Closed

CCT984-Security Assurance Support to Application Services and Development Team services

Published

Value

5,000,000 GBP

Description

Summary of the work

We are looking for support to develop and deliver packages of work to build our digital Security Assurance capability and capacity. The Supplier will work with our teams, delivering outcomes across our services.

Expected Contract Length

31st March 2023

Latest start date

Thursday 1 April 2021

Budget Range

The budget is up to a maximum ceiling value of £5m including VAT. This is not a commitment to spend up to this value and the Authority reserves the right to consume at its discretion. The intended contract will be treated as an outcome based service solution. IR35 does not apply to this contract.

Why the Work is Being Done

Specialist Security advice to meet assurance activities is required in order to ensure Application Services and Development Team services deliver key capabilities on time and fit for purpose.

Problem to Be Solved

Requirement to provide Security Assurance knowledge and expertise for all Application Services and Development Team services.

Management of security actions that arise out of the Joint Programme Security Working Groups. Act as chair/secretary on behalf of Application Services and Development Team, which will be agreed at commencement of work.

Ensure the Accreditation Evidence Statement (AES) is scoped by the project to capture appropriate project requirements; this will cover all the security activities required to achieve accreditation and addresses other activities such as GDPR/DPIAs, Review of Solutions (Apps and Platform builds), Risk Assessments, providing good solid opinions and guidance from a security POV, including at PI Planning and demos.

Engagement/liaison with the Case Officer and Accreditor.

Ensure production of Security Management Plan and Accreditation Strategy for the review and approval of Security Working Groups (SWG).

Ensure the production of the Risk Management and Accreditation Document Sets (RMADS) and any supporting documentation and evidence is produced as a project deliverable in line with JSP440 and JSP604.

Conducting technical risk assessments, including managing RMADS and managing TSIs.

Ensure new projects are registered (and entries maintained) on DART to enable an accreditor to be assigned.

Skills transfer to nominated project staff.

Who Are the Users

For the tasks required, the 'users' are the project team and our stakeholders. The IA specialists are required to liaise with the programme teams, key stakeholders in Defence Digital and across MOD as well as working with CyDR or other TLB Accreditors.

Early Market Engagement

Work Already Done (any work that's already been done)

Many items (Projects) have already been started or are in the delivery phase and as such, the tasks are about refinement, further development and operation.

Existing Team

Application Services and Development Team services

Current Phase

Live

Skills & Experience

  • Demonstrate with evidence recent working experience(s) of supporting delivery in a large scale IT Environment / Project (150k+ users) (5%)
  • Demonstrate experience of working in MOD or other large government organisation, with a good understanding of Defence Digital Services or equivalent and wider business practices (5%)
  • Demonstrate with evidence a clear understanding of the MOD estate or similar government organisation and the difference between Official and Secret environments (5%)
  • Demonstrate with evidence a firm understanding of Security Assurance environment in a large corporate deployment (10%)
  • Demonstrate a clear understanding of / recent working experience of JSP 440 and JSP 604 Accreditation (10%)
  • Provide evidence of analysis and evidence gathering experience; ability to understand where potential Security gaps lie based on evidence and producing written analysis (15%)
  • Demonstrate recent experience in producing Security Cases that work in a pragmatic way for both Delivery and Security Teams, including providing evidence (15%)

Nice to Haves

  • Demonstrate experience of conducting Technical security reviews / approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy (15%)
  • Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process (10%)
  • Demonstrate previous working experience of Coordinating technical security documentation in support of CyDR to support achievement of accreditation (10%)

Work Location

Defence Digital, Ministry of Defence Corsham. However, at the time of writing, government measures to reduce Covid-19 are in operation and as such, work should be done remotely and in observance of social distancing and shielding guidance. MOD will continue to observe all government advice in the coming months aimed at reducing the spread of the disease.

Working Arrangements

Work onsite 4/5 days a week in Corsham as agreed with the Project Manager in order to support Project Teams in all of their Security Assurance activities. Currently with Covid-19 until the foreseeable future all activity is likely to be remote. MOD Net UAD/Laptop will be provided to support remote working and there could be a potential to travel to Corsham or other sites whilst in lockdown to enable OS/above discussions to be had until we normalise.

Security Clearance

Valid DV clearance must be in place prior to the contract starting and for the duration of the contract due to projects required to work with.

Additional T&Cs

Key personnel will require minimum of three years’ experience in an IA role with a similar sized organisation within the last five years.

  • CCP – Senior Practitioner in one of the following disciplines: SIRA or CISM.
  • Chartered Institute of Information Security (CIISec)
  • Certified Information Systems Security Professional (CISSP)

Qualification In terms of providing the necessary level of skills with appropriate clearance. Suppliers should attain, maintain and provide assurances around security clearance.

The Cyber Risk Profile has been identified as low/medium. Note this will be identified on a project by project basis which will include high risk profiles.

No. of Suppliers to Evaluate

3

Proposal Criteria

  • FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP
  • Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; ‘one size fits all approach’ will not satisfy our requirement (20%)
  • Provide a high-level plan to your approach for identifying and managing Security Risks, Issues and Dependencies in mature business/project area, including evidence of managing RMADS, managing TSIs. (15%)
  • Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)
  • Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
  • Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
  • Supporting CVs – These should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page. (10%)
  • Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)
  • Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)

Cultural Fit Criteria

  • FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP
  • Experience of outcome based delivery in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
  • Work as a team with our organisation and other suppliers, including knowledge and experience of scaled Agile ways of working. (25%)
  • Remain transparent and collaborative when making decisions (25%)
  • Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions. (25%)

Payment Approach

Capped time and materials

Assessment Method

  • Work history
  • Reference
  • Presentation

Evaluation Weighting

  • Technical competence 60%
  • Cultural fit 5%
  • Price 35%

Questions from Suppliers

1. Could The Authority please confirm how many CVs are expected as part of the 2nd stage submission? And that those individuals are then expected to start the contract, if successful?

   We based the commitment case on 3 x SACs, but this must be flexible with the ability to demand SAC support based on tasks. It is normal to have 1 SAC working on 1 programme. This will be an outcome based contract so would expect suppliers to provide CVs of those individuals assigned to start the contract.

2. Can you please clarify what is meant by Defence Digital Services? Do you mean Defence Digital Service (DDS) or services undertaken within / provided by Defence Digital as an organisation?

   Defence Digital Services is the organisation that provides global services to users and had brought together a number of directorates as one team under a shared brand.

3. In regards to Security Assurance in a large corporate environment can you please explain what type of Security Assurance it is that you are requiring?

   This is covered in the requirements that form part of the advert

4. Please could the Authority kindly give an indication of the desired SFIA grades to do the work?

   There is no mention of SFIA in the requirements.

Timeline

Publish date

3 years ago

Close date

3 years ago

Buyer information

Explore contracts and tenders relating to Ministry of Defence
