the data will need to be cleared to SC. As the framework states, suppliers can be sponsored for SC if they not have clearance - see https://assets.crowncommercial.gov.uk/wp-content/uploads/RM1043.7-DOS-5-Supplier-onboarding-QA.pdf
• 9. Will you provide CDDO laptops / collaboration software for supplier staff for this work?: Yes.
• 10. For nice to have criteria “List three common misconfigurations in DNS, and the security impact(s) they would have on a public sector organisation” – is it required to embed the 3 criteria in a case study example as for other criteria? How might a supplier exceed on this criteria and score 3?: This is not a case study example. It is a question to test technical competence in this area. To exceed on this question, the supplier's answer will discuss each criterion and demonstrate an understanding of not just technical security but the wider impact on the organisation.
• 11. Can you advise on your procurement timetable once first round submissions have been made?: Yes, suppliers that get through the shortlisting stage will be advised of the proposed timeline.
• 12. For the following question, please can you define what you mean by ‘implemented’? Do you mean implemented as in policy, or actual implementation? Experience of translating complex technical issues and security vulnerabilities into actions that can be understood and implemented by non-technical people: In answer to this question, suppliers should provide an example of a time where their advocacy and clear explanation has resulted in improved security for an organisation. The improved security might have come through a policy change, a configuration change, or even a cultural change. We want to have confidence that the supplier is able to translate the complex problems in the DNS space into language that a very busy, non-technical person can understand and take action on.
• 13. Your latest start date of Monday 6 February 2023 doesn’t seem to give enough time for usual procurement timelines and contract award / standstill period – can you confirm that the start date is correct and that the procurement timetable will be adhered to to meet this date?: The original procurement timetable will now be amended following successful shortlisting. To account for the rest of the procurement process, we anticipate that the contract will start w/c 27/02/23. This is subject to change as the formal procurement competition is still yet to take place. Cabinet Office / Crown Commercial Service will ensure that all timetables are issued within sufficient time following successful completion of the Digital Marketplace shortlisting process.
• 14. Is CDDO‘s aim to utilise existing SIEM tools and technology that is currently deployed in public partner organisations by integrating them with their current “CDDO public sector domain monitoring platform” or is there a need to procure a new technology DNS protection solution?: We expect to utilise existing SIEM tools and technology.
• 15. Are the discovered domain related cyber vulnerabilities in the public organisations expected to be remediated by the public sector organisations support team and not CDDO?: Yes, any vulnerabilities should be remediated by the team that owns them.
• 16. What is the future role for CDDO in terms of DNS protection ? e.g. co-ordinate threat intelligence on known domain related cyber vulnerabilities across all public partnership organisations domains that are onboarded?: This is subject to future funding and approval decisions within Cabinet Office.
• 17. Can you share the details of the current CDDO solution?: We cannot share such details at this stage.
• 18. Are there specific SIEM tools you’re looking for experience in?: We are looking for experience in as broad a range as possible, in order to cover the tools most likely in use by our Public Sector partners.
• 19. Is automated VA scanning already in place or is this a requirement that hasn’t been scoped / included?: Monitoring for domains vulnerabilities is in place.