Closed

Refresh of information and cyber security policies for DfT Security Improvement Project

Published

Value

125,000 GBP

Description

Summary of the work

• Review information/cyber security policies in DfT/other relevant bodies/other government departments
• Propose new list of policies designed to be comprehensive/consistent, with some cross-referencing/minimal duplication
• If agreed, draft new policies in consultation with DfT, conforming to style/layout agreed with DfT
• Present, persuade, support DfT seeking internal approval to the new policies.

Expected Contract Length

The policy review will take four months, with a review and break/continuation point after one month.

Latest start date

Monday 8 February 2021

Budget Range

£100k - £150k

Why the Work is Being Done

We have over 100 policies that relate to information and cyber security. Most are out of date and are no longer wholly appropriate. We need to review and revise them to make them concise, comprehensive, consistent, appropriate and easy to understand.

Problem to Be Solved

Our policies relating to information and cyber security are difficult to find and out of date, so people don’t follow them, resulting in different approaches and large numbers of requests for advice and guidance.

Who Are the Users

“As someone working for DfT I need to have easy access to policies that explain simply and clearly how I should handle information of different sensitivities and in different circumstances. I also need to understand what I can and cannot do with the digital equipment and services that DfT provides to help me do my job.”

Early Market Engagement

N/A

Work Already Done

A review against the government Minimum Cyber Security Standard has been completed. The final report is awaited but we know there is room for improvement in our policies. Other work is underway as part of the security improvement project.

Existing Team

The successful supplier will be working with DfT’s Digital Service division and may also work with other DfT and government colleagues. Some of these will be dedicated to the security improvement project, others will be stakeholders who have an interest in influencing the policies and some will represent consumers of the policies.

Current Phase

Discovery

Skills & Experience

• Experience of developing information and cyber security policies for government departments or public bodies in the UK
• Familiarity with MCSS, SPF and latest NCSC guidance
• Ability to deliver policies that are comprehensive, consistent and clear

Nice to Haves

• Experience of working with UK central government organisations
• Experience of user research and behavioural research

Work Location

Due to the current COVID-19 situation it is likely the work will be based remotely or at the supplier’s own premises with the use of Teams video/voice conferencing for communication. Suppliers should be able to carry out user research remotely and have approved and tested methods. If the COVID-19 situation changes the supplier may be required to attend DfT Great Minster House office (33 Horseferry Road, London, SW1P 4DR) for presentations and meetings.

Working Arrangements

The DfT SIP project team will follow normal or flexible working hours; suppliers should be available to discuss progress at Teams meetings during these times. Suppliers will be responsible for providing any digital equipment and services to deliver the work. DfT will provide access to Microsoft Teams sites for collaboration and regular team working. Anyone working on delivering this requirement should follow recognised good practice for handling information. Regular communication with DfT is required including status updates which will detail achievements of key milestones. Any issues that may impact timescales and cost should be discussed with DfT as they occur.

Security Clearance

Anyone working on the project must have gone through employment checks equivalent to or above BPSS.

Additional T&Cs

Adherence to the DfT Architecture Principles (to be provided at Stage 2 of Procurement). Adherence to The Technology Code of Practice: https://www.gov.uk/government/publications/technology-code-of-practice/technology-code-of-practice

No. of Suppliers to Evaluate

3

Proposal Criteria

• Shortlist will be based on 1,500-word initial response submissions
• Final selection based on presentation and discussion over Teams (criteria to be communicated if shortlisted)
• Experience of developing information and cyber security policies for government departments or public bodies in the UK (250 words)
• Familiarity with MCSS, SPF and latest NCSC guidance (250 words)
• Ability to deliver policies that are comprehensive, consistent and clear (500 words)
• Experience of working with UK central government organisations (250 words)
• Experience of user research and behavioural research (250 words)

Cultural Fit Criteria

• Experience of working with UK central government organisations (10%)
• Experience of user research and behavioural research (10%)

Payment Approach

Capped time and materials

Evaluation Weighting

• Technical competence 60%
• Cultural fit 20%
• Price 20%

Questions from Suppliers

1. The application proposal criteria states there is a 250/500 word limit for the required answers. However the online application system only allows for 100 words. Please could you clarify which is correct.
The 250/500 word criteria limit is made up of the second stage 1500 initial response submissions and forms that. Suppliers will only need to consider this if they are successful at the second stage. It does not apply to the 100 word Essential and Nice to Have first stage.

2. It states in the notice a 1,500 word limit based on the categories below and yet the application states 100 word limit to each category. Please advise.
The 1500 word criteria limit is made up of the second stage 1500 initial response submissions and forms that. Suppliers will only need to consider this if they are successful at the second stage. It does not apply to the 100 word Essential and Nice to Have first stage.

3. “Shortlist will be based on 1,500-word initial response submissions” is ambiguous – are you asking potential suppliers to NOT answer the Essentials and Nice to Haves but instead submit 1500 word response, which will be used to generate the shortlist, or that after being scored against essentials and nice to haves, if successful, we will be asked to submit a 1500 word response to make the shortlist?
The 1500 word criteria limit is made up of the second stage 1500 initial response submissions and forms that. Suppliers will only need to consider this if they are successful at the second stage. It does not apply to the 100 word Essential and Nice to Have first stage.

4. The opportunity requests between 250 and 500 words to provide evidence against each requirement, however the application only allows a maximum of 100 words for each input box. Please can you confirm that 100 words will remain the limit to present a response or advise how supplementary evidence can be submitted?
The 250/500 word criteria limit is made up of the second stage 1500 initial response submissions and forms that. Suppliers will only need to consider this if they are successful at the second stage. It does not apply to the 100 word Essential and Nice to Have first stage.

5. The opportunity wording states ‘We have over 100 policies that relate to information and cyber security…’ Can you please give an estimate on the upper end of the number of policy documents that require review?
We have 92 on an old working list, plus two that have been redrafted but not signed off. We suspect there may be others - perhaps another couple of dozen that haven't come to light yet. Total should be no more than 120.

6. Please may you expand on ‘Experience of user research and behavioural research’. It would be useful to understand why this experience is required, and what the objectives are. Additionally, do you expect any tools or specific methodologies to be used here?
DfT's Digital Service includes user researchers and business analysts. An understanding of their approach and terminology would be beneficial, especially in understanding the change management aspects of our cyber security improvements.

7. Please may you clarify whether adherence to DfT Architecture Principles is necessary for policy development?
The Technology Code of Practice is a set of criteria to help government design, build and buy technology. We would like policies that are aligned where appropriate to both the TCOP and the DfT Architecture Principles. Any inconsistency between proposed policies and architecture principles will need to be raised and discussed with DfT for resolution.

8. What is the current and required format of the policy set (for example word, PDF or a CMS)?
Current format is mixed, mostly Word and PDF. Future format to be decided.

9. Are all the policies relevant to OFFICIAL tier or do you have policies for other GSC tiers? Are the policies so old that they refer to the GPMS?
Most policies relate to OFFICIAL. Some make reference to higher tiers but do not cover. There should be no current policies that predate the current protective marking scheme, but no guarantees.

10. It feels like that’s a lot of policy documents. Do these cover deeply technical subjects such as Certificate structures, crypto suites etc? Are the policies spread across all 27K domains?
Policies are not usually deeply technical. Some may overlap and some may no longer be relevant.

11. Do you realise suppliers are limited to 100-words per criteria when applying for this opportunity? And from that, you need to shortlist down to 3 suppliers?
The 100 word criteria is for Stage 1 Essential and nice to have criteria and is in line with the Framework Guidance. There is an increase in word count significantly for Suppliers that are successful through to Stage 2.

12. We noticed that the DOS Stage 2 evaluation criteria questions with the specified word counts are the same as the 100 word responses requested as part of the DOS Stage 1 Essential and Nice-to-have skills and experience questions. Can you please confirm that the stage 1 part of the process will be based on the 100 word responses to these requirements, and that for suppliers reaching stage 2, you will then be requiring additional information against these questions as indicated by the higher word counts. Thanks.
The 250/500 word criteria limit is made up of the second stage 1500 initial response submissions and forms that. Suppliers will only need to consider this if they are successful at the second stage. It does not apply to the 100 word Essential and Nice to Have first stage.

13. Are there any incumbent suppliers working in this area?
No

14. Can the Authority please confirm whether the opportunity is being assessed as inside or outside of IR35?
This is an outcome based requirement and thus does not relate to individuals, so IR35 is not a relevant consideration.

15. Is it possible to share a list of titles for the existing set – it’s tricky to estimate skill requirements without knowing how ‘broad and deep’ the set is?
The list includes information we do not wish to share in an open forum. Around half of the documents have already been identified as no longer required. Typical length is 1 to 3 pages. Bidders should emphasise their ability to propose a suitable list of policies appropriate for a typical government department more than an ability to review outdated documents.

16. Is it possible to estimate the size of the policy portfolio – number of pages of content perhaps? We are having trouble estimating a size for the team
The list includes information we do not wish to share in an open forum. Around half of the documents have already been identified as no longer required. Typical length is 1 to 3 pages. Bidders should emphasise their ability to propose a suitable list of policies appropriate for a typical government department more than an ability to review outdated documents.

17. Are the 100 policies all separate individual policies or are they a mix of policies, standards, guidance and processes? Can we have a list of the policies or, if not available, can we have a sample under each category (if applicable)?
They are listed as policies, but some are indeed guidance. About half have already been identified for removal. Of the rest, about half are policies and half guidance. The list includes information we do not wish to share in an open forum. Bidders should emphasise their ability to propose a suitable list of policies appropriate for a typical government department more than an ability to review outdated documents.

18. You state the policies are out of date; is this because they haven’t been subject to annual policy review or is it that the terminology needs updating?
A mixture of both.

19. With reference to the 100 existing documents, what is the average number of pages of these documents?
Not an average, but typically 1 to 3 pages.

20. Across how many teams within the DfT are the existing documents owned/authored?
Four

21. Across how many distinct platforms do these documents reside?
Three

22. Please can you confirm will the output of the Cyber Security Standard be available to us before the close date of this tender?
Assume this refers to the government Minimum Cyber Security Standard, published on GOV.UK in 2018. Gap analysis for DfT has been completed but not yet written up.

23. Has DfT aligned roles and responsibilities as part of this project?
No

24. Does DfT align to ISO27001 and other core framework controls, if so, what are they?
No

25. Do the existing policies apply to ALBs and is it intended that the revised policy suite also be used by ALBs?
No

26. Do the Digital Services team ‘own’ all ~100 policies and are they empowered to make changes?
Yes

27. How will DfT measure the success of this piece of work?
This will be discussed with the chosen supplier.

28. Do the current policies cover all areas DfT feel should be covered or are there gaps in current policy that this work would seek to fill?
Clarifying this is part of the requirement.

Timeline

Publish date

3 years ago

Close date

3 years ago

Buyer information

Explore contracts and tenders relating to Department for Transport (DFT)
