WP1989.2 Technical outcome for single sign on

Description

Summary of the work Professional Services for Digital Identity Unit Develop and implement the architecture and technical elements of the service, and support service migration. The supplier will be able to rapidly onboard a team to meet outcome deliverables for each statement of work within 5-10 days when required. Expected Contract Length The initial term is 18 months, with a break clause at the 12 month point. Latest start date Wednesday 15 September 2021 Budget Range The budget for this outcome is up to £1.95m. The supplier will be asked to deliver statements of work under this outcome, to be agreed throughout the contract. We envisage this work to be done by a multi-disciplinary team comprised of roles such as: technical architect, technical lead, back end developer, front end developer, security architect, site reliability engineer. However the supplier will choose the team based on the deliverables agreed for each statement of work. Why the Work is Being Done Government Digital Service will be letting a series of contracts through the DOS Framework (digital outcomes). The contracts will support the delivery of a single sign-on service which will allow citizens to access any online central government service simply, safely and securely. You can read more about our plans in this recent GDS blog post. https://gds.blog.gov.uk/2021/07/13/a-single-sign-on-and-digital-identity-solution-for-government/ Problem to Be Solved People are still asked to sign in and prove their identity in different ways to access different services. From our own research we know that many users don't understand the differences between these logins, and are confused about which ones they already have. Some services need to carry out digital identity checks to make sure the people wanting to access them are who they claim to be. However, people without easy access to official documents, like passports and driving licences, are too often excluded from these simple, online routes. As government services become increasingly digital and accessing in-person ones now often relies on some kind of online interaction (like booking an appointment), it's vital that access is as inclusive as possible. At the same time, departments delivering government services currently have to build or buy their own sign-on and identity services, resulting in people having to enter the same information time and again when accessing multiple services. Running multiple systems in this way also leads to added cost to the taxpayer and, because it is hard for different services to share information with each other, reduced capability for government to tackle fraudulent access to its services in a joined-up way. Who Are the Users As a citizen I need to create a single sign on account so that I can apply for and access government services without having to hold multiple credentials. Early Market Engagement An email was sent to suppliers on 15/7/21 to let suppliers know this requirement would be published shortly. Work Already Done Our current team has completed the alpha phase of development, and is ready to move into private beta. Existing Team The supplier will be expected to work collaboratively within a wider team of Civil Servants, contractors and suppliers throughout the contract term. Knowledge transfer will be required to enable GDS to improve internal capability to build and support services. Current Phase Beta Skills & Experience • Experience developing and iterating identity verification systems • Experience developing and iterating authentication systems • Experience in fast paced delivery enviornments, with a proven ability to rapidly iterate services based on user experience. • Experience building maintainable, scaleable and secure operational live services for users • Experience working within government digital standards • Experience working with systems using AWS, Lambda and/or Serverless • Confident working in scaled agile delivery environments • Experienced and comfortable with forming and operating highly effective software development teams • Experience of at least one of the following -note the more technologies supplier can demonstrate experience with, the higher they will score: Java, Node.js, TypeScript, JavaScript, Terraform or similar technologies Work Location London Manchester Remote working okay Working Arrangments To be agreed with the supplier. Security Clearance Baseline Personnel Security Standard. Developers, SREs, and technical architects must have, or be able to achieve, SC clearance when requested. Additional T&Cs "All expenses must be pre-agreed with between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy." No. of Suppliers to Evaluate 3 Proposal Criteria • Evidence of developing, launching and iterating identity and authentication services • The proposed approach to making informed decisions based on user needs/experience, available technology and value for money. • Evidence of working within multidisciplinary teams to iterate technical solutions based on user experience and feedback • Describe how you ensure development aligns to the UK Government Design Principles, Service Standard and Service Manual. • Describe your organisational structure and capacity, and how well suited it is to meet the outcome • Outline your approach to managing the delivery of outcomes similar to this one • Evidence of building systems with high security requirements • Your approach to rapidly deploying a team • Sample CVs scored as a set Cultural Fit Criteria • Comfortable using AGILE delivery approach across a broad range of products and services. • Demonstrable experience of working within government digital standards • Transparent and collaborative when making decisions • Welcomes challenges and failure as an opportunity to learn how to do things better • Social Value Payment Approach Time and materials Assessment Method • Case study • Work history • Presentation Evaluation Weighting Technical competence 60% Cultural fit 20% Price 20% Questions from Suppliers 1. Are you 100% set on developing this service in house or are you considering implementing a 3rd party IDaaS solution such as Okta, Ping etc? It's unlikely the service will use an IDaaS product. 2. Is it possible to share the alpha outcomes and service assessment, please? Service assessment outcomes are routinely published at https://www.gov.uk/service-standard-reports, however for the avoidance of doubt we will share the alpha service assessment report with shortlisted suppliers for completeness. Please note that only the authentication component of the service has been through its alpha assessment at this time. 3. Are suppliers permitted to use multiple examples in each 100-word answer? Yes but we do need suppliers to stick to 100 words without any unnecessary dashes or dots. 4. The DOS advert makes reference to the current team having completed Alpha. Is this an internal team or an existing supplier? Is this work related to WP1964 for example? There are incumbent suppliers. This procurement is being run as a fair and open competition. WP1964 is a separate contract for GOV.UK . 5. Will you be confirming the evaluation scheme in detail when you publish the documents to shortlisted suppliers? Specifically, will you be using the CCS standard rules at Evaluation Stage, i.e. each individual Essential and Proposal Criteria (the 16 elements in the DOS advert) each be worth 3.75% of the 60% for Technical, and will each of the 5 Cultural Fit elements each be worth 4% of the 20% for Cultural Fit? You additionally list Case Studies, Work Histories and Presentation as evaluation methods – how will those be scored in light of the initial query? When it comes to the second stage we will explain clearly to those shortlisted suppliers how we will evaluate and end up with one weighted score for Technical Competence (covering all applicable assessment methods), one weighted score for Cultural Fit (covering all applicable assessment methods) and one weighted score for price 6. Is the £1.95m budget for this WP1989.2 technical stream alone, or is the £1.95m the budget for the whole programme, i.e. including WP1989.1 (as both adverts mention the same budget)? up to £1.95m each 7. For Evaluation Stage Cultural Fit, will there be a specific “Social Value” aspect that you will be looking for? We will provide detail to shortlisted suppliers on the specific social value aspect 8. Will suppliers that can offer to deliver both WP1989.1 and WP1989.2, potentially with some cost savings, be looked upon more favourably? Each requirement will be evaluated on their own merit. 9. Where SC is required, will GDS sponsor the applications? For certain roles there will be a need for SC clearance at the outset. Time permitting we will sponsor the application but the cost must be borne by the supplier 10. Can you confirm if more than one example is acceptable for Experience of at least one of the following -note the more technologies supplier can demonstrate experience with, the higher they will score: Java, Node.js, TypeScript, JavaScript, Terraform or similar technologies Yes this is acceptable 11. Instead of building from scratch, would you consider licensing a ready-made service that is more than IDaaS, as in as well as creating and managing a single identity, also supports authentication via any other trusted IdP (e.g. an existing government service), manages a catalogue of services for users to choose from and add to their own “My Services” menu, and allows separate services to be managed separately but accessed with SSO? It's unlikely the service will use an IDaaS product. 12. Instead of building from scratch, would you consider licensing a ready-made service that is more than IDaaS, as in as well as creating and managing a single identity, also supports authentication via any other trusted IdP (e.g. an existing government service), manages a catalogue of services for users to choose from and add to their own “My Services” menu, and allows separate services to be managed separately but accessed with SSO? It's unlikely the service will use an IDaaS product. 13. Please share the link to the video used in the Q&A call The link is here: https://www.youtube.com/watch?v=eQMXvZ36BlI 14. Please share the slides used in the Q&A call The slides are here: https://docs.google.com/presentation/d/1gLXPlKdLYVblrV8s10tAyslwPLxF97av6jXJJTxfY6g/edit?usp=sharing 15. Will you be aligning to GPG45 standards? Yes, we will 16. Is your solution being build in house of are you using COTS solutions? We are building the solution in house, with some discrete components of the service being bought in. 17. How is this aligned to digital identity work being done by DCMS (Department for Digital, Culture, Media & Sport)? We are working closely with DCMS to ensure our product is aligned with their policy, standards and legislation. 18. You mentioned the two user groups being "Citizens" and "consumers of the service" is the intention to support organisations as well as private citizens? Yes, for example our product will provide a solution for individuals acting on behalf of a business. 19. Are we right to assume this replaces Verify? Yes, that is correct. 20. Are you considering the option of using a COTS solution instead? Or is the team set on developing the product in-house? We have decided to build the product in house. 21. Who are the incumbents? We are currently using existing GDS DOS contracts. Our suppliers are LA International and Engine. 22. Can we provide case studies from private sector as well? Or does this have to be public sector? It isn't required to use case studies from the public sector, however the essential criteria for both outcomes asks that suppliers have experience working within government digital standards. 23. Can offshore / near shore resources be used to deliver the project? No, this will not meet our security requirements 24. Are there any other tech products we should be aware of? All relevant technical products being used to deliver the solution are included in the outcome. 25. What is the expected scale of roll out in year 1? This is being agreed with services at the time of writing, however we expect to migrate several services in FY22/23. 26. Please advise if identity proofing solution is also being built in house Yes, the identity proofing solution is also being built in house. 27. Please will you share the outcome of the alpha service assessment? Service assessment outcomes are routinely published at https://www.gov.uk/service-standard-reports, however for the avoidance of doubt we will share the alpha service assessment report with shortlisted suppliers for completeness. Please note that only the authentication component of the service has been through its alpha assessment at this time. 28. Can you please share the outputs from the Q&A session held on 2 August? Yes all questions asked during the session have been published (Questions 13-27). Please note it was a joint Q&A session for this requirement and WP1989.1. 29. Please can you clarify the budget The budget is up to £1.95m over the life of the whole contract - split over more than one FY. A PO will either be raised based on the value of the initial SOW (then topped up) or the likely value up to the end of this FY. Any spend in the next FY may be subject to further governance and approval.