Information Application Services (IAS) Army Headquarters

DInfoCom/0067 - Provision of Security Architecture Compliance (SAC)

Incomplete applications: 6 (3 SME, 3 large)
Completed applications: 13 (10 SME, 3 large)

Important dates
Published Thursday 2 May 2019
Deadline for asking questions Thursday 9 May 2019 at 11:59pm GMT
Closing date for applications Thursday 16 May 2019 at 11:59pm GMT

Overview
Summary of the work Provision of a cost effective, flexible security architecture compliance service that ensures policy compliance and can meet the demands of IAS’s requirements to support and maintain the current applications services and also provide security architecture compliance services for new requirements that are technology agnostic.
Latest start date Monday 1 July 2019
Expected contract length 2 years
Location South East England
Organisation the work is for Information Application Services (IAS) Army Headquarters
Budget range

About the work
Why the work is being done IAS is an internal software house that provides hosting and through life application-based Information Services to meet the demands of the Army and wider Defence. There is a requirement to provide security architecture, compliance and information assurance services to ensure all IAS services are coherent with policy. It delivers hosting capability across 3 domains and currently supplies 69 services supporting enterprise resource planning, HR, finance, logistics and asset management.
IAS utilises DevSecOps to deliver applications through a fully automated delivery pipeline to the production environment, using Oracle and Microsoft production platforms on the Army Hosting Environment and Joint Server Farm.
Problem to be solved Provision of a cost effective, flexible security architecture compliance service that ensures policy compliance and can meet the demands of IAS’s requirements to support and maintain the current applications services and also provide security architecture compliance services for new requirements that are technology agnostic.
Who the users are and what they need to do The users of applications are regulars, reserves, civil servants and contractors across the Army and wider Defence. The users are required to log on to the Ministry of Defence Network and browse to the appropriate URL. Access is granted via single sign on.

The users need compliant, secure, highly performant and available application services to provide information in the right context to undertake their business functions to enable the day-to-day operation of the British Army and wider Defence.
Early market engagement
Any work that’s already been done
Existing team The existing team consists of various parties to support the full software development lifecycle. This includes areas such as infrastructure support, support to ops, in-service management, programme management and service transition. These areas are provided by a combination of military personnel, civil servants and personnel from other suppliers.
Current phase Live

Work setup
Address where the work will take place The place of delivery for the contract shall be at such location(s) as agreed between the outcomes supplier and the Authority. The primary location for IAS is Andover, Hampshire.
Working arrangements The supplier will deliver within MoD and IAS standards, policies and processes predominantly in the form of: National Cyber Security Centre advice and guidance, JSP440 (security), JSP604 (joining rules) to gain accreditation, and compliance with Government data guidance policy and legislation regarding information assurance. The technical security assurance requires risk assessment, management and audit capabilities.
Expenses are only to be incurred with the prior agreement of the Authority. All claims are to be in line with MoD Civil Servant rates and or practices.
Security clearance Security Clearance (SC) will be required for the duration of the role. Incumbents are to follow both the letter and spirit of Army Headquarters security regulations.

Additional information
Additional terms and conditions DEFCON 5J (Edn 18/11/16) Unique Identifiers
DEFCON 76 (Edn 12/06) Contractors on site
DEFCON 129J (Edn 18/11/16) Electronic business Delivery Form
DEFCON 513 (Edn 11/16) Value Added Tax
DEFCON 516 (Edn 04/12) Equality
DEFCON 518 (Edn 02/17) Transfer
DEFCON 531 (Edn 11/14) Disclosure of Information
DEFCON 534 (Edn 06/17) Subcontracting and Prompt Payment
DEFCON 537 (Edn 06/02) Rights of Third Parties
DEFCON 550 (Edn 02/14) Child Labour and Employment Law
DEFCON 566 (Edn 12/18) Change of control of contractor
DEFCON 642 (Edn 06/14) Progress meetings
DEFCON 658 (Edn 10/17) Cyber
DEFCON 694 (Edn 07/18) Accounting for Property of the Authority

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Proven strong security background with a focus on ICT security complemented by familiarity with general security policy.
  • Demonstrable experience within the last 3-years of the provision of advice and guidance to a Security Assurance Co-ordinator (SAC) as defined in relevant security policy frameworks.
  • Demonstrable experience within the last 3-years of managing the security aspects of the transition of projects into a live environment.
  • Demonstrable experience within the last 3-years of assurance of project security plans and products, such as Security Risk Assessments and Risk Management Accreditation Document Set (RMADS).
  • Demonstrable experience within the last 3-years of co-ordinating with project stakeholders to ensure a common understanding of security requirements, security risk and countermeasures in support of security assurance and approvals.
  • Demonstrable experience within the last 3-years of producing security strategies, policies and supporting documentation.
  • Demonstrable experience within the last 3-years of security compliance auditing.
  • Proven recent and demonstrable skills covering Security Management; Governance, Risk and Compliance; Information Risk Assurance; Architecture, Network and Application Security; Incident Response and Forensic Investigation and Business Continuity Management.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to scoping threat and vulnerability assessments.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to conducting technical risk assessments.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to vulnerability / penetration testing planning.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to control deficiencies.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to effectively communicating assessment findings, rationale and recommendations.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to Cabinet Office IAMM return construction / reviews.
  • Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to Data Protection compliance reviews.
  • Demonstrable experience within the last 3-years of working in a matrix environment and clear evidence of ability to interact with other practice disciplines.
  • Demonstrable experience within the last 3-years of strong written and spoken communication skills supported by strong presentation skills.
  • Proven recent and demonstrable experience of delivering security compliance services into an Agile /DevSecOps organisation.
Nice-to-have skills and experience
  • Experience of working within MoD-specific security architecture, compliance and information assurance services.
  • Professional designation such as an accounting designation or Information Security certification such as CISSP, CISA or CISM that establish credibility and capability in the Information Security market.
  • ISO27001 Lead Auditor.
  • CESG Certified Professional (CCP) (Security and Information Risk Advisor, at Practitioner level).

How suppliers will be evaluated
How many suppliers to evaluate 4
Proposal criteria
  • Say how you will meet the buyer's requirements. (4%)
  • Approach and methodology to meeting the requirements outlined in RFP. (4%)
  • Approach for transition of service, running and knowledge transfer. (4%)
  • Give examples of KPIs and SLAs that you would be prepared to commit to for this contract. (2%)
  • Provide an exit plan for the transition to an alternative supplier at the end of the contract and enable the transition. (2%)
  • Provide evidence of skills/experience of team who’ll be doing the work and how they’ll work together. List roles, responsibilities and the number of people for each role/stage of work. (10%)
  • Provide team structure, CVs and relevant experience of the team who could be part of the service. (8%)
  • Provide two referenceable client-focussed case studies where your company have provided the desired service capability. (4%)
  • Ability to mobilise the team quickly and approach to service continuity. (3%)
  • Explain how you plan to retain key resources/ skills for the duration of the contract and how you can commit to meet IAS’s continuous need for development activities. (3%)
  • Ability to scale up and down resources, whilst ensuring quality and consistency. (2%)
  • How the proposal will optimise costs, and generate savings. In particular minimising transition costs between the current team and the new supplier. (2%)
  • Identification of the risks and dependencies associated with this requirement and potential mitigation. (2%)
Cultural fit criteria
  • Recent proven experience in working with the product owner to ensure compliance. (1%)
  • Recent proven experience of an open and collaborative working relationship at all levels with excellent communication and co-ordination skills when conducting team meetings, presentation and demonstrations. (2%)
  • Has a no-blame culture and encourages people to learn from their mistakes, working as “one team”. (2%)
  • Suppliers must demonstrate an ability and willingness to work collaboratively within a multi-vendor delivery environment. (2%)
  • Able to communicate effectively with all members of IAS and solve issues amongst complex integrations. (2%)
  • Proven ability to add value to IAS through the use of innovation, continuous improvement and cost savings utilising technology. (1%)
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Presentation
Evaluation weighting
  • Technical competence 50%
  • Cultural fit 10%
  • Price 40%

Questions asked by suppliers
1. Is there a current incumbent? There is a current incumbent but they are contracted against a different framework.
2. What's the overall budget? The Authority has a budget but, to ensure we obtain Value for Money, I am not in a position to divulge the budget.
3. Are you looking for a team to provide the security architecture – if so how many consultants are you looking for? As this requirement is an outcome based Contract I am unable to specify the team size; however, within the advert, essential skills and experience, we request demonstrable experience within the last 3 years of numerous ICT security aspects.
4. What are the current application services provided by IAS? IAS provides hosting and through life application-based information services to the Army and wider Defence; predominantly through web applications accessible either on the intranet or on Defence infrastructure. It comprises a core of circa 107 personnel across Military, Civil Servants and core Tech Sp staff which includes elements from 243 Signal Troop that directly support IAS. This figure increases when new products are in delivery.
5. What are the compliance requirements of IAS? JSP 440, ISO27001, etc.? Provide security architecture, compliance and information assurance service. Ensures all IAS services are coherent with MoD Policy predominantly in the form of JSP440 (security) and JSP604 (Joining rules) to gain accreditation, and government guidance, policy and legislation regarding information assurance including ISO27001. This requires risk assessment, management and audit capabilities.
6. What type of future projects are expected to be encountered during the contract? This is likely to vary from day to day but will include new hosting requirements similar to those already provided.
7. Are there any other security personnel supporting the project? IAS is established for three security civil servants to support its software house.
8. What type of architecture are these applications hosted on? Please send an e-mail to nigel.rummey399@mod.gov.uk to request a copy of the SoR.