Awarded

Cyber Capability

Published

Supplier(s)

Acitc Consulting Limited

Value

2,000,000 GBP

Description

Summary of the work

DIT require a supplier to provide cybersecurity expertise with experience to deliver and enhance the DDaT Directorate’s services, through a range of short and long-term projects in accordance with GDS standards.

Latest start date

Monday 18 July 2022

Budget Range

The Buyer will issue a range of work packages. A maximum budget of £2,000,000.00 for a 24 month duration, exclusive of VAT. This budget range excludes any extension options. The value of the optional extension period is £500,000 excluding VAT.

Why the Work is Being Done

DDaT require contract specialists to work on a range of short and long-term projects in accordance with GDS standards. We are looking to supplement these existing contracts with one to provide the following Cyber expertise:

• Microsoft technology capability / expertise
• Risk Management support, for the Information & Risk Assurance Process (IRAP), to ensure and manage supply chain risk
• Provide Architectural support
• Forensics
• Vulnerability Management

This should include relevant expertise in the DDaT Capability Framework ‘Technical Job Family.’ Details at: https://www.gov.uk/government/collections/digital-data-and-technology-profession-capability-framework.

This includes a number of portfolios of work, including the below that are in scope for this requirement:

• Export and Investment Services Portfolio
• Trading Services portfolio
• Employee experience portfolio
• Data platforms portfolio
• Technology platforms portfolio

Problem to Be Solved

DIT DDaT are responsible for a number of tools used both within and outside the Department. As a growing team, we have an increasing number of needs. For example, all new digital tools and services used by the department are required to go through our internal Information Risk Assurance Process (IRAP). We would expect the supplier to provide risk management support, to support & manage supply chain risk.

In the same way, we are looking for Microsoft tooling capability to boost the security & compliance of our implementation of the M365 suite of applications and supporting toolkits. We likewise have comparable requirements across the wider Microsoft product estate including Azure.

Who Are the Users

We are looking for a supplier to help our Digital, Data and Technology team deliver against its cyber security. DDaT is a growing function, and we need extra capacity to support existing & new priorities. DIT services include both staff-facing and public-facing products. Staff-facing services are used by ~4,000 of the Buyer's staff and partners around the world, enabling the Buyer to support UK investment and overseas investors and to inform UK trade policy. The Buyer's public-facing digital services are used by overseas investors and UK exporters to support them in their international trade journey.

Existing Team

The Buyer's DDaT team consists of a range of multi-disciplinary teams, working across all areas. It is a fast-growing team. There is an existing Cybersecurity team and IRAP team, constituted largely of civil servants. Documenting the work and handing over is a critical part of the contract to ensure that DDaT owns and retains the knowledge created during the work.

Current Phase

Not started

Skills & Experience

• Have a range and depth of expertise in providing the required technical roles.
• Have proven expertise in security & compliance of M365 suite of applications and supporting toolkits.
• Have expertise in business and technical architecture for Security & Compliance assurance across the Microsoft product estate including Azure.
• Have experience in supporting organisations in the assessment and management of risk across a broad spectrum of technologies.
• Demonstrate the ability to work with stakeholders to refine and validate their ideas.
• Have the ability to think creatively and articulate innovative ideas to solving complex business, technology and risk management problems.
• Have experience in designing management information and other relevant contributions for audit and risk assurance committees.
• Have knowledge and experience of best practice regarding implementing least privilege security models and approaches within cloud environments.
• Have knowledge of a range of security standards including but not limited to ISO27000, SOC 2, CIS & NIST.
• Demonstrable use and delivery of design artefacts.

Work Location

Typically, a substantial portion of the work will be performed on-site at DIT’s premises in Westminster, London, unless otherwise agreed.

Working Arrangements

Typically, a substantial portion of the work will be performed on-site at DIT’s premises in Westminster, London, unless otherwise agreed. However, at the time of publication, government measures to reduce Covid-19 are in operation and as such, work should be done remotely and in observance of social distancing and shielding guidance. DIT will continue to observe all government advice in the coming months aimed at reducing the spread of the disease.

Security Clearance

The expectation is that supplier staff will be required to have SC clearance before they start. A copy of the clearance from the supplier will be required. It is the responsibility of the supplier to ensure clearance is received.

Additional T&Cs

All expenses must be pre-agreed between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy. The initial SOW will be agreed with the successful supplier following award.

No. of Suppliers to Evaluate

3

Proposal Criteria

• Please outline how much resource you will be able to provide to meet call-off requests under this contract, including the volume of parallel requests that you could meet.
• Explain your approach to onboarding and retaining key resources within changing market conditions.
• Explain how you'll meet DIT's need for appropriately skilled individuals - what internal tests/processing will you undertake to ensure these specialists meet our requirements? How will you measure and manage the quality and speed of delivery? (6%)
• Please provide outlines of the team profile / work history of the individuals who could be deployed to work on this DIT requirement.
• Explain how you will ensure DIT staff are ready to take on operational control and support upon completion of work.

Cultural Fit Criteria

• Demonstrate your ability to deliver in an open, collaborative, agile way according to the principles outlined in the Government Service Standard and Technology Code of Practice.
• Experience in upskilling and mentoring junior members of staff, including from unrepresented groups, helping them in achieving their career objectives.

Payment Approach

Capped time and materials

Evaluation Weighting

• Technical competence: 60%
• Cultural fit: 20%
• Price: 20%

Questions from Suppliers

1. You have determined that off-payroll rules do not apply for this engagement. Please would you confirm if you require any small companies to indemnify the Authority against any IR35-related tax charges, should this engagement subsequently be found to be inside the scope of the Intermediaries legislation?
The engagement is outside the scope of the Intermediaries legislation.

2. There’s a broad reference to the DDaT Technical job family earlier in the advert; please can you be more specific with likely roles required for this contract?
We expect cover for all Cyber roles including risk manager, cyber architecture and incident response capabilities.

3. Please may you give examples of design artefacts you refer to in the last question.
High level design, low level design, logical data flow diagrams etc.

4. Could we be provided with your interpretation or definition of ‘design artefacts’ as this could be anything from Programme Structures to Architectures.
High level design, low level design, logical data flow diagrams etc.

5. “DDaT require contract specialists to work on a range of short and long-term projects in accordance with GDS standards. We are looking to supplement these existing contracts with one to provide the following Cyber expertise:” Can DDaT expand on the range of “existing contracts” referred to? Is it envisaged that resources engaged under this Cyber Capability contract would form part of existing contract project teams?
It is expected that if a cyber architecture resource were required, that they would work as a member of the Cyber team, giving advice, help etc to other teams inside DIT allowing them to fulfil their projects.

6. How will the DDaT team manage demand and signal future demand to suppliers? (What notice will suppliers have of demand for specific skills?)
We envisage that we will be able to give a few weeks' notice, but for incident response or the like, that would be required immediately.

7. Will the Buyer sponsor future new/renewal applications for SC clearance of skilled staff from suppliers?
Yes, we will. However, we may require SC cleared staff from the outset of the Contract.

8. Where can suppliers access the Cabinet Office (CO) Travel and Subsistence (T&S) Policy?
N/A - We aren’t the Cabinet Office and DIT has their own policies around this. This can be shared with the preferred Supplier.

9. Given the range of skills that could be required by the Buyer through the period of the contract, is the Buyer happy if suppliers put forward suitably qualified resources from their own trusted suppliers in order to meet demand in a timely way?
Subcontracting is permitted through the Contract. The prime contractor will be held accountable for the delivery of the outcomes.

10. Can the Authority provide more detail on the programme deliverables that are expected over the 2 year contract period?
BAU Cyber work – risk assessment and management, Architecture and Incident response being the main expected items. Vulnerability Management is also expected.

11. Can the Authority estimate the total number of resources required, and the resource type in terms of skillsets that are required and duration of projects to satisfy the Authority’s call off contract?
Currently we have 5 open roles, but if there is an IR response 10+

12. We would like to know what a typical project looks like and whether the work packages will usually be for a complete delivery or augmentation of existing teams?
There is no such thing as a normal project. High level project expectations would include design and rearchitecture of proposed solutions to ensure standards are met, from encryption, logging and alerting (etc).

13. Can you provide more detail on the work? Will it be largely incremental change to existing services or implementing completely new services/software?
Both. Redesign and new builds, assessment of existing services and new ones.

14. What software/tooling is used for vulnerability management? How many licences are there? If an enterprise license is in place, approximately how many users are there?
We are unable to answer this question without an NDA - which can be arranged at stage 2, if required.

15. What software/tooling is in place for Forensics? How many licences are there? If an enterprise license is in place, approximately how many users are there? How many endpoints are there and across what sites?
We are unable to answer this question without an NDA - which can be arranged at stage 2, if required.

16. In what area of vulnerability management do you require assistance – execution, analysis and prioritisation or all of these?
All of the above – tooling is in place, but not fully utilised. Therefore policy, process, tool, results and reporting required.

17. What is the volume of external IP address ranges in use and web applications for scanning?
SaaS based platforms, thus addressed based only.

18. Does DIT expect the IRAP process will need to evolve to accommodate additional areas of risk concerns or focus?
We do, but in a limited function within the process itself – no major changes to the cyber function itself.

Timeline

Publish date

a year ago

Award date

a year ago

Buyer information

Explore contracts and tenders relating to Department for International Trade
