Defence Online

Type of document: Contract Notice
Country: United Kingdom

1. Title: SECURE BY DESIGN (SBD)
2. Awarding Authority: Defence Digital, Ministry of Defence, GB. Web:
3. Contract type: Service contract
4. Description: The Cyber Resilience Programme require a supplier to deliver the Secure by Design outcomes. The SBD project will develop and implement a new approach for security in Defence by embedding security as a fundamental element of the system design process.
5. CPV Code(s): 72000000, 72200000
6. NUTS code(s): UKK, UKK1, UKK15
7. Main site or location of works, main place of delivery or main place of performance: South West England
Address where the work will take place The main base is Corsham, Wiltshire however remote working is acceptable. There should be minimal limitations in attending Corsham, South West locations and Main Building in delivery of the Beta Phase outcomes.
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: It is estimated that the work can be delivered within the budget range of £6.5M – £9M. It is estimated the staffing requirements are between 25-30 personnel during the 15months to deliver the outcomes.
10. Closing date for applications 15.6.2022 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions Wednesday 8 June 2022 at 11:59pm GMT
Latest start date Monday 19 September 2022
Expected contract length 15months (outcomes required for Dec 23)
Why the work is being done Defence currently holds an unacceptable cyber risk position and faces an ever-rising wave of malicious cyber activity combined with a growing use of Digital capability therefore increasing MOD’s cyber threat surface. The current MOD approach to security design revolves around accreditation and whilst this approach may have been suitable in the past, it is unable to deal with the scale and complexity of projects across Defence as well as being able to respond to new and emerging technology. Additionally, accreditation can focus security risk ownership in the wrong area of the business, placing ownership with security rather than the owners of the capability / business stream.
Problem to be solved The end state of SbD will be a Continual Assessment approach which will be developed and implemented to replace the current accreditation process. SBD will develop the policy, process, tools, and guidance that can be used by projects to better define their security understanding and develop and implement better security solutions.  It is important to note that policy, process and tools will all be in support of the wider objective of improving the security culture. That is, Secure by Design will change what MOD staff, collectively and individually, perceive as acceptable and desirable behaviour, aligning with best practice in industry. This will make knowledge sharing easier, as well as ensuring that security is commensurate with the Defence Tasks. Whilst this activity will be focused on security, it is likely that this culture shift will also benefit MOD procurement and project management more widely, as has already been evidenced by the Alpha activity.
Who the users are and what they need to do Secure by Design will change what MOD staff, collectively and individually perceive as acceptable and desirable behaviour, aligning with best practice in industry.
Early market engagement
Any work that’s already been done A Discovery, Alpha and transition phase has already been completed for Secure by Design.  The Beta phase will take the outputs from these phases and further test these across Defence to prove that Secure by Design is scalable and delivers the stated benefits and cyber risk reduction to Defence
Existing team The team will be working within the Cyber Resilience Programme, Defence Digital lead by a Civil Servant B1 and Resilient by Design Theme Lead, Civil Servant B2. A number of suppliers are involved across defence supporting IT Projects which may require the chosen supplier to work with during the Beta Phase.
Current phase Beta
Working arrangements The supplier staff will work Mon-Fri at 7.5hours per day.
Possible locations for meeting stakeholders include (but not limited to) Corsham and MOD Main Building.
Security clearance Because of the nature of transformation required SC clearance is required by all personnel working on the project.
Additional information
Additional terms and conditions All expenses must be pre-agreed between the parties and must comply with the authority Travel and Subsistence (T&S) Policy. All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects.
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Evidence will need to be provided describing the companies experience and knowledge in complex business transformation, using waterfall and Agile approaches. (5%)
Experience and knowledge in complex business transformation, using waterfall and Agile approaches. (5%)
3+ years providing project and programme management, Cyber Security, Communications, Business Analysis and Business Change Management roles. (2.5%)
Evidence of understanding and experience of MOD accreditation and other processes.(5%)
Evidence of understanding and experience in Cyber projects and providing essential guidance and SQEP support to improve governance, internal documents and processes (5%)
Demonstrable experience of providing client-side support within transformation programmes. (5%)
Proven track record of working with key stakeholders to implement transformation across organisational structures, operational governance and information flows for large-scale complex projects.(2.5%)
Nice-to-have skills and experience
Experience of working within Defence organisations on agile project delivery. (2.5%)
Experience in recruitment in Cyber SQEP and analysis of processes to improve Cyber Specialists’ recruitment. (2.5%)
Have ability to think creatively and can articulate ideas to solving complex business problems. (2.5%)
Evidence of working collaboratively and take responsibility for the tasks in hand and adapt quickly, in an ever changing environment to enable completion of tasks in an agile manner. (2.5%)
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
How many suppliers to evaluate 5
Proposal criteria
Evidence of understanding the SOR through proposed approach and methodology. Supplier should evidence how the approach will meets user needs(20%)
Evidence of experience in business transformation (10%)
Evidence of technical compliance in skills and experience for the roles described (10%)
Proposed approach for onboarding and Implementation Plan (5%)
Proposed approach for transfer of knowledge, how the supplier will integrate and work collaboratively.(5%)
Risk and dependency identification and mitigation approach within the requirement (5%)
Proposed Team structure, including proposed FTE to support peaks.Response should Include retention plan for staffing (5%)
Cultural fit criteria
Evidence of encouraging an environment of inclusivity and diversity. (50%)
Evidence of working as a team with our organisation and its stakeholders sharing knowledge in a no blame culture to enable learning From Experience.(25%)
Evidence of working collborativley and take responsibility for the tasks in hand and adapt quickly, in an ever changing environment to enable completion of tasks in an agile manner.(25%)
Payment approach Fixed price
Additional assessment methods
Evaluation weighting
Technical competence
60%
Cultural fit
10%
Price
30%
TKR-202262-EX-1829125