Ministry of Defence, JFC - C4ISR Joint User Cyber

Cyber Risk Tooling - Design Phase

Incomplete applications: 10 (6 SME, 4 large)

Completed applications: 11 (4 SME, 7 large)

Important dates
Published: Friday 28 June 2019
Deadline for asking questions: Friday 5 July 2019 at 11:59pm GMT
Closing date for applications: Friday 12 July 2019 at 11:59pm GMT

Overview

Summary of the work:
  • Design of a tool base that ingests and analyses all cyber risk data, aligned with the Joint User vision.
  • Production of a Stakeholder Map.
  • Understand User Requirements/available data.
  • Analysis of existing capability.
  • Creation of costed options for the Development Phase.
  • Outline of skills and experience required for the next phase.
Latest start date: Monday 26 August 2019
Expected contract length: 6 weeks, plus an additional 1.5 week option to extend (pending financial approval)
Location: London
Organisation the work is for: Ministry of Defence, JFC - C4ISR Joint User Cyber
Budget range: Up to £70,000 (Inc. VAT and T&S)

About the work

Why the work is being done: The Cyber Risk Management Function (part of the MOD’s Cyber Security Operations Capability (CSOC)) requires a set of tools that will automate the ingestion, storage, analysis and exploitation of cyber risks, and informing data, to keep pace with the increasing level of cyber risks being discovered. The Cyber Risk tooling capability is required by September 2019 to fall in line with programme expansion and roll out. This Design Phase is to scope what can be delivered by this deadline.
Problem to be solved: Additional support is required to fulfil the Design Phase of the project, ensuring that an appropriate solution is defined that will offer a stable foundation and scalable configuration for the growing cyber risk management capability, while providing immediate benefit to users. The foundations will allow for the ingest of all cyber risk-related data such as threats, vulnerabilities, cyber events and incidents data. This will also permit rapid broadening of the data import, analytics and data exploitation capabilities, which will allow the MOD to understand its cyber risk exposure and the prioritised risks that need treatment.
Who the users are and what they need to do: Ministry of Defence – primarily the Cyber Risk Management Team in C4ISR & Cyber Joint User and the Defence Assurance and Information Security (DAIS) team, with growth across the MOD in time.
The users’ need includes a design for an automated method of ingesting, storing and analysing cyber risks based on an existing big data platform.
Early market engagement: N/A
Any work that’s already been done: We have multiple capabilities that have been researched and developed. These would need reviewing to see how they would fit into any new design. They cover data structure, analysis and, to some extent, visualisation.
The core system is the Defensive Cyber Capability with a core data lake, CySAFA (Cyber Situational Awareness Fusion Architecture). This has been developed to store and exploit DCO data for a wide range of stakeholders. Any design will need to align to the architectural approach of this system; this will include compatibility with HDP3, Hadoop and RESTful API. There is no current incumbent.
Existing team: The existing CRM and DAIS team consists of crown servants and military personnel who have a wide range of functions and skillsets, all of whom are based in MOD Main Building London and RAF Wyton.
Current phase: Discovery

Work setup

Address where the work will take place: MOD Main Building London, and occasional visits to: MOD Corsham, RAF Wyton, Andover, Portsmouth, High Wycombe and MOD Abbey Wood Bristol.
Working arrangements: Successful team to work from MOD Main Building London, to support the existing team. T&S is available for visits to additional sites; this must be in line with MOD policy. A T&S breakdown is to be included in the costings and must be within overall budget.
Security clearance: Applicants must have SC-Clearance at a minimum with at least one UK National Senior team-member with DV clearance. Clearances must be in place prior to submission of Stage 1 evidence.

The Authority WILL NOT sponsor SC/DV Clearance, it must be in place and valid for the duration of the contract.

Additional information

Additional terms and conditions:
  • Bid Responses to be submitted on the templates provided and in Microsoft Office Excel/Word 2007-2016 format only.
  • T&S will be paid based on receipted actuals and in compliance with MoD Policy; no other expenses are permitted.
  • Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.
  • The intermediaries legislation does not apply to this engagement.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrable experience of helping organisations achieve an enterprise level view in order to support the delivery of complex projects
  • Experience of System architecture design.
  • Understanding of PaaS and Hadoop based infrastructures.
  • Understanding of the Agile Project Management Methodology for implementation planning.
  • Expertise in Database structures and Data ontology development.
  • Understanding of the latest techniques for data normalisation and analysis.
  • Understanding of how to manage structured and unstructured data.
  • Understanding of Data visualisation techniques and integration.
  • Please confirm valid SC/DV-level Security Clearance is currently in place and will be held for the duration of the contract
Nice-to-have skills and experience
  • Demonstrable and relevant experience of undertaking knowledge transfer
  • Ability to think creatively and articulate innovative ideas for solving complex business and ICT problems.
  • Ability to present and articulate technical risks in a business context
  • Understanding and experience of working with HMG/MOD policies including JSP 440 and 604
  • Cyber Security Risk management knowledge.

How suppliers will be evaluated

How many suppliers to evaluate: 3
Proposal criteria
  • Documented evidence of essential skills (Limited to 2000 words) plus CVs which are not included in the word count and can be sent as separate documents. (10%)
  • Documented proposed approach including collaboration with existing teams. (10%)
  • Explanation of how the approach or solution meets user needs. (15%)
  • Estimated timeframes for the work. (10%)
  • Documented evidence of the identified risks and dependencies, offering approaches to effectively manage them. (15%)
  • Evidence of suggested team structure and evidence of SC/DV-Clearance (10%)
Cultural fit criteria
  • Must be able to work in a mixed team of Military, MOD Civil Service and industry partners. (4%)
  • Have excellent interpersonal and influencing skills and a positive approach. (2%)
  • Ability to transfer knowledge and upskill staff. (2%)
  • Values and behaviours in line with MOD core values. (2%)
Payment approach: Fixed price
Assessment methods: Written proposal
Evaluation weighting
  • Technical competence: 70%
  • Cultural fit: 10%
  • Price: 20%

Questions asked by suppliers

1. Supplier question: We are familiar with Hadoop as a product but haven’t got any experience in its integration with risk tools. How significant is this part of the evaluation?
   Buyer answer: It is essential that the team has experience of delivering solutions with a technology stack that includes Hadoop so that the team may recommend deliverable and optimal solutions that meet our needs. Experience of integration with risk tools specifically is not essential.
4. Supplier question: Does all of the team need to be co-located onsite in Main Building? Could one of them work remotely from one of our List X sites?
   Buyer answer: Working in own premises is expected, but with regular engagement each week with personnel at MOD Main Building.