Provision of Staff Identity and Security Controls (SISC) Engineering Services

Description

Summary of work Staff Identity and Security Controls (SISC) Engineering Services project covers a number of scope items relating to improvements in the way we manage staff identity and in particular s with enhanced access to systems and data. This Phase includes delivery of the following high-level workstreams: •Active Directory Consolidation – Full service migration including client and servers Migrations •Staff Identity – Recruit itional contractors Replicate access control improvements in Azure •Joiners, Movers, Leavers – Rollout Role Based Access Control and Service Now portal to all Staff •Active Directory Tooling - Fully automate AD access provisioning •Engineer Remote Access – Use AD enhancements to improve engineer remote access methods DVLA requires a supplier to rationalise and consolidate the current Active Directory repositories across the estate. Working closely with the project and cross functional support teams the supplier will analyse the current domain and server instances, plan and deliver migration of all infrastructure services as well as all applications and servers to new Active Directory Domain. Active Directory Consolidation: • Plandeliver migration of all infrastructure services and servers to new Active Directory AD • Plandeliver migration of all applications and application servers to new AD • Scoping will include the analysis of 476 servers across 23 domains. • Knowledge transfer training to DVLA support staff to allow transition into support as well as a web based data base WIKI and support site created to reference all documentation. • Testing, defect management, project reporting for all applications and server migrations. These all need to be recorded, itemised, prioritised and owned by the resources in an effective manner that allows the wider project audience to utilise them. A new Remote Desktop Service and Multi Factor Authentication solution is required for all engineering staff in line with best practice. The supplier is to build, plan, and deliver a solution meeting cyber security needs. Engineer Remote Access: • Plan and deliver a new Remote Desktop Service (RDS) and Multi Factor Authentication (MFA) solution which will be rolled out to all engineering staff, approx. 400 s. • Remove dependency on local admin machines, approx. 400 desktops. Where the supplied staff will work Wales Who the organisation using the products or services is Drivers and Vehicles Licencing Agency Why the work is being done The project aims to simplify and standardise the way in which we control access to systems and services. Significant foundational work has already been delivered including the setup of a new Active Directory and process improvements for Role Based Access Controls and Joiners, Mover, Leavers. Active Directory Rationalisation – There are Multiple existing complex Active Directory repositories. • DVLA want to take opportunity to migrate Servers and Services to the new domain and consolidate old domains • Decommission old infrastructure by removing redundant domains. In ition to the Active Directory Rationalisation to ensure that we capitalise on enhancements, provide our engineering teams with access to new RDS service and deliver our consolidation objectives. Engineering Remote Access (ERA) - currently too many engineers have a reliance on physical admin desktops to complete support tasks and log on to these devices with accounts with elevated privilege. A lack of Multi Factor Authentication (such as a unique code challenge on log on) goes against industry best practice for s with elevated access. • Develop and secure the method of remote access for engineers The business problem The Agency has multiple complex domains throughout the DVLA estate. There are twenty-one Active Directories used for different purposes (some of which are running Legacy services) which s complexity for the support staff operating them. With the consolidation of the estate using new tooling, business process and technical patterns via the SSIM team this will bring consistency, control, and ownership of access across the estate. Reducing the complexity of Active Directory will reduce the number of physical servers, isolate admin accounts, simplify AD related changes and the day-to-day management in the future. With the increase in remote working over the last few years the access to physical admin desktops to complete support tasks does not align with engineering needs or best practice. All physical admin desktops are to be removed and alternative solutions found for support functions. A more secure solution with tighter controls is required meeting best practice guidelines and cyber security requirements. The people who will use the product or service User type: All DVLA staff Definition: All DVLA staff utilise Active Directory and the servers in scope for migration in order to carry out their work duties. User type: Engineers Definition: Engineers require the use of a Remote Desktop Solution to securely carry out their support activities. Any pre-market engagement done NA Work done so far The project has concluded its first phase of building, commissioning, and testing a significant number of new products and service including the creation of new Active Directory Domains and associated infrastructure services. The main focus is to create a migration approach and implementing services on the new domains whilst decommissioning the old. A high-level design for engineering remote access has been completed alongside the build of a new remote desktop solution. Assistance is required on delivering the cyber security requirements in line with best practice. Which phase the project is in Not applicable Existing team The supplier will work directly with the SISC Project team (including Architecture) and the Staff Security and Identity Management (SSIM) team who are responsible for the delivery of the new Active Directory (AD) and migration of Windows 10 s and devices between domains. Resource will also be required to engage with BAU support teams to discuss and plan subsequent application and infrastructure migrations. BAU Support teams will also be engaged to discuss and plan subsequent removal of local admin machines and introduce the new RDS and MFA solution for Engineering Remote Access. Address where the work will be done The work will take place in DVLA offices in Swansea (DVLA, Morriston, Swansea and the DVLA, RLDC, Swansea), and the supplier resource will work both remotely (within the UK) and with requirement to attend site a minimum of 3 days a week, but this may change during the lifetime of the contract. This will be agreed with the DVLA Delivery Manager within Statement of Work iterations. Main Office Address: Longview Road, Morriston, Swansea, SA6 7JL Working arrangements Full Time, 5 days a week The ging mechanism in place for the Call-Off Contract and any agreed Statements of Work will be Time and Materials. Fixed Price may be considered and applied following assessment to the Statement of Work it pertains to. Suppliers shall provide transparency to the Buyer on the rates paid to resources and any third parties in the supply-chain on request. Statements of Work will be issued to define the deliverables. The supplier’s team will need to work effectively with existing and future teams (both civil servants and other suppliers). It’s important to provide continuity of resources on any given SoW, for knowledge transfer-efficiency. The supplier will have regular pipeline-performance reviews with Head of Project and Portfolio Delivery to discuss progress against delivering intended outcomes for each project and suggest-deliver interventions to ensure outcomes are delivered in time, at lowest cost, realising value for the customer. Security and vetting requirements Baseline Personnel Security Standard (BPSS) Security and vetting requirements Security Check (SC) More information about the Security requirements: For Discovery and Alpha, team members will need BPSS clearance at a minimum. All contractors are in procession of the relevant security clearance for the role they are undertaking. Any team member accessing live data need to hold SC clearance. Evidence of clearance must exist before access to accounts and systems can be provided. Contractors should be aware of and understand the respective policies and procedures that apply to them while working for the agency, and only use authorised systems and services. Where contractors will be using DVLA equipment, which should be returned upon termination of the contract or replacement of the contractor (whichever is sooner). The supplier and their staff are to treat all information accessible by them as confidential and not suitable for wider disclosure. Access to personal data, sensitive code and or sensitive areas of the site such as data centres will be restricted to what is necessary for their role on the principle of least privilege. Supplier must ensure that Artificial Intelligence (AI) is not used by the contractor in any work on DVLAs systems, services, data (including personal data), sensitive code and any information without prior consideration and formal approval by DVLAs Information Assurance Group. All contractors must receive a site induction and adhere to agency and security policies Due to the nature of the content and configuration SC Clearance is a mandatory requirement. Latest start date 10 May 2024 Expected contract length Contract length: 1 years 0 months 0 days Optional extension: 0 years 6 months 0 days Special terms and conditions special term or condition: Additional Assessment Method There is a known issue with the CCS e Sourcing portal which prevents us choosing Studies as an Additional Assessment Method. This is notice that studies will be requested in stage 2 of this procurement. special term or condition: Another issue is the portal is not allowing certain words or part words to save. This notice is included to instruct all suppliers they must read the Outcome Requirements attachment to ensure they have accessed the complete information before submitting a response. special term or condition: The successful supplier shall have robust Business Continuity and Disaster Recovery Plans which align to a code of practice such as ISO22301. The successful supplier must supply the contents of these plans to the Agency. The successful supplier will test their business continuity arrangements no less than once per annum and shall inform the Agency when such tests or exercises are scheduled. Outcomes of these tests or exercises must be made available to the Agency in writing upon request. Budget Indicative maximum: £332500 Indicative minimum: £228000 Further information: £228,000 per year Total 1 years plus 6 months extension £332,500 (Inclusive of any Travel and Subsistence and excluding VAT). Contracted out service or supply of resource? Supply of resource: the off-payroll rules may apply Terms and acronyms Term or acronym: AD Definition: Active Directory Term or acronym: BAU Definition: Business as Usual Term or acronym: MFA Definition: Multi-Factor Authentication Term or acronym: RDS Definition: Remote Desktop Services Term or acronym: SSIM Definition: Staff Security and Identity Management