Type of document: Contract Notice
Country: United Kingdom
1. Title: SECURITY ASSURANCE SUPPORT TO APPLICATION SERVICES AND DEVELOPMENT TEAM SERVICES
2. Awarding Authority: Defence Digital, Ministry of Defence Corsham, GB. Web:
3. Contract type: Service contract
4. Description: The Awarding Authority are looking for support to develop and deliver packages of work to build our digital Security Assurance capability and capacity. The Supplier will work with our teams, delivering outcomes across our services.
5. CPV Code(s): 72000000, 72212730, 72212000
6. NUTS code(s): UKK, UKK1, UKK15
7. Main site or location of works, main place of delivery or main place of performance: Location: South West England
Address where the work will take place: Defence Digital, Ministry of Defence Corsham
However, at the time of writing, government measures to reduce Covid-19 are in operation and, as such, work should be done remotely and in observance of social distancing and shielding guidance. MOD will continue to observe all government advice in the coming months aimed at reducing the spread of the disease.
8. Reference attributed by awarding authority: CCT984
9. Estimated value of requirement: Budget range: The budget is up to a maximum ceiling value of £5m including VAT.
This is not a commitment to spend up to this value and the Authority reserves the right to consume at its discretion.
The intended contract will be treated as an outcome based service solution. IR35 does not apply to this contract.
10. Closing date for applications: 1.2.2021 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions: Monday 25 January 2021 at 11:59pm GMT
Latest start date: Thursday 1 April 2021
Expected contract length: 31st March 2023
About the work
Why the work is being done: Specialist Security advice to meet assurance activities is required in order to ensure Application Services and Development Team services deliver key capabilities on time and fit for purpose.
Problem to be solved: Requirement to provide Security Assurance knowledge and expertise for all Application Services and Development Team services.
Management of security actions that arise out of the Joint Programme Security Working Groups. Act as chair/secretary on behalf of Application Services and Development Team, which will be agreed at commencement of work.
Ensure the Accreditation Evidence Statement (AES) is scoped by the project to capture appropriate project requirements; this will cover all the security activities required to achieve accreditation and address other activities such as GDPR/DPIAs, Review of Solutions (Apps and Platform builds), Risk Assessments, and providing good solid opinions and guidance from a security POV, including at PI Planning and demos.
Engagement/ liaison with the Case Officer and Accreditor.
Ensure production of Security Management Plan and Accreditation Strategy for the review and approval of Security Working Groups (SWG).
Ensure the Risk Management and Accreditation Document Sets (RMADS) and any supporting documentation and evidence are produced as a project deliverable in line with JSP440 and JSP604.
Conducting technical risk assessments, including managing RMADS and managing TSIs.
Ensure new projects are registered (and entries maintained) on DART to enable an accreditor to be assigned.
Skills transfer to nominated project staff.
Who the users are and what they need to do: For the tasks required, the ‘users’ are the project team and our stakeholders. The IA specialists are required to liaise with the programme teams, key stakeholders in Defence Digital and across MOD as well as working with CyDR or other TLB Accreditors.
Early market engagement
Any work that’s already been done: Many items (Projects) have already been started or are in the delivery phase and, as such, the tasks are about refinement, further development and operation.
Existing team: Application Services and Development Team services
Current phase: Live
Working arrangements: Work onsite 4/5 days a week in Corsham as agreed with the Project Manager in order to support Project Teams in all of their Security Assurance activities.
Currently, with Covid-19, all activity is likely to be remote for the foreseeable future. MOD Net UAD/Laptop will be provided to support remote working and there could be a potential to travel to Corsham or other sites whilst in lockdown to enable OS/above discussions to be had until we normalise.
Security clearance: Valid DV clearance must be in place prior to the contract starting and for the duration of the contract, due to the projects that personnel will be required to work with.
Additional terms and conditions: Key personnel will require a minimum of three years’ experience in an IA role with a similar sized organisation within the last five years.
CCP – Senior Practitioner in one of the following disciplines SIRA or CISM.
Chartered Institute of Information Security (CIISec)
Certified Information Systems Security Professional (CISSP) Qualification
In terms of providing the necessary level of skills with appropriate clearance, suppliers should attain, maintain and provide assurances around security clearance.
The Cyber Risk Profile has been identified as low/medium. Note that this will be identified on a project-by-project basis, which will include high risk profiles.
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; ‘one size fits all approach’ will not satisfy our requirement (20%)
Provide a high-level plan of your approach for identifying and managing Security Risks, Issues and Dependencies in a mature business/project area, including evidence of managing RMADS and managing TSIs. (15%)
Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)
Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
Supporting CVs – These should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page. (10%)
Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)
Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)
Nice-to-have skills and experience
Demonstrate experience of conducting Technical security reviews / approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy (15%)
Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process (10%)
Demonstrate previous working experience of Coordinating technical security documentation in support of CyDR to support achievement of accreditation (10%)
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
How many suppliers to evaluate: 3
Proposal criteria
technical solution
approach and methodology
how the approach or solution meets user needs
how the approach or solution meets your organisation’s policy or goal
how they’ve identified risks and dependencies and offered approaches to manage them
team structure
value for money
Cultural fit criteria
Experience of outcome based delivery in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
Work as a team with our organisation and other suppliers, including knowledge and experience of scaled Agile ways of working. (25%)
Remain transparent and collaborative when making decisions (25%)
Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions. (25%)
Payment approach: Capped time and materials
Additional assessment methods
Work history
Reference
Presentation
Evaluation weighting
Technical competence: 60%
Cultural fit: 5%
Price: 35%
TKR-2021118-EX-1538249