Ministry of Defence, Information Systems & Services

Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Joint Domain

Incomplete applications: 3 (0 SME, 3 large)
Completed applications: 10 (4 SME, 6 large)
Important dates

Published: Thursday 21 February 2019
Deadline for asking questions: Thursday 28 February 2019 at 11:59pm GMT
Closing date for applications: Thursday 7 March 2019 at 11:59pm GMT

Overview

Summary of the work: CVI Programme services including:
• Domain Cyber Vulnerability and Risk Analysis
• Programme management
• ToI Scoping
• CVI Delivery
• Specialist CVI activities which may include but are not limited to: Technical Testing, concept demonstrators, code analysis
• Cross Domain information sharing, CVI good practice and lessons learned
Latest start date: Monday 13 May 2019
Expected contract length: 12 months with 1 x 3 month option to extend (pending financial approval)
Location: No specific location, e.g. they can work remotely
Organisation the work is for: Ministry of Defence, Information Systems & Services
Budget range: Up to £9 million including T&S (ex VAT) for a 12 month period across all 4 Domains.

About the work

Why the work is being done: The CVI Programme was established to help the MOD better understand cyber risks across all aspects of its systems. The MOD uses COTS and bespoke equipment in a unique way to achieve military effect. This work will identify the cyber risks and vulnerabilities of military platforms/systems and will ultimately help preserve MOD’s freedom of action.

MOD requires a supplier (industry partnering and subcontracting is encouraged) to deliver CVIs on a service based approach predominantly within the Military Joint Domain. All four of the Domain DOS Requirements have now been published on the Digital Marketplace.
Problem to be solved: A CVI is the socio-technical analysis of any military related system or platform, known as a Target of Investigation (ToI), to understand where it may be vulnerable to cyber-effects.

MOD has historically procured CVI services individually or in packages, limiting agility in response to changing operational and threat demands, and the flexibility with which suppliers can deliver. There is potential for CVI services of up to £9 million over a 12-month period across all 4 Domains. In Stage 2, as part of the assessment, shortlisted suppliers will be asked to provide a proposal for a ToI representative of this domain.
Who the users are and what they need to do: The CVI User encompasses anyone who has a role in owning, managing and mitigating cyber risks across the MOD. Through the service-based procurement of CVIs within a single Domain, there is potential for more efficient stakeholder engagement and the ability for the Military Joint Domain CVI Programme Supplier to rapidly learn from experience and form an effective collaborative working relationship with the CVI Ops Cell and Domain specific stakeholders.
Early market engagement: The adverts for Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Air, Land and Maritime Domains were published in December 2018 (Air) and February 2019 (Land and Maritime).
Any work that’s already been done: CVIs have been conducted since 2014. Dstl delivered a number of CVIs to establish a methodology. The CVI Ops Cell was established within MOD in 2017 to deliver a 10 year programme of CVIs. CVI Tranches 1, 2 and 3 have been delivered in partnership with Industry. Tranche 3 of the CVI Delivery Programme has just commenced delivery.

This phase of work represents a movement away from the ‘Tranche’ based approach in order to employ a service based commercial mechanism. The term ‘CVIaaS’ will therefore replace the Tranche approach.
Existing team: There is no existing team that delivers this requirement. You will be delivering this work for and on behalf of the MOD CVI Ops Cell, established by the Cyber Joint User to lead the delivery and management of CVIs.

The user community is distributed across Defence with the core delivery leads based in Corsham, London and RAF Wyton.
Current phase: Not applicable

Work setup

Address where the work will take place: The work will be carried out at a mixture of supplier and MOD locations. User and system visits are expected throughout the duration of the contract.
MOD Locations are likely to include: ISS HQ MOD Corsham, MOD Main Building, London and RAF Wyton.
Working arrangements: The bulk of the work will be carried out at Supplier locations. Client Meetings will likely take place in MOD Corsham, MOD Main Building, RAF Wyton and/or the main ToI user’s location.

Technical testing will be performed by agreement (GFE may be provided for testing; the movement of equipment should be minimised).

The work is expected to be carried out in the UK. Overseas work required will be addressed by exception and notified to the nominated Domain Manager at the earliest opportunity.

T&S (included in the budget) will be firm priced where possible or reimbursed in line with MOD Policy.
Security clearance: Before contract award, supplier team member(s) are required to hold minimum SC clearance and must be UK Nationals. Some ToIs will require DV.

The Authority WILL NOT sponsor clearances, they must be in place and remain valid for the contract duration.

Additional information

Additional terms and conditions:
• We aim to get feedback to you within THREE weeks of the advert closing

• Proposal to be submitted on the templates provided and in Microsoft Office 2016 format only

• Further details will be provided at the Proposal Stage

• Supplier assessment scores will reset at the beginning of the Proposal Stage

• Suppliers must use the electronic procurement tool CP&F

• Tasking process for the service based approach to be defined and released before contract start

• IR 35 information: The intermediaries legislation doesn't apply to this engagement

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
  • Expertise or experience of delivering Cyber Vulnerability Investigations or complex socio-technical cyber vulnerability and risk assessments
  • Expertise & experience of applying human factors to cyber projects, conducting behavioural trials, or analysing cyber behaviours and culture
  • Confirm you have access to facilities with current List-X status for the duration of the contract
  • Please provide your DCPP reference in response to RAR-HA8S6ZMD ( https://supplier-cyber-protection.service.gov.uk/login?qlid=%40RnPT0%3DNjJNT08%3DUFZsRV ). Responses from the previous Military Domain adverts will be acceptable where unchanged; please provide the SAQ reference
  • Confirm that you have access to accredited IT, authorised to process OFFICIAL SENSITIVE and SECRET UKEO information for the duration of the contract
  • Experience of managing and delivering projects with a diverse set of stakeholders some with competing objectives
  • Experience of delivering projects where the scope or activities significantly change during the life of the project
  • Experience of resource management where the requirement for particular SQEP may change or surge as the project develops
  • Suitably qualified and experienced personnel required to conduct both the technical and human factors aspects of complex cyber vulnerability and risk assessments
  • Experience of working with the capabilities and operations associated with the Military Joint Domain
  • Experience of undertaking practical system security testing and vulnerability testing
  • Experience of developing socio-technical and systems of systems models for cyber analysis
  • Experience of Attack Path Analysis and how this technique is applied to cyber analysis
  • Experience of conducting cyber war-gaming or red teaming and its application to cyber analysis
  • Experience of conducting cyber maturity assessments and its application to cyber analysis
  • Experience of using the output of vulnerability identification and impact assessments to generate and quantify evidence-based cyber risks for military and business stakeholders
  • Expertise and experience in conducting open source research, for the purpose of informing cyber vulnerability and risk assessment
Nice-to-have skills and experience
  • Have access to an RLI or SLI connection enabling email communication at OFFICIAL SENSITIVE or above. Please state your RLI email address for future correspondence
  • Experience of accessing information and engaging stakeholders in the Joint domain
  • Have SQEP and organisational structure to lead and technically assure complex socio-technical cyber vulnerability and risk assessments, such that the outcomes are appropriately focused and reflect the latest cyber-security knowledge
  • Experience developing cyber-risk reports which articulate and quantify risks to complex systems, ensuring the findings and outputs are cognisant of the systems context of operation, utilisation and operating environment

How suppliers will be evaluated

How many suppliers to evaluate: 3
Proposal criteria
  • Describe your understanding of the Domain including the depth of understanding and your ability to access specialist experience and knowledge. (10%)
  • Describe how you will ensure CVI Reports meet objectives of the various stakeholders. Include how you will use the information derived from CVIs in domain analysis and reporting (6%)
  • Explain how the impact and likelihood risk components will be quantified, what information and analysis will justify the scores, and which CVI activities the information is generated from/during (5%)
  • Describe your approach to delivering multiple CVIs and how your team/s will be structured for the Military Joint Domain CVI Programme (4%)
  • Outline your approach for accessing specialist technical/domain resources either internally or externally (including how small to medium enterprises may be engaged) (2%)
  • Describe your approach to scoping ToIs and developing robust scoping reports for both individual CVIs and in a broader programme context. (2%)
  • Propose how you will apply technical assurance and governance to delivering individual and a portfolio of CVIs. Demonstrate the TA activities that will be conducted by SQEP. (5%)
  • Describe how credibility/accuracy of information collected will be assessed, and how limitations in information or uncertainty and inconsistencies will be accounted for during the articulation of cyber risks (5%)
  • Identify the mechanisms that you would employ to resolve issues in delivering the Military Joint CVI Programme. (5%)
  • Demonstrate how you will use your domain knowledge and experience and suitably qualified and experienced personnel (SQEP) to deliver the example CVI (10%)
  • Describe your activities during the example CVI, using the CVI guidance (currently v4.2) as a handrail but tailoring it to suit the requirement (5%)
  • Using the Example CVI, identify the quantity of Activity Units you propose for the completion of the example CVI. Provide a rationale for your profile. (8%)
  • Clearly describe the purpose, scope, focus of each activity, and the rationale. For each activity the response must clearly cover both socio and technical aspects of the ToI (5%)
  • For the example CVI detail the evidence collected or generated during the activity, and what aspect of the socio-technical analysis undertaken each piece of evidence is relevant to. (5%)
  • Describe the approach, tools and techniques to be used, explaining where they will be applied, and why they are appropriate to objectives and scope of the example CVI (5%)
  • Describe how you will access the information needed to deliver the example CVI. Propose how you would address a shortfall in this information should it be delayed/unavailable (5%)
  • For the example CVI detail the SMEs and stakeholders required to support the proposed activities, and the nature of the support required (5%)
  • Provide details of personnel you will use to complete the CVI. Describe how your team/s will be structured for the example CVI and the delivery of the domain (6%)
  • Using the Pricing CVI as a guide to the smallest expected CVI, provide your firm priced offer (per code) for the CVI activities described in the pricing matrix (1%)
  • Provide your rate card against the provided grading levels (1%)
Cultural fit criteria
  • Act with honesty, integrity and transparency at all times. (20%)
  • Work collaboratively to solve problems with stakeholders from multiple organisations, including Public Servants, military stakeholders, other contractors and vendors, to support MOD Defensive Cyber Operations. (15%)
  • Support the CVI Ops Cell proactively in all aspects of the CVI delivery; employing agile behaviours. (20%)
  • Demonstrate commitment to the MOD defensive cyber objectives and be proactive in ensuring that the Service fully supports the delivery of the operational requirement. (10%)
  • Exhibit a ‘can-do’ attitude, seeking resolutions rather than problems, when addressing operational and developmental issues. Use initiative to take ownership of problems and issues to ensure a successful outcome. (20%)
  • Prioritise operational imperative ahead of procedural constraint. (15%)
Payment approach: Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting
  • Technical competence: 75%
  • Cultural fit: 5%
  • Price: 20%

Questions asked by suppliers

1. Supplier question: Is there an incumbent already completing this work or is this a new piece of work?
Buyer answer: We can confirm there is not an incumbent for this requirement. As described in the advert, this work has been advertised for four Domains – Air, Land and Maritime have already been advertised and this is the final Domain advert (Joint).

2. Supplier question: Can a bidder win more than one of the CVIaaS domains?
Buyer answer: The CVIaaS Domains have been published as separate requirements, so it is possible for a single bidder to win more than one of the contracts.

3. Supplier question: Your requirement says you require SC clearance and MOD will not sponsor.
However, DOS framework rules state "You shouldn’t exclude suppliers if they don’t currently have the security clearance you need" and CCS have stated that "[DOS] Buyers cannot exclude prospective suppliers for not holding a security clearance. If they were to require security clearance, they must state that the buyers will sponsor them if they are to be awarded the contract."
Can you explain why you are not following the framework rules for this procurement and excluding suppliers from bidding for this work?
Buyer answer: Due to the nature of this requirement, it is necessary for all suppliers to have a minimum of SC clearance in place prior to applying for the work in order for the Supplier to review the Stage 2 documentation and to begin tasking from Day 1 of the contract – CCS have agreed this approach in these circumstances.

4. Supplier question:
1. Please can you confirm what the Military Joint domain includes, e.g. does this include systems and processes at DE&S, AWE and other agencies?
2. Please confirm the locations in-scope within this domain.
Buyer answer: Targets of Investigation (ToI) and locations cannot be provided at this point due to their classification. An example ToI will be provided for those suppliers who reach Stage 2; this should give an idea of the type of ToIs that will be included in the Joint Domain. Further ToIs will not be discussed until after Contract Award.