The Secretary of State for the Home Department

Cyber Security Project Delivery Partner

Incomplete applications

Incomplete applications
10 SME, 10 large

Completed applications

Completed applications
4 SME, 10 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 27 February 2019
Deadline for asking questions Wednesday 6 March 2019 at 11:59pm GMT
Closing date for applications Wednesday 13 March 2019 at 11:59pm GMT


Opportunity attribute name Opportunity attribute value
Summary of the work To work on selected cyber projects funded by the Cabinet Office and Cyber Programme. Requirement is to provide cyber expertise to government departments to pilot and implement initiatives in Threat Hunting, Digital Risk & Intelligence and Cloud SSO to reduce cyber risks. Additional Cyber projects may commence at later stages.
Latest start date Monday 20 May 2019
Expected contract length Up to 2 years (the initial Statement of Work will be for 10 months)
Location London
Organisation the work is for The Secretary of State for the Home Department
Budget range Up to £2.5m for the contract (the initial phase of projects will be for up to £830k exclusive of VAT)

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done The National Cyber Security Strategy details the UK government’s investment in to cyber security, with the vision for 2021 that the UK will be secure and resilient to cyber threats while prosperous and confident in the digital world. To achieve this, it is required to:
• Continue projects across the Cyber Security Programme that demonstrate cyber risk reduction
• Investigate, research and apply cyber security best practices from across government departments and industry partners
• Plan, build and implement a strategy for the delivery and pilot launch of the capabilities
Problem to be solved A supplier is required by the customer to complete the next phase of threat hunting, digital risk and intelligence, cloud Single sign on (SSO) projects and additional planned cyber projects. Deliverables include but are not limited to:
• Delivery plans to launch each capability
• Production of a target operating model
• Build and implementation of a strategy for each area
• Regular updates on progress and share of outcomes
• Pilot launches with a subset of users or functions
Who the users are and what they need to do As an internal user, I want to use one set of authentication details for my work station so that I can access all authorised applications without needing to enter further credentials.
As a security manager, I want to introduce the threat hunting activity, so that I can understand and remediate how existing internal security controls can be evaded across the organisation.
As a cyber-risk owner, I want to understand any potential threats in the public domain so that I can minimise cyber risk to the organisation.
Early market engagement None
Any work that’s already been done The initial discovery phase has resulted in:-
• Key recommendations and early suggestions made for capability adoption across the organisation
• Initial capability maturity models created
• Priority research areas identified
• White paper reports
• Recommendations paper on implementation of SaaS SSO across government including product offering
• Initial delivery plans for piloting capabilities
The on- boarded supplier will receive full details on the existing work and access to documentation.
Existing team The selected supplier will be working as part of the Cyber Security Programme (CSP) alongside existing suppliers. Key stakeholders from the Cabinet Office and National Cyber Security Centre, in addition to the Customer, will be involved in delivery acceptance and approvals.
Current phase Discovery

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place The team will work as part of the CSP, located in Croydon and Central London. Close collaboration with CSOC teams in Manchester will be required and potentially travel to other Departmental locations in the UK on occasion.
Working arrangements The supplier’s team will be required to be located on site for five days (40 hours) per week, whether alongside the programme team in Croydon, or at a Departmental location around the UK.
Occasional travel to regional sites may be required. Day rates will be inclusive of travel and subsistence expenses within M25/Greater London. Travel and subsistence expenses incurred from travel outside of the M25/Greater London will be subject to Home Office Travel and Subsistence Policy.
Security clearance Individuals in the supplier’s team will require Home Office SC clearance, or be willing to undergo Home Office SC clearance checks. The clearance needs to have been achieved before work can commence.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions Standard DOS framework and call-off terms and conditions will apply.
This contract will consist of multiple phases and a statement of work will be created for each phase.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Experience in successful delivery of digital cyber strategy and security models.
  • Experience in writing white papers advising central government departments on cyber security.
  • Experience in successful pilots and implementations (including testing, deployment and transition to live) of cyber security solutions in medium to large organisations.
  • Experience of providing single sign on (SSO) to cloud applications in medium to large sized organisations.
  • Experience of Access Management and SSO technologies and offerings including Ping Identity, Okta and Microsoft AAD.
  • Experience of mobilising an experienced team with required skills within short timescales and to manage their performance over the duration of the contract.
  • Experience of digital cyber security tools and frameworks for threat intelligence and digital risk, specifically open source scraping services and open source tooling, as well as strategies and best practices.
  • Experience of implementing and standardising new working processes and providing a full knowledge transfer to the end customer.
Nice-to-have skills and experience
  • Experience of working in delivery of a cyber programme consisting of multiple suppliers.
  • Experience of options for Network Access Control (NAC) implementation and associated costs.
  • Experience of current endpoint protection tools and solutions.
  • Experience of containerised services, infrastructure and security best practices.
  • Experience of security best practices and vulnerability assessments for third party code adoption.
  • Experience in use of SOC tooling including SIEM and open source scraping tools.

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 5
Proposal criteria
  • Proposed technical solution and implementation plan.
  • Proposed implementation team structure, with CVs outlining relevant experience of each team member.
  • Implementation approach of SSO for cloud applications.
  • Supplier solution, including key considerations, for developing threat hunting and digital risk and intelligence capability.
  • Proposed quality measures and standards on supplier’s deliverables and outputs including testing approach and information on how supplier will implement checks and reviews of their outputs.
  • Recommended solution for transitioning from functional pilot to organisational launch.
  • Proposed KPIs and service levels to measure success
  • Proposed approach to mobilisation of the on-boarded team.
  • Approach to ensuring value for money.
Cultural fit criteria
  • Ability to have effective communication and collaborate within a large programme with multiple suppliers and multiple customers.
  • Work as a team with CSP suppliers, demonstrating a willingness to co-operate/collaborate, with practical mechanisms suggested to achieve this.
  • Approach to issue management, problem resolution and improving ways of working.
  • Approach to commercial and contract management.
  • Ability to use the existing knowledge, experience and lessons learnt from previous similar engagements.
Payment approach Capped time and materials
Assessment methods Written proposal
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Will this engagement be inside or outside IR35? Outside IR35
2. Can you say which supplier(s) were involved in the discovery phase for this project? BAE Systems Applied Intelligence
3. Will all team members be expected to be employed on the project fulltime or may the supplier assign resources based upon requirement and/or on a part time basis? This will be dependent on work-package scope/requirements. Supplier can assign resources based upon requirements and/or on a part time basis for fixed price work-packages. For time and material work-packages, bidders will be expected to propose price based on estimated days for specified SFIA grades. Some of the key staff members may be expected to be deployed full-time.
4. For Threat Hunting: Have you a defined scope for external threats e.g. Dark web and peer-to-peer networks or are you only looking at internal threats? Internal only.
Our definition of Threat Hunting as defined in the initial research paper is: “Threat Hunting is the proactive, iterative and human-centric identification of cyber threats that are internal to an IT network and have evaded existing security controls.”
5. For Digital Risk, do you wish to implement a BYOD policy? We are not looking to implement a BYOD policy as part of the digital risk and intelligence project.
Our definition of Digital Risk & Intelligence as defined in the initial research paper is: “Digital Risk and Intelligence is the process of monitoring, detecting and remediating threats within the public domain, through the control of an organisation’s digital footprint. This is so that issues can be mitigated before threat actors exploit this information, in order to reduce the likelihood of intrusion, and limit the effects of successful attacks when they occur.”
6. For cloud SSO, do you have a preferred provider e.g. Amazon or are you open to suggestions based upon services, security profile and OS The next phase of work will comprise two independent elements:
a) A pilot implementation of SSO for a SaaS application, using Microsoft Azure AD.
b) A wider discovery analysis of the practical issues with deploying IDaaS solutions. For this wider discovery analysis, a selection of IDaaS solutions should be trialled.
7. What payment mechanism(s) will be used for this contract? A Combination of fixed price and capped time and material will be used. The requirements will be broken into work-packages. Each work-package, depending upon the scope and planned milestones, will be either fixed price paid on milestone achievement or capped time and material.