Closed

CCT984-Security Assurance Support to Application Services and Development Team services

Published

Value

5,000,000 GBP

Description

Summary of the work

We are looking for support to develop and deliver packages of work to build our digital Security Assurance capability and capacity. The Supplier will work with our teams, delivering outcomes across our services.

Expected Contract Length

31st March 2023

Latest start date

Thursday 1 April 2021

Budget Range

The budget is up to a maximum ceiling value of £5m including VAT. This is not a commitment to spend up to this value and the Authority reserves the right to consume at its discretion. The intended contract will be treated as an outcome-based service solution. IR35 does not apply to this contract.

Why the Work is Being Done

Specialist Security advice to meet assurance activities is required in order to ensure Application Services and Development Team services deliver key capabilities on time and fit for purpose.

Problem to Be Solved

• Requirement to provide Security Assurance knowledge and expertise for all Application Services and Development Team services.
• Management of security actions that arise out of the Joint Programme Security Working Groups. Act as chair/secretary on behalf of Application Services and Development Team, which will be agreed at commencement of work.
• Ensure the Accreditation Evidence Statement (AES) is scoped by the project to capture appropriate project requirements. This will cover all the security activities required to achieve accreditation and addresses other activities such as GDPR/DPIAs, Review of Solutions (Apps and Platform builds), Risk Assessments, and providing good solid opinions and guidance from a security POV, including at PI Planning and demos.
• Engagement/liaison with the Case Officer and Accreditor.
• Ensure production of Security Management Plan and Accreditation Strategy for the review and approval of Security Working Groups (SWG).
• Ensure the production of the Risk Management and Accreditation Document Sets (RMADS) and any supporting documentation and evidence is produced as a project deliverable in line with JSP440 and JSP604.
• Conducting technical risk assessments, including managing RMADS and managing TSIs.
• Ensure new projects are registered (and entries maintained) on DART to enable an accreditor to be assigned.
• Skills transfer to nominated project staff.

Who Are the Users

For the tasks required, the 'users' are the project team and our stakeholders. The IA specialists are required to liaise with the programme teams, key stakeholders in Defence Digital and across MOD, as well as working with CyDR or other TLB Accreditors.

Early Market Engagement

Work Already Done

Many items (Projects) have already been started or are in the delivery phase and as such, the tasks are about refinement, further development and operation.

Existing Team

Application Services and Development Team services

Current Phase

Live

Skills & Experience

• Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; a ‘one size fits all’ approach will not satisfy our requirement (20%)
• Provide a high-level plan to your approach for identifying and managing Security Risks, Issues and Dependencies in a mature business/project area, including evidence of managing RMADS and managing TSIs (15%)
• Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)
• Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
• Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
• Supporting CVs – these should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page (10%)
• Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)
• Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)

Nice to Haves

• Demonstrate experience of conducting Technical security reviews/approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy (15%)
• Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process (10%)
• Demonstrate previous working experience of coordinating technical security documentation in support of CyDR to support achievement of accreditation (10%)

Work Location

Defence Digital, Ministry of Defence, Corsham. However, at the time of writing, government measures to reduce Covid-19 are in operation and as such, work should be done remotely and in observance of social distancing and shielding guidance. MOD will continue to observe all government advice in the coming months aimed at reducing the spread of the disease.

Working Arrangements

Work onsite 4/5 days a week in Corsham as agreed with the Project Manager in order to support Project Teams in all of their Security Assurance activities. Currently, with Covid-19, all activity is likely to be remote for the foreseeable future. A MOD Net UAD/Laptop will be provided to support remote working, and there could be a potential to travel to Corsham or other sites whilst in lockdown to enable OS/above discussions to be had until we normalise.

Security Clearance

Valid DV clearance must be in place prior to the contract starting and for the duration of the contract, due to the projects required to work with.

Additional T&Cs

Key personnel will require a minimum of three years’ experience in an IA role with a similar sized organisation within the last five years. CCP – Senior Practitioner in one of the following disciplines: SIRA or CISM. Chartered Institute of Information Security (CIISec). Certified Information Systems Security Professional (CISSP) Qualification. In terms of providing the necessary level of skills with appropriate clearance, Suppliers should attain, maintain and provide assurances around security clearance. The Cyber Risk Profile has been identified as low/medium. Note this will be identified on a project by project basis, which will include high risk profiles.

No. of Suppliers to Evaluate

3

Proposal Criteria

• technical solution
• approach and methodology
• how the approach or solution meets user needs
• how the approach or solution meets your organisation’s policy or goal
• how they’ve identified risks and dependencies and offered approaches to manage them
• team structure
• value for money

Cultural Fit Criteria

• Experience of outcome-based delivery in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
• Work as a team with our organisation and other suppliers, including knowledge and experience of scaled Agile ways of working (25%)
• Remain transparent and collaborative when making decisions (25%)
• Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions (25%)

Payment Approach

Capped time and materials

Assessment Method

• Work history
• Reference
• Presentation

Evaluation Weighting

Technical competence 60%
Cultural fit 5%
Price 35%

Questions from Suppliers

1. Can you confirm if any organisations are providing Security Assurance Services to ASDT?
AMETHYST and People Source are providing Security Assurance Services to ASDT.

2. Could the Authority confirm whether there is an incumbent?
There is no incumbent.

3. Is there an incumbent supplier, and if so, who is it?
There is no incumbent supplier.

4. Is there an incumbent supplier, or a mix of suppliers currently supporting this body of work?
A mix of suppliers is currently supporting this body of work.

5. Do you require the team to be all DV’d or can there be a blend of DV and SC?
There is a definite requirement for DV; however, this level will not be required on all work packages. A blend of SC and DV would therefore be acceptable.

6. Can you confirm that the Supporting CVs are required for Stage 2 only?
Yes, confirmed.

7. Can you provide any guidance on how many specialists are required to fulfil the requirement?
This is based on work packages and discrete pieces of work, as well as some enduring requirements. Our initial funding is based on a team of 3 in the first instance.

8. What level of detail does the Authority require with respect to 100-word responses for CVs?
As much detail as possible within the 100-word limit.

9. Does the Authority want evidence of producing and executing detailed plans or a 100-word description of the plan specific to this task?
Evidence of the specific plan to execute this task.

10. Could you confirm the current size and structure of any Information Assurance/Security team that you currently have within ASDT please? Is the team envisaged under this procurement required to integrate with any existing team, or will it be wholly responsible for IA activities within ASDT? You also reference the need for skills transfer – could you confirm the number and skillsets of people who you expect skills to be transferred to please?
There are 2 contracts servicing ASDT; as far as I am aware there are 4 SACs over 2 contracts. The contract will be for ASDT only and will not be required for other delivery teams. Skills should be transferred to Crown Servants.

11. Could you clarify the certifications required of our team please? You mention CCP at Senior Practitioner level in the SIRA discipline – but also in ‘CISM’, which I believe is an entirely separate certification. Could you confirm which of the six CCP disciplines you require people to be certified in at Senior Practitioner level please? Also, do you require everyone in the team to have this level of certification (and CISSP, CIISec) or can these be covered by the team as a whole?
We expect certifications to be in place for:
CCP: Require the named individual undertaking the specified security activities to be certified as a Senior Information Risk Advisor (SIRA) to the level of Senior Practitioner.
CISM: The CISM indicates a level of expertise in information security governance, program development and management, incident management and risk management, and differs from CCP.
Whether it is a team or an individual providing the solution, it is important to state that the person(s) carrying out the security activities associated with this contract holds the certification. We would expect to see named individuals with verified certifications.

12. Can shortlisting evaluation criteria be clarified?
This will be covered in three parts due to the word count.
Part 1 of 3: Essential skills and experience
• Demonstrate with evidence recent working experience(s) of supporting delivery in a large scale IT Environment/Project (150k+ users) in accordance with the Civil Service Information Security Skills Framework (5%)
• Demonstrate experience of working in MOD or other large government organisation, with a good understanding of Defence Digital Services or equivalent and wider business practices (5%)
• Demonstrate with evidence a clear understanding of the MOD estate or similar government organisation and the difference between Official, Secret and Above Secret environments (5%)

13. Can shortlisting evaluation criteria be clarified?
Part 2 of 3: Essential skills and experience
• Demonstrate with evidence a firm understanding of the Security Assurance environment in a large corporate deployment (10%)
• Demonstrate a clear understanding of / recent working experience of JSP 440 and JSP 604 Accreditation (10%)
• Provide evidence of analysis and evidence gathering experience; ability to understand where potential Security gaps lie based on evidence and producing written analysis (15%)
• Demonstrate recent experience in producing Security Cases that work in a pragmatic way for both Delivery and Security Teams, including providing evidence (15%)

14. Can shortlisting evaluation criteria be clarified?
Part 3 of 3: Nice-to-have skills and experience
• Demonstrate experience of conducting Technical security reviews/approvals of Supplier and MoD Design and Test documentation to ensure that it is compliant with Defence Security policy (15%)
• Demonstrate experience of Defence Digital and/or MOD Security Accreditation and MOD Security Assurance process (10%)
• Demonstrate previous working experience of coordinating technical security documentation in support of CyDR to support achievement of accreditation (10%)

15. Regarding the 1st essential skill criteria, is the Authority seeking evidence of how we will approach this specific task, or evidence of our previous experience conducting similar tasks, thus demonstrating our capability?
The Authority would like to see a blend of how the specific task will be approached. Using previous experience to support the approach would be useful. Please see the clarification question regarding shortlisting evaluation criteria.

16. Regarding the 2nd essential skill criteria, is the Authority seeking evidence of our specific approach to this task, or are they seeking evidence of our previous experience conducting similar tasks, thus demonstrating our capability?
The Authority would like to see a blend of how the specific task will be approached. Using previous experience to support the approach would be useful. Please see the clarification question regarding shortlisting evaluation criteria.

17. Can the proposal evaluation criteria be clarified?
FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP
• Evidence/explain how you will introduce Security policies and templates with a pragmatic approach that allows flexibility for projects; a ‘one size fits all’ approach will not satisfy our requirement (20%)
• Provide a high-level plan to your approach for identifying and managing Security Risks, Issues and Dependencies in a mature business/project area, including evidence of managing RMADS and managing TSIs (15%)
• Evidence/explain how you have provided Security Assurance documentation to enable an organisation to continue the route to full rollout and adoption of policies and templates within delivery areas (20%)

18. Can the proposal evaluation criteria be clarified?
FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP (continued)
• Evidence your ability to mobilise your team quickly and to flex up and down resources to meet the demand of the project, whilst ensuring quality and consistency (5%)
• Evidence Communications and Stakeholder Management operating at all levels collaboratively (10%)
• Supporting CVs – these should not be included in the main proposal word count but should be a maximum of 500 words and no longer than 1 page (10%)
• Evidence and explain how you have communicated new policies and change across multi-discipline teams (10%)

19. Can the proposal evaluation criteria be clarified?
FOR INFORMATION ONLY: APPLICABLE TO 2nd STAGE RFP (continued)
• Evidence and explain how you have understood and incorporated project requirements whilst ensuring the results remain generic for the business (10%)
Cultural fit criteria
• Experience of outcome-based delivery in a complex defence IT environment, understanding the challenges and approaches to delivery (25%)
• Work as a team with our organisation and other suppliers, including knowledge and experience of scaled Agile ways of working (25%)
• Remain transparent and collaborative when making decisions (25%)
• Excellent communication, presentation, collaboration and client/stakeholder engagement skills with a wide variety of grades/positions (25%)

Timeline

Publish date

3 years ago

Close date

3 years ago

Buyer information

Ministry of Defence