Awarded

Secure by Design (SbD)

Published

Supplier(s)

LogiQ Consulting Ltd

Value

4,950,000 GBP

Description

Summary of the work

The Cyber Resilience Programme requires a supplier to deliver the Secure by Design outcomes. The SbD project will develop and implement a new approach for security in Defence by embedding security as a fundamental element of the system design process.

Expected Contract Length

15 months (outcomes required for Dec 23)

Latest start date

Monday 19 September 2022

Budget Range

It is estimated that the work can be delivered within the budget range of £6.5M - £9M. It is estimated that the staffing requirement is between 25-30 personnel during the 15 months to deliver the outcomes.

Why the Work is Being Done

Defence currently holds an unacceptable cyber risk position and faces an ever-rising wave of malicious cyber activity, combined with a growing use of digital capability that increases MOD's cyber threat surface. The current MOD approach to security design revolves around accreditation. Whilst this approach may have been suitable in the past, it is unable to deal with the scale and complexity of projects across Defence, or to respond to new and emerging technology. Additionally, accreditation can focus security risk ownership in the wrong area of the business, placing ownership with security rather than with the owners of the capability / business stream.

Problem to Be Solved

The end state of SbD will be a Continual Assessment approach, which will be developed and implemented to replace the current accreditation process. SbD will develop the policy, process, tools and guidance that projects can use to better define their security understanding and to develop and implement better security solutions. It is important to note that policy, process and tools will all be in support of the wider objective of improving the security culture. That is, Secure by Design will change what MOD staff, collectively and individually, perceive as acceptable and desirable behaviour, aligning with best practice in industry. This will make knowledge sharing easier, as well as ensuring that security is commensurate with the Defence Tasks. Whilst this activity will be focused on security, it is likely that this culture shift will also benefit MOD procurement and project management more widely, as has already been evidenced by the Alpha activity.

Who Are the Users

Secure by Design will change what MOD staff, collectively and individually, perceive as acceptable and desirable behaviour, aligning with best practice in industry.

Work Already Done

Discovery, Alpha and transition phases have already been completed for Secure by Design. The Beta phase will take the outputs from these phases and further test them across Defence to prove that Secure by Design is scalable and delivers the stated benefits and cyber risk reduction to Defence.

Existing Team

The team will be working within the Cyber Resilience Programme, Defence Digital, led by a Civil Servant B1 and the Resilient by Design Theme Lead, Civil Servant B2. A number of suppliers are involved across Defence supporting IT projects, and the chosen supplier may need to work with them during the Beta phase.

Current Phase

Beta

Skills & Experience

• Evidence will need to be provided describing the company's experience and knowledge in complex business transformation, using waterfall and Agile approaches. (5%)
• Experience and knowledge in complex business transformation, using waterfall and Agile approaches. (5%)
• 3+ years providing project and programme management, Cyber Security, Communications, Business Analysis and Business Change Management roles. (2.5%)
• Evidence of understanding and experience of MOD accreditation and other processes. (5%)
• Evidence of understanding and experience in Cyber projects and providing essential guidance and SQEP support to improve governance, internal documents and processes. (5%)
• Demonstrable experience of providing client-side support within transformation programmes. (5%)
• Proven track record of working with key stakeholders to implement transformation across organisational structures, operational governance and information flows for large-scale complex projects. (2.5%)

Nice to Haves

• Experience of working within Defence organisations on agile project delivery. (2.5%)
• Experience in recruitment of Cyber SQEP and analysis of processes to improve Cyber Specialists' recruitment. (2.5%)
• Ability to think creatively and articulate ideas for solving complex business problems. (2.5%)
• Evidence of working collaboratively, taking responsibility for the tasks in hand and adapting quickly in an ever-changing environment to enable completion of tasks in an agile manner. (2.5%)

Work Location

The main base is Corsham, Wiltshire; however, remote working is acceptable. There should be minimal limitations on attending Corsham, South West locations and Main Building in delivery of the Beta phase outcomes.

Working Arrangements

The supplier staff will work Mon-Fri at 7.5 hours per day. Possible locations for meeting stakeholders include (but are not limited to) Corsham and MOD Main Building.

Security Clearance

Because of the nature of the transformation required, SC clearance is required for all personnel working on the project.

Additional T&Cs

All expenses must be pre-agreed between the parties and must comply with the Authority's Travel and Subsistence (T&S) Policy. All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects.

No. of Suppliers to Evaluate

5

Proposal Criteria

• Evidence of understanding the SOR through proposed approach and methodology. Supplier should evidence how the approach will meet user needs. (20%)
• Evidence of experience in business transformation. (10%)
• Evidence of technical compliance in skills and experience for the roles described. (10%)
• Proposed approach for onboarding and Implementation Plan. (5%)
• Proposed approach for transfer of knowledge, and how the supplier will integrate and work collaboratively. (5%)
• Risk and dependency identification and mitigation approach within the requirement. (5%)
• Proposed team structure, including proposed FTE to support peaks. Response should include a retention plan for staffing. (5%)

Cultural Fit Criteria

• Evidence of encouraging an environment of inclusivity and diversity. (50%)
• Evidence of working as a team with our organisation and its stakeholders, sharing knowledge in a no-blame culture to enable learning from experience. (25%)
• Evidence of working collaboratively, taking responsibility for the tasks in hand and adapting quickly in an ever-changing environment to enable completion of tasks in an agile manner. (25%)

Payment Approach

Fixed price

Evaluation Weighting

Technical competence 60%
Cultural fit 10%
Price 30%

Questions from Suppliers

1. Can the Authority please confirm if there is an incumbent supplier, and if so, who? How long have they been the incumbent?
As part of this work there is an incumbent Supplier, who has been in post ~18 months. The name of that Supplier is not relevant to this competition.

2. The first and second essential criteria questions appear to be largely identical. Can the Authority please confirm if suppliers should submit the same response for both questions? If not, can the Authority please confirm how we should approach each response, and the difference between the two questions/responses?
The first and second essential criteria questions are identical. Please only answer the first criterion, and please note that this will then represent 10% of the overall score.

3. There is reference to Discovery and Alpha in the tender documents. Please could you tell us who completed this work, what work was done and what the findings/outcomes were?
The Incumbent completed this work. It explored the problem, engaging with stakeholders to understand areas which needed effort. This led to the Alpha phase, which generated Policy, Tools, Processes & Guidance which could then be applied to a selection of projects to prove value. These policies, tools, processes & guidance have been taken into the Beta phase, where they will continue to be tested while other Epics focus on developing further policy, processes, tools, guidance and business-change planning to ensure Defence culture is changed. Epics currently cover Comms, Big Beasts (Cat A Programme), Beta Projects (Cat A-D), Governance, SRO responsibility, CySAAS transformation, Workflow tooling and helpdesk.

4. Has any external supplier been involved in the initial scoping work?
The Incumbent has been providing Client Side Support to complete the initial scoping work.

5. Could you confirm if shortlisted suppliers will have the opportunity to present, or only a written proposal?
Shortlisted suppliers will be asked only to provide a written proposal.

6. What sort of roles do you see in a team of 25-30?
A range of project management and technical skills will need to be provided in order to meet the outcomes; evidence should be provided for the following roles:
• Project Management (Waterfall and Agile)
• Programme Management
• Cyber Security Specialists
• Communications (needs to take into account comms with all levels of the business, Exec/Director level to PM)
• Policy Development
• Systems Engineering
• Business Analyst
• Business Change Management
• Risk Management

7. What are the outcomes/outputs from the previous phases?
The Incumbent completed this work. It explored the problem, engaging with stakeholders to understand areas which needed effort. This led to the Alpha phase, which generated Policy, Tools, Processes & Guidance which could then be applied to a selection of projects to prove value. These policies, tools, processes & guidance have been taken into the Beta phase, where they will continue to be tested while other Epics focus on developing further policy, processes, tools, guidance and business-change planning to ensure Defence culture is changed. Epics currently cover Comms, Big Beasts (Cat A Programme), Beta Projects (Cat A-D), Governance, SRO responsibility, CySAAS transformation, Workflow tooling and helpdesk.

8. Following on from the response (2) WRT the duplication in Essential Criteria 1 and 2: please could the Authority confirm that we can use both fields to answer this question, so that we can supply a total of 200 words covering that duplicate (10%) criterion, or will anything added to the second entry field be ignored (as could be implied from the answer to question 2)?
Essential Criteria Points 1 and 2 can both be populated with a response, utilising the given 200 words. If Point 2 is used for additional space, please ensure you refer to Point 1, to ensure the responses link.

9. Question 1 is duplicated in Q2; would the same answer suffice?
Please refer to Clarification Questions 2 and 8.

10. Can you please confirm if any of the services are being delivered by a current supplier, and who they are?
Please refer to Clarification Questions 1 and 4.

11. There is an Alpha product that has been developed, according to the description, and the successful vendor will be tasked with developing a Beta from there.
The Alpha phase output led to a discussion with the business stakeholders on the Epics which should be followed for Beta. There are 11 of these at the start of Beta, including CySAAS transformation, Comms, testing policy & process with Cat A-D projects, testing policy & process with large programmes, Security helpdesk, Workflow tooling and portal development. It is expected that the supplier will drive these forward, and use lessons learned to establish activity to deal with issues arising from these Epics in future Programme Increments.

12. May we know the functional elements of the Alpha? Are there logical diagrams available?
We don't have specific logical diagrams. The Alpha was focused on testing hypotheses, the output of which we have captured. We have diagrams relating to the extant process, architectures and information flows. These will be made available to the successful supplier.

13. Is the expectation that the Beta and subsequent production be based on the Alpha, or are vendors able to diversify based on discovery and business process changes, once validated by the business?
It is expected that the supplier will drive these forward, as well as, from lessons learned, establish activity to deal with issues arising from these Epics in future Programme Increments.

14. Is there a possibility of early engagement for discovery prior to the start date specified in the opportunity description?
It is expected that on contract award there will be a handover period. The current assumption is that there will be no more than one month to complete the handover from the Incumbent. To support suppliers in their bid during Phase 2, a bidders' conference is planned to explain the requirement.

15. Do you also expect the supplier to perform a cyber review of the other suppliers working with MOD to determine the cyber risks introduced by these suppliers?
No, this is not in scope for Secure by Design. There is another project in CRP focused on supplier security. It should be noted that SbD, like other MOD projects, will need to be aware of other projects' and programmes' outputs/outcomes to ensure coherency.

16. Is the supplier expected to evaluate or recommend the tools MOD will be looking to implement?
This is a key outcome for the Beta phase.

17. Which activity do you expect the supplier to spend most of the time on in the Beta phase? For example, project management, or providing cyber advisory or assurance services to the project teams.
Many products need to be delivered and refined across policy, process, guidance and tooling. Alpha has developed policy, process and guidance which are now being tested and refined in Beta. This is a transformation project which will need focus throughout Beta to deliver the project outcomes.

18. Do you expect the supplier to test the operating effectiveness of the outputs from the discovery, alpha and transformation phases, and work with MOD to close the gaps?
The process used focused on capturing existing processes, but the target process (to-be) is the existing process with security better aligned, not really a gap analysis. This has been developed considering the NIST Framework (where applicable).

19. Are you looking for a single provider or a consortium?
MOD has no preference, providing the supplier is able to provide the quality within time and cost parameters. Any prime will need to ensure they clearly articulate how they will manage sub-contractors so that there is minimal risk to the Authority.

20. Which framework was used to perform the gap analysis?
The process used focused on capturing existing processes, but the target process (to-be) is the existing process with security better aligned, not really a gap analysis. This has been developed considering the NIST Framework (where applicable).

21. When and how will the output of the gap analysis be shared?
The SOW, which will be released in stage 2, will document the requirement. It focuses on the outcomes that need to be achieved, with detail of the eleven Epics which make up the start of the Beta phase.

22. Do all 25-30 people need to have SC?
Yes

Timeline

Publish date

2 years ago

Award date

2 years ago

Buyer information

Ministry of Defence