Awarded to Mastek (UK) Ltd

Start date: Monday 10 September 2018
Value: £1,742,900
Company size: large
Ministry of Defence, Joint Forces Command - Information Systems & Services

CCT571 - Identity and Access Management (IDAM) Implementation Partner

7 Incomplete applications

4 SME, 3 large

11 Completed applications

2 SME, 9 large

Important dates

Published
Tuesday 5 June 2018
Deadline for asking questions
Tuesday 12 June 2018 at 11:59pm GMT
Closing date for applications
Tuesday 19 June 2018 at 11:59pm GMT

Overview

Summary of the work
MOD is seeking a partner to develop an Identity and Access Management service through the Beta phase, until it is able to pass the digital service standard for live services and achieve security accreditation. It is to be built around NetIQ products and will focus initially on systems handling OFFICIAL information in the UK.
Latest start date
Monday 3 September 2018
Expected contract length
Contract End Date: 31/01/20, with extension Option 1: 1/2/20-31/5/20. Option 2: 1/6/20-31/8/20.
Location
South West England
Organisation the work is for
Ministry of Defence, Joint Forces Command - Information Systems & Services
Budget range
We expect a spend of between £1Million - £2Million, with a T&S limit of liability set at £166,666.00 ex VAT.

About the work

Why the work is being done
The Ministry of Defence (MOD) needs an Enterprise Identity and Access Management (IDAM) service for its IT & Digital services; this delivers part of MOD’s 2010 IDAM strategy (available on gov.uk).

This service is to provide:
1. Improved compliance with HMG’s Technology Code of Practice, by providing a reusable service, and simpler maintenance of compliance with the General Data Protection Regulation (GDPR).

2. A migration path from current IDAM arrangements.

3. Identity related services that meet the Digital Service Standard, particularly for our partner organisations and external users.
It is an essential prerequisite for new IT services from Q2 2019.
Problem to be solved
MOD has many IT systems and applications that use different credentials and identities. Users need fewer sign-ons in their daily work and a reduced burden of managing system access. Other users need a means to build greater trust in the identities of users and to control access to systems/information more accurately.

MOD is seeking a partner to provide the skills and experience to develop the service through a beta phase until it can pass the digital service standard for a live service. The service will be for UK users handling OFFICIAL information, but will be reused where appropriate for other domains.
Who the users are and what they need to do
1. As an IT user, I want single sign on, so that I can seamlessly access IT & digital services.

2. As an App or Service Owner, I want simpler, rule based access to my service so that appropriate users get quicker access to my service and inappropriate ones are refused access.

3. As a systems administrator, I want to be able to maintain trust relationships between systems, so that normal IT operations can continue.

4. As a Security Officer, I want a simpler means of securely providing access to IT so that access is quicker, more accurate and can be scrutinised.
Early market engagement
Any work that’s already been done
The discovery and an alpha phase are completed.

The alpha phase proved the technical feasibility and resulted in the selection and procurement of the NetIQ product set to form the core of the IDAM service.

Existing data sources, capabilities and systems that may be used by or form part of the service have been identified and some known limitations noted. Preliminary work to identify user groups, personas and write an initial backlog of Epics and User stories for moving into a beta phase has been done.

Further user research by and backlog refinement with the incoming team will be needed.
Existing team
The supplier will be working with a full-time project manager (Crown-Servant). Depending on start date, work will initially be alongside two contracted architects/analysts involved in discovery/alpha phase work.

In addition to user/stakeholder access, there are other subject matter experts working with the team on a part-time/as-needed basis, including:
• architects from MOD’s Design Directorate (i.e. Enterprise architecture team)
• technical leads and DevOps engineers from the Defence as a Platform hosting team (noting that this is for advice/guidance and teams should expect to have their own DevOps capability).

As the user base grows, some interim help-desk personnel may join the team.
Current phase
Beta

Work setup

Address where the work will take place
The people will be based at MOD Corsham, SN13 9NR.
Working arrangements
The supplier team will use an Agile approach. A two-week sprint cycle and 3-month Programme Increment are usual, so that work in the wider unit can coordinate using Scaled Agile Framework (SAFe) techniques.

The supplier is expected to be onsite at least 3 days a week for face to face communication. T&S will be paid on receipted actuals in compliance with MoD Policy. We support flexible arrangements that improve wellbeing, effectiveness and inclusion in the team.

Work with other (pre-agile) MOD teams to help them assure this service and manage their dependencies on IdAM will also be required.
Security clearance
Contractors will be expected to obtain Security Clearance (SC) and maintain it throughout the life of the contract.

Access to certain data sets will also require Developed Vetting (DV) clearance.

Additional information

Additional terms and conditions
Please note: The Authority will not sponsor or pay for obtainment of SC or DV Clearance; this will remain the responsibility of the supplier.

Successful suppliers, after the short list stage, will be issued a Security Aspects Letter, and all elements of security are to be covered within their written proposal.

Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.

More detail will be provided at the tender stage, for suppliers that pass the shortlisting stage.

This requirement is outside of IR35 (Intermediaries Legislation doesn’t apply).

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of successfully delivering an IdAM service through a full project or development lifecycle in a large or complex organisation (including testing and deployment).
  • Experience of creating services built around the NetIQ products: Identity Manager, Sentinel, Advanced Authentication, Access Manager; including design, test, configuration and deployment of those products.
  • Experience developing large digital services that meet the Digital Service Standard for a growing community of users applying appropriate digital (Agile and user centric) methods, techniques and skills.
  • Experience obtaining and merging information from a range of sources/systems and addressing data quality issues to provide identity, role and security attribute data supporting attribute based access control.
  • Experience of building and testing an end-to-end digital service demonstrating a high level of quality.
  • Experience of DevOps Engineering – particularly deploying builds, increments and releases through Continuous Integration and Deployment pipelines, as well as scripting environment builds and changes.
  • Experience of designing and delivering Information Services with a high level of cyber and general security threat and very high criticality, and creating documents to achieve accreditation.
  • Experience of providing solution, service and technical architecture and architectural roadmaps in a complex, security critical environment supporting an Agile release cycle and addressing migration considerations.
  • Experience of effecting business change in a large organisation through the development, provision and promotion of transactional digital services - particularly Identity and Access Management.
Nice-to-have skills and experience
  • Experience integrating with wider business functions using NetIQ’s APIs and scripting environment to provide a service that delivers an excellent user experience whilst meeting business policy goals.
  • Experience of creating an IdAM service, based around NetIQ’s products, but incorporating other technologies where appropriate, including Covertix SmartCipher such that an optimised set of maintainable technology underpins the service.
  • Experience of digitising transactional processes and services internal to a large enterprise by applying good practices for: usability, user research, interaction, user-centric and graphic & content design.
  • Experience of delivery management in Agile teams building digital products according to the Government Service Design Manual, applying a range of Agile techniques and practices.
  • Experience of designing and building assisted digital elements of a service, where it is not practical or desirable to fully digitise aspects of the service.
  • Experience of providing data and/or information architectures and dictionaries for complex information services, ideally including a range of identity related entities, attributes and concepts.
  • Experience merging and migrating data from and exporting data to multiple systems using data engineering techniques, including familiarity with Extract Transform and Load technologies.
  • Experience in the administration and management of common platforms and components related to identity including Windows Server, Red Hat and Debian Linux, SQL Databases and Active Directory.
  • Capability to use test driven development to create software in Java and other languages that bridges gaps in necessary user journeys including creating Web user interfaces, APIs, RESTful architecture.
  • Experience of testing iteratively, including test data creation and test automation in the context of a mature DevOps approach.
  • Experience of integration testing in a large enterprise, including with legacy systems, and producing formal test documentation that makes maximum use of the quality assurance provided by the iterative testing.

How suppliers will be evaluated

How many suppliers to evaluate
3
Proposal criteria
  • How you will provide the Authority with a high-quality team that embodies the required skills; in particular, why you believe the team (as a collective) will be high-performing. 10%
  • How you will balance being responsive and flexible to changing work demands (in terms of skills and capacity) as it progresses with the benefits of a stable and consistent team. 9%
  • Indicative structure (people/roles in your proposed team, their main interrelationships), indicative profile (how the team size and roles might change over time) and when they can start. 9%
  • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. 9%
  • Your proposed approach and methodology to the digital service development: particularly how the various Digital, Data & Technology Roles will work together and how users will be involved. 9%
  • Proposed approach and methodology for achieving security/information assurance accreditation and maintaining it through the Agile development, including identifying threats, putting in place controls and engagement with the risk owner(s). 9%
  • How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). 9%
  • How you will ensure that the service meets the organisation’s policy goals in terms of providing more secure Identity and Access Management processes including incorporating existing policy. 9%
  • Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the IdAM service after it has been developed. 9%
  • How you will optimise costs for the Authority and deliver value for money through the development and the lifetime of the service (total cost of ownership of the service). 9%
  • Technical proposal for a DevOps pipeline and suitable environments to enable rapid, modern development of the system. 9%
Cultural fit criteria
  • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form.
  • Evidence that you attract and retain the best talent to create teams that reflect the diversity of the country and can deliver a diversity of thought to the Authority.
  • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome.
  • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors.
  • Evidence of working successfully in an Agile manner within an organisation where some units (particularly in relation to governance and project control processes) retain a big-design-upfront/command-and-control perspective.
  • Evidence of working with organisations and stakeholders with differing levels of technical expertise.
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting
  • Technical competence: 60%
  • Cultural fit: 10%
  • Price: 30%

Questions asked by suppliers

1. The closing date for applications is given as Tuesday 19th June and the expected start date as Monday 3rd September. Could you confirm the key dates in between please so that we can ensure we have the right resources in place over the summer holiday period?
Supplier Proposals/Tender (after shortlisting is complete) will be due 16/07/18.
Presentations are expected to be held on the 20th and 23rd of July.
2. You mention that the work will initially be alongside two contracted architect/analysts involved in discovery/alpha phase work. Could you confirm for how long these two people will continue to be involved in the project and whether we are expected to have any responsibility for their work and the outputs they produce please?
You will not be responsible for their work. The current incumbents will be handing over to the awarded supplier.
3. What is the pay rate?
The budget range has been identified in the advert of a spend between £1M - £2M with a T&S Limit of Liability of £166,666.00. The pay rate will form part of your tender.
4. What is the location of the work?
MOD Corsham; however, there will be travel to other sites as required.
5. Can the MOD share the selection rationale from the Alpha phase for NetIQ products?
No. However where not commercially sensitive, information about the business requirements for the Alpha phase will be provided as appropriate to the awarded supplier.
6. We understand the Discovery and Alpha phase for the project has been completed. Could the MOD confirm which organisation completed this work?
No. However this will be provided where required in order to facilitate handover, as appropriate to the awarded supplier.