Awarded to ThoughtWorks Limited

Start date: Monday 11 September 2017
Value: £261,120
Company size: large

Department for Work and Pensions

Department For Work And Pensions - DevOps/DevSecOps and Developer Support

8

Incomplete applications

6 SME, 2 large

8

Completed applications

5 SME, 3 large

Published	Friday 23 June 2017
Deadline for asking questions	Friday 30 June 2017 at 11:59pm GMT
Closing date for applications	Friday 7 July 2017 at 11:59pm GMT

Overview

Summary of the work	Design and automate the provision of security products, microservices, toolings and key infrastructure. Design out/introduce remediation for vulnerabilities identified by external penetration testing and continuous vulnerability management tool. Our estimates suggest we will need a service delivery team consisting of 1 experienced DevOps, 1 DevSecOps, and a developer.
Latest start date	Monday 7 August 2017
Expected contract length	This will be a two year contract with an initial Statement of Works for up to 4 months
Location	London
Organisation the work is for	Department for Work and Pensions
Budget range

About the work

Why the work is being done	In order to ensure that this key DWP application is able to support the scaling and security requirements, it is being re-engineered for resilience and to allow it to operate in a commodity cloud hosting environment. In support of this, Agile and adaptable vulnerability management within production, support and development environments is required to support risk management activity.
Problem to be solved	The scaling and security goals for the application have led to a strategy of commodity cloud hosting. There is a need to develop and implement solutions to remediate any identified vulnerabilities.
Who the users are and what they need to do	Universal Credit Claimants will use the the system to mange and progress their claim online. DWP Job Centre and Services Centre Agents will use the system to perform their roles in support of the Universal Credit Applicants.
Early market engagement
Any work that’s already been done	Work to deliver a Minimum Viable Product (MVP) is concluding.
Existing team	The supplier will be working as a part of a multi-disciplinary team dedicated to the work to migrate the service to a commodity cloud platform. This team consists of internal DevOps, QA, network engineers, Security and delivery / project managers. The team is 10 strong and follows agile processes to prioritise and manage the activities.
Current phase	Discovery

Work setup

Address where the work will take place	Caxton House, London
Working arrangements	On-site in London office for the majority of the time with some scope for remote working. The collaborative nature of the team means that face to face interaction and presence at daily stand-ups is essential.
Security clearance	SC clearance.

Additional information

Additional terms and conditions	Additional DWP Terms and Conditions will apply. These can be found at https://dwp.bravosolution.co.uk/web/login.shtml.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience	Experience designing and implementing secure, resilient, highly available configurations of infrastructure components.- 5% Extensive, demonstrable knowledge of system security vulnerabilities and remediation techniques.- 5% Experience of automation of cloud deployments and developing infrastructure as code using terraform.- 5% Experience creating destructive testing frameworks including the use of Jepsen to simulate failure scenarios.- 4% Experience of cloud migrations for large microservice architectures- 5% Capacity to supply,experienced DevOps, DevSecOps engineer and developer with technical skills (>3 years’ experience) in Terraform, puppet, github, bash, python, java, Mongo, ActiveMQ, jepsen, microservice architectures,commodity cloud environments- 5% Have experience of working within DWP or a comparable organisation within the last 3 years- 5%
Nice-to-have skills and experience	Ability to provide technical leadership in multi-supplier team environments- 3% Experience working with AWS- 3%

How suppliers will be evaluated

How many suppliers to evaluate	3
Proposal criteria	Please provide details of situations where your resources have delivered DevOps and testing engineering / development capability within the context of vulnerability management using agile methodologies- 7% What experience do you have delivering major cloud migration projects for a comparable customer. Please clarify how your resources added value, delivery focus and technical leadership- 7% Experience of aligning activities with other parallel work streams, ensuring quality standards are maintained- 7% In past assignments,how have you ensured that you gain at pace, a detailed understanding of the service and project requirements to allow rapid, involvement in design and decision activities- 7% Describe your processes for identification of risks and dependencies and the approaches to manage them- 7%
Cultural fit criteria	Describe your processes for identification of risks and dependencies and the approaches to manage them- 5%
Payment approach	Capped time and materials
Assessment methods	Written proposal Work history Presentation
Evaluation weighting	Technical competence 75% Cultural fit 5% Price 20%

Questions asked by suppliers

1. Will the role fall within IR35 legislation?	At this time the role has been deemed as outside of IR35 however, should the features of the engagement change, a further assessment will be made which could change the determination.
2. Does this fall within the IR35 rules?	At this time the role has been deemed as outside of IR35 however, should the features of the engagement change, a further assessment will be made which could change the determination.
3. Is there flexibility to propose a revised resourcing profile, or is the requested profile decided upon and agreed internally?	We require the skillsets and (team) composition specified in order to meet the requirements of this crucial piece of work. However, we are willing to consider an alternative resourcing profile as part of any proposal.