This opportunity is closed for applications

The deadline was Tuesday 25 September 2018
Ministry of Defence Information Systems & Services

CySAFA(D) Technical Design Review

9 Incomplete applications

7 SME, 2 large

8 Completed applications

3 SME, 5 large

Important dates

Published
Tuesday 11 September 2018
Deadline for asking questions
Tuesday 18 September 2018 at 11:59pm GMT
Closing date for applications
Tuesday 25 September 2018 at 11:59pm GMT

Overview

Summary of the work
To perform an evaluation of the CySAFA(D) project, including the processes used, decisions made and technical design, to ensure appropriate design for future delivery.
Latest start date
Wednesday 31 October 2018
Expected contract length
3 Months
Location
South West England
Organisation the work is for
Ministry of Defence Information Systems & Services
Budget range
NTE £220k (Inc VAT) inclusive of all T&S costs.

About the work

Why the work is being done
CySAFA(Deployed) will be the primary Defensive Cyber platform for deployed operations, allowing Cyber Protection Teams (CPTs) to monitor and protect standalone networks. CySAFA(D) has been delivered in small numbers to CPTs and is currently being trialled to understand how it can support their expected missions. CySAFA(D) is based on the CySAFA(Fixed) architectural pattern which utilises Big Data Storage and Analytics.
Significant investment is planned from Mar 19 to increase the fleet. Prior to this, and in support of an investment appraisal, a technical review is required to ensure the design is the best solution for expected operational use cases.
Problem to be solved
A technical design review of CySAFA(D) is required to prove the value and effectiveness of the current design, considering the CPT requirements and use cases. This study should, as a minimum, include:
- Engagement with CPTs, single service capability leads, Jt User and ISS project staff to understand the future requirements of CySAFA(D);
- Reviewing the design pattern and providing recommendations on the appropriateness of the current design;
- Conducting a cost-benefit analysis of the current design, including understanding the utilisation of development in the fixed version against delivering a separate Deployed work stream.
Who the users are and what they need to do
The users are single service CPTs – Army (Bath), RAF (Digby), RN (Portsmouth). They require engagement to help the project team understand their future requirements and use cases to ensure the most appropriate technology is delivered to them.
Early market engagement
N/A
Any work that’s already been done
CySAFA(D) has been developed and delivered to users at an Alpha capability.
Existing team
The existing team consists of Architecture Leads, Project Managers, and Technical Support staff.
Current phase
Alpha

Work setup

Address where the work will take place
- MOD Corsham
- CGI, Reading (Prime Contractor)
- Single Service CPTs (engagement), Bath, Portsmouth, Digby
Working arrangements
Engagement is required across the user community. It is expected that the majority of the engagement will happen at MOD Corsham, but there are no requirements to work on-site by default.

Access to MOD sites (other than being booked in for visits) and corporate IT will not be provided for this task.
Security clearance
SC Clearance must be in place prior to the contract starting due to the projects the team are required to work with.

The Authority WILL NOT sponsor SC or DV Clearance, it must be in place and remain valid for the duration of the contract.

Additional information

Additional terms and conditions
• Any report / review documentation will attract the classification of OFFICIAL-SENSITIVE.
• We aim to get feedback to you within one week of the advert closing.
• Bid Responses to be submitted on the templates provided and in Microsoft Office Excel/Word 2013 format only.
• T&S will be paid based on receipted actuals and in compliance with MoD Policy, no other expenses are permitted.
• Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.
• IR35 does not apply to this requirement.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Knowledge of MOD Defensive Cyber Operations Tools, Techniques and Procedures (Fixed and Deployed) - 20%
  • Experience of reviewing technical architecture against known requirements - 20%
  • Knowledge of Big Data Architectures generally, and the CySAFA project specifically - 20%
  • Experience of eliciting user experiences in order to inform benefit analysis - 20%
Nice-to-have skills and experience
  • Have the ability to evaluate information and present it in a way that is easily understood by the target audience, including through written and oral communication - 10%
  • Have the ability to think creatively and to articulate innovative ideas for solving complex business and IT problems - 10%

How suppliers will be evaluated

How many suppliers to evaluate
3
Proposal criteria
  • Documented evidence of essential skills
  • Documented proposed approach and methodology
  • Documented proposal of how the approach or solution meets user needs
  • Clear and concise evidence limited to 6 pages plus CVs
  • Detailed resources plan
  • Estimated timeframes for the work
  • Confirmation of existing clearances
  • Value for money
Cultural fit criteria
  • Have excellent interpersonal and influencing skills and a positive approach - 5%
  • Have the people skills to work with senior stakeholders to secure access to people in their working environment - 5%
  • Values and behaviours in line with MOD core values - 5%
Payment approach
Fixed price
Assessment methods
Written proposal
Evaluation weighting
  • Technical competence - 60%
  • Cultural fit - 15%
  • Price - 25%

Questions asked by suppliers

1. Is the technology fully compliant?
We are unsure of the context of this question. Please could you specify against what standards you would measure compliance?
2. What would you envisage the make-up of the team being?
We very much hope the proposed team would be able to deliver our primary requirement; conduct a technical evaluation of a current capability and provide recommendations on the design and architecture. We would rather suppliers propose the best possible team to achieve our desired outcome, and do not wish to constrain proposals through potentially influencing the team make-up.
3. We have a specialist who has worked on CySAFA previously and is available within the required timeframes, however his Enhanced SC has lapsed in May, would you still consider him?
Due to the information that will be required to be assimilated during this task, SC Clearance must be in place prior to the contract starting.
4. Please could you confirm that responses should be made via the DOS2 platform at this point and that the reference to "Bid Responses to be submitted on the templates provided and in Microsoft Office Excel/Word 2013 format only." is for a later stage?
We can confirm that responses should be made via the DOS2 Platform at this stage, and the reference to "Bid Responses to be submitted on the templates provided and in Microsoft Office Excel/Word 2013 format only." is for the later 'Written Proposal' stage.
5. 1. What UK MOD enterprise assets are being monitored with the CySAFA platform?
2. What types of security tools or applications does the CySAFA platform use to monitor the UK MOD enterprise assets?
3. What types of Big Data tools or applications does the CySAFA deploy to monitor the UK MOD enterprise assets?
4. What asset types does the CySAFA platform collect? Infrastructure, Network Appliances, Firewalls, Other Security Solutions, Application Servers, Data Servers, Web Servers, Weapon Systems, etc.
5. What data types does the CySAFA platform collect? e.g. Log data, Netflow, Full Packet data, etc.
1. CySAFA(Deployed) is in Beta testing, connected to test LANs. CySAFA(Fixed), utilised across the Enterprise, is out-of-scope
2. CySAFA provides SOC functionality. Specifics on tooling will be provided at contract award, once security clearance is determined
3. CySAFA is based on Hadoop. Specifics on monitoring tools will be provided at contract award
4. CySAFA is designed to ingest any data types including, where required, those specified. Specifics on data requirements will be provided at contract award
5. CySAFA is designed to ingest any data type including, where required, those specified. Specifics on data requirements will be provided at contract award
7. 1. What data collection appliances are used to collect the data for the CySAFA platform?
2. What types of data filtering are conducted on the CySAFA platform?
3. What is the quantity of data collected/ingested into the CySAFA platform per day? E.g. 50 Gb’s data per day.
4. How is the data on the CySAFA platform correlated?
5. How many security use cases or rules does the CySAFA employ to monitor potential cybersecurity events on their enterprise assets?
6. What outside/third party data is applied or integrated with the CySAFA platform?
1. CySAFA (D) utilises log forwarders and network taps to collect data
2. Data is manipulated in accordance with Operational needs. Specifics on data filtering will be provided at contract award
3. The current and future data ingest requirements for CySAFA (D) will be investigated as part of this task
4. Specifics on data correlation will be provided at contract award
5. Understanding the user requirements of CySAFA (D) is key to this task. This includes understanding how CPTs will utilise rule-based detection
6. Specifics on third party data will be provided at contract award
8. 1. What types of Cyber Threat Intelligence is applied or integrated with the CySAFA platform?
2. What types of Threat Actor TTPs (Tactics, Techniques, and Procedures) and/or Threat Actor Playbooks are applied to the CySAFA platform?
3. What types of data compression are applied to the CySAFA platform?
4. What types of data encryption are applied to the CySAFA platform?
5. What types of Analytics tools are deployed on the CySAFA platform?
6. What types of Artificial Intelligence and Machine Learning are deployed on the CySAFA platform?
1. Specifics on threat intelligence will be provided, if required, at contract award
2. Specifics on TTPs will be provided, if required, at contract award
3. Possible data compression techniques should be investigated as part of this task in accordance with the data requirements
4. Specifics on data encryption will be provided, if required, at contract award
5. CySAFA provides Security Operations functions including data analytics. Specifics on tooling will be provided at contract award
6. Specific information on AI and ML techniques utilised will be provided at contract award
9. 1. How many types of Predictive Algorithms are deployed on the CySAFA platform?
2. What types of reporting are deployed on the CySAFA platform?
3. What types of visualizations are deployed on the CySAFA platform? E.g. Portal, Console, etc.
4. What security standards govern the CySAFA platform?
1. Specific information on predictive algorithms utilised will be provided, if required, at contract award, once security clearance has been determined
2. Reporting is possible via CySAFA incident management tooling and standard productivity tooling
3. Specific information on visualisation tools will be provided, if required, at contract award, once security clearance has been determined
4. Security standards are in line with the Defence Manual of Security JSP 440. The system is accredited by Defence Assurance and Information Security (DAIS) to HMG standards for holding classified data