Awarded to Airbus Defence and Space Limited

Start date: Wednesday 15 May 2019
Value: £2,250,000
Company size: large
Ministry of Defence, Information Systems & Services

Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Air Domain

25 Incomplete applications

16 SME, 9 large

9 Completed applications

4 SME, 5 large

Important dates

Thursday 29 November 2018
Deadline for asking questions
Thursday 6 December 2018 at 11:59pm GMT
Closing date for applications
Thursday 13 December 2018 at 11:59pm GMT


Summary of the work
CVI Programme services including:
• Domain Cyber Vulnerability and Risk Analysis
• Programme management
• ToI Scoping
• CVI Delivery
• Specialist CVI activities which may include but are not limited to: Technical Testing, concept demonstrators, code analysis
• Cross Domain information sharing, CVI good practice and lessons learned
Latest start date
Monday 18 March 2019
Expected contract length
12 months with 1 x 3 month option to extend (pending financial approval)
No specific location, eg they can work remotely
Organisation the work is for
Ministry of Defence, Information Systems & Services
Budget range
Up to £9 million including T&S (Ex VAT) for a 12 month period across all 4 Domains. DOS competitions for Joint, Land and Maritime will follow in the coming weeks.

About the work

Why the work is being done
The CVI Programme was established to help the MOD better understand cyber risks across all aspects of its systems. The MOD uses COTS and bespoke equipment in a unique way to achieve military effect. This work will identify the cyber risks and vulnerabilities of military platforms/systems and will ultimately help preserve MOD’s freedom of action.

MOD requires a supplier (industry partnering and subcontracting is encouraged) to deliver CVIs on a service based approach predominantly within the Air Domain. Three similar DOS Requirements will follow in the coming weeks to procure CVIs that are sponsored by Joint, Land and Maritime Domains.
Problem to be solved
A CVI is the socio-technical analysis of any military related system or platform, known as a Target of Investigation (ToI), to understand where it may be vulnerable to cyber-effects.

MOD has historically procured CVI services individually or in packages, limiting agility in response to changing operational and threat demands, and the flexibility in which suppliers can deliver. There is potential for CVI services of up to £9 million over a 12-month period across all 4 Domains. In Stage 2, as part of the assessment shortlisted suppliers will be asked to provide a proposal for a ToI representative of this domain.
Who the users are and what they need to do
The CVI User encompasses anyone who has a role in owning, managing and mitigating cyber risks across the MOD. Through the service-based procurement of CVIs within a single Domain, there is potential for more efficient stakeholder engagement and ability for the Military Air Domain CVI Programme Supplier to rapidly learn from experience and form an effective collaborative working relationship with the CVI Ops Cell & Domain specific stakeholders.
Early market engagement
Any work that’s already been done
CVIs have been conducted since 2014. Dstl delivered a number of CVIs to establish a methodology. The CVI Ops cell was established within MOD in 2017 to deliver a 10 year programme of CVIs . CVI Tranches 1, 2 and 3 has been delivered in partnership with Industry. Tranche 3 of the CVI Delivery Programme has just commenced delivery.

This phase of work represents a movement away from the ‘Tranche’ based approach in order to employ a service based commercial mechanism. The term ‘CVIaaS’ will therefore replace the Tranche approach.
Existing team
There is no existing team that delivers this requirement. You will be delivering this work for and on behalf of the MOD CVI Ops Cell, established by the Cyber Joint User to lead the delivery and management of CVIs.

The user community is distributed across Defence with the core delivery leads based in Corsham, London and RAF Wyton.
Current phase
Not applicable

Work setup

Address where the work will take place
The work will be carried out at a mixture of supplier and MOD locations. User and system visits are expected throughout the duration of the contract.
MOD Locations are likely to include: ISS HQ MOD Corsham, MOD Main Building, London and RAF Wyton.
Working arrangements
The bulk of the work will be carried out at Supplier locations. Client Meetings will likely take place in MOD Corsham, MOD Main Building, RAF Wyton and/or the main ToI user’s location.

Technical testing will be performed by agreement (GFE may be provided for testing the movement of equipment should be minimised).

The work is expected to be carried out in the UK. Overseas work required will be addressed by exception and notified to the nominated Domain Manager at the earliest opportunity.

T&S (included in the budget) will be firm priced where possible or reimbursed in line with MOD Policy.
Security clearance
Before contract award supplier team member(s) are required to achieve minimum SC clearance and must be UK Nationals. Some TOIs will require DV.

The Authority WILL NOT sponsor clearances, they must be in place and remain valid for the contract duration.

Additional information

Additional terms and conditions
• We aim to get feedback to you within THREE weeks of the advert closing

• Proposal to be submitted on the templates provided and in Microsoft Office 2016 format only

• Further details will be provided at the Proposal Stage

• Supplier assessment scores will reset at the beginning of the Proposal Stage

• Suppliers must use the electronic procurement tool CP&F

• Tasking process for the service based approach to be defined and released before contract start

• IR 35 information: The intermediaries legislation doesn't apply to this engagement

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of delivering Cyber Vulnerability Investigations or complex socio-technical cyber vulnerability and risk assessments
  • Experience of undertaking practical system security and vulnerability testing, behavioural assessments, and business analysis activities
  • Knowledge and experience of the capabilities and operations supporting the Military Air domain
  • Confirm you have access to facilities with current List-X status for the duration of the contract
  • Please provide your DCPP reference in response to RAR-HA8S6ZMD ( )
  • Confirm that you have access to accredited IT, authorised to process OFFICIAL SENSITIVE and SECRET UKEO information for the duration of the contract
  • Experience of management and delivery of multiple concurrent complex cyber projects
  • Experience of management and delivery projects with a diverse set of stakeholders
  • Experience of delivering projects where the scope and activities evolve or significantly change and where skills and experience required by delivery personnel changes throughout the life of the project
  • Experience of resource and workload management where a limited pool of suitably skilled and experienced resources are utilised to deliver multiple, concurrent complex socio-technical cyber vulnerability and risk assessments
  • SQEP required to lead and technically assure complex socio-technical cyber vulnerability and risk assessments, such that the outcomes are appropriately focused, comprehensive, accurate and reflect the latest cyber-security knowledge
  • Proven knowledge and experience of developing Socio-Technical and System of Systems models for cyber analysis
  • Proven knowledge and experience of applying human factors, behavioural and cultural assessment to cyber analysis
  • Proven knowledge and experience of Attack Path Analysis and how the technique is applied to cyber analysis
  • Proven knowledge and experience of conducting cyber war-gaming or red teaming
  • Proven experience in conducting cyber maturity assessments and its application to cyber analysis
  • Experience delivering outcome focused cyber security vulnerability and risk assessments which evolve in an iterative manner to ensure the desired outcomes are delivered
  • Experience of undertaking vulnerability identification and impact assessments, and generating and quantifying evidenced cyber risks for MOD’s military and business users
  • Experience of conducting Open Source Research and Intelligence to support and underpin cyber vulnerability risk analysis
Nice-to-have skills and experience
  • Ability to receive and send emails classified at OFFICIAL SENSITIVE or have an RLI/SLI connection
  • Expertise and experience in Cyber Security / Information Assurance, Human Factors, System Engineering and Design, Computing/IT, technical security and vulnerability testing and evaluation, practical behavioural and business analyst assessments
  • Experience developing cyber-risk reports which articulate and quantify risks to complex systems, ensuring the findings and outputs are cognisant of the systems context of operation, utilisation and operating environment

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • Demonstrate how you will use your experience and suitably qualified and experienced personnel (SQEP) to deliver the example CVI (10%)
  • Describe your understanding of the Domain including the depth of understanding and your ability to access specialist experience and knowledge. How will this be applied to the example CVI? (10%)
  • Using the Pricing CVI as a guide to the smallest expected CVI, provide your firm priced offer (per code) for the CVI activities described in the pricing matrix (1%)
  • Provide your rate card against the provided grading levels (1%)
  • Using the Example CVI, identify the Activity Units you propose for the completion of the example CVI. Provide details of the personnel you will use to complete the CVI (8%)
  • Identify the mechanisms that you would employ to resolve issues in delivering the Military Air CVI Programme. Identify the potential challenges and associated mitigations in delivering the example CVI (4%)
  • Describe how you will ensure CVI Reports meet the objectives of the various stakeholders. Include how you will use the information derived from CVIs in domain analysis and reporting (6%)
  • Propose how you will apply technical assurance and governance to delivering the example CVI and a portfolio of CVIs. Demonstrate the TA activities that will be conducted by SQEP. (5%)
  • Describe your approach to delivering multiple CVIs. Describe how your team/s will be structured for the example CVI and the Military Air Domain CVI Programme (3%)
  • Outline your approach for accessing specialist technical/domain resources either internally or externally (including how small to medium enterprises may be engaged) (2%)
  • Describe your approach to scoping ToIs and developing robust scoping report for both individual CVIs and in a broader programme context (5%)
  • Describe how you will access the information needed to deliver the example CVI. Propose how you would address a shortfall in this information should this be delayed and/or unavailable (5%)
  • Describe your activities during the example CVI, using the CVI guidance (currently v4.2) as a handrail but tailoring it to suit the requirement (5%)
  • Clearly describe the purpose, scope and focus of each activity, and the rationale. For each activity the response must clearly cover both socio and technical aspects of the ToI (5%)
  • Describe the approach, tools and techniques to be used, explaining where they will be applied, and why they are appropriate to the objectives and scope of the example CVI (5%)
  • For the example CVI detail the evidence collected or generated during the activity, and what aspect of the socio-technical analysis undertaken each piece of evidence is relevant to. (5%)
  • Where the CVI Guidance mandates a specific assessment approach and/or scoring criteria to be used please confirm your compliance. Describe how these will be applied to the example CVI (5%)
  • For the example CVI detail the SMEs and stakeholders required to support the proposed activities, and the nature of the support required (5%)
  • Describe how credibility/accuracy of information collected will be assessed, and how limitations in the information or uncertainty and inconsistencies will be accounted for during the articulation of cyber risks (5%)
  • Explain how the impact and likelihood risk components will be quantified, what information and analysis will justify the scores, and which CVI activities the information is generated from/during (5%)
Cultural fit criteria
  • Act with honesty, integrity and transparency at all times. (20%)
  • Work collaboratively to solve problems with stakeholders from multiple organisations, including Public Servants, military stakeholders, other contractors and vendors, to support MOD Defensive Cyber Operations. (15%)
  • Support the CVI Ops Cell proactively in all aspects of the CVI delivery; employing agile behaviours. (20%)
  • Demonstrate commitment to the MOD defensive cyber objectives and be proactive in ensuring that the Service fully supports the delivery of the operational requirement. (10%)
  • Exhibit a ‘can-do’ attitude, seeking resolutions rather than problems, when addressing operational and developmental issues. Use initiative to take ownership of problems and issues to ensure a successful outcome. (20%)
  • Prioritise operational imperative ahead of procedural constraint. (15%)
Payment approach
Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. The deadline for the down select phase is stated as "Thursday 13 December 2018 at 11:59pm GMT.". Please can you highlight the deadline for the full bid submission (if down selected).
We are aiming for the down selected suppliers from the first stage to be asked to submit their bids for the second stage w/c 28th January, however all suppliers will be made aware if this date changes
2. Please can you clarify the role of Atkins, as we are told they are working in a client-side bid support function.
Atkins currently support the Authority in a client-side function. All suppliers that bid need to adhere to MOD policy which allows a supplier to operate on both client and supply side providing that an actual or potential Conflict of Interest (COI) can be satisfactorily managed to avoid unfair distortion in competition. Where potential or actual COIs are identified, the supplier will have the opportunity to demonstrate in their bid how this can be mitigated and resolved.  If the COI is unable to be satisfactorily managed and a fair and open competition undermined, the supplier may be excluded from the competition.
3. Can you please confirm the timescales following the submission on the 13th December? Including when suppliers will be notified if they have been successful/unsuccessful in getting to the next stage, and contract award. Thank you.
We are aiming for the down selected suppliers from the first stage to be asked to submit their bids for the second stage w/c 28th January, and all other dates will be released during the competition with a current aim for the successful supplier to begin work w/c 18th March, however all suppliers will be made aware if these dates change
4. Please can you provide a copy of the CVI Guidance V4.2 referred to in the bid documentation.
A copy of the CVI Guidance V4.2 will be sent as part of the second stage to down selected suppliers, no further information can be sent to suppliers at this stage
5. We are an SME with CVI specialists with a range of SC and DV clearances, but we do not believe that we are large enough in turnover terms or have enough specialists to fully meet this requirement. The customer will be aware that specialist CVI resources are rare and it is unlikely that one supplier will be able to support all of the domains.
We would like to approach a larger bidder to offer our support. How do various bidders identify each other in order to collaborate and thereby secure best access for the customer to this limited resource pool?
To clarify, this DOS advert is only for the Air Domain and the other three Domain adverts will be released at a later date (as mentioned in the advert). Therefore, for this advert we are not asking for one supplier to be able to support all of the domains, only the Air Domain. Given the nature of DOS3, we are unable to identify interested bidders.
6. Can you please confirm that the Risk Assessment Reference (RAR) for the Supplier Assurance Questionnaire (SAQ) is RAR-HA8S6ZMD?
When entering this reference number into the SAQ, an error message appears: "Reference must be for a published, non-sample RA and should not be for a Not Applicable Cyber Risk Profile".
The RAR has been checked and should now be available – apologies for any inconvenience
7. Can you please confirm the marking criteria for this stage? Thank you.
The marking criteria for the first stage will be the suppliers evidence against the Nice to Have and Essential Skills evaluated using the DOS standard 0,1,2 and 3 marking system
8. Could you confirm that the RAR reference is valid? As this report has yet to be published then we aren't able to process the DCPP with that RAR reference which is preventing the submission of our response. Thank you.
The RAR has been checked and should now be available – apologies for any inconvenience
9. We are very interested in this opportunity and believe we are extremely well-placed to deliver against the requirements. However, we would like to confirm that this is an opportunity best-served by a multi-disciplinary team, rather than being a manpower substitution-type role.
We can confirm this is not a manpower substitution type of role, the requirement is for a supplier to deliver CVIs on a service based approach as described in the advert.
10. The security clearance requirement lists that the contract awarded supplier is required to have a minimum SC clearance in place, which the authority will not sponsor. It is best practice for a government department to sponsor a supplier to obtain the required clearance level, unless it is absolutely necessary to have before the contract starts. If this is the case, please state why the supplier will need to have clearances in place.
Due to the nature of this requirement, it is necessary for all suppliers to have a minimum of SC clearance in place prior to applying for the work. A number of the criteria focus around areas such as List X status. In Stage 2 suppliers will be sent Official Sensitive information to complete the proposal and case studies, and due to timescales, the successful supplier will be expected to begin tasking on Day 1 of the contract – therefore, for this to be achieved clearances need to be in place for suppliers to view/receive relevant information and begin tasking.