Defence Equipment & Support

Security Testing

Incomplete applications: 6 (2 SME, 4 large)
Completed applications: 4 (1 SME, 3 large)

Important dates
Published: Thursday 12 April 2018
Deadline for asking questions: Thursday 19 April 2018 at 11:59pm GMT
Closing date for applications: Thursday 26 April 2018 at 11:59pm GMT

Overview

Summary of the work: We have a requirement for penetration testing on a complex bespoke network and its component systems. We will require approximately 2-3 tests per year over the next two years by a CHECK accredited, DV cleared testing team.
Latest start date: Monday 28 May 2018
Expected contract length: 2 years
Location: West Midlands
Organisation the work is for: Defence Equipment & Support
Budget range: Each penetration test task will consist of a capped time and materials value of 35 man/days with a maximum day rate of £1100 Ex VAT and inclusive of T&S.

We estimate approximately 2-3 tests per year with a minimum of 2 months' notice before each test.

About the work

Why the work is being done: The Authority has a requirement for several penetration tests in order to provide evidence for the ongoing accreditation of a bespoke computer network, approximately 2 tests per calendar year. The first of these is currently scheduled to happen in June of this year.

Subsequent tests would be at dates mutually agreed between the parties with a minimum of 2 months' notice. The second test is estimated to be required towards the end of 2018.
Problem to be solved: Penetration testing is a fundamental requirement of ongoing system accreditation.
Who the users are and what they need to do: So that the System Design Authority is able to continue to develop and operate the network, there is an ongoing requirement for penetration testing.
Early market engagement: N/A
Any work that’s already been done: The system's development is ongoing and there have been 2 previous penetration tests. These have been illustrative in determining the scale of this requirement and the estimated number of days for each penetration testing task.
Existing team: The supplier will be performing security tests in support of the System Design Authority, which is a multi-disciplinary team dedicated to the delivery and support of system capability; the team comprises system engineers, QA, network engineers, security and delivery / project managers.
Current phase: Beta

Work setup

Address where the work will take place: Exact address to be provided on contract award.
Working arrangements: The work must be completed on-site during normal working hours; this will include face-to-face interaction and presence at a stand-up and wash-up session.
Security clearance: This contract requires that every member of the test team is DV cleared and a UK national. This is a fundamental and essential requirement of this competition. Due to the time scales involved, proposed staff for the initial test must hold DV clearance at the time of application.

Additional information

Additional terms and conditions: The following conditions will apply to this contract; the full text can be found here: https://www.gov.uk/guidance/acquisition-operating-framework

DEFCON 5J (Edn 18/11/16)
DEFCON 76 (Edn 12/06)
DEFCON 501 (Edn 11/17)
DEFCON 502 (Edn 05/17)
DEFCON 513 (Edn 11/16)
DEFCON 522 (Edn 11/17)
DEFCON 658 (Edn 10/17) please see technical competence criteria.
DEFCON 659A (Edn 02/17)
DEFCON 660 (Edn 12/15)
DEFCON 703 (Edn 08/13)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • CHECK Accredited
  • Microsoft System Centre ‘Suite’ 2012
  • Active Directory
  • Windows 10 (inc Kiosk Mode)
  • Windows Orchestrator
  • Out of Band Management
  • Reference Management LAN
  • Must complete the Supplier Assurance Questionnaire at: http://supplier-cyber-protection.service.gov.uk/ using assessment reference: RAR-24BBRHGS Risk profile: Moderate
Nice-to-have skills and experience
  • WSUS
  • Hyper-V
  • App-V
  • WEF
  • RBAC

How suppliers will be evaluated

How many suppliers to evaluate: 5
Proposal criteria
  • Evidence of previous security testing activities
  • Work history and experience of the proposed testing team
  • Approach and methodology to penetration testing task
  • Value for Money
Cultural fit criteria
  • Work with our team including other contractors.
  • Share knowledge and experience freely across the team.
  • Be comfortable standing up for this discipline and behind their recommendations.
Payment approach: Capped time and materials
Assessment methods
  • Written proposal
  • Work history
Evaluation weighting
  • Technical competence: 65%
  • Cultural fit: 5%
  • Price: 30%

Questions asked by suppliers

1. Supplier question: Please can you confirm whether the requirement of CHECK Accreditation applies to the organization generally or, specifically, to the DV cleared personnel or team carrying out the required works?
   Buyer answer: The supplier must hold CHECK Accreditation; however, in order to operate under the CHECK scheme at least one individual from the test team must be CHECK Accredited to CHECK Team Leader status. This gives the company 'Green Light' status from the National Cyber Security Centre which we require.

2. Supplier question: Does a supplier have to be a "Green Light" organisation or can a CHECK Team Leader with DV Clearance, if they are able to complete a Penetration test within 35 days, meet the criteria?
   Buyer answer: The supplier must be a 'Green Light' organisation. The requirement is for a ‘CHECK Accredited Test Team’ as per the definition on the NCSC website (https://www.ncsc.gov.uk/scheme/penetration-testing). An individual CHECK team leader does not satisfy the requirement for a 'Test Team'.