Closed

706721450 - Cyber as a Service (ND-0284)

Published

Value

2,095,833 GBP

Description

Summary of the work

A cyber service is required to implement the changes in the CRIP to progress towards the end state. IOT progress towards the desired end state the following Outcomes have been listed to articulate what is required: Risk Transformation Management System Cyber Risk Identification and Assurance Risk Mitigation DCO development

Expected Contract Length

24 Months - With an option to extend by up to 25% in cost/duration or both.

Latest start date

Sunday 30 April 2023

Budget Range

The 'Core' elements of this Outcome are deliverable within a budget of £1,666,666 Ex VAT over 24 months. Budget includes £25K p/a for T&S and shouldn't be included in the bid cost. This Outcome has a limit of liability of £4,166,666 Ex VAT, to enable agile and efficient delivery of increased service volumes. At award the 'Core' commitment will be £1,666,666 Ex VAT covering only the 'Core' funded elements. Any increase in activity up to the l.o.l of £4,166,666 Ex VAT will be subject to separate SoW which will include any agreed additional T&S.

Why the Work is Being Done

Navy Digital requires a Digital technical service to manage the identification and mitigation of cyber security risks and to progress cyber security transformation in accordance with the Royal Navy Data and Digital Plan (specifically Outcome 4, ‘improve Cyber Security and Resilience’). The Cyber Risk Improvement Plan (CRIP) covers all aspects of improvement required in the cyber domain and was created to identify how the RN would achieve Outcome 4.

Problem to Be Solved

The MOD Cyber Resilience Strategy sets out the headmark to build a cyber resilient Defence. The Royal Navy Data and Digital Plan outcome 4 “Improved Cyber Security and Resilience” sets the end state for the Royal Navy in achieving that strategy. The Cyber Risk Improvement Plan (CRIP) defines the ways and means in achieving the ends. Without a digital technical service, the RN will not be able to mitigate cyber vulnerabilities. There will be reduced cyber risk support to various elements of activity under the CRIP and RN CEMA and Navy Digital strategies. Impacts to maturation of the RN Cyber Defence Operations Centre (CDOC) will result in degraded ability for the RN to respond and manage cyber incidents.

Who Are the Users

Navy Command. Navy Digital

Existing Team

There is a mixture of RN Service, Civil service and contractors from several other suppliers contributing to this Programme of Work.

Current Phase

Live

Skills & Experience

• Have experience of industry standard project management approaches.
• Demonstrate a thorough knowledge of risk management strategy, process and related leadership techniques.
• Have experience in Penetration testing and vulnerability assessment – cyber qualifications, certifications and/or experience in testing Information Technology and Operational Technology systems
• Demonstrate a proven ability to identify and resolve cyber security and risk challenges at organisational level (Joint and FLC).
• Have Cyber skills and/or experience to baseline culture, awareness and behaviours and develop interventions to make improvements.
• Have experience in development of processes for defensive cyber operations.
• Have the ability to demonstrate knowledge of incorporating Cyber Security throughout a project delivery lifecycle i.e., from inception through to decommissioning or disposal within a MoD environment.
• Demonstrate knowledge of the Cyber threat landscape in the context of the Royal Navy.
• The ability to demonstrate dealing with Above Secret Royal Navy and the associated through-life management and security aspects.

Nice to Haves

• Demonstrate experience in applying MoD security and Cyber Security policy within MoD projects within the maritime environment.
• Have experience of the constraints of Naval platforms (equipment and software) within a MoD context
• Demonstrate experience in conducting Cyber Security assurance testing e.g. Software Vulnerability Assessments.
• Hold pertinent certifications in Cyber security such as: CISSP; CISM, NCSC CISP.
• The ability to demonstrate basic Cyber Security awareness in an MoD environment.
• Demonstrate experience in the management of classified assets.

Work Location

Principally centred in Navy Command Headquarters, Portsmouth. Ability to work remotely. Task dependent travel to other MOD sites and elements of overseas travel may be required.

Working Arrangements

This service will be working in a team with stakeholders from within Navy Command, MoD, and other government departments to enable capability outcomes in support of MoD and HMG national security objectives. The work will predominately be based at NCHQ, however the service deliverables will direct where tasks are carried out, and travel will be required where necessary.

Security Clearance

MoD endorsed SC is required at commencement of work for those personnel assigned to this service. DV will be required for some elements of the service provision.

Additional T&Cs

All expenses (T&S) must be pre-agreed between the parties and must comply with the MoD Travel and Subsistence (T&S) Policy. All suppliers are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

No. of Suppliers to Evaluate

3

Proposal Criteria

• Technical Competence (70 marks) broken down into:
    a. Stage 1 relative score (10),
    b. Approach and Methodology - how the solution meets our needs (20),
    c. Demonstrate relevant skills and experience, and a suitable team structure and composition (10),
    d. Understanding of the outcome delivery risks, dependencies, assumptions and mitigations against failure (5),
    e. The approach to information capture storage, presentation and archiving to enable delivery of outcomes and long-term preservation for use by the authority. (5).
    f. Demonstrate how the service will evolve and innovate to ensure optimisation of outcome. (5).
    g. How this service represents value for money (5)
    h. Within the scope of the service demonstrate the ability to flex and respond to changing priorities and demands. (5)
    i. Demonstrate experience delivering relevant services previously. (5)
    (written proposal - 2000 words max, plus Work Histories for key roles - 500 words max)
• Cost. (Overall price) (20 marks) - (Financial proposal must be separate to the written proposals)
• Cultural Fit/Social Values (10 marks) - 100 words max per criterion

Cultural Fit Criteria

• Work as a team with our organisation and with other government organisations (2)
• Be transparent and collaborative when making decisions and have a no-blame culture and encourage people to learn from their mistakes (2)
• Share knowledge and experience with other team members (2)
• Able to work with Stakeholders with mixed/low technical expertise (2)
• Consider equality & inclusion in the provision & operation of services, including a workforce that is representative of the communities we serve, where relevant and proportionate (2)

Payment Approach

Capped time and materials

Assessment Method

Work history

Evaluation Weighting

• Technical competence 70%
• Cultural fit 10%
• Price 20%

Questions from Suppliers

1. How will T&S be charged and payments made throughout the contract?

"The contract value will include up to £35K of T&S to be invoiced as actuals in line with MoD T&S rates. The £25K for T&S is not to be included within the bid tender. Foreign travel will require Authority approval before these costs are met. T&S throughout the contract will be limited to a maximum liability of £25K. The service delivery will be receipted and invoiced in arrears via C,P&F and EXOSTAR using the method of Capped time and materials."

2. Will this be assessed as inside IR35?

It is not expected that IR35 will apply. An assessment will be made after the winning supplier has been selected.

3. Is there a Cyber Risk Assessment?

A CRA is currently being produced.

4. Is there an incumbent supplier in the role?

Yes, there is already an incumbent.

5. Would you accept a DV cleared candidate?

Yes, DV is required for certain elements of this requirement.

6. Will there be any performance indicators within the contract?

Yes there will be performance indicators, these will be advised following down-selection.

7. How will initial tender submissions be evaluated (part 1)?

Each tenderer will be evaluated and allocated 0 (Not Met), 1 (Partially Met), 2 (Met) or 3 (Exceeded) against their responses to each of the essential and nice to have criteria. The points awarded for each criteria will be added together to give the total technical evaluation points.

8. How will initial tender submissions be evaluated (part 2)?

The Authority reserves the right to consider tenderers non-compliant if their points are below 2 on any criteria. Tenderers may also be considered non-compliant if their proposed start date is after the required start date, if their day rate is above the stated budget or fail to meet submission deadlines. Non-compliant tenderers will be excluded from the competition and their total technical evaluation points will be 0.

9. How will initial tender submissions be evaluated (part 3)?

Tenderers with the three highest total technical evaluation points from this evaluation will be down selected and invited to take part in stage two.

10. How will final tender submissions be evaluated after initial down selection?

The submitted proposals and work histories will form the basis of the evidence for selection during the final tender and will be scored using the following weighting: Technical competence 70%. Cultural fit 10%. Price 20%.

11. Can you provide us with the name of the incumbent?

Carbon60 Limited

12. Can the authority please confirm the size of the incumbent team, and expected team size for this opportunity?

There are 5 team members on the incumbent team. There is no set expectation of a team size. Tendering suppliers are expected to provide a team that can fulfil 2640 service days within their proposals. There is significant complexity, autonomy and customer engagement associated with the delivery of this Outcome.

13. Are you looking at mimicking the current structure of the team, or doing something different? Can you confirm what resource you will be requiring for this opportunity at role level? Cyber professional (s?), business analyst? Project manager? Risk Manager?

Please see answer to question 12.

14. Can the Authority confirm if TUPE applies to any of the 5 team members on the incumbent team?

TUPE does not apply

Timeline

Publish date

a year ago

Close date

a year ago

Buyer information

Explore contracts and tenders relating to Ministry of Defence
