Awarded to Amethyst Risk Management Limited

Start date: Thursday 1 February 2018
Value: £198,135
Company size: SME
Ministry of Defence

CCT544 - Information Assurance (Security) SME

7 Incomplete applications

7 SME, 0 large

18 Completed applications

14 SME, 4 large

Important dates

Friday 10 November 2017
Deadline for asking questions
Tuesday 14 November 2017 at 11:59pm GMT
Closing date for applications
Friday 17 November 2017 at 11:59pm GMT


Specialist role
Cyber security consultant
Summary of the work
This requirement is to provide an Information Assurance Subject Matter Expert to the CES project team in the MOD Information Systems and Services organisation. The post holder will be responsible; completing and managing assurance activities for CES project to ensure accreditation is achieved supporting the successful delivery of the project.
Latest start date
Friday 1 December 2017
Expected contract length
1 year
South West England
Organisation the work is for
Ministry of Defence
Maximum day rate
£800 per day Ex VAT

About the work

Early market engagement
Who the specialist will work with
This SME will work within the highly focussed Cryptographic Enabling Services (CES) Information Assurance team to deliver the project to operational use and also to liaise with commercial suppliers, internal assurance, design teams, and other stakeholders as required.
What the specialist will work on
Provide support/develop the Information Assurance, Cyber and Accreditation evidence in support of Design, Development and Deployment of ISS Cryptographic Enabling Services project. The individual will provide expert advice and input to ensure the system meets all necessary technical and policy security requirements, is assessed for IA/Cyber risks and provides support for risk management/accreditation decisions.
Activities will include but not limited to:
• Produce/Review/Manage accreditation deliverables and activities in accordance with MOD Policy and in line with Project Plans.
• Attendance and input within specialist area at meetings/workshops/working groups.
• Provide updates to the Security stakeholders in support of these activities.

Work setup

Address where the work will take place
ISS, Building 405, Spur F1, Westwells Road, MOD Corsham, SN13 9NR
Working arrangements
All tasking will take place from MoD Corsham, with the need to travel to stakeholders and Industry partners when required under the direction of the MOD Security Assurance Coordinator. You are required 5 days a week, the working day is 8 hours to include 30 minutes for lunch. Overnight visits will only be permitted if permission is sought in advance. This individual will report to the SyInfra Security Assurance Coordinator.
Security clearance
SC Clearance must be in place and cover the duration of the contract.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of providing technical security support on Government projects, working to HMG/MOD Security Policy and requirements (JSP 440, 604 etc).
  • Evidence of working with MOD security stakeholders and coordination, analysis and management of system security risks.
  • Able to demonstrate the application of contextualised risk management in the application of technical/procedural/physical security controls within the risk/cost/benefit trading space.
  • Understanding of NATO Crypto Key production, movement and use and experience of working within the MOD Cryptography environment and understanding of Cryptography policy and requirements (JSP 490, 491 etc)
  • Experience of scoping ITHC activity and remediating ITHC Recommendations
  • Evidence and proven track record of delivering security assurance, accreditation documentation and activities within a complex MOD IT system/service, to successful outcomes. Including experience of working to MOD accreditation processes
  • Experience of identifying, assessing, recording and managing risk at programme/project level and then producing/maintaining risk documentation for use in system accreditation and Capable of managing compliance against security requirements
Nice-to-have skills and experience
  • Ex-CLAS
  • CISSP (Or industry equivalent)
  • CCP SIRA (Or industry equivalent)
  • Demonstrable experience of working as a technical security SME within a project environment, using Agile methodologies
  • Experience of leading Security Working Groups as a way of managing project security risks

How suppliers will be evaluated

How many specialists to evaluate
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Be comfortable with presenting highly technical subjects to non-technical audiences
Assessment methods
  • Work history
  • Interview
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Under the "Nice to Have Skills and Experience" the Authority is asking for Ex-CLAS. Why is the Authority requesting an expired qualification in a now closed down scheme?
It is recognised that the new CCP scheme has not had the take up in the same way as CLAS. So whilst we recognise this is an expired scheme this simply enhances our knowledge of the candidate. CCP scheme registration is of course relevant for ISS.
2. Can you confirm if there is currently, or if there has recently been, an incumbent carrying out similar work for the Authority.
This post has been gapped for some time
3. Given the level of security involved with cryptography, can the Authority confirm the requirement for SC clearance as involvement at this level of security assurance normally requires DV clearance.
DV would be preferable.
4. The role states it requires SC. If an SME has DV will this role be classed as 'utilising' the DV in order to keep it active?
5. Will this role be inside or outside of IR35?
I can confirm this role is within the IR35
6. Is this role inside IR35 or outside IR35
I can confirm this role is within the IR35
7. Is this role inside or outside of IR35?
I can confirm this role is within the IR35
8. Please can you confirm if this role is deemed inside or outside IR35
This role is within IR35
9. Please state the IR 35 Status of this role
The role is within IR35
10. Can the authority please provide confirmation of the IR35 status for this requirement
Role is within IR35
11. Does this role fall inside or outside of IR35?
Inside of IR35
12. Can you please confirm if this role is outside of IR35?
This role is within IR35
13. Please could you advise IR35 status of the role?
Within IR35
14. Please may you confirm your IR35 assessment of this task.
The role is within IR35
15. Can the authority confirm if there is a current incumbent providing this service?
This post has been gapped for some time
16. Is the latest start date of 01/12/2017 fixed, or would 02/01/2018 be acceptable?
17. Does the individual need to be onsite in Corsham 5 days per week?
No the individual does not need to be on site in Corsham 5 days a week but must be contactable and be available to attend meetings.
18. Please could it be confirmed whether the Authority would accept the required personnel for 3 days a week instead of 5?
It is not anticipated that the workload for this role with be less than 5 days a week.
19. Any chances of change in start date as the latest date mentioned is Friday 1 December 2017
It has been decided that the start date can now slip to start mid-December - Early January
20. Is there any travel involved in this role and will the travel expenses be paid ?
T&S is not included within the Business Case. However, if short notice, overnight or travel overseas occurs this will be dealt with separately through programme budget, subject to Budget Holder approval.
21. Is occasional remote working allowed?
Yes if using MOD supplied assets (laptop) and agreed by authority
22. What are the other expenses which will be paid
T&S is not included within the Business Case. However, if short notice, overnight or travel overseas occurs this will be dealt with separately through programme budget, subject to Budget Holder approval.
23. What is the lead time for feedback once the application is submitted?
Applications will be reviewed and feedback will be provided with 2 weeks of submission.
24. Will you sponsor SC clearance
Supplier must have a valid SC clearance which will cover the duration of the contract
25. (the answer to this question posted before is ambiguous) Is the latest start date of 01/12/2017 fixed?
It has been decided that the start date can now slip to start mid-December - Early January
26. Would you consider work permit holders (e.g. Tier 2 General Visa) and EU passport holders for this role ?
Due to the security classification this requirement is for UK national applicants only
27. Has any governance been laid down to date (RMADS, supporting documentation) – or is it a day-zero start? Is there a recognised accreditation statement for the project or has this yet to be reviewed? Where is the accreditor based? Where is the SyInfra Security Assurance Coordinator based? What is the expected dated of project delivery/FOC? Can the scope of the deployed solution be made available? Is there a current incumbent already fulfilling this role?
"There are an number of projects under CES. Some will require the creation of RMADS, supporting documentation etc.
An Accreditation Evidence statement has been agreed for all projects with the accreditor.
Accreditor based: Wyton/Corsham
Based in: Corsham
End dates: Due to need to work on more than one project this information is deemed unnecessary at this time
We are unsure what is meant by scope of deployed solution is referring to.
No, there isn't a current incumbent"