Awarded to Amethyst Risk Management Limited

Start date: Thursday 1 February 2018
Value: £198,135
Company size: SME

Ministry of Defence

CCT544 - Information Assurance (Security) SME

7 Incomplete applications

7 SME, 0 large

18 Completed applications

14 SME, 4 large

• Published: Friday 10 November 2017
• Deadline for asking questions: Tuesday 14 November 2017 at 11:59pm GMT
• Closing date for applications: Friday 17 November 2017 at 11:59pm GMT

Overview

• Specialist role: Cyber security consultant
• Summary of the work: This requirement is to provide an Information Assurance Subject Matter Expert to the CES project team in the MOD Information Systems and Services organisation. The post holder will be responsible; completing and managing assurance activities for CES project to ensure accreditation is achieved supporting the successful delivery of the project.
• Latest start date: Friday 1 December 2017
• Expected contract length: 1 year
• Location: South West England
• Organisation the work is for: Ministry of Defence
• Maximum day rate: £800 per day Ex VAT

About the work

• Who the specialist will work with: This SME will work within the highly focussed Cryptographic Enabling Services (CES) Information Assurance team to deliver the project to operational use and also to liaise with commercial suppliers, internal assurance, design teams, and other stakeholders as required.
• What the specialist will work on: Provide support/develop the Information Assurance, Cyber and Accreditation evidence in support of Design, Development and Deployment of ISS Cryptographic Enabling Services project. The individual will provide expert advice and input to ensure the system meets all necessary technical and policy security requirements, is assessed for IA/Cyber risks and provides support for risk management/accreditation decisions. ; Activities will include but not limited to:; • Produce/Review/Manage accreditation deliverables and activities in accordance with MOD Policy and in line with Project Plans. ; • Attendance and input within specialist area at meetings/workshops/working groups.; • Provide updates to the Security stakeholders in support of these activities.

Work setup

• Address where the work will take place: ISS, Building 405, Spur F1, Westwells Road, MOD Corsham, SN13 9NR
• Working arrangements: All tasking will take place from MoD Corsham, with the need to travel to stakeholders and Industry partners when required under the direction of the MOD Security Assurance Coordinator. You are required 5 days a week, the working day is 8 hours to include 30 minutes for lunch. Overnight visits will only be permitted if permission is sought in advance. This individual will report to the SyInfra Security Assurance Coordinator.
• Security clearance: SC Clearance must be in place and cover the duration of the contract.

Additional information

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • Experience of providing technical security support on Government projects, working to HMG/MOD Security Policy and requirements (JSP 440, 604 etc).
  • Evidence of working with MOD security stakeholders and coordination, analysis and management of system security risks.
  • Able to demonstrate the application of contextualised risk management in the application of technical/procedural/physical security controls within the risk/cost/benefit trading space.
  • Understanding of NATO Crypto Key production, movement and use and experience of working within the MOD Cryptography environment and understanding of Cryptography policy and requirements (JSP 490, 491 etc)
  • Experience of scoping ITHC activity and remediating ITHC Recommendations
  • Evidence and proven track record of delivering security assurance, accreditation documentation and activities within a complex MOD IT system/service, to successful outcomes. Including experience of working to MOD accreditation processes
  • Experience of identifying, assessing, recording and managing risk at programme/project level and then producing/maintaining risk documentation for use in system accreditation and Capable of managing compliance against security requirements
• Nice-to-have skills and experience:
  • Ex-CLAS
  • CISSP (Or industry equivalent)
  • CCP SIRA (Or industry equivalent)
  • Demonstrable experience of working as a technical security SME within a project environment, using Agile methodologies
  • Experience of leading Security Working Groups as a way of managing project security risks

How suppliers will be evaluated

• How many specialists to evaluate: 5
• Cultural fit criteria:
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Be comfortable with presenting highly technical subjects to non-technical audiences
• Assessment methods:
  • Work history
  • Interview
• Evaluation weighting:

  Technical competence

  70%

  Cultural fit

  10%

  Price

  20%

Questions asked by suppliers

• 1. Under the "Nice to Have Skills and Experience" the Authority is asking for Ex-CLAS. Why is the Authority requesting an expired qualification in a now closed down scheme?: It is recognised that the new CCP scheme has not had the take up in the same way as CLAS. So whilst we recognise this is an expired scheme this simply enhances our knowledge of the candidate. CCP scheme registration is of course relevant for ISS.
• 2. Can you confirm if there is currently, or if there has recently been, an incumbent carrying out similar work for the Authority.: This post has been gapped for some time
• 3. Given the level of security involved with cryptography, can the Authority confirm the requirement for SC clearance as involvement at this level of security assurance normally requires DV clearance.: DV would be preferable.
• 4. The role states it requires SC. If an SME has DV will this role be classed as 'utilising' the DV in order to keep it active?: Yes
• 5. Will this role be inside or outside of IR35?: I can confirm this role is within the IR35
• 6. Is this role inside IR35 or outside IR35: I can confirm this role is within the IR35
• 7. Is this role inside or outside of IR35?: I can confirm this role is within the IR35
• 8. Please can you confirm if this role is deemed inside or outside IR35: This role is within IR35
• 9. Please state the IR 35 Status of this role: The role is within IR35
• 10. Can the authority please provide confirmation of the IR35 status for this requirement: Role is within IR35
• 11. Does this role fall inside or outside of IR35?: Inside of IR35
• 12. Can you please confirm if this role is outside of IR35?: This role is within IR35
• 13. Please could you advise IR35 status of the role?: Within IR35
• 14. Please may you confirm your IR35 assessment of this task.: The role is within IR35
• 15. Can the authority confirm if there is a current incumbent providing this service?: This post has been gapped for some time
• 16. Is the latest start date of 01/12/2017 fixed, or would 02/01/2018 be acceptable?: No
• 17. Does the individual need to be onsite in Corsham 5 days per week?: No the individual does not need to be on site in Corsham 5 days a week but must be contactable and be available to attend meetings.
• 18. Please could it be confirmed whether the Authority would accept the required personnel for 3 days a week instead of 5?: It is not anticipated that the workload for this role with be less than 5 days a week.
• 19. Any chances of change in start date as the latest date mentioned is Friday 1 December 2017: It has been decided that the start date can now slip to start mid-December - Early January
• 20. Is there any travel involved in this role and will the travel expenses be paid ?: T&S is not included within the Business Case. However, if short notice, overnight or travel overseas occurs this will be dealt with separately through programme budget, subject to Budget Holder approval.
• 21. Is occasional remote working allowed?: Yes if using MOD supplied assets (laptop) and agreed by authority
• 22. What are the other expenses which will be paid: T&S is not included within the Business Case. However, if short notice, overnight or travel overseas occurs this will be dealt with separately through programme budget, subject to Budget Holder approval.
• 23. What is the lead time for feedback once the application is submitted?: Applications will be reviewed and feedback will be provided with 2 weeks of submission.
• 24. Will you sponsor SC clearance: Supplier must have a valid SC clearance which will cover the duration of the contract
• 25. (the answer to this question posted before is ambiguous) Is the latest start date of 01/12/2017 fixed?: It has been decided that the start date can now slip to start mid-December - Early January
• 26. Would you consider work permit holders (e.g. Tier 2 General Visa) and EU passport holders for this role ?: Due to the security classification this requirement is for UK national applicants only
• 27. Has any governance been laid down to date (RMADS, supporting documentation) – or is it a day-zero start? Is there a recognised accreditation statement for the project or has this yet to be reviewed? Where is the accreditor based? Where is the SyInfra Security Assurance Coordinator based? What is the expected dated of project delivery/FOC? Can the scope of the deployed solution be made available? Is there a current incumbent already fulfilling this role?: "There are an number of projects under CES. Some will require the creation of RMADS, supporting documentation etc. ; An Accreditation Evidence statement has been agreed for all projects with the accreditor. ; Accreditor based: Wyton/Corsham ; Based in: Corsham; End dates: Due to need to work on more than one project this information is deemed unnecessary at this time; We are unsure what is meant by scope of deployed solution is referring to.; No, there isn't a current incumbent"