Awarded to CGI

Start date: Wednesday 30 May 2018
Value: £182,000
Company size: large
Defence Equipment & Support

Security Testing

6 Incomplete applications

2 SME, 4 large

4 Completed applications

1 SME, 3 large

Important dates

Thursday 12 April 2018
Deadline for asking questions
Thursday 19 April 2018 at 11:59pm GMT
Closing date for applications
Thursday 26 April 2018 at 11:59pm GMT


Summary of the work
We have a requirement for penetration testing on a complex bespoke network and its component systems. We will require approximately 2-3 tests per year over the next two years by a CHECK-accredited, DV-cleared testing team.
Latest start date
Monday 28 May 2018
Expected contract length
2 years
West Midlands
Organisation the work is for
Defence Equipment & Support
Budget range
Each penetration test task will consist of a capped time and materials value of 35 man/days with a maximum day rate of £1100 Ex VAT and inclusive of T&S.

We estimate approximately 2-3 tests per year with a minimum of 2 months notice before each test.

About the work

Why the work is being done
The Authority has a requirement for several penetration tests in order to provide evidence for the ongoing accreditation of a bespoke computer network, approximately 2 tests per calendar year. The first of these is currently scheduled to happen in June of this year.

Subsequent tests would be at dates mutually agreed between the parties with a minimum of 2 months notice. The second test is estimated to be required towards the end of 2018.
Problem to be solved
Penetration testing is a fundamental requirement of ongoing system accreditation.
Who the users are and what they need to do
So that the System Design Authority are able to continue to develop and operate the network there is an ongoing requirement for penetration testing.
Early market engagement
Any work that’s already been done
The systems development is ongoing and there have been 2 previous penetration tests. These have been illustrative in determining the scale of this requirement and the estimated number of days for each penetration testing task.
Existing team
The supplier will be performing security tests in support of the system design authority. This is a multi-disciplinary team dedicated to the delivery and support of system capability; the team comprises system engineers, QA, network engineers, security and delivery / project managers.
Current phase

Work setup

Address where the work will take place
Exact address to be provided on contract award.
Working arrangements
The work will be required to be completed on-site during normal working hours; this will include face-to-face interaction and presence at a stand-up and wash-up session.
Security clearance
This contract requires that every member of the test team is DV cleared and a UK national. This is a fundamental and essential requirement of this competition. Due to the timescales involved, proposed staff for the initial test must hold DV clearance at the time of application.

Additional information

Additional terms and conditions
The following conditions will apply to this contract, full text can be found here:

DEFCON 5J (Edn 18/11/16)
DEFCON 76 (Edn 12/06)
DEFCON 501 (Edn 11/17)
DEFCON 502 (Edn 05/17)
DEFCON 513 (Edn 11/16)
DEFCON 522 (Edn 11/17)
DEFCON 658 (Edn 10/17) please see technical competence criteria.
DEFCON 659A (Edn 02/17)
DEFCON 660 (Edn 12/15)
DEFCON 703 (Edn 08/13)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • CHECK Accredited
  • Microsoft System Centre ‘Suite’ 2012
  • Active Directory
  • Windows 10 (inc Kiosk Mode)
  • Windows Orchestrator
  • Out of Band Management
  • Reference Management LAN
  • Must complete the Supplier Assurance Questionnaire at: using assessment reference: RAR-24BBRHGS Risk profile: Moderate
Nice-to-have skills and experience
  • WSUS
  • Hyper-V
  • App-V
  • WEF
  • RBAC

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • Evidence of previous security testing activities
  • Work history and experience of the proposed testing team
  • Approach and methodology to penetration testing task
  • Value for Money
Cultural fit criteria
  • Work with our team including other contractors.
  • Share knowledge and experience freely across the team.
  • Be comfortable standing up for this discipline and behind their recommendations.
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Work history
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Please can you confirm whether the requirement of CHECK Accreditation applies to the organization generally or specifically to the DV cleared personnel or team carrying out the required works?
The supplier must hold CHECK Accreditation; however, in order to operate under the CHECK scheme at least one individual from the test team must be CHECK Accredited to CHECK Team Leader status. This gives the company 'Green Light' status from the National Cyber Security Centre which we require.
2. Does a supplier have to be a "Green Light" organisation or can a CHECK Team Leader with DV Clearance, if they are able to complete a Penetration test within 35 days, meet the criteria?
The supplier must be a 'Green Light' organisation. The requirement is for a ‘CHECK Accredited Test Team’ as per the definition on the NCSC website. An individual CHECK team leader does not satisfy the requirement for a 'Test Team'.