Awarded to 2T Security Ltd

Start date: Tuesday 5 June 2018
Value: £432,000
Company size: SME
Her Majesty’s Passport Office

Her Majesty's Passport Office - Information Assurance Architect

12 Incomplete applications

9 SME, 3 large

10 Completed applications

8 SME, 2 large

Important dates

Wednesday 16 May 2018
Deadline for asking questions
Friday 18 May 2018 at 11:59pm GMT
Closing date for applications
Wednesday 23 May 2018 at 11:59pm GMT


Specialist role
Cyber security consultant
Summary of the work
Supporting development & maintenance of Security architecture
Developing Information Risk Assurance Reports
Risk discovery, treatment & analysis
Technical assessments and assurance of IT products & services
Latest start date
Tuesday 5 June 2018
Expected contract length
24Months total-Initial 12months-further period up to 12months depending on business need&performance
Organisation the work is for
Her Majesty’s Passport Office
Maximum day rate

About the work

Early market engagement
Who the specialist will work with
You will work as part of a Technical Design Authority who are responsible for specific domains.
They will need to collaborate closely with delivery teams in a multi-supplier environment.
HMPO is moving from a large outsourced SI arrangement to an in-house, largely cloud based and open source based solutions delivered iteratively. Legacy technologies inc Oracle and Tibco. Strategic technology stack is based on Microservices architecture including Java, Node JS, ELK, Postgres, MongoDB, AWS, Puppet, Chef
What the specialist will work on
The resource will be required to:
1. Ensure that specified security controls or other counter-measures they specify to mitigate, minimise, or treat discovered risks are pragmatic (in order to meet the requirements of the business), appropriate (i.e. commensurate with the classification and sensitivity of information assets) and cost effective (whilst appropriately technically mitigating threats to assets)
2. Lead information assurance activities against solution designs to ensure they are appropriately secure.

Work setup

Address where the work will take place
London, Westminster
Working arrangements
Typically on-site with wider team and clients in an Agile environment. Some site visits. Use of Confluence, Jira and ardoq are the tools used to track progress against deliverables.
Security clearance
SC Clearance is required. HM Passport Office will support the clearance process.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Have proven track record of risk assessing and assuring cloud based architectures for large and complex organisations ensuring information assets are securely managed
  • Have in-depth understanding of cloud based and traditional security technologies and an in depth understanding of security specific protocols (e.g. TLS, Kerberos and SAML)
  • Experience with using attack tree methods for conducting risk assessments
  • Have in-depth understanding of outcome based approach to risk identification, management and mitigation using techniques such as risk trees
  • Good understanding of Identity management, identity lifecycle management
  • Hold CCP IA Architect and LCCP
Nice-to-have skills and experience
  • Experience of Home Office/ HMPO systems or similar government operational systems
  • Experience of GDS best practices

How suppliers will be evaluated

How many specialists to evaluate
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative
  • Be comfortable standing up for their discipline
  • Have a no-blame culture and take responsibility for their work
Assessment methods
Work history
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is this the same task that was removed yesterday? What is the IR35 status? Is there a current incumbent?
Yes - Minor changes to the skills and summary section.
We expect this engagement to be outside IR35, however status is assessed on a case-by-case basis.
There is currently an incumbent in the role.
2. Please can you confirm if there is an incumbent in this position ? If so, is the incumbent looking to leave or will they be re-tendering for this position?
There is currently an incumbent in the role.
3. Can you confirm if this role has been assessed as inside or outside of IR35?
We expect this engagement to be outside IR35, however status is assessed on a case-by-case basis.
4. Can you confirm if this role is inside or outside of the IR35 regulations?
We expect this engagement to be outside IR35, however status is assessed on a case-by-case basis.
5. Is this a new requirement or is there an incumbent in place?
There is currently an incumbent in the role.
6. Can you confirm that the Lead CCP is for the Security & Information Risk Adviser (SIRA) role, as this is not listed. If not, to which IA role does it relate?
That is confirmed it is for a lead SIRA role.
7. Can you clarify the qualification required. Hold CCP IA Architect and LCCP Does the architect no longer need to be a lead? In which qualification discipline is LCCP referring to.
This refers to the NCSC CCP scheme, LCCP refers to a SIRA.
8. Can the Authority please confirm what is meant by "hold LCCP"?
It is referring to a SIRA.
9. Can the Authority please confirm whether 'Lead CCP' is a requirement?
It is referring to a SIRA.