Ministry of Defence Information Systems and Services

Cyber Security Operating Capability (CSOC) Support

Incomplete applications: 22 (16 SME, 6 large)

Completed applications: 22 (9 SME, 13 large)

Important dates
Published Monday 15 October 2018
Deadline for asking questions Monday 22 October 2018 at 11:59pm GMT
Closing date for applications Monday 29 October 2018 at 11:59pm GMT

Overview

Summary of the work Client-Side support is required to provide Governance, Strategic Architecture and Data Exploitation support to the CSOC. Work includes producing a programme roadmap, implementation plan, TORs for a new Chief Information Security Officer role, Benefits Management processes, high level requirements and use cases, business architecture and an implementation blueprint for CSOC.
Latest start date Monday 26 November 2018
Expected contract length Until 31 Mar 19 with a 6 month option to extend (pending financial approval)
Location South West England
Organisation the work is for Ministry of Defence Information Systems and Services
Budget range £820,000 including T&S

About the work

Why the work is being done SDSR 2015 concluded that Defence held a capability gap over its ability to conduct Defensive Cyber Operations (DCO) at the scope and scale required to mitigate the evolving threat landscape. The CSOC was included as one of several DCO options funded as the primary risk mitigation activity. The CSOC seeks to deliver a federated and modular operating framework for the defensive cyber force elements from across Defence.
Problem to be solved Support the MOD Cyber Programme in enabling transformation of the conduct of defensive cyber operations at the scope and scale required to achieve Defence outputs. The transformation will cover people, process, information, technology and governance of the CSOC, working with stakeholders from across Defence and synchronised with wider Cyber Programme activity. A surge in capability delivery has driven the requirement for client-side support to the existing crown servant team to achieve programme deadlines by 31 Mar 2019. This task will deliver the planning stage of this transformational work.
Who the users are and what they need to do Ministry of Defence
Early market engagement
Any work that’s already been done Strategy:
Agreed Concept of Operations for the CSOC and initial management structures to enable Defence outputs.

Architecture:
A prioritised set of user & stakeholder requirements, a high-level architecture and the implications for the CSOC federated structure to guide deployment.

Information Architecture:
Understand shared information environments and optimal means of architecting to achieve current and future user needs, allowing MOD to plan delivery and identify early benefits.

Data Science:
Develop understanding of user information needs and criticality of requirements including designing options and methods for exploiting information.
Existing team The existing Programme team consists of Architecture Leads, Project Managers and Technical Support Staff. The user community is distributed across Defence with the core delivery leads based in Corsham and London.
Current phase Alpha

Work setup

Address where the work will take place Expect expertise to work from MOD Corsham and MOD Main Building to support the existing team. T&S is included in the budget.
Working arrangements Expect expertise to work from MOD Corsham and MOD Main Building to support the existing team. T&S is included in the budget.
Security clearance SC Clearance must be in place prior to the contract starting due to the projects the team are required to work with.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Extensive understanding of defensive cyber capabilities and the interactions between them to enable a proactive cyber posture. 20%
  • Proven track record of working with stakeholders to identify requirements, generating programme roadmaps and implementation plans for large-scale complex projects. 20%
  • Extensive understanding of cyber threats particularly in the context of a large government department with users spread both globally and at differing security tiers. 15%
  • Previous experience of establishing a CISO within large organisations and implementing cyber risk management structures to support Board-level decisions. 15%
  • Proven track record of assessing governance procedures for large projects and recommending/implementing improvements. 10%
  • Previous experience of working on complex cyber defence projects. 5%
Nice-to-have skills and experience
  • Experience of working with Defence organisations. 5%
  • Experience of working in cyber security environments. 5%
  • Ability to think creatively and articulate innovative ideas for solving complex business and ICT problems. 5%

How suppliers will be evaluated

How many suppliers to evaluate 3
Proposal criteria
  • Documented evidence of essential skills
  • Documented proposed approach and methodology
  • Clear and concise evidence plus CVs
  • Detailed resources plan
  • Estimated timeframes for the work
  • Confirmation of existing clearances
Cultural fit criteria
  • Must be able to work in a mixed team of Military, MOD Civil Service and industry partners. 2%
  • Able to understand role in the wide context of 'Defence' and national security. 2%
  • Have excellent interpersonal and influencing skills and a positive approach. 2%
  • Ability to transfer knowledge. 2%
  • Values and behaviours in line with MOD core values. 2%
Payment approach Fixed price
Assessment methods Written proposal
Evaluation weighting
  • Technical competence: 70%
  • Cultural fit: 10%
  • Price: 20%

Questions asked by suppliers

Supplier question Buyer answer
1. Can the Authority confirm whether it has a desired team size in mind? e.g 1-5 people, 5-10 people, 10-15 people etc The size of the team will depend on the individual supplier’s proposal. However, it is thought that 4 – 6 people would be sufficient
2. Can you confirm if this assignment sits in-scope or out of scope of IR35? This requirement is out of scope of IR35
3. Would the delivery of this client-side task preclude the successful bidder from participating as a supplier in any future CSOC-related tasks? Suppliers will not be precluded from bidding for future CSOC related opportunities. MOD will allow a supplier to contract for other tasks providing that an actual or potential Conflict of Interest (COI) can be satisfactorily managed to avoid any unfair distortion in competition. Where potential or actual COI are identified, the supplier will be given the opportunity to demonstrate how this can be mitigated and resolved. Should the COI not be able to be satisfactorily managed and a fair and open competition undermined, the supplier may be excluded from the competition.
4. Please provide the Fujitsu contract start date? [DD/MM/YY] Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
5. Please provide the Fujitsu contract start date? [DD/MM/YY] Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
6. 1. Please confirm the following;
2. UK WAN – 947 sites (725/76% completed to date) = 222 remaining [Yes/No]
3. Overseas WAN – Europe, US & Canada, Rest of the World, Cyprus Total # of sites in scope = NNNNN
4. Point to Point Service – Total # of sites in scope = NNNNN
Does this Service consist of fixed line point to point communications to specific sites [Yes/No]?
{Provide a brief description of the Service}
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
7. Please confirm the following:
Above Secret – Total # of sites in scope = NNNNN
• Gateways – Total # of sites in scope = NNNNN
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
8. Please confirm the DFTS Contract Exit Date? [DD/MM/YY] Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
9. What is the main driver behind the 7-month duration specified in the “About the work” definition and do the existing sponsors and stakeholders think this is achievable? There is no reference to a 7 month duration within the advert. The expected contract length is until 31st March 2019 with an option to extend if necessary (subject to approvals).
10. What is the current planned completion date of the GC Implementation Schedule? [DD/MM/YY] Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
11. What is the current planned completion/milestone dates for the following;
UK WAN [DD/MM/YY]
Overseas WAN[DD/MM/YY]
Point to Point Service [DD/MM/YY]
Above Secret[DD/MM/YY]
Gateway Implementations[DD/MM/YY]
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
12. How many existing technology refresh projects have dependencies on GC Implementation programme of work?
a. LAN Infrastructure upgrades [Yes/No]
i. # of sites NNNN/Not Applicable (NA)
ii. # of ports/total users across the above sites NNNN/NA
b. Telephony upgrades [Yes/No]
i. # of sites NNNN/NA
ii. # of ports/total users across the above sites NNNN/NA
c. Desktop Upgrades [Yes/No]
i. # of ports/total users across the above sites NNNN/NA
ii. # of desktop/productivity applications NNNN/NA
d. Service migrations to Cloud technology [Yes/No]
i. Total IaaS projects? NNNN/NA
ii. Total PaaS projects? NNNN/NA
iii. Total SaaS projects? NNNN/NA
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
13. Does an existing portfolio/programme governance structure exist today? [Yes/No]
if yes please provide where possible the structure and roles & responsibilities of each steering committee, etc.
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
14. Will any international travel be required over and above the UK travel specified in the RFP to support this programme of work? [Yes/No] Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
15. 1.Re: the refresh projects and the GC Implementation Programme please confirm the technologies employed today and level of clearance required for engagement;
UK WAN Overseas WAN Point to point Above Secret
Cisco Technology SC SC SC/DV DV
Juniper Networks
Foundry
Ubiquiti
Cato Networks
FortiGate
pfSense
Zone Alarm
Add or delete as appropriate
Unfortunately, we are unsure how your question relates to this requirement and therefore cannot provide a response. Please can you revise and re-submit the question if you still require a response to aid your application
16. What level of security clearance is required. (ie. Is it full DV or only SC)? DV
17. COMMERCIALLY SENSITIVE: Our assumption is that there is no exclusion on bidding for this and FOSM at the same time. Please could you kindly confirm. The supplier will not be excluded from this requirement if they choose to bid on FOSM at the same time.
18. Is there an incumbent supporting the existing team? The current incumbent is KPMG.
19. Please can the Authority confirm the security clearance levels required for staff to deliver this work DV
20. Does this role sit inside or outside IR35? This requirement is out of scope of IR35
21. The opportunity indicates a written, firm-price proposal but there is no place to enter pricing within the online application. Please confirm whether the online application exercise will be used to down select providers. The online application is the 1st stage of the assessment exercise. This stage is used to down select suppliers and those that have met the criteria will be taken through to the 2nd stage of assessments. On the 2nd stage of assessments suppliers will be asked to submit a written proposal in which they will be required to include their firm price.
22. Are there existing materials from the ongoing work that you can release to bidders to better understand the Authorities requirement and work that has already been completed in this area? Unfortunately, we are unable to release these materials due to the sensitivity of the material.
23. Please could you clarify which team the successful bidder will support day to day and which area of ISS are responsible for this requirement? The supplier will be supporting JFC Joint User – London and ISS Cyber Delivery Team – Corsham. The ISS Cyber Delivery Team are responsible for the requirement.
24. Can I presume that the quoted budget is excluding VAT? The budget is inclusive of VAT
25. Please could you confirm if the stated budget is inclusive or exclusive of VAT? The budget is inclusive of VAT
26. Is the stated budget exclusively for work until 31 March 2018 or does it also include the 6 month extension option? The budget is exclusively for work until 31st March 2019
27. If down selected to the next stage, will the written proposal be the standard 2000 word response? The down selected suppliers will be sent the written proposal template from the Digital Marketplace for their completion for the 2nd stage of assessments.
28. In the questions/answers already published, you state DV Clearance is required. The tender requirement states SC Clearance – can you please clarify which Clearance level is required? The clearance level for this requirement is DV.
29. In the questions/answers already published, you state DV Clearance is required. The tender requirement states SC Clearance – can you please clarify which Clearance level is required? The clearance level for this requirement is DV.
30. Re submitting a Response to the Authority's requirements, can you please confirm that following the Application stage, 3 suppliers will be evaluated and asked to submit written proposals including fixed price details, example CV's and other evidence to satisfy your Proposal and Cultural fit criteria? All suppliers that meet the required criteria will be down selected to the 2nd stage of assessments. At the 2nd stage of assessments suppliers will be asked to submit their written proposal, CVs, and Firm Prices for evaluation.
31. In your response to one of the questions (16) you say that DV clearance is required. However, in the description you say that SC is the requirement. Can you confirm the security clearance required? The clearance level for this requirement is DV.
32. Are we constrained to providing company track record as evidence, or can we use experience gained by our team in previous employment? Evidence provided should be based on the individuals who will be carrying out the work.
33. Will information be shared as to the current Operating Model or those described/inherited from the incumbent? This will help highlight the complexity and any legacy constraints that must be managed/ adhered to. This information cannot be released, due to sensitivity of the material, until after contract award.
34. Are there any key milestones tied to deliverables? if so, what are they and when are they? This will allow for suitable allocation of resources versus risk. All work must be complete by 31st March 2019.
35. What access will be provided to the Customer system and what additional resources will be made available? MODNET accounts and relevant documentation will be provided to the successful bidder after contract award.
36. You describe working with Stakeholders across Defence. Will detail for this be made available as part of tender, including frequency, locations etc and the expected level of interaction? This will help formulate a communication plan and a better understanding for the scale of the engagement. The work will predominantly be based in MOD Main Building, and MOD Corsham, with visits to other MOD sites required but less frequently. Details of stakeholders will be made available to the successful bidder.
37. Please can you clarify what you are looking for when you say ‘establishing a CISO within a large organisation’? As a CISO is a person, are you looking for help embedding them (ways of working etc.) or are you looking for help establishing a CSOC, or, cyber risk management structures? Ways of working/ Terms of Reference
38. Please may the authority confirm the meaning of “defensive cyber”? How does this relate specifically to Defensive Cyber Operations in the context of the Defence, or cyber defence capabilities that are industry/sector agnostic? In this context this refers to defensive cyber within the MOD.
39. With the requirement for DV cleared staff to do the work, can they start on SC while awaiting DV clearance? DV must be extant at commencement of the contract.
40. Given the requirement for DV clearances to be sponsored by the organisation specifically, can you please explain how the process will work in this instance? DV must be extant at commencement of the contract.
41. Are there any specific Cyber Security or Architectural frameworks that are mandated or that we would be expected to align with? This information can be provided after contract award to the successful bidder.
42. Are there any critical milestone dates for the onboarding of a new CISO? The TORs for the CISO will need to be in place before recruitment begins, these dates will be confirmed to the successful bidder after contract award.
43. The Security Clearance level in the Bid details mentions SC is required. In your questions, it references that DV is required. Can you please clarify if it's SC or DV? The clearance level for this requirement is DV.
44. What is the use case for the Benefits management process? The Benefits management process is one piece of work, producing use cases is a separate piece.
45. The ITT states consultants must be SC cleared however previous answers show client side working must be cleared to DV. Is it possible to include SC cleared persons in the process of becoming DV? DV must be extant at commencement of the contract.
46. Not all of our resources are SC cleared. Would we have to wait for that clearance before they can start? DV must be extant at commencement of the contract.
47. Not all of our resources are SC cleared. Would we have to wait for that clearance before they can start? DV must be extant at commencement of the contract.
48. Not all of our resources are SC cleared. Would we have to wait for that clearance before they can start? DV must be extant at commencement of the contract.
49. Can we access the report mentioned (sdsr 2015), so that we can understand the gaps identified by it? The Strategic Defence and Security Review 2015 is openly available on the internet and can be found on the Gov.uk website.
50. Do you have or plan to obtain ISO27001? This is not essential but it should be used as industry best practice.
51. The reference to CSOC in this case describes the capabilities and planning of the future state target operating model and how it is achieved. Within the ITT, there is wording that describes a roadmap and implementation plan. Do these terms refer to the roadmap to achieve CSOC (centre) maturity and delivery, or refer to definition and delivery of an initial capability plan? The terms refer to definition and delivery of an initial capability plan.