Ministry of Defence - Information Systems and Services
IdAM Product Managers & Service Transition Partner (ASDT0092)
7 Incomplete applications
6 SME, 1 large
9 Completed applications
4 SME, 5 large
Important dates
- Published
- Wednesday 26 June 2019
- Deadline for asking questions
- Wednesday 3 July 2019 at 11:59pm GMT
- Closing date for applications
- Wednesday 10 July 2019 at 11:59pm GMT
Overview
- Summary of the work
- To work on the IdAM Beta & transition plan from the existing access broker to the MOD’s product of choice (NetIQ). To inform the build priorities for OFFICIAL/SECRET MOD domains in the UK.
- Latest start date
- Monday 30 September 2019
- Expected contract length
- Duration: 24 months with an additional 6 month option period.
- Location
- South West England
- Organisation the work is for
- Ministry of Defence - Information Systems and Services
- Budget range
-
£0.9 - £1.25 Million (Ex VAT)
Contract Value includes a Limit of Liability for T&S of £20K.
About the work
- Why the work is being done
-
The Ministry of Defence (MOD) needs an Enterprise Identity and Access Management (IDAM) service for its IT & Digital services; this delivers part of MOD’s 2010 IDAM strategy (available on gov.uk).
This service is to provide:
1. Improved compliance with HMG’s Technology Code of Practice by providing a reusable service, which will also simplify maintaining compliance with the General Data Protection Regulation (GDPR).
2. A migration path from current IDAM arrangements.
3. Identity related services that meet the Digital Service Standard, particularly for our partner organisations and external users.
It is an essential prerequisite for new IT services from Q2 2019.
- Problem to be solved
-
The Product Managers will manage the technical delivery of the Defence Identity & Directories services, including:
• Identity & Access Management (IdAM) services (e.g. single-sign-on & advanced authentication);
• Directory services (e.g. a master Active Directory and corporate directory).
• Exit from the existing contracted services requires transition planning for an in house solution.
Initial releases use NetIQ products, focus on IdAM features and OFFICIAL information in the UK. SECRET, overseas, deployed systems and directories are also on the roadmap.
- Who the users are and what they need to do
-
All MOD Personnel/Partners/Contractors requiring IT application & services access.
1. As an IT user, I want single sign on to seamlessly access IT & digital services.
2. As an App or Service Owner, I want simpler, rule based access so appropriate users get quicker access to my service and inappropriate ones are refused access.
3. As a systems administrator, I want to maintain trust relationships between systems, so normal IT operations can continue.
4. As a Security Officer, I want a simpler means of securely providing access to IT so access is quicker, more accurate and can be scrutinised.
- Early market engagement
- Any work that’s already been done
- An IdAM alpha was conducted during 2016 on the Authority's product of choice, the MicroFocus NetIQ product suite. This product was selected after a market competition and evaluation were held. Development work has continued with the onboarded development partner in Sept 18 who are working in an Agile manner to deliver incremental releases of the configured IdAM solution, including identity log in for defence gateway and the core network at OFFICIAL.
- Existing team
- The Project Team consists of IT Design Architects, Project Management professionals (both Agile and APM) and various contracted parties working on the development of the product and assessment of further work identification across the Identity brokering and directories areas of concern. The team is a blend of Crown Servants and Contractors. Team size is currently 20, with all following SAFe delivery principles.
- Current phase
- Beta
Work setup
- Address where the work will take place
- The Project Delivery Team is located at MOD Corsham in Wiltshire (SN13 9NR). Occasional travel to Customers may be required dependent on the need, however this will be kept to a minimum.
- Working arrangements
- The Product Managers will be expected to work full time (220 days per year). The IdAM delivery team works in an Agile Scrum environment under the direction of a Scrum Master and Project Manager. Current expectations are that the Product Owner will be at Corsham at least 4 days per week. Travel and subsistence expenses to attend other sites, such as but not limited to Andover, Farnborough & Gosport, will be payable from Corsham using current Civil Service T&S practices.
- Security clearance
- Potential suppliers will be expected to hold or be in the process of obtaining SC Clearance. The Authority WILL NOT sponsor SC clearance, it must be in place and remain valid for the duration of the contract.
Additional information
- Additional terms and conditions
-
Additional information will be provided for successful Suppliers following the short-list stage.
The successful Supplier must request a Security Aspects Letter and provide a Cyber Essentials Certificate.
T&S will be paid on receipted actuals in compliance with MoD policy; no other expenses are permitted.
Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.
Suppliers must adhere to the MOD Corsham working policies.
The following Quality Assurance standards will be applicable:
Concessions Def Stan 05-61 Part 1 Issue 5
Contractor Working Parties Def Stan 05-61 Part 4 Issue 3
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
- Essential skills and experience
-
- Proven and demonstrable experience in working within a project or product of similar size and complexity.
- Proven and demonstrable experience of working with multi-disciplinary teams in an agile development/delivery environment.
- Proven and demonstrable experience of prioritising agile product and sprint backlogs to maximise value returned.
- Experience setting clear acceptance criteria and working with colleagues to ensure backlog items meet the INVEST criteria.
- Proven and demonstrable organisational skills.
- Experience in working in a large scale change programme.
- Experience in liaising with Industry Partners and contractors.
- The ability to work under pressure and adhere to challenging timescales.
- Strong analytical skills.
- Nice-to-have skills and experience
-
- Experience in working within the MOD.
- Knowledge of current Defence Identity Access Management systems.
- Experience of working with remote capabilities.
- Experience of setting up and developing Directory Services.
How suppliers will be evaluated
- How many suppliers to evaluate
- 3
- Proposal criteria
-
- How you'll provide the Authority with a high-quality team that embodies the required skills; particularly, why you believe the team (as a collective) will be high performing (12%)
- How you'll balance being responsive and flexible to changing work demands (in terms of skills/capacity) as it progresses with the benefits of a stable and consistent team. (11%)
- Indicative structure (i.e. people/roles in your proposed team and their main interrelationships), indicative profile (how team size and roles might change over time) and start date. (11%)
- How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. (11%)
- Your proposed approach and methodology for managing the transition planning: particularly how this will inform the backlog entries and prioritisation of the Directories, Core OFFICIAL and SECRET workstreams. (11%)
- Proposed approach and methodology for achieving security/information assurance accreditation and maintaining through the Agile development, including identifying threats, putting in place controls and engagement with risk owner(s). (11%)
- How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). (11%)
- How you'll ensure the service meets the organisation’s policy goals in terms of providing more secure Identity and Access Management/Directories processes, incorporating existing policy. (11%)
- Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the IdAM/Directories services after they have been developed. (11%)
- Cultural fit criteria
-
- Shares knowledge, experience and expertise with the Authority and other team members (11%)
- Be transparent and collaborative (12%)
- Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form (11%)
- Evidence that you attract and retain the best talent to create teams that reflect the diversity of the country and can deliver a diversity of thought to the Authority (11%)
- Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome (11%)
- Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors (11%)
- Evidence of working successfully in an Agile manner within an organisation where some units (particularly in relation to governance and project control processes) retain a big-design-upfront/command-and-control perspective (11%)
- Evidence of working with organisations and stakeholders with differing levels of technical expertise (11%)
- Payment approach
- Capped time and materials
- Assessment methods
-
- Written proposal
- Case study
- Presentation
- Evaluation weighting
-
Technical competence: 50%
Cultural fit: 20%
Price: 30%
Questions asked by suppliers
- 1. Can the Authority confirm this contract will be outside of IR35?
- Yes, IR35 legislation does not apply to this requirement.
- 2. How do we respond to this requirement?
- Bid responses are to be submitted on the DOS templates and in Microsoft Office Excel/Word 2013 format only. The Successful Shortlist Suppliers will receive further additional information and instructions.
- 3. Can the Authority, please confirm the procurement timetable in relation to the written proposal, presentation dates and contract award?
-
Proposed date for Written and Case Studies submission to the Authority - W/c 12th August.
If Presentations are required the dates to be held are between W/c 20th August - 6th Sept at MOD Corsham.
Latest Contract Start Date 30th Sept 2019
- 4. Please could the Authority provide the Cyber Risk Assessment Reference for a Supplier to complete the required SAQ?
- The Risk Assessment is Low and reference number: RAR-JJZB295A
- 5. What is Identity Access Management (IdAM)?
-
IdAM is the creation and management of digital identities which are used to access information, systems and applications and physical access. The programme in ASDT is designing and building systems for the consolidated management of identities, people or things (devices, processes etc.), across MOD. This will enable appropriate access to the systems or applications in the first instance, and to information embedded within these as well.
Simplifying the management of credentials and access privileges across the multiple systems present across Defence will considerably streamline authentication processes for users, enabling one username and password for sign onto multiple services.
- 6. What are the benefits to the IdAM programme?
-
The recognised benefits include:
• Minimize Security Risk – control access to the networks and applications and instantaneously update accounts in a complex and ever-changing IT landscape.
• Centralized auditing and reporting – know who did what and report on system usage.
• Reduce IT operating costs – immediate return on investment is realized by simplifying and automating much of the existing process for account management.
• Improved quality of IT services – creating a better user experience simplifying authentication and authorisation.
• Legal compliance – specifically, Data Protection Laws and other government mandates require secure control of access.
- 7. Which classifications will IdAM cater for?
- The IdAM roadmap will be available for both OFFICIAL and SECRET applications, however, the initial set of work is focusing on OFFICIAL information resources.
- 8. Who can use IdAM services?
-
We recognise 4 main user groups which are permitted licenses for IdAM Services, these are:
• MOD personnel: civil servants, UK military, Royal Fleet Auxiliary, MOD police, locally engaged civilians
• Other government officials: department civil servants, other public sector employees, crown ministers, special advisers, ministerial assistants, honorary/ ceremonial appointments, non-executive directors, select parliamentary committee members
• Partner organisations: supplier employees, MOD contracted personnel, foreign military allies, international government organisations (IGOs)
• Affiliated organisations personnel: Cadet forces, veterans, service personnel dependents
- 9. How does GDPR affect IdAM?
-
• Lawfulness, fairness and transparency – the MOD policy for data collection is available to all and agreement is through signing SyOps
• Purpose limitation – personal data is held only for IdAM purposes
• Data minimisation – information held is required to support identity and access management only.
• Accuracy – information is held in one location, easier to keep data accurate
• Storage limitation – linking relevant personal information in one location is easier to delete
• Integrity and confidentiality – personal data will be held in a secure vault for use in automated processes for access decision making.
- 10. How are IdAM capabilities being rolled out?
- The E-IdAM services are being developed following Agile methodology. The technical team is releasing functionality incrementally using sprints to plan and monitor progress. This means that up front planning and stage gate time deadlines associated with PRINCE2/ Waterfall project management will not be applicable to the delivery of IdAM functionality.
- 11. What is Federation/ Federated Access?
- Federated access refers to a user’s digital identity and associated attributes from a separate organisation (e.g. NATO) to be used by MOD systems and vice versa. This allows trusted partners to create and maintain digital identities for their personnel to gain appropriate access to their respective authorised MOD systems rather than have accounts, credentials or identities manually provisioned by the other party. For trusted partners, the IdAM IBS component would recognise the credentials of a federated individual and allow authentication. This extended access to third parties will only be delivered once IdAM capabilities have been established for the MOD userbase.
- 12. Which Technology is the IdAM solution based on?
- To meet the IdAM needs of the various MOD wide populations and corresponding services, several technologies are likely to be needed. A core technology will be NetIQ products, namely: Identity Manager, Access Manager, Advanced Authentication, Access Review, which have been procured. The IdAM project has purchased 440,704 NetIQ licences.
- 13. Where will IdAM be hosted?
- IdAM is providing a set of services which applications will interact with, therefore where IdAM will be hosted is not relevant for application owners. IdAM will be utilising MOD Cloud platforms to provide the services. We will be expanding the services into all environments depending on availability and maturity.
- 14. What is the range of anticipated integration mechanisms?
-
The preferred pattern for applications to integrate with the Identity Brokering service is using Security Assertion Markup Language (SAML) and WS-Federation (WS-FED), widely used industry standards. Teams responsible for building or buying new software (or SaaS services) should ensure their software supports this. Where there is a strong case for doing so, other technologies and patterns such as Kerberos or encrypted storage of legacy application credentials can be supported by exception.
Functions other than authentication and authorisation of users, such as self-service and provisioning, will be made available through Application Programming Interfaces (API) and Graphical User Interfaces (GUI) where appropriate.
- 15. Please can the MOD provide information on the selection rationale from the Alpha phase to NETIQ products?
- No, however where not commercially sensitive, information about the business requirements for the Alpha phases will be provided as appropriate to the awarded supplier.
- 16. It is understood that the Discovery and Alpha phase for the project has been completed. Could the MOD confirm which organisation completed this work?
- No, however this will be provided where required in order to facilitate handover, as appropriate to the awarded supplier.
- 17. Are you working with a current incumbent supplier?
- There is no current supplier fulfilling the Product Manager & Service Transition role, however a close working relationship will be required with the incumbent supplier providing the rest of the delivery roles.
- 18. Given the potential conflict of interest, are we right to assume that any supplier bidding for “IdAM Development and Implementation Partner (ASDT0093)” will not be permitted to also bid for “IdAM Product Managers & Service Transition Partner (ASDT0092)”?
- The adverts ASDT 0092 & 0093 are two separate contracts and the same supplier can bid for both. In this eventuality the Authority will require the provision of two independent teams with specific roles.
- 19. Please could you clarify what is meant by “remote capabilities” in the context of the desirable skills and experience? Is this in the context of working with distributed computing resources such as cloud or hybrid infrastructures, or remote working, such as is enabled by VPNs, laptops and so on?
- Remote capabilities refers to meeting the needs of dependent systems that may have unreliable, high-latency or low-bandwidth connectivity (or all of these). These include systems on Permanent Joint Operating Bases or systems deployed into battle-spaces.
- 20. Please could you clarify what is meant by “organisational skills” in the context of the essential skills and experience? Is this in the context of being systematic and efficient, or dealing with organisation related considerations, such as those reflected in DLODs?
- Organisational skills relate to the ability to use your time, energy, resources etc. in an effective way so that you achieve desired outcomes.
- 21. Please can you confirm the percentages for the Cultural Fit Criteria? Please note this question is answered in 2 parts - this is part 1.
-
• Shares knowledge, experience and expertise with the Authority and other team members (13%)
• Be transparent and collaborative (13%)
• Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form (13%)
• Evidence that you attract and retain the best talent to create teams that reflect the diversity of the country and can deliver a diversity of thought to the Authority (13%)
- 22. Please can you confirm the percentages for the Cultural Fit Criteria? Please note this question is answered in 2 parts - this is part 2.
-
• Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome (12%)
• Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors (12%)
• Evidence of working successfully in an Agile manner within an organisation where some units (particularly in relation to governance and project control processes) retain a big-design-upfront/command-and-control perspective (12%)
• Evidence of working with organisations and stakeholders with differing levels of technical expertise (12%)