Awarded to Frazer-Nash Consultancy

Start date: Friday 1 December 2017
Value: £40,000
Company size: large
Department for Business, Energy and Industrial Strategy

Industry engagement for a penetration testing framework for the civil nuclear sector (NBEST)

10 Incomplete applications

7 SME, 3 large

11 Completed applications

3 SME, 8 large

Important dates

Monday 2 October 2017
Deadline for asking questions
Monday 9 October 2017 at 11:59pm GMT
Closing date for applications
Monday 16 October 2017 at 11:59pm GMT


Summary of the work
To deliver a written framework for carrying out advanced cyber assessments for the civil nuclear sector. In doing so, the contracted party will facilitate up to six workshops with industry representatives from the civil nuclear sector, threat intelligence and penetration testing providers over a three month period.
Latest start date
Monday 30 October 2017
Expected contract length
3 months, following sign off of the framework.
Organisation the work is for
Department for Business, Energy and Industrial Strategy
Budget range
The target budget for the 3 months of work is for approximately £40,000 exclusive of VAT.

Contractors should provide a full and detailed breakdown of costs (including options where appropriate). This should include staff (and day rate) allocated to specific tasks.

About the work

Why the work is being done
The civil nuclear sector has invested in a broad range of cyber security and resilience measures in order to protect against, and mitigate the impacts of, cyber attacks.

An advanced cyber assessment will examine how effectively the protective cyber security and resilience measures have been implemented by the company/site, and whether or not they increase the capability to deter, detect, and defend against risk scenarios developed by the Department of Business, Energy and Industrial Strategy (BEIS), the Office for Nuclear Regulation (ONR), the National Cyber Security Centre (NCSC), and industry.
Problem to be solved
To deliver a technical written framework for carrying out advanced cyber assessments for the nuclear sector. In doing so, the contracted party will facilitate up to six workshops with industry representatives from the civil nuclear sector, threat intelligence and penetration testing providers over a three month period.

The engagement with industry will determine the appetite for, and viability of, carrying out penetration tests on nuclear sites. It will also look to establish any ‘red lines’ for the tests.
Who the users are and what they need to do
If the industry engagement proves successful and determines penetration testing is possible on nuclear sites, all civil nuclear licenced sites and the supply chain will be potential users of the framework. It will be used as part of a suite of tools to provide assurance to themselves, the regulator and government on the efficacy of their cyber security arrangements, and that vulnerabilities are being properly assessed and mitigated.
Early market engagement
Any work that’s already been done
Similar frameworks have been developed for the finance and telecoms sectors with support from the Bank of England (CBEST) and the Department for Digital, Culture, Media and Sport. This work should build on the existing frameworks, and benefit from the lessons learned.

The ONR has recently appointed a contractor to carry out a similar but distinct piece of work on conducting evaluations of cyber arragements at nuclear facilities, including a process to determine the readiness of sites to undergo an advanced penetration test. This is complementary to and will build on the work advertised here, but is separate from it.
Existing team
The supplier will be working with the civil nuclear cyber security team in BEIS who will manage the contract. The supplier will also need to work with teams in the National Cyber Security Centre, the Office for Nuclear Regulation, the Nuclear Decommissioning Authority and wider industry.
Current phase

Work setup

Address where the work will take place
Work will take place at BEIS offices (central London) and the supplier site as required. Work may also need to be carried out at sites in the North of England to allow participation by the greatest number of industry members.
Working arrangements
Actual arrangements will be agreed at the outset of Discovery. Users and stakeholders are nationwide so we anticipate a requirement to engage users from different regional areas.
Security clearance
Baseline Personnel Security Standard (BPSS)

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Have an aptitude for successfully carrying out and facilitating stakeholder engagement to achieve project objectives.
  • Have an understanding of the risks and benefits of penetration testing live systems.
Nice-to-have skills and experience
Demonstrate a familiarity with the nuclear sector

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • How the approach or solution meets your organisation’s policy or goal
  • Approach and methodology
  • How they’ve identified risks and dependencies and offered approaches to manage them
  • Value for money
  • Team structure (with roles and responsibilities)
Cultural fit criteria
  • Work as a team with our organisation and other organisations
  • Take a collaborative and sharing approach, actively seeking input from colleagues and stakeholders.
  • Challenge the status quo
Payment approach
Capped time and materials
Assessment methods
Written proposal
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Can you please confirm that DV clearance is not required for this work?
We do not require suppliers to hold DV clearance for this work, only Baseline Personnel Security Standard (BPSS) level security clearance.
2. Can you please confirm if travel expenses be available in addition to the daily rate for this work?
The budget for this work is £40,000 excluding VAT. Travel expenses need to be covered in your tender for the work within that budget.
3. Will the supplier who is selected to develop the NBEST framework be prohibited from providing or restricted in providing NBEST assessment services after the framework is developed? Furthermore, would there be similar independence restrictions applied for providing other “BEST” framework assessments (e.g. CBEST, TBEST, etc) as a result of developing the NBEST framework?
No restrictions will be placed on the successful supplier with regards to future ‘BEST’ work.