HM Land Registry

Cyber Security - Delivery Partner

Incomplete applications

21
Incomplete applications
15 SME, 6 large

Completed applications

17
Completed applications
9 SME, 8 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Thursday 6 June 2019
Deadline for asking questions Thursday 13 June 2019 at 11:59pm GMT
Closing date for applications Thursday 20 June 2019 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Summary of the work HM Land Registry are looking for a cyber security partner to work alongside HM Land Registry’s in-house IT security teams.

The partner will work on selected cyber projects providing leadership, knowledge, strategy and technical resource.
Latest start date Monday 2 September 2019
Expected contract length The expected contract length is up to 24 months.
Location South West England
Organisation the work is for HM Land Registry
Budget range Anticipated value up to £300,000

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done In HM Land Registry’s Business Strategy 2017-2022, we committed to continually strengthen and mature our security defences to address increasingly sophisticated threats. HM Land Registry are investing in a Cyber project to transform our cyber capabilities and the Cyber Partner will assist in shaping and delivering workstreams within this project.
Problem to be solved A partner is required to support the following:

• Manage an IT Security Team.
• Review current team practices and provide suggestions for improvement.
• Provide cyber security strategy and delivery.
• Provide technical resource to help in the delivery of cyber security projects and work packages.
• Provide Security Architecture resource assisting in the development of security patterns and assurance of services.
• Share knowledge and develop security standards for emerging technologies / techniques.
• Perform detailed due diligence verification activities on specific third party suppliers managing or holding key information assets.
Who the users are and what they need to do N/A
Early market engagement
Any work that’s already been done Business as usual activity is currently performed by HM Land Registry’s core security teams. As a partner you will be continually involved in the security of HM Land Registry’s infrastructure and services.

A gap analysis exercise has been completed, this has resulted in the creation of a Cyber project under which 9 workstreams will be delivered to increase security capabilities.
- SIEM
- Password Policy
- 2FA
- Threat Intelligence
- DMARC
- Endpoint Protection
- PAM / PAW
- Code scanning
- Application whitelisting
Existing team The selected supplier will be working as part of the Cyber project alongside internal teams including IT Security, Security Operations and Security Architecture.
Current phase Not applicable

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place HM Land Registry’s security teams are based in Plymouth, UK and this is where the work will take place.
Working arrangements This will be a 5 day per week (Monday to Friday) commitment and, although there may be some scope for remote working, our focus is to build co-located and integrated teams at our offices in Plymouth.
Detailed working arrangements, including team location, size and make-up, will be contained within each statement of work.

The Cyber Security Partner must follow HM Land Registry's IT and security procedures and policies in relation to access, data and equipment use
Security clearance HM Land Registry requires all supplier staff to have baseline personnel security standard clearance. There may be a requirement for some of the work to require security clearance checks. This will be detailed in the statement of work.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions The standard terms and conditions of a DOS framework agreement call-off contract apply.

T&S will not be paid for travel to the "home" office which will usually be Plymouth and specified in the SOW.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • • Experience in successful delivery of digital cyber strategy and security models
  • • Experience of providing roles and team structures to meet customer deliverables and as defined in the Statement of Works
  • • Experience in integrating roles and teams’ interplay with the customer and/or other suppliers’ resources, as a single delivery team
  • • Experience of working with customers that are part of Central Government.
  • • Experience of working with customers that run Critical 24x7 secure services.
  • • Technical capability to design, implement and support new security infrastructures.
  • • Proven ability to assist in setting the strategic direction for Cyber Security projects.
  • • Capability to support and assist the Security Architecture team in the assessment and risk identifying, against new services.
  • • Knowledge of a range of security standards including but not limited to ISO27000, SOC 2, CIS & NIST.
  • • Knowledge and Experience of widely used IaaS/PaaS/SaaS environments and the ability to provide ongoing advice on how HM Land Registry secure their existing platforms.
  • • Knowledge and experience of best practice regarding implementing least privilege security models and approaches within cloud and on-premise environments
  • • Ability to provide guidance on appropriate separation of roles across the various operation planes (management, control & data), within cloud and on-premise environments.
  • • Knowledge and experience of best practices to implement scalable and secure methods of storing sensitive data, such as service credentials within cloud and on-premise environments.
  • • Experience of implementing Service based authentication within service and on-premise environments.
  • • Experience of designing and implementing the use of modern device-based authentication methods e.g. Windows Hello and other MFA tools.
  • • Experience of a range of security infrastructures and technologies including but not limited to, LDAP, Modern Authentication tools, End-Point Protection Technologies, Application Whitelisting Technologies.
  • • Experienced in implementing Customer Identity Strategies
Nice-to-have skills and experience

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 4
Proposal criteria
  • • Written response to draft Statement of Work to be shared with shortlisted suppliers. – 20%
  • • Proposed implementation team structure, with CV’s outlining relevant experience of each team member – 10%
  • • Resources – depth and flexibility providing the ability to scale – 10%
  • • Service quality management, including approach to issue management, problem resolution and improving ways of working and commercial and contract management. – 10%
Cultural fit criteria
  • • Establish good working relationships and generate team spirit – 2%
  • • Work collaboratively with permanent staff and other suppliers – 2%
  • • Share knowledge and participate in skills transfer – 2%
  • • Ability to use existing knowledge, experience and lessons learnt – 2%
  • • Adapt to meet changing priorities and take responsibility – 2%
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

60%

Cultural fit

10%

Price

30%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Is it possible to raise a question that is treated as confidential? All questions raised must be able to be published and answered on this portal. Any questions that are raised asking for them to be treated as confidential will not be answered. If you require a response to the question it should be re-submitted without the request to treat as confidential in order that it can be shared with all.
2. Can the Authority please confirm, what are the expectations in terms of delivery team size? Is it just the one resource or a team? We ask because this will give us an indication as how far the specified budget of £300k will stretch This is a call off contract with each SOW having different requirements to be agreed with the partner. At times it is likely more than one resource will be required. There is a possibility that we will run multiple SOW’s concurrently. It is possible that the contract will have a higher utilisation in Yr 1 of the contract term than Year 2
3. Would an alternative approach to meeting the stated objectives be considered? The requirement of suppliers at Stage 1 is to respond to the essential skills and criteria.

At stage 2 suppliers will required to respond to a draft SOW, there is the potential here for suppliers to set out alternative proposals on achieving the objectives stated in the requirements.

To be clear for some SOW’s we will require an onsite presence to aid knowledge transfer and to work alongside our subject matter experts.
4. The requirement refers to 5 days per week, but also to statements of work. Is it 1 resource, full-time for 2 years? Or is it individual ad hoc work packages? Thanks. This will be a call-off contract against which, Statements of work will be created. The commitment from the partner is that the capability to deliver against the skill set defined is available – appropriate lead times will be discussed at the point of agreeing the SOW.
5. "Experience of implementing Service based authentication within service and on-premise environments."

Please could you provide some context or clarity as to what this relates to. We assume that the requirement is to implement a solution allowing user the ability to authenticate the service they are trying to use BUT we want to be certain we are answering in the correct context.
For clarity, we are looking for experience of configuring authentication in systems and services both in cloud and on premise in various ways to fulfill user requirements.
6. "Experience of implementing Service based authentication within service and on-premise environments."

Please could you provide some context or clarity as to what this relates to. We assume that the requirement is to implement a solution allowing user the ability to authenticate the service they are trying to use BUT we want to be certain we are answering in the correct context.
For clarity, we are looking for experience of configuring authentication in systems and services both in cloud and on premise in various ways to fulfil user requirements.
7. Can you please confirm that the contract is for 24 Months, 5 days a week at a total contract cost of £300,000? Therefore £150,000 per year. This is a call off contract with each SOW having different requirements to be agreed with the partner. At times it is likely more than one resource will be required. There is a possibility that we will run multiple SOW’s concurrently. It is possible that the contract will have a higher utilisation in Yr 1 of the contract term than Year 2.
8. Our ideal proposed team structure would consist of 1 senior management consultant and 2 technical consultants for delivery. Given the stated budget of 300,000 over 24 months, this would suggest a monthly budget of 12,500 (based on 20 working days per month, this would equate to a day rate of 625 for all 3 members working on the project). Can I confirm that our understanding of this is correct? This is a call off contract with each SOW having different requirements to be agreed with the partner. At times it is likely more than one resource will be required. There is a possibility that we will run multiple SOW’s concurrently. It is possible that the contract will have a higher utilisation in Yr 1 of the contract term than Year 2.
9. Can you provide indicative size or profile of team to be provided by the successful partner. For example, is it likely to be a single or multiple roles?” It is possible that some of the work packages will require an individual specialist to deliver the outcomes, but anticipated that there may also be SOW’s that require a team to deliver the outcome.
10. Is this a looking for 1 individual or a team continually for 2 years? No, there is no expectation that a team or individual will be onsite for the entirety of the 2-year contract term. For example, it could be that a SOW is developed that requires 1 individual to complete a set of deliverables, and this could run concurrently with a SOW that is supported by a team of individuals.