Identity and Access Management Discovery

Description

Summary of the work User-focused research into the as-is, pain points and opportunities of related programs. Expert recommendations, providing insight from robust technical domain experience, actions to improve identity governance and administration - enabling development of a robust Identity-based security strategy, resolving the pain points and enabling future delivery. All within our regulatory/security requirements. Expected Contract Length 8 Week Discovery (+ 8 week Alpha discretionary) Latest start date Monday 11 October 2021 Budget Range Discovery: £200k - £250k Alpha/Initial actions: £200k - £250k Why the Work is Being Done Identity is a core element of our security and interoperability strategies and one of the Cabinet Office priorities. A robust and effective identity and access management platform and strategy will be a central pillar enabling effective secure delivery of our services both internally, within the wider DfT family, with central government colleagues and for our suppliers and customers. Problem to Be Solved We have both pressures and opportunities to improve how identity is managed within the department, our wider family and for our services. Our position has grown organically to date and so a robust discovery and exploration is needed to determine the future direction and to realise better and more effective ways of managing identity, meeting challenges and exploiting the opportunities in the best way possible. Who Are the Users • All members of DfT(c) staff • DfT Family / cross-government who need to collaborate with the central department • Suppliers and customers who need to access our (DfTc) services Early Market Engagement N/A Work Already Done • Pre-project exploration and research. • Initial user research within DfT(c) Existing Team Suppliers undertaking this requirement will work remotely but in partnership with the Department for Transport’s Digital service team. The core team will be: • Jim Scott – Security Architect, Digital Service • Simon Harris – Security Programme Manager and IDAM Project manager, Digital Service • Sarah Norman – Head of Information & Cyber Security Current Phase Not started Skills & Experience • Demonstrate experience delivering discovery project(s) and their outcomes:- cover a broad scope of identity challenges for an enterprise, including privilege access management, identity governance and administration, and customer/supplier identity management. • Demonstrate experience of delivering discovery project(s) and their outcomes that:- support the formulation of identity and access management strategy in an enterprise setting • Demonstrate experience of delivering discovery project(s) and their outcomes that:- formulate actionable recommendations and plans to improve the identity and access management • Demonstrate experience of delivering discovery project(s) and their outcomes that:- have been conducted according to GDS guidelines for a government department Nice to Haves • Experience in Microsoft based identity management in a multi-cloud environment with explicit experience of interoperability between Microsoft and Google cloud platform • Experience in working with federated identity across multiple organisation units • Experience working with organisations moving towards zero trust security architecture and supporting that journey through robust identity management. • Find solutions that balance the needs of the user against security and regulatory standards Work Location We expect this work will be done remotely for the foreseeable future. Should official guidance change during the duration of this engagement, you may be expected to attend meetings across England. Working Arrangments We expect full-time engagement from delivery teams to deliver the required outcomes. We would expect the discovery to be completed within 8 weeks, which should comprise several sprints, in accordance with Agile project management, to determine user needs. Additional sprints for Alpha activity, deeper dives, further investigation or initial actions will be at the customer’s discretion. Exact milestones will be determined with the supplier post-appointment. Security Clearance All contractors’ personnel must be working toward security clearance level of SC as a minimum (United Kingdom Security Vetting: clearance levels - GOV.UK (www.gov.uk)). Evidence of clearance or working toward clearance will be requested at the written proposal stage. Additional T&Cs The contract is limited to discovery only. Continuation into Alpha, actions to achieve initial recommendations/quick-wins may be approved by negotiation with the supplier. Please note: In the event that Discovery moves onto Alpha there is likely to be a short amount of downtime whilst the appropriate approvals are sought to progress. No. of Suppliers to Evaluate 5 Proposal Criteria • Approach and methodology – 20% • Technical solution – 20% • Value for money – 10% • Team structure – 20% Cultural Fit Criteria • Experience working in a public sector/government context, including awareness of governmental standards and requirements in terms of security and information protection. 5% • Experience working and communicating with security, assurance and technical professionals, business users and VIPs in championing the importance of robust identity and access management and control, where appropriate. 5% Payment Approach Capped time and materials Assessment Method • Case study • Work history • Presentation Evaluation Weighting Technical competence 70% Cultural fit 10% Price 20% Questions from Suppliers 1. Do you have a size of team or specific roles in mind? The proposed makeup of the team is one of the selection criteria and so we are looking for you to propose the size and make up of the team you deem to be appropriate against the requirement. 2. Do you want the team to be 100% self-contained? Will you be providing roles to augment the team? Is there a wider project / programme that the team will be reporting into? The supplier will be responsible for the outcomes of the project. There will be close working with our security/technical architects as well as other colleagues. The project is part of a wider security improvement program, managed by a program manager and will report to our Project Deliver Group. 3. Is DfT prepared to sponsor the SC applications? Yes – the department will sponsor SC applications. 4. Has there been any previous work conducted in this area? If so, what was done and who was this carried out by? As per the specification – some pre-discovery user research was conducted to understand the baseline position within the organisation. Scoping and work to communicate the program has been completed. This initial work was completed by a user researched and a security architect . 5. “All contractors’ personnel must be working toward security clearance level of SC as a minimum“ Does this mean DfT won’t sponsor people for SC clearance if we are successful?Do all roles require SC?In our experience we would only require SC if working with live data which we wouldn’t expect to do during discovery, is this correct?Although appreciated this would be needed for alpha We will sponsor as per Q2 above.It is feasible to mix between SC and non-SC depending on roles and access however we would need the supplier to demonstrate how this would work in practise.Due to the nature of identity data subject to research there is likely to be a requirement for at least some roles to have SC during discovery (there isn’t really test data). 6. Please can you clarify the expectations for “working toward clearance”. Will DfT be able to sponsor clearance for appropriate staff to work on this project? See Clarification Answer 3. 7. If successful at the Discovery phase, will companies be excluded from subsequent phases or free to participate? Free to participate. At our discretion, Alpha may be in scope of this bid. Any subsequent phases, depending on agreed outcomes, will be subject to a fresh procurement with no exclusions. 8. We are interested in providing a response to this proposal -Initial Question – Is this a services delivery requirement?Also, are you looking at different IAM/MFA/PAM Technology providers and looking for a solution deployment? Is this a services delivery requirement? – Not at this stage, a services delivery requirement may be an outcome of discovery.Also, are you looking at different IAM/MFA/PAM Technology providers and looking for a solution deployment? – Again, not at this stage although we are aware there are various Identity, authentication, and privilege access management providers. The requirement for these may be an outcome of discovery but isn’t being explored yet. 9. Users mentions “Suppliers and customers”, does this include members of the general public? Yes we have some public facing services which are used by members of the public. The majority of these provide open data and do not have identity management. For clarity - the larger public facing services associated with DfT (Driving licenses etc) are managed by our agencies and aren’t in scope for this discovery. Suppliers should note the answers to Q10 (GDS identity program) and Q11 – (decentralised identity management for suppliers and customers). 10. How does this fit with the GDS Cross-Government Identity project? GDS identity program is one of the ‘opportunities’ referred to in the spec. 11. Approximately how many internal and external users? We have 4.5k internal users there are 20k (approx.) in the wider DfT family and colleagues form other government departments. Our supplier and customers (external) identity management is decentralised and has grown organically. I don’t have a figure for the numbers of suppliers and customers but expect this to be in the thousands.