Awarded

C18477 Digital Data and Technology (DDaT) Central Security Architecture.

Published

Supplier(s)

IBM

Value

20,000,000 GBP

Description

Summary of the work

The Home Office is looking for a supplier who can provide the necessary knowledge, skills and experience to help meet the demands for Security Architecture Services within the Home Office’s Digital, Data and Technology (DDaT) directorate, on a range of internal and public facing services from discovery to live.

Expected Contract Length

24 months.

Latest start date

Friday 1 October 2021

Budget Range

The Home Office anticipates the total cost for DDaT Security Architecture Services to be in the following range for 24 months: £15m - £20m. This is based upon benchmarked costs from existing suppliers providing similar levels of resources.

Why the Work is Being Done

Home Office customers and employees rightly expect modern technology which helps customers receive the service they require and supports employees in protecting the public. We are increasingly reliant on technology to support the Home Office in its role to lead on immigration and passports, drugs policy, crime policy and counter-terrorism, and to ensure visible, responsive and accountable policing in the UK. We need to design and deliver technology which supports the transformation of the Home Office and the modernisation of our processes, making them fit for a digital future. Home Office DDaT requires a Security Architecture Partner to provide SA capability and delivery across all our areas of work (including immigration and passports, borders, policing and counter-terrorism).

Problem to Be Solved

Supporting the Principal Security Architect by providing specialist security advice, leadership and governance for HO DDaT portfolios, programmes and projects, and:

  • Advising on the evaluation of complex applications and architectures using both manual and automated techniques (e.g. code security scanners, web vulnerability scanners and assessment support tools) to identify security issues
  • Making and guiding effective decisions on the highest complexity risks, based on information assurance risk assessment methodology, trusted by senior risk owners as an expert in security
  • Articulating the impact of vulnerabilities on existing and future designs and systems to senior stakeholders, explaining how easy or difficult it will be to exploit the vulnerabilities
  • Advising on security concepts at a technical level across multiple projects, working with security tools, network security infrastructure technologies, and information security management frameworks
  • Understanding NCSC information security guidance and architecture patterns
  • Understanding architecture methodology, e.g. SABSA, TOGAF

Who Are the Users

Home Office service users (staff and external).

Early Market Engagement

Home Office intends to hold an Overview and Clarification Session via Teams on 14th July 2021. To attend the Overview and Clarification Session, potential providers will need to complete, sign and return a non-disclosure agreement (NDA). Suppliers are restricted to a maximum of 2 people per organisation, and one NDA copy is required to cover one organisation. For further information on the Overview and Clarification Session and NDA, bidders should submit an email request to ddatcontracts@homeoffice.gov.uk by no later than 12:00 (noon) 13th July 2021. Non-Disclosure Agreements or requests to attend the event received after the deadline will be rejected.

Work Already Done

NA

Existing Team

A civil service led mixed team of managed service providers, contractors and civil servants. The successful bidder will be required to engage and collaborate across all groups delivering and maintaining services for the Home Office.

Current Phase

Not applicable

Skills & Experience

  • Recent experience (within the last 2 years) of placing SFIA level 3-5 architects into delivery teams in government or Critical National Infrastructure, and understanding how those roles work together.
  • Evidence of supporting a Principal Security, Lead Security and Security Architect in shaping and leading the overall security architecture for portfolios, programmes and projects using open standards (such as TOGAF)
  • Evidence of supporting a Principal Security, Lead Security Architect and Security Architect in developing and implementing the end-to-end risk management lifecycle for portfolios, programmes and projects
  • Evidence of providing operational security advice to portfolios, programmes and projects
  • Evidence of providing leadership and governance within both the central hub and a spoke of a hub-and-spoke governance model
  • Evidence of providing a searchable, collaborative capability for capturing and maintaining key security architecture knowledge
  • Evidence of developing, documenting and maintaining security architecture, policies and procedures. Security risk assessments. Security input to project planning. Conduct internal security audits/remediation. Manage external security audits. Ongoing skills transfer.
  • Designing, delivering and securing cloud based security architecture. Ensuring security controls are appropriate to mitigate, minimise and treat discovered risks. Technical assurance to ensure compliance with security architecture, covering new/legacy systems.

Nice to Haves

  • Provide evidence of resources that have existing SC clearance that will support the speeding up of on-boarding teams
  • Demonstrate experience of handing over products to another team, including service transition

Work Location

The majority of the services are expected to be based at our London, Croydon, Sheffield or Manchester sites. However, the successful supplier must be capable of providing the service nationwide. Secondary locations may include Glasgow, Liverpool, Southport or Hendon. The work will be divided into Statements of Work (SOWs) which will clearly identify the relevant base location.

Working Arrangements

A flexible approach is required to meet the needs of each individual project and programme. The work will be divided into Statements of Work (SOWs) which will clearly identify the working arrangements.

Security Clearance

All staff must have Security Clearance (SC) prior to starting work. Staff not in possession of security clearance must be willing to undergo security clearance. Occasionally, NPPV3 or DV clearance is required. Clearance needs to have been achieved and validated by the Customer prior to commencement.

Additional T&Cs

1. Travel expenses are payable for journeys outside the M25 (Greater London) or journeys greater than 10 miles from other base locations, where approved in advance and in line with HO Travel policy (subsistence not payable).
2. Professions rate caps will be applied to all roles at all SFIA levels. Caps will be provided to shortlisted suppliers at RFP stage.
3. Seasonal furloughs may be required.
4. Maximum sub-contractor margin caps will be applied.
5. Potential Providers participating in the RFP stage will need to complete, sign and return a non-disclosure and ethical walls agreement (NDA) prior to receiving the RFP.

No. of Suppliers to Evaluate

5

Proposal Criteria

  • Essential Skills from Stage 1
  • On-boarding and transition
  • Work packages
  • Organisation and sub-contractors
  • Proposed Leadership/Management Team
  • Thought leadership in Security Architecture
  • Social Value

Cultural Fit Criteria

Social Value

Payment Approach

Capped time and materials

Evaluation Weighting

Technical competence 60%
Cultural fit 10%
Price 30%

Questions from Suppliers

1. The budget states £15m – £20m over a period of 24 months; can you articulate the number of resources we could be expected to provide?
We cannot confirm how many resources will be required concurrently.

2. You state off-payroll rules apply, but further state that a SoW per resource or delivery will be provided. This would indicate these roles would be deemed to be outside IR35; can you please clarify?
The majority of the requirements are expected to be assessed as 'inside IR35'. Use of a SOW alone is not an indicator of status, and SOWs that include direction and control by the client may be determined as 'off-payroll rules apply'.

3. Is SC support offered if required via sponsorship?
The Authority sponsors any required clearance over and above BPSS.

4. You mention TOGAF/SABSA; are we able to leverage other security frameworks as reference architecture experience, e.g. CIS or AWS Well-Architected?
Yes, sure. TOGAF/SABSA were mentioned as examples; we can and should leverage other security frameworks.

5. Considering there are similar Security Architecture functions that exist for individual portfolios, how do you foresee this function operating? Is it to work with the other Security Architecture functions or to eventually replace them?
As other Security Architecture contracts expire and if a requirement still exists, then the central contract will be the first option considered.

6. Could you please advise on the RFP stage in more detail that will be issued to the 5 suppliers? E.g. presentations etc.
The timings for these activities are indicative and subject to change: RFP to be issued to shortlisted suppliers on 12th Aug, deadline for responses is 1st September, presentations will be held on 16th and 17th September. The RFP evaluation criteria and weightings are shown in the advert.

7. Are suppliers who are currently providing the Security function for other portfolios able to bid for this work, or is this a conflict?
Yes, suppliers currently providing security architecture services to Home Office are able to tender.

8. Will you be selecting a single supplier for this engagement, or between 2-5 of your intended short-list?
The Home Office intends to award the contract to one single supplier; we will be shortlisting up to 5 suppliers to go through the final round of the RFP stage, and only one supplier will be selected from this stage to be awarded the contract.

10. Is there a revenue/income minimum that SMEs need to comply with for this opportunity?
No, but it is important the Authority has confidence in the ability of the bidder to deliver a contract of the proposed value and therefore limits any risk of default during the contract which could cause significant disruption. The Authority will undertake an independent credit check to ensure that the successful contractor is financially stable.

11. As you confirmed, this contract is outcomes based, with professional service SFIA personnel – not the supply of products. And therefore, if the average rate for a SFIA-4 is £750, then divided into £20m, this gives 26,666 man days over 24 months. That works out at 256 per week, or 51+ per day. So can you clarify you are looking for teams of people across multiple locations? If so, have you considered there are not many companies that can provide 51+ dedicated people a day, and it will rule out a lot of small to medium suppliers by default?
Requirements will be mixed, with both teams and individuals across multiple locations. We appreciate that for SMEs the numbers may not be manageable, and we are supporting the formation of sub-contract / partner arrangements by facilitating introductions. Sub-contractors will very much be known partners in the delivery and will not be white-labelled.

12. Following on from my last question on the number of people required, will you be sharing how you worked out your £20m budget? For example, do you have an idea of the quantity and level of skills required, per location, for 51+ people per day?
We've estimated the potential spend using contract data which indicates the spend on security architecture services across the DDaT portfolio.

13. In light of the response to question 11 – about how many staff you are looking for and how this might affect the ability of SMBs to respond – your response sounds like there is no point in SMBs responding. Is this a correct interpretation?
No, that’s not correct. SMEs may well be able to deliver the services, but the point was made that, should they need to call on sub-contract arrangements to deliver, that would be acceptable. We welcome submissions from all sizes of capable organisations.

14. Regarding Question 1, please clarify what is meant by the term ‘understanding how those roles work together’. Does this refer to how architects work with delivery teams?
Correct, understanding how security architects work with delivery teams.

15. Please define ‘operational security’ and how that is distinguished from security architecture advice. Does this refer to day to day advice on the secure handling of information in accordance with classification and operational processes?
Operational security and security architecture advice are very similar, with the small difference that operational security advice goes beyond the architecture design and touches on the BAU - basically getting closer to "plumbing" existing security products and implementations.

16. Does the hub and spoke governance model refer to management/decision making, or to architecture?
It refers to architecture.

17. Regarding Question 7, ‘Evidence of developing, documenting and maintaining security-architecture, policies and procedures. Security risk assessments. Security input to project-planning. Conduct internal security-audits/remediation. Manage external security-audit. Ongoing skills-transfer.’ Does the authority expect a general answer, or for each point mentioned to be described? Given the word limit, it will be difficult to cover all points in sufficient detail.
A general answer that will enable us to understand whether your services will meet our requirements will suffice.

18. Regarding Question 9 – Provide evidence of resources that have existing SC clearance that will support the speeding up of on-boarding teams. Please clarify the question: does this refer to the firm possessing SC cleared staff who can immediately join a project, or is the authority looking for staff who have SC clearance and are able to support the on-boarding of teams (e.g. PMO function)? Does ‘on-boarding teams’ refer to our internal teams, or on-boarding other teams?
This is to gauge if you already have some SC cleared security architects who can quickly join our project teams if required urgently. Onboarding teams is basically bringing on board teams to assist with a particular project.

19. Where one case study does not fully answer a single response, can multiple case studies be used?
We have now finalised our proposal questions and a case study will not be required.

20. Regarding Question 6, ‘Evidence of providing a searchable, collaborative capability for capturing and maintaining key security architecture knowledge’. Does this refer to a knowledge library, playbooks, or a type of collaboration tool?
This is basically evidence of providing a documented knowledge base which is shareable with other teams to encourage re-use.

21. What are the ethical walls in place to ensure there are fair opportunities when competing against incumbents?
Most DDaT contracts are procured via CCS frameworks, so the standard framework terms are in place. It should be noted that the proposal questions do not require any Home Office specific knowledge in order to be able to respond fully.

Timeline

Publish date

2 years ago

Award date

2 years ago

Buyer

Home Office