Awarded

Defence Public Key Infrastructure (DPKI) Support Service

Published

Supplier(s)

Unsung Limited

Value

2,256,000 GBP

Description

Summary of the work

Strategic Command requires external assistance with PKI experience in order to run the Defence Public Key Infrastructure (DPKI) service. This work involves operating the DPKI service whilst supporting our customers. Key areas involve identifying and reducing risks, resolving incidents, help desk requests and change requests as directed by the Authority.

Expected Contract Length

24 months, with the option for a 6-month extension - priced separately as part of this tender

Latest start date

Monday 11 July 2022

Budget Range

Up to a maximum of £95,000 per month excluding VAT for the services listed under the 'problem to be solved' section of the advert. Additional firm pricing is required from the suppliers invited to provide a Stage 2 response, to cover the future works/options. Evidence to state that suppliers can provide these price options is listed in the Stage 1 criteria. Any supplier unable to provide these firm price options will be excluded under the Stage 1 evaluation (pass/fail criteria). Firm pricing for the options will form part of the pricing evaluation in Stage 2.

Why the Work is Being Done

Strategic Command provides the MOD's PKI service; this is a critical service that supports operational & deployed activities. The PKI service is currently supported by an incumbent supplier. The incumbent supplier has enhanced the service over the current contract period. Processes and procedures for the day-to-day operations and interface with the Governance team are now documented. The MOD's critical PKI Solution service will require a SQEP team with experience of managing PKI. This work involves operating the PKI services Registration and Certificate Authorities (RA & CA) whilst supporting our customers via a helpdesk. Key areas involve identifying and reducing risks, resolving incidents, help desk requests and change requests as directed by the Authority.
The team will need to provide advice and architectural guidance to the project team delivering the updated service. The team will also be required to actively work to continually improve the service provided to the customers.

Problem to Be Solved

The supplier will take on the support and service delivery in LIVE and disaster recovery environments for:

  • 1 x Level 1 CA, issuing up to 10000 certificates annually and up to 2 CRLs weekly
  • 10 x LIVE Root CAs and 10 x DEV root CAs each processing – 15 new subordinate L1CAs each, annually. Processing the renewal of certificates for the existing L1CAs (approximately 30 CAs) annually across the 10 Root CAs. Issuing and distributing monthly ARLs for each root.
  • 1 x BPS (Boundary Protection Service) issuing up to 100 certificates annually and quarterly CRLs
  • Processing of any Root/L1CA/BPS certificate renewal as required.
  • Additional Root will be commissioned around Q3 of 2022, with expected management overheads to be no more than 24 x L1CA certificates with quarterly CRLs
  • Additional Root will be commissioned around Q3 of 2022, with expected management overheads to be no more than 20 x L1CA certificates with monthly CRLs
  • Managing the revocation process for all existing and new CAs
  • Support to cross department and cross nationality certificate signing (approximately 2-3 annually)

Who Are the Users

The Authority will require certificates to be processed/renewed/revoked and signed so the service provides assurance to customers, as defined under "problem to be solved". In addition, the Authority will need to task the supplier as the service expands (new Roots/L1CAs) and additional requirements are known.

Suppliers invited to Stage 2 evaluation will need to provide a ‘call off’ list of service prices based on possible future works/options, with monthly firm pricing:

  • 1 x Root CA setup issuing up to 5 L1CAs (to include certificate issuance/revocation), with separate firm price options for weekly, monthly and quarterly Certificate Revocation Lists (CRLs)
  • Option to add additional L1CAs, with separate firm pricing for quantities of 5 and 10.
  • 1 x L1CA setup with management of up to 1000 certificate requests annually, with separate firm price options for weekly and monthly CRLs.
  • Firm price option for additional management of 1000 certificate requests spread over any L1CA.
  • Firm price options for day-rate/out-of-hours call-out charge for CA/RA team delivery of urgent requests

Note: A pass/fail question is included within the essential skills and experience to ensure suppliers can support these options. A fail score received for any of the listed criteria marked as Pass/Fail will result in exclusion from the competition.

Early Market Engagement

Not Applicable

Work Already Done

This requirement is for the take on of an already in-service solution that issues approximately 10,000 certificates and 5 Root certificates a year. Registration Authorities and Certificate Authorities are already operational along with existing helpdesk services (uses BMC Remedy). The supplier will not be responsible for the hardware and software for the current DPKI support system (the Authority is responsible for this and associated risks).

Existing Team

The team will be required to work with the existing supplier to transition the service. Throughout service delivery the team will need to work with Crown Oversight, who monitor CA activity. There is also an Infrastructure team who are responsible for the hardware layer of the solution; the team will need to work with this team in order to deliver the service.
The incumbent supplier also supports the Authority project teams, providing advice and architectural guidance on PKI at an SME level – the new supplier will be required to continue providing this support.

Current Phase

Live

Skills & Experience

  • Ability and experience of creating and managing PKI systems, including Entrust/ADCS/EJBCA software and Gemalto/Thales hardware (DOS 0-3 scoring)
  • Experience and ability to encode certificate profiles in ASN1 format without internet-based tools (DOS 0-3 scoring)
  • Experience of building & configuring virtualised environments (DOS 0-3 scoring)
  • Experience of using command line interaction with utilities such as OpenSSL (DOS 0-3 scoring)
  • ITIL Service Management and Remedy system knowledge and experience (DOS 0-3 scoring)
  • Evidence of ability to provide PKI advice and architectural guidance to the Authority, customers and project team (DOS 0-3 scoring)
  • Experience and ability of ensuring all work is carried out and documented in accordance with required standards, methods and procedures (DOS 0-3 scoring)
  • Experience of providing management information on service data and customer interactions (DOS 0-3 scoring)
  • Proactive certificate management, ensuring that customers are advised with plenty of time that certificates are expiring and are chased (DOS 0-3 scoring)
  • Confirmation that the full team will be available on contract start date (Pass/Fail scoring)
  • Ability to provide the PKI Service in line with the following Service Level Agreements (listed below)
  • Response & Provisioning times - Acknowledge contact: within 1 hour/Respond to urgent request: within 1 hour (Pass/Fail scoring)
  • Response & Provisioning times - Respond to routine request: within 4 working hours/Respond to query: within 4 working hours (Pass/Fail scoring)
  • Routine certificate requests fulfilled within 10 working days of receipt of a valid application and Certificate Signing Request (CSR) (Pass/Fail scoring)
  • Notification of rejected application within 1 working day of receipt/Urgent requests fulfilled within 6 hours of the receipt of a valid application and CSR (Pass/Fail scoring)
  • Routine certificate revocations take place within 5 working days of valid application (Pass/Fail scoring)
  • Confirmation that support and pricing for the future works/options can be provided (Pass/Fail scoring)
  • Confirmation that any of the future works/options can be provided within 2 months notification by the Authority (not including Out of Hours) (Pass/Fail scoring)
  • Confirmation that the option for out of hours call-out of the CA/RA Team for delivery of urgent requests can be provided if requested by the Authority (Pass/Fail scoring)

Nice to Haves

  • Experience of supporting IT Services within the Ministry of Defence or a similar organisation (DOS 0-3 scoring)
  • Experience of Continual Service Improvement of IT Services (DOS 0-3 scoring)

Work Location

MOD Corsham will be the primary working location. T&S will not apply for travelling to this location. In the event of a disaster recovery scenario, the supplier will be expected (where applicable to the work) to travel to an alternative site. T&S costs can be charged in accordance with standard MoD T&S policy rates, if this should occur and with prior agreement of the Authority.

Working Arrangements

The service will be provided within UK office hours 9-5 (Mon-Fri). The team must have regular on-site access to the hardware (weekly for level 1 Certificate Authority).
Some elements of delivery may be delivered remotely if the supplier can prove it won't negatively impact security policy/regulations, delivery or service to customers. Additional pricing for the future works/options is required to cover potential out of hours call outs and call offs over the duration of the contract. The details will be included as part of the Stage 2 evaluation.

Security Clearance

All members of the team must be a minimum of SC cleared. Those who will support the Certificate Authority and Root will require DV clearance with UKSV. DV/SC clearance must be held prior to the contract award date - evidence of validity is required.

Additional T&Cs

For Stage 1, withstanding the company name and contact detail on the submission, suppliers are to remove any references to the company name or employee references within their responses to the set criteria questions. This will provide anonymity for evaluation purposes.

Suppliers must use the Authority’s Purchase to Payment Tool CP&F or be prepared to sign up to the tool.

In accordance with DEFCON 658 a Cyber risk assessment has been undertaken. Cyber risk profile: Not Applicable

In accordance with CCS Framework T&C suppliers are to notify the Authority of any potential conflicts of interests and plans for management.

No. of Suppliers to Evaluate

5

Proposal Criteria

  • Technical ability and knowledge - 40% (the 40% total is made up of the first 6 individually weighted criteria from the following list)
  • Ability and experience of creating and managing PKI systems, including Entrust/ADCS/EJBCA software and Gemalto/Thales hardware - 20%
  • Experience and ability to encode certificate profiles in ASN1 format without internet-based tools - 5%
  • Experience of building & configuring virtualised environments - 2%
  • Experience of command line interaction with utilities such as OpenSSL - 3%
  • ITIL Service Management and Remedy system knowledge and experience - 5%
  • Evidence of ability to provide PKI advice and architectural guidance to the Authority, customers, and project team - 5%
  • Quality and Governance – 12.5%
  • Staffing approach and team structure – 12.5%

Cultural Fit Criteria

  • Work as a team with our organisation and other suppliers - 1%
  • Be transparent and collaborative when making decisions - 1%
  • Take responsibility for their work - 1%
  • Share knowledge and experience with authority and customers - 1%
  • Can work with stakeholders with low technical expertise - 1%
  • Social Value - Demonstrate the companies’ approach to support educational attainment relevant to the contract, including training schemes that address skills gaps and result in recognised qualifications - 5%
  • Social Value - Demonstrate the companies’ approach to delivering additional environmental benefits in the performance of the contract, including working towards net zero greenhouse gas emissions - 2.5%
  • Social Value - Demonstrate action to identify and tackle inequality in employment, skills and pay in the contract workforce - 2.5%

Payment Approach

Fixed price

Assessment Method

  • Work history
  • Reference

Evaluation Weighting

  • Technical competence 65%
  • Cultural fit 15%
  • Price 20%

Questions from Suppliers

1. Can the Authority please confirm who the current incumbent is?

Due to the sensitivity of the DPKI Programme, the Authority is unable to reveal the name of the current incumbent.

2. Does TUPE apply to this engagement? What are the timeframes associated with transition? Are there any elements of the MOD Certificate policy that will impact this contract that bidders should be aware of? Can the Authority advise how many days the incumbent have spent providing Architectural guidance?

TUPE will not apply to this engagement. The Authority’s expectation is for the transition to be completed within a 3-4 week window. The whole DPKI Service operates within the Authority’s certificate policy. The Authority is not aware of any elements impacting the incumbent or bidding supplier's ability in offering the service. Architectural guidance is an ad-hoc/needs basis requirement; the effort (days) required going forward may be less or more than what the incumbent is spending. Please note that in the majority of cases, this guidance support can be provided remotely.

Timeline

Publish date

2 years ago

Award date

2 years ago

Buyer information

Explore contracts and tenders relating to Ministry of Defence
