Provision of Airwave Technical Assurance and Security Architecture Services (Information Assurance) for ESMCP

Description

The Home Office Airwave Security Team intends to re-procure the Technical Assurance and Security Architecture Services that will manage the end-to-end encrypted solution for specialist users as well as the interconnect solution between the Airwave service and the developing Emergency Services Network (ESN). Lot 1: The Home office are re-procuring the Technical Assurance and Security Architecture Services. Estimated date for release of tender is late June 2026 The requirement will be procured through the Government Commercial Agency's Cyber Security Services 3 (DPS) RM3764.3 _____________________________________________________________________________________________________________________ Suppliers will need to be registered to the RM3764.3 DPS and be identifiable against the following DPS filters in order to be invited to the tender exercise: NCSC Assured Services, Cyber Resilience Audit, Audit and Review, Cyber Essentials Plus, Clearance: Security Check, NPPV (Non-Police Personnel Vetting), ISO 27001, Networks, Database, Internet, Cloud, Communications, Government, Critical National Infrastructure, Police, Ambulance, Fire Services, Coast Guard “No Preference” to all other filters. ______________________________________________________________________________________________________________________ Home Office is not responsible for supplier registration. Suppliers will need to contact the Government Commercial Agency and follow its guidance. Suggested links: Government Commercial Agency website: www.gca.gov.uk Become a supplier on a Dynamic Purchasing System: www.gca.gov.uk/how-to-supply/dynamic-purchasing-system-dps Link to Cyber Security Services 3 DPS: https://supplierregistration.cabinetoffice.gov.uk/dps/RM3764.3?nav=0 In addition to registering to the DPS, the tender itself will be run using the Home Office's tender portal (https://homeoffice.app.jaggaer.com/web/login.html) suppliers will need to register to it. Instruction appends the front page to this portal. Overview of requirements The indicative scope of work includes, but not limited to, the following Airwave activities: 1. Provision of independent technical assurance across the Airwave end‑to‑end ecosystem, including TETRA radio services, bearer and transport technologies, and interfaces with ESN and other interconnected systems. This includes assessing availability, capacity, performance, and resilience impacts arising from proposed or implemented changes 2. Understanding encryption algorithms (note: we use TEA2 and AES), lifecycle considerations, and associated cryptographic service models 3. Assessment of customer element architectures, control room environments, gateways, clusters, and high‑impact modifications (e.g. CE refresh or site changes), with a focus on identifying security risks, operational impacts, and emerging dependencies 4. Structured review and assessment of users and suppliers technical submissions, including designs, configuration artefacts, test plans, and assurance or accreditation evidence. This includes identifying security gaps, vulnerabilities, or weaknesses across radio, cryptographic, network, and interworking solutions 5. Production, review, and maintenance of security cases, risk assessments, assurance reports, and risk treatment recommendations. The service includes providing clear, evidence‑based input to governance and decision‑making forums supporting Airwave service continuity and transition activities. 6. Assessment of Airwave‑related services and changes against relevant national and industry frameworks and standards, including the HMG Security Policy Framework, NCSC CAF and Principles‑Based Assurance, ETSI standards, TEA requirements, and recognised risk assessment methodologies. 7. Evaluation of risks associated with data hosting, data residency, and any offshoring proposals linked to Airwave services or supporting environments. This includes assessing legal, regulatory, operational, jurisdictional, and national security risks, and providing objective recommendations aligned with government policy and classification requirements. Additional information: 8. Support to the investigation and triage of security‑related incidents affecting Airwave, including cryptographic issues, configuration anomalies, or suspected misuse. This includes assessing operational impact, interpreting threat or vulnerability intelligence, and supporting follow‑up actions in coordination with relevant stakeholders.