Ministry of Defence, Information Systems & Services

Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Maritime Domain

Incomplete applications

Incomplete applications
3 SME, 1 large

Completed applications

Completed applications
4 SME, 5 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 13 February 2019
Deadline for asking questions Wednesday 20 February 2019 at 11:59pm GMT
Closing date for applications Wednesday 27 February 2019 at 11:59pm GMT


Opportunity attribute name Opportunity attribute value
Summary of the work CVI Programme services including:
• Domain Cyber Vulnerability and Risk Analysis
• Programme management
• ToI Scoping
• CVI Delivery
• Specialist CVI activities which may include but are not limited to: Technical Testing, concept demonstrators, code analysis
• Cross Domain information sharing, CVI good practice and lessons learned
Latest start date Monday 6 May 2019
Expected contract length 12 months with 1 x 3 month option to extend (pending financial approval)
Location No specific location, eg they can work remotely
Organisation the work is for Ministry of Defence, Information Systems & Services
Budget range Up to £9 million including T&S (Ex VAT) for a 12 month period across all 4 Domains. A DOS competition for Joint will follow in the coming weeks.

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The CVI Programme was established to help the MOD better understand cyber risks across all aspects of its systems. The MOD uses COTS and bespoke equipment in a unique way to achieve military effect. This work will identify the cyber risks and vulnerabilities of military platforms/systems and will ultimately help preserve MOD’s freedom of action.

MOD requires a supplier (industry partnering and subcontracting is encouraged) to deliver CVIs on a service based approach predominantly within the Military Maritime Domain. One similar DOS Requirement will follow in the coming weeks to procure CVIs that are sponsored by the Joint Domain.
Problem to be solved A CVI is the socio-technical analysis of any military related system or platform, known as a Target of Investigation (ToI), to understand where it may be vulnerable to cyber-effects.

MOD has historically procured CVI services individually or in packages, limiting agility in response to changing operational and threat demands, and the flexibility in which suppliers can deliver. There is potential for CVI services of up to £9 million over a 12-month period across all 4 Domains. In Stage 2, as part of the assessment shortlisted suppliers will be asked to provide a proposal for a ToI representative of this domain.
Who the users are and what they need to do The CVI User encompasses anyone who has a role in owning, managing and mitigating cyber risks across the MOD. Through the service-based procurement of CVIs within a single Domain, there is potential for more efficient stakeholder engagement and ability for the Military Maritime Domain CVI Programme Supplier to rapidly learn from experience and form an effective collaborative working relationship with the CVI Ops Cell & Domain specific stakeholders.
Early market engagement The adverts for Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Air and Land Domain were published in December 2018 (Air) and February 2019 (Land).
Any work that’s already been done CVIs have been conducted since 2014. Dstl delivered a number of CVIs to establish a methodology. The CVI Ops cell was established within MOD in 2017 to deliver a 10 year programme of CVIs . CVI Tranches 1, 2 and 3 has been delivered in partnership with Industry. Tranche 3 of the CVI Delivery Programme has just commenced delivery.

This phase of work represents a movement away from the ‘Tranche’ based approach in order to employ a service based commercial mechanism. The term ‘CVIaaS’ will therefore replace the Tranche approach.
Existing team There is no existing team that delivers this requirement. You will be delivering this work for and on behalf of the MOD CVI Ops Cell, established by the Cyber Joint User to lead the delivery and management of CVIs.

The user community is distributed across Defence with the core delivery leads based in Corsham, London and RAF Wyton.
Current phase Not applicable

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place The work will be carried out at a mixture of supplier and MOD locations. User and system visits are expected throughout the duration of the contract.
MOD Locations are likely to include: ISS HQ MOD Corsham, MOD Main Building, London and RAF Wyton.
Working arrangements The bulk of the work will be carried out at Supplier locations. Client Meetings will likely take place in MOD Corsham, MOD Main Building, RAF Wyton and/or the main ToI user’s location.

Technical testing will be performed by agreement (GFE may be provided for testing the movement of equipment should be minimised).

The work is expected to be carried out in the UK. Overseas work required will be addressed by exception and notified to the nominated Domain Manager at the earliest opportunity.

T&S (included in the budget) will be firm priced where possible or reimbursed in line with MOD Policy.
Security clearance Before contract award supplier team member(s) are required to achieve minimum SC clearance and must be UK Nationals. Some TOIs will require DV.

The Authority WILL NOT sponsor clearances, they must be in place and remain valid for the contract duration.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions • We aim to get feedback to you within THREE weeks of the advert closing

• Proposal to be submitted on the templates provided and in Microsoft Office 2016 format only

• Further details will be provided at the Proposal Stage

• Supplier assessment scores will reset at the beginning of the Proposal Stage

• Suppliers must use the electronic procurement tool CP&F

• Tasking process for the service based approach to be defined and released before contract start

• IR 35 information: The intermediaries legislation doesn't apply to this engagement

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Expertise or experience of delivering Cyber Vulnerability Investigations or complex socio-technical cyber vulnerability and risk assessments
  • Expertise & experience of applying human factors to cyber projects, conducting behavioural trials, or analysing cyber behaviours and culture
  • Confirm you have access to facilities with current List-X status for the duration of the contract
  • Please provide your DCPP reference in response to RAR-HA8S6ZMD ( ) Responses from the previous Military Domain adverts will be acceptable where unchanged, please provide the SAQ reference
  • Confirm that you have access to accredited IT, authorised to process OFFICIAL SENSITIVE and SECRET UKEO information for the duration of the contract
  • Experience of managing and delivering projects with a diverse set of stakeholders some with competing objectives
  • Experience of delivering projects where the scope or activities significantly change during the life of the project
  • Experience of resource management where the requirement for particular SQEP may change or surge as the project develops
  • Suitably qualified and experienced personnel required to conduct both the technical and human factors aspects of complex cyber vulnerability and risk assessments
  • Experience of working with the capabilities and operations associated with the Military Martitime Domain
  • Experience of undertaking practical system security testing and vulnerability testing
  • Experience of developing socio-technical and systems of systems models for cyber analysis
  • Experience of Attack Path Analysis and how this technique its applied to cyber analysis
  • Experience of conducting cyber war-gaming or red teaming and its application to cyber analysis
  • Experience of conducting cyber maturity assessments and its application to cyber analysis
  • Experience of using the output of vulnerability identification and impact assessments to generate and quantify evidence-based cyber risks for military and business stakeholders
  • Expertise and experience in conducting open source research, for the purpose of informing cyber vulnerability and risk assessment
Nice-to-have skills and experience
  • Have access to an rli or sli connection enabling email communication at OFFICIAL SENSITIVE or above. Please state your rli email address for future correspondence
  • Experience of accessing information and engaging stakeholders in the Maritime domain
  • Have SQEP and organisational structure to lead and technically assure complex socio-technical cyber vulnerability and risk assessments, such that the outcomes are appropriately focused and reflect the latest cyber-security knowledge
  • Experience developing cyber-risk reports which articulate and quantify risks to complex systems, ensuring the findings and outputs are cognisant of the systems context of operation, utilisation and operating environment

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 3
Proposal criteria
  • Describe your understanding of the Domain including the depth of understanding and your ability to access specialist experience and knowledge. (10%)
  • Describe how you will ensure CVI Reports meet objectives of the various stakeholders. Include how you will use the information derived from CVIs in domain analysis and reporting (6%)
  • Explain how the impact and likelihood risk components will be quantified, what information and analysis will justify the scores, and which CVI activities the information is generated from/during (5%)
  • Describe your approach to delivering multiple CVIs and how your team/s will be structured for the Military Maritime Domain CVI Programme (4%)
  • Outline your approach for accessing specialist technical/domain resources either internally or externally (including how small to medium enterprises may be engaged) (2%)
  • Describe your approach to scoping ToIs and developing robust scoping report for both individual CVIs and in a broader programme context. (2%)
  • Propose how you will apply technical assurance and governance to delivering individual and a portfolio of CVIs. Demonstrate the TA activities that will be conducted by SQEP. (5%)
  • Describe how credibility/accuracy of information collected will be assessed, and how limitations in information or uncertainty and inconsistencies will be accounted for during the articulation of cyber risks (5%)
  • Identify the mechanisms that you would employ to resolve issues in delivering the Military Maritime CVI Programme. (5%)
  • Demonstrate how you will use your domain knowledge and experience and suitably qualified and experienced personnel (SQEP) to deliver the example CVI (10%)
  • Describe your activities during the example CVI, using the CVI guidance (currently v4.2) as a handrail but tailoring it to suit the requirement (5%)
  • Using the Example CVI, identify the quantity of Activity Units you propose for the completion of the example CVI. Provide a rationale for your profile. (8%)
  • Clearly describe the purpose, scope, focus of each activity, and the rationale. For each activity the response must clearly cover both socio and technical aspects of the ToI (5%)
  • For the example CVI detail the evidence collected or generated during the activity, and what aspect of the socio-technical analysis undertaken each piece of evidence is relevant to. (5%)
  • Describe the approach, tools and techniques to be used, explaining where they will be applied, and why they are appropriate to objectives and scope of the example CVI (5%)
  • Describe how you will access the information needed to deliver the example CVI. Propose how you would address a shortfall in this information should this be delayed/ unavailable (5%)
  • For the example CVI detail the SMEs and stakeholders required to support the proposed activities, and the nature of the support required (5%)
  • Provide details of personnel you will use to complete the CVI. Describe how your team/s will be structured for the example CVI and the delivery of the domain (6%)
  • Using the Pricing CVI as a guide to the smallest expected CVI, provide your firm priced offer (per code) for the CVI activities described in the pricing matrix (1%)
  • Provide your rate card against the provided grading levels (1%)
Cultural fit criteria
  • Act with honesty, integrity and transparency at all times. (20%)
  • Work collaboratively to solve problems with stakeholders from multiple organisations, including Public Servants, military stakeholders, other contractors and vendors, to support MOD Defensive Cyber Operations. (15%)
  • Support the CVI Ops Cell proactively in all aspects of the CVI delivery; employing agile behaviours. (20%)
  • Demonstrate commitment to the MOD defensive cyber objectives and be proactive in ensuring that the Service fully supports the delivery of the operational requirement. (10%)
  • Exhibit a ‘can-do’ attitude, seeking resolutions rather than problems, when addressing operational and developmental issues. Use initiative to take ownership of problems and issues to ensure a successful outcome. (20%)
  • Prioritise operational imperative ahead of procedural constraint. (15%)
Payment approach Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Will the customer accept staffing with NATO member country nationals, possessing NATO Cosmic Top Secret clearances? Security information will be provided at Stage 2. However, the supplier is to be aware that it is highly likely that ToIs will be classified UK Eyes Only and as mentioned in the advert, personnel involved are required to be UK nationals with appropriate security clearances.