Identity Access Management and Directories Product Owner

Description

Summary of the work The MOD is seeking Product Owners to support the IdAM/Directories projects in development and delivery of solutions across the OFFICIAL/SECRET domains: relying party onboarding, exit from existing brokering and Directory service contracts, Internet facing solutions, people lifecycle management end to end (including an onboarding portal). Expected Contract Length An initial period of 18 months with a 6 month option. Latest start date Monday 27 September 2021 Budget Range Not to exceed £1.659M Ex VAT Why the Work is Being Done Strategic Command UK - Defence Digital needs an Identity and Access Management (IdAM) service for its IT & Digital services; this delivers part of the Ministry of Defence 2010 IDAM strategy (available on gov.uk). This service is to provide: 1. Improved compliance with HMG’s Technology Code of Practice, by providing a reusable service and will simplify maintaining compliance with the General Data Protection Regulation (GDPR). 2. A migration path from current IdAM and directories arrangements. 3. Identity related services that meet the Digital Service Standard, particularly for our partner organisations and external users. Problem to Be Solved Product Owner will manage the technical delivery of the IdAM & Directories, including: • IdAM services (e.g. single-sign-on & advanced authentication); • Directory services (e.g. a master Active Directory and corporate directory); • Manage the delivery of the contractor onboarding people data portal, for lifecycle management; • Initial releases use NetIQ products, focus on IdAM features, OFFICIAL information in the UK, SECRET, overseas, deployed systems and directories. Responsibilities include: • Leading work to define/refine backlog items, acceptance criteria, definitions of done with the team/stakeholders, • Producing feature, release roadmaps to meet dependencies, • Identify & provide the transition plans from existing access brokering services to the replacement identity brokering service. • Ensuring the service is secure, resilient, meets digital service standard. Who Are the Users -As an IT user I want single-sign-on so I can seamlessly access IT&Digital services. -As an App or Service Owner, I want simpler, rule based access to my service so that appropriate users get quicker access to my service and inappropriate ones are refused access. -As a system administrator, I want to maintain trust relationships between systems, so that normal IT operations can continue. -As a Security Officer I want simpler means of securely providing access to IT, more accurate and quicker access, and a greater ability to monitor and scrutinise events. Work Already Done Discovery/alpha phases are complete, using the NetIQ product suite. The beta phase for IdAM is underway for an Identity Brokering Service (IBS) being developed by an onboarded partner. Existing data sources, capabilities and systems that may be used by or form part of the service have been identified and known limitations noted. Work identifying user groups, personas and backlog of Epics and User stories for the beta phase have been done. Direction of travel and backlog entries are mature. Further user research and backlog refinement will be required to accommodate new customer on-boarding requirements. Existing Team The supplier will be working with a mixed team of Crown Servants and other contracted partners delivering Product Management and Business Change and service transition. In addition to User/stakeholder access, there are other subject matter experts working with the team on a part-time/as-needed basis, including: • architects from MOD’s Design Directorate (i.e. Enterprise architecture team) and relying parties • technical leads and DevOps engineers from within the project team and relying parties As the user base grows, so will the Crown Servant staffed Service desk support team. The current team size circa 60 personnel in total. Current Phase Beta Skills & Experience • Evidenced experience of working within a large-scale IT change programme of similar size and complexity to Defence. (10 points) • Evidenced experience of working with multi-disciplinary teams in an agile development/delivery environment. (9 points) • Evidenced experience of prioritising agile product and sprint backlogs to provide maximise returned value. (10 points) • Evidenced experience of setting clear acceptance criteria and working with colleagues to ensure backlog items meet the INVEST criteria. (9 points) • Evidenced experience of obtaining and merging information from a range of sources/systems and addressing data quality issues. (7 points) • Evidenced experience to support the ability to work under pressure and adhere to challenging timescales. (8 points) • Evidenced experience of working with MOD or similar body, including familiarity with JSP 604 (Defence Manual of ICT) and 440 (Defence Manual of Security) or similar guidance. (9 points) • Evidenced experience of successful collaborative working and liaising with Industry Partners and contractors. (7 points) • Experience of delivering Information Services with a high level of cyber, general security threat and very high criticality, and creating documents to achieve accreditation. (8 points) • Evidence of proven and demonstrable organisational skills. (7 points) Nice to Haves • Evidenced experience of product ownership in Agile teams building digital products according to the Government Service Design Manual, applying a range of Agile techniques and practices. (10 points) • Evidenced experience of working with and Knowledge of current Defence Identity Access Management systems. (9 points) • Evidenced experience of setting up and developing Directory Services. (8 points) • Evidenced experience of working with remote operational deployable digital identity capabilities. (8 points) Work Location The work will take place at MOD Corsham, SN13 9NR and remotely using MOD provided IT. Working Arrangments The supplier team will use SAFe and Agile principles. Utilising two-week sprint cycle, 3-month Programme Increments. The product owners are expected to work collaboratively with the Authority's team; infrequent face to face meetings will be required. All work at SECRET will be site based. Delivery solutions will involve working with other MOD teams and third parties. Security Clearance SC clearance required as a minimum, DV clearance will be required for certain aspects of project delivery. Additional T&Cs Cyber Risk Profile: HIGH Risk Assessment Reference: 365593324 Shortlisted suppliers invited to stage 2 will be required to complete a Supplier Assurance Questionnaire. As the Cyber Risk Assessment is HIGH, shortlisted suppliers will need to complete a Risk Assessment for each subcontracted element of the work. No. of Suppliers to Evaluate 3 Proposal Criteria • How you will provide the Authority with a high-quality team that embodies the required skills; in particular, why you believe the team (collectively) will be high performing. (10 points) • How you will balance responsiveness and flexibility to changing demands of the work (skills and capacity) as it progresses with the benefits of a stable and consistent team. (9 points) • Indicative structure (i.e. people or roles in your proposed team and main interrelationships), indicative profile (how the team size and roles might change over time) and start date. (8 points) • How you will identify and keep the organisation informed of risks, dependencies, issues and other considerations relevant to planning. (7 points) • Your proposed approach and methodology for managing the transition planning: particularly how this will inform the backlog entries and prioritisation of the Directories, Core OFFICIAL and SECRET workstreams. (9 points) • Proposed approach and methodology for achieving security/information assurance accreditation and maintaining it through the Agile development, including identifying threats, putting in place controls and engagement with risk owner(s). (8 points) • How you will ensure the service can meet the relevant digital service standard at various phases of development (e.g. closed beta, open beta, live). (8 points) • How you will ensure that the service meets the organisation’s policy goals in terms of providing more secure Identity and Access Management/Directories processes including incorporating existing policy. (7 points) • Your approach to knowledge management, particularly how the Authority and its partners can support and maintain the IdAM/Directories services after they have been developed. (7 points) Cultural Fit Criteria • Evidence of how you foster an inclusive and professional working environment with no place for bullying or discrimination of any form. (8 points) • Evidence of working successfully in an Agile manner within an organisation where some units (in relation to governance and project controls) retain a big-design-upfront/command-and-control perspective. (9 points) • Evidence of working with organisations and stakeholders with differing levels of technical expertise. (7 points) • Evidence of sharing knowledge, experience and expertise with the Authority and other team members. (7 points) • Evidence that you Communicate clearly, selecting appropriately between face-to-face and written forms of communication. (6 points) • Evidence of collaborative approach to problem solving with stakeholders from multiple organisations, including Civil Servants, other contractors and vendors. (8 points) • Evidence of a willingness to take ownership of problems and use initiative to ensure a successful outcome. (6 points) • Evidence to demonstrate how you attract and retain the best talent creating teams reflecting diversity of the country and can deliver a diversity of thought to the Authority. (6 points) Payment Approach Capped time and materials Assessment Method Work history Evaluation Weighting Technical competence 50% Cultural fit 20% Price 30% Questions from Suppliers 1. Should the Supplier assumption on budgetary amounts be based on an 18-month period? Budgetary level is for 18 month 2. What are the volumes within the current backlog? 63 Epics and 499 User stories 3. What is the estimated size of team you would anticipate to deliver these requirements? It is for the supplier to propose what they feel is suitable to meet the requirement 4. We have knowledge of the previous strategy and requirements of your Identity deployment, have there been any significant changes that we should be aware of at this stage? All of the relevant details for this requirement can be found in the Digital Marketplace advert. 5. Could you please confirm if SC Clearance needs to be in place for applying or needs to be in before commencing the work? Would you sponsor Security Clearance? We would expect that individuals are already security cleared to the required level (SC minimum) and that the clearances are in place for the duration of the contract. 6. Will responsibility for managing the operating framework be in scope? No 7. Will SAFe (agile) in its truest form be used, or a hybrid, and what tooling/platforms would support management of this? The project uses SAFe and Agile principles (PI planning and sprints), some areas are a hybrid. 8. The backlog items that have been created for the BETA phase. Do these relate solely to the Identity Brokering Service, or the wider IdAM delivery? They relate to the brokering service and associated contract exit requirements including the management of people data.