Defence Online

Type of document: Contract Notice
Country: United Kingdom

1. Title: IDENTITY ACCESS MANAGEMENT SERVICE (IAMS) DEVELOPMENT TEAM 1
2. Awarding Authority: Defence Digital – Ministry of Defence, GB. Web:
3. Contract type: Service contract
4. Description: Support MOD to build and configure the technology changes needed to establish the Official and internet facing capabilities for the IAMS. These capabilities will be delivered via a number of work packages, defined in the IAMS backlog. Produce design and policy documentation, support Close Client Side Support team with assurance.
5. CPV Code(s): 72000000, 72260000, 72212331, 72224000
6. NUTS code(s): UKK, UKK1, UKK15
7. Main site or location of works, main place of delivery or main place of performance: South West England
Remotely & at MoD sites, primarily MoD Corsham, Westwells Road | Corsham | Wiltshire | SN13 9NR
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Up to 9.7M to deliver IOC inclusive of T&S.
10. Closing date for applications 16.12.2022 (23:59:00).
11. Address to which they must be sent: For further information regarding the above contract notice please visit:
12. Other information: Deadline for asking questions Friday 9 December 2022 at 11:59pm GMT
Overview
Off-payroll (IR35) determination Contracted out service: the off-payroll rules do not apply
Latest start date Monday 27 February 2023
Expected contract length 18 months
About the work
Why the work is being done The MOD’s Identity and Access Management Service (IAMS) Programme is now moving into the Delivery Phase, to establish an Initial Operating Capability (IOC) by February 2024 (building on existing identity and AAD services) with a start date of Jan 23. This will provide new Identity and Access Management services for the Official domain.
MOD Defence Digital currently has insufficient suitably qualified and experienced staff to provide in-house technical delivery teams to configure the technical platform nor the capacity / experience to manage the change programme. Development Teams made up from contractor resources are therefore required to design, build, configure produce policy, and manage the core, internet connected, Identity and Access Management Service at Official / Official Sensitive. This will serve the majority of the current 250,000 users and act as a pattern for delivery of similar capabilities at Full Operating Capability in the deployed arena and at higher classifications.
Problem to be solved
The MoD had several disparate and ageing identity services, the Identity Access Management (IdAM) and Directories programme created a centralised identity service taken significant steps to improve and refine the identity data. The IAMS programme goal is to build upon this and modernise and establish a centrally managed and assured single identity for use across the wider MoD estate.
The IAMS solution will support the modernisation the identity and authentication services, Multi-Factor Authentication (MFA), Single Sign On (SSO), application and resources access and control mechanisms and enable the progression to a Zero Trust Architecture within the MoD estate.
The technical delivery team (Development Team) will design, build, configure, and manage the MOD.GOV.UK Azure Active Directory (AAD) instance in conjunction with the other stakeholders identified to deliver the core Official IdAM Service.
The delivery team will also be responsible for further supporting the development of policy and standards and reviewing this as part of a lifecycle process.
Who the users are and what they need to do Groups require secure controlled access (not limited to):
Military Services Personnel – to MOD services and resources for operational, planning and communications. Required MOD administration and training. Access to comms, data capture, geo data, decision support, land environment consumer apps and more.
MOD Civil Servants – to support MOD programs and projects. Access collaboration, comms, productivity, finance and more.
Reserves and Cadets – required learning and relevant information. Access eLearning, planning and corporate apps.
Civilians Contractors and Consultants – require controlled access to support MOD programs, projects and collaboration. Access Productivity Comms, Collaboration and other defined applications.
Non-Person entities – service accounts and APIs. Support IOT and technology, exchange data/enable automation. Access defined IOT and technology.
Other Government Department Personnel – collaboration and support MoD services/operations. Access Comms, Collaboration, Productivity and professional community.
Veterans – resettlement and support, other relevant services. Access veteran services.
Allied Military and Civilian Personnel – collaboration allied activities and information sharing. Access Collaboration, Comms and professional community. Locally engaged civilians’ provision of local services. Access Corporate.
Families of MOD Personnel – resettlement, advice and support, benefits, and community. Access veteran services, pay, vouchers and benefits apps.
Early market engagement
Any work that’s already been done The IAMS architecture has been agreed, including existing identity lifecycle management and MOD.GOV.UK AAD. Design and governance stakeholders have been identified and documentation produced to provide direction for the delivery teams.
High-level Designs have been prepared, requirements gathered, and user functions established for the Identity Service. Governance bodies are in-place supporting all activities to achieve final approval to operate.
The AAD and mature identity store is in place. However, there is currently no enterprise level service management to maintain and innovate this technology. The Operational Service Management capability acts as a front door for other defence capabilities and onboarding services.
Existing team The service owner for AAD manages the whole of the M365 domain, other technology suppliers configure and manage neighbouring technologies. There is no current incumbent with responsibility for an identity and access management service in AAD.
The development teams will work to the IAMS Close Client Side Support Partner on behalf of the Senior Responsible Owner. They will also need to work closely with existing delivery teams and service owners within MOD.
Finally, the contractor will need to work closely with Technical and Service Design authority and teams managing existing services to be transitioned.
Current phase Discovery
Work setup
Address where the work will take place Remotely & at MoD sites, primarily MoD Corsham, Westwells Road | Corsham | Wiltshire | SN13 9NR
Working arrangements Development teams will be expected to attend meetings within standard office hours. The vast majority of which will be held virtually.
A hybrid arrangement will be in place with onsite and remote working.
As the central Identity and Access Management Service is developed and transitioned into live production, there will be a requirement to provide 24/7 service management. This is subject to the development and agreement of appropriate Service Level Agreements (SLA).
Security clearance The Supplier shall provide all staff with a minimum of Security Check clearance for anyone actively engaged in the delivery of services within the contract from the contract start date. The Authority will not hold or sponsor clearances.
Additional information
Additional terms and conditions DEFCONS 5J, 76, 129J, 522, 602B, 609, 627, 642, 658, 660
In accordance with DEFCON 658 a Cyber risk assessment has been undertaken
Cyber risk profile: Moderate
All expenses must be pre-agreed between the parties and must comply with the authority Travel and Subsistence (T&S) Policy.
Options to call-off sub-services
Conflict of Interest
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Demonstrate capability to create High-level, Low-level Design documentation and technical configuration/assurance documents such as Implementation Guide and produce scripts to support the implementation, for complex environments – 15 points
Demonstrate Business Analysis (BA) capability that has been applied to develop business, user and technical policies in conjunction with other teams – 5 points
Experience of Azure Active Directory (AAD) implementation and maintenance in complex hybrid cloud environment – 12 points
Experience of implementation and maintenance of AAD services such as: 1. MFA; 2. SSO; 3. Conditional Access; 4. Role Base and Policy Based access management – 10 points
Experience of Identity and Access Management capabilities for implementation and maintenance of such services in complex and secure environments – 10 points
Experience of Integration of Identity and Access Management services and AAD with protective monitoring tools, including those external to Azure – 7 points
Experience of Integration of AAD to externally hosted modern and legacy applications – 8 points
Testing & Accreditation – Experience of developing scope of testing and accreditation, management testing and accreditation, proving the service you delivered meets functional and security requirements – 6 points
Experience of rapidly employing appropriate mitigation/fix process for requirement and functional, gaps and/or threats and vulnerabilities from testing phases – 7 points
Experience of Development Lifecycle capabilities aligned with first delivering and then managing complex hybrid cloud architectures – 6 points
Demonstrable experience of configuring and implementing approved designs to meet operational and security requirements – 6 points
Experience of managing the configuration and maintenance of an enterprise scale instance of AAD including evidence of identity lifecycle management – 8 points
Nice-to-have skills and experience
MoD or other secure customer delivery and/or service management capabilities – 8 points
Understanding and delivery capability for Zero Trust Architecture – 3 points
Understanding and experience of implementation aligned with NCSC guidance and principles – 7 points
Experience in Policy Enforcement Point and application gateway services implementation – 5 points
Experience working in complex dynamic programmes – 7 points
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
How many suppliers to evaluate 5
Proposal criteria
Describe how you would deliver the technical solution as described in the SOR – 17 points
Outline your approach and methodology to delivery and service management – 12 points
Demonstrate how the approach or solution meets user needs, and how is this evidenced (UAT, delivery review, other) – 8 points
Provide estimated timeframes for the work, including provision of a plan of work to deliver services outlined in SOR – 16 points
Explain how you will identify risks and dependencies and approaches to manage/mitigate them – 12 points
Provide your team structure and staffing approach including how options will be staffed – 5 points
Demonstrate how your proposal ensures value for money – 6 points
A model of how you will manage quality and governance both in delivery and lifecycle management – 10 points
Detail your proposed approach for knowledge transfer to technical and business teams throughout the life of the contract – 14 points
Cultural fit criteria
Work collaboratively as a team with our organisation and other suppliers, adapting quickly to changing environments, enabling completion of tasks in an agile manner – 1 point
Take responsibility for their work – 1 point
Share knowledge and experience with other team members, the Authority and customers – 1 point
Challenge the status quo – 1 point
Can work with stakeholders with a range of technical expertise – 1 point
Social Value – Tackling economic inequality MAC3.5 Demonstrate action to identify and manage cyber security risks in the delivery of the contract including the supply chain – 5 points
Social Value – Fighting climate change MAC4.2. Influence staff, suppliers, customers and communities through the delivery of the contract to support environmental protection and improvement – 2.5 points
Social Value – Equal opportunity MAC6.1. Demonstrate action to identify and tackle inequality in employment, skills and pay in the contract workforce – 2.5 points
Payment approach Fixed price
Additional assessment methods
Case study
Work history
Evaluation weighting
Technical competence
65%
Cultural fit
15%
Price
20%
TKR-2022123-EX-1513250