In-house domains vulnerability management beta/live

Description

Summary of work CDDO want a supplier to improve how Public Sector organisations with large numbers of domains and subdomains manage vulnerability and ingest external data to monitor and fix their domain-related cyber vulnerabilities. Where the supplied staff will work No specific location (for example they can work remotely) Who the organisation using the products or services is Central Digital and Data Office Why the work is being done This work supports the delivery of the government’s Roadmap for Digital and Data 2022-2025, and the Government Cyber Security Strategy: 2022-2030. We want to reduce the time that domain-related cyber vulnerabilities are open for exploitation, and hence reduce the Government’s overall exposure to cyber risk. We believe that part of the solution is to optimise the processing of vulnerabilities, so we are investigating using organisations' existing SIEM tools or equivalent to ingest vulnerability information from CDDO's public sector domains monitoring platform. This will get the right information to the right teams in a timely manner for a rapid response. The potential impact of a domain-related vulnerability is not always well understood, so we also believe that business changes may be required at working and senior levels to embed the right accountabilities and responsibilities and so ensure domain-related vulnerabilities are fixed quickly. Having an accurate and up-to-date list of all domains and subdomains that an organisation has is a key dependency for finding vulnerabilities, so we want public sector organisations to maintain such lists, understand what their domains are being used for, and share this information regularly with CDDO's domains monitoring platform. This will likely require business changes within the organisation. The business problem To reduce the time that domain-related cyber vulnerabilities are open for exploitation, and hence reduce the Government’s overall exposure to cyber risk, through providing public sector organisations with: - Timely visibility of the internet-facing digital footprint including any domains vulnerabilities and domain-adjacent vulnerabilities; - Clarity on the business impact of the cyber risks that these vulnerabilities carry; - Clarity on what action to take to address these vulnerabilities, and the necessary senior support and resources to execute such action quickly. The people who will use the product or service User type: Domain managers - people with the technical skills to manage domain records correctly; and those that operate SIEM (Security Information and Event Management) tools, Security Operations Centres or otherwise monitor the health and security of their external facing cloud services; Definition: As one of these users, I need to be made aware of and understand the significance of any domain related vulnerabilities in my organisation so that: - I can address these vulnerabilities quickly and so manage my domains properly; - I can manage my domains alongside my other digital assets. User type: Domain name administrators - people with the authority to request significant changes to a ’.gov.uk’ domain name; and Those responsible for digital services that a public sector organisation provides, or someone who works for them; and Those accountable for business risk in a public sector organisation, or someone who works for them; Definition: As one of these users, I need to be made aware of any domain related vulnerabilities in my organisation so that: - I understand and can prioritise the cyber risks associated with my domains; - I can ensure that my organisation has the resources, skills and focus to address these risks quickly; - My organisation's digital services operate effectively and remain available; - My organisation is trusted online by other government organisations, commercial organisations and citizens Which phase the project is in Alpha Existing team The supplier will work alongside our existing development team, to identify improvements to our API (if users want to ingest this intelligence automatically). The team is interested in publishing the data in a standard format that can be ingested by SIEM tooling They will also work with the operations team, who have a wealth of experience in this space and excellent contacts with the wider public sector Address where the work will be done No specific region, they can work remotely. The domains team is normally based at The White Chapel Building 10 Whitechapel High Street, 7th Floor, London, E1 8QS Working arrangements The supplier can rely on CDDO to provide specialist domain knowledge. We expect the supplier to meet with us virtually, using Google Meet or similar platforms. There will be no reimbursement for travel costs to meet stakeholders. Security and vetting requirements Security Check (SC) Latest start date 6 November 2023 Expected contract length Contract length: 1 years 6 months 0 days Optional extension: 0 years 6 months 0 days Budget Indicative maximum: £175000 Indicative minimum: The contract value is not specified by the buyer Further information: Year 1 Nov 2023 -March 2024 - Beta - £175k (6 months) Year 2 1st April 2024 - 31st March 2025 - Beta/Live - £630k (12 months) Funding for FY24/25 will be conditional on the successful completion of the beta phase and internal budget approvals. Contracted out service or supply of resource? Contracted out service: the off-payroll rules do not apply Questions and Clarifications 1. DOS stage 1 answers usually permit 750 character responses excluding spaces. Can you please confirm if "including spaces" is a template typo please? The standard DOS6 rules apply and the limit is 750 characters excluding spaces. 'Including spaces' is a typo in the template which we have raised to be fixed. Last Updated : <strong>15/09/2023</strong>