MDDS Security as a Service (ND-0182)

Description

Summary of the work The provision of Security as a Services across a full spectrum of programmes and projects delivering digital outcomes that enable current and future information-based capabilities supporting Navy Command Information, MoD and HMG defence and national security outputs. Expected Contract Length 24 Months Latest start date Tuesday 3 January 2023 Budget Range The 'Core' elements of this Outcome can be delivered within a budget of £3.68M Inc VAT over 24 months. This budget includes £25K per year for travel = £3.63M for delivery of the 'Core service. This Outcome has a limit of liability of £7.36M in order to provide a mechanism to enable agile and efficient delivery of increased service volumes. At award the 'Core' commitment will be up to £3.68M covering only the 'Core' funded elements of the Outcome. Increase in activity up to the limit of liability is subject to separate SoW which will include any agreed additional T&S. Why the Work is Being Done Navy Command - Navy Digital requires digital Security delivered as a Service for all Maritime Digital projects and Digital installations, to ensure compliance with HMG, MoD and RN security policies. Problem to Be Solved Navy Digital is required to deliver and sustain digital and information security services that enable the secure operation of Information Communication Technology (ICT) equipment, services, and applications. In order for Navy Digital to achieve this goal in an agile and effective manner, a central security service must be established. This service will establish a single coherent approach to Navy Digital's requirements to prevent duplication and improve efficiency. Who Are the Users Navy Command - Navy Digital CDIO, executive teams, desk officers, delivery teams. All users of the Security as a Service function must be able to call upon suitable Digital Security knowledge and experience to provide through life support to RN Digital Programmes and Projects. Work Already Done The RN has historically delivered and sustained digital and information security services in a manner which is siloed, across multiple projects, programmes and organisations. In order to address the challenges associated with this approach, and provide coherence across all capability areas, in a sustainable and scalable manner which can more effectively respond to existing and emerging requirements, a central Security As A Service function will be established. Existing Team There is mixture of RN Service personnel, Civil service and contractors from several other suppliers contributing to Programmes of Work that this service will support. This service will be expected to integrate with, support and draw upon this existing team to deliver this service. Current Phase Discovery Skills & Experience • Have experience in providing ICT security assurance for MoD and RN digital delivery within a maritime context. • Have experience in delivering Information Assurance across all HMG security classification tiers (OFFICIAL, SECRET & TOP SECRET) for ICT systems and services within the maritime domain. • Demonstrate knowledge and understanding of the threat landscape in the context of the Royal Navy and maritime C5ISR. • Demonstrate the ability to understand and apply complex security requirements to C5ISR solutions across the maritime domain. • Demonstrate experience of managing the security aspects of maritime digital capabilities and the associated operating environment constraints. • Demonstrate experience understanding and applying MoD policy and processes which impact the through-life management and security of Royal Navy digital capability e.g., JSP 604, JSP 440, & JSP 441. • Demonstrate experience communicating and managing information security matters across senior stakeholders within MoD & RN e.g., MoD Cybersecurity Assessors; PSyA; CISO and IAOs. • Demonstrate knowledge and experience of extant RN and MoD security-related policy and processes, which includes fixed MoD estates and RN Platforms. • Demonstrate knowledge and experience of embedding security throughout a project delivery lifecycle i.e., from inception through to decommissioning or disposal within a MoD context • Demonstrate knowledge and experience of applying MoD policy and processes which impact the through-life management and security of RN digital capability. • Demonstrate knowledge and experience of manging the security of current in-service RN Digital capabilities • Demonstrate the ability to understand how through-life digital security will need to be embedded and support the current MoD digital strategy. • Demonstrate experience of communicating complex digital security related matters to senior and non-technical stakeholders. • Demonstrate knowledge and understanding of the MoD Secure by Design process. Nice to Haves • Demonstrate knowledge and experience of applying DevSecOps within a MoD environment. • Demonstrate experience in defining software related security requirements and threat modelling. • Demonstrate experience of managing of cryptographic material and associated security-related aspects. • Demonstrate experience of using common security risk management frameworks used within the context of MoD. • Hold pertinent Information Assurance certifications within digital security e.g., NCSC, CISP, CISSP, CISM. • Demonstrate knowledge and experience in dealing with security aspects relating to big-data and hyper-scale hosting environments in a MoD context. • Demonstrate security knowledge and experience in key MoD digital delivery areas. Work Location Primarily based within NCHQ, Portsmouth. Across all UK MoD/RN locations and some overseas travel, all task dependent. Working Arrangments This service will be working in a team with stakeholders from within Navy Command, MoD, and other government departments to enable capability outcomes in support of MoD and HMG national security objectives. The work will predominately be based at NCHQ, however the service deliverables will direct where tasks are carried out, and travel will be required where necessary. Security Clearance MoD approved SC is required at contract start for all personnel assigned to this service. A minimum of 3 DV cleared personnel will be required for undertaking roles which require it e.g. Above Secret. Additional T&Cs All expenses (T&S) must be pre-agreed between the parties and must comply with the MoD Travel and Subsistence (T&S) Policy. All suppliers are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ No. of Suppliers to Evaluate 3 Proposal Criteria • Technical Competence (70 Marks) broken down into: • Stage 1 relative score (10 marks) • Approach and Methodology - how the solution meets our needs particularly with regards to the Essential and Desirable criteria (25 marks) • The demonstratable skills and experience and a sutiable team structure and composition (20 marks) • Understanding of the outcome delivery risks, dependencies, assumptions and mitigations against failure (5 marks) • Demonstrate how the service will evolve and innovate to ensure optimisation of future security outcomes (5 marks) • Ability to respond to surge/change in work force composition during the contract term, including access to the whole range of skills and clearances, in a suitable timeframe. (5 marks) Cultural Fit Criteria • Work as a team with our organisation and other suppliers and have a no-blame culture that encourages people to learn from their mistakes. (2%) • Take responsibility for their work. (2%) • Share knowledge and experience with other team members. (2%) • Can work with customers with low technical expertise. (2%) • Consider equality & inclusion in the provision & operation of services, including a workforce that is representative of the communities we serve, where relevant and proportionate (2%) Payment Approach Capped time and materials Assessment Method Work history Evaluation Weighting Technical competence 70% Cultural fit 10% Price 20% Questions from Suppliers 1. How will T&S be charged and payments made throughout the contract? "The contract value will include up to £25K of T&S per year to be invoiced as actuals in line with MoD T&S ratesThe £25K per year for T&S is not to be included within the bid tender.Foreign travel will require Authority approval before these costs are met. T&S throughout the contract will be limited to a maximum liability of £25K per year.The service delivery will be receipted and invoiced in arrears via CP&F and EXOSTAR using the method of Capped time and materials." 2. Will this be assessed as inside IR35? It is not expected that IR35 will apply. An assessment will be made after the winning supplier has been selected. 3. Is there a Cyber Risk Assessment? The Cyber Risk Level is low. Suppliers that are down selected will be required to complete a SAQ. 4. Is there an incumbent supplier in the role? Yes, there is an incumbent delivering this requirement at this time. 5. Would you accept a DV cleared candidate? Yes, we would accept a candidate with a DV. 6. Will there be any performance indicators within the contract Yes, there will be performance indicators, these will be advised following down-selection. 7. How will initial tender submissions be evaluated ( part 1) Each tenderer will be evaluated and allocated 0 (Not Met), 1 (Partially Met), 2 (Met) or 3 (Exceeded) against their responses to each of the essential and nice to have criteria. The points awarded for each criteria will be added together to give the total technical evaluation points. 8. How will initial tender submissions be evaluated (part 2) The Authority reserves the right to consider tenderers non-compliant if their points are below 2 on any criteria. Tenderers may also be considered non-compliant if their proposed start date is after the required start date, if their bid is above the stated budget or fail to meet submission deadlines. Non-compliant tenderers will be excluded from the competition and their total technical evaluation points will be 0. 9. How will initial tender submissions be evaluated (part 3) Tenderers with the three highest total technical evaluation points from this evaluation will be down selected and invited to take part in stage two. 10. How will final tender submissions be evaluated after initial down selection The submitted proposals and work histories will form the basis of the Technical and Cultural Fit evidence for selection during the final tender and will be scored using the following weighting: Technical competence 70%. Cultural fit 10%. Price 20%. 11. Is there an opportunity for remote working within this service. The majority of this work will be based in Navy Command Headquarters, with remote working as dictated by the tasks 12. If down selected to the final 3, what will be the maximum word count criteria for Phase Two’s question sets? Written proposal – A maximum of 2000 words.Work histories – Up to 500 words each.A cultural fit statement – A maximum of 100 words for each of the cultural criteria and in the STAR format. 13. Will any TUPE apply to this?If so, how many people and what rolls? TUPE should not apply to this requirement