Closed

Cyber Resilience Programme (CRP) Client Side Support - Enterprise Patching

Published

Value

1,525,000 GBP

Description

Summary of the Work

The successful supplier will deliver enterprise-level changes to support the transformation of the Authority's ICT patching processes. They will co-ordinate multiple work-streams to meet Enterprise patching strategy and objectives. The supplier will deliver against the defined outcomes to support the Programme over a 15 month timescale.

Expected Contract Length

Initial period of 6 months with option to extend the contract for a further 9 months.

Latest Start Date

Monday 14 March 2022

Budget Range

The initial 6 month Contract period must not exceed £1.4M inc VAT. The extension option must not exceed £1.65M inc VAT.

Why the Work is Being Done

Defence faces the same challenges as the global IT industry, whilst also facing the threat of determined adversaries seeking disruptive effects across the five domains. All these threats are persistent in nature and global in scale due to the connected information age. The critical nature of patching to maintain the health and security of systems means that there is a large marketplace available providing off-the-shelf patch management tools. However, due to the complex and unique nature of the MOD estate, the services available in the marketplace do not realise all MOD requirements within a single solution. The MOD has commissioned the generation of an Enterprise Patching Strategy to plan and direct the way in which Defence approaches the challenge of maintaining and updating its capabilities and systems.

Problem to Be Solved

The successful supplier will support the CRP Programme in achieving the following:

1 - Set clear ‘outcomes’ of patching for Defence users in terms of standards, timescales, ownership and the expectations on service owners, project teams, suppliers and TLBs. This includes how Defence users are expected to update and patch services, with a specific focus on patching of legacy applications to make patching simpler.
2 - Create a modernised patching tool that will deliver a technical capability that provides secure patch acquisition to meet the evolving needs of the MOD Enterprise. Inclusive of completion of the inflight Alpha Phase and launch of Beta phase.

Who Are the Users

The CRP programme within Strategic Command are the users. Specialist support is required to sustain the current project delivery and expected increased outputs, which lie predominantly in the implementation of the Enterprise Patching Strategy, providing a stable base from which the Modernising Patching Project, via Alpha & Beta development partners, can plan and implement its scope of work.

Early Market Engagement

Not Applicable

Work Already Done

Technical Authority: Technical and business architectures exist (from high to working-level) that the supplier will utilise to deliver desired outcomes. Cloud infrastructure management responsibilities lie with the client side team, along with technical architecture and solution designs. Shared information environments exist with optimal means of architecting to achieve current and future Defence needs.

Development: Alpha phase development, mobilised with industry partner. Project management and product ownership roles that the industry supplier will support and conduct knowledge transfer with. Tactical work carried out to reduce time to patch.

Existing Team

The existing team consists of project managers, technical service architects, client-side technical Dev & DevOps resources, Cloud Architects, product owners, security specialists and a Security Assurance Controller. Existing governance structures are mature within CRP with the Programme Manager acting as primary delivery sponsor.

Current Phase

Alpha

Skills & Experience

• Extensive understanding of MOD / Major industry defensive cyber capabilities at strategic and operational levels and the interactions between them to enable a proactive cyber posture.
• Experience of delivering complex projects / programmes in-line with GDS service design principles.
• Demonstrable experience of providing client-side support within transformation programmes.
• Proven track record of working with distributed stakeholders to implement transformation across organisational structures, operational governance and information flows for large-scale complex projects.
• Proven experience of running a workstream of activity, related to delivering an enterprise-level Cyber Security Operations Capability.
• Experience of managing service integration and Service Executive Delivery Model.

Nice to Haves

• Experience of working within Defence organisations on agile project delivery.
• Ability to think creatively and articulate innovative ideas for solving complex business and ICT problems.
• Understanding of MOD Investment Approvals (JSP 655) and the creation of business cases from refined requirements.

Work Location

The work can generally be carried out by remote working but will entail travel to the main site at MoD Corsham, Corsham, Wiltshire.

Working Arrangements

The primary location will be MoD Corsham and supplier staff will be expected to work in-line with the CRP team hours of work, these normally being Monday - Friday 09.00 - 17.00. Normal work can be carried out remotely; however, travel to MoD premises to attend meetings and work collaboratively will be required in support of the delivery requirements. All travel and subsistence away from the main site will require prior approval. Travel to other locations may be required, which include but are not limited to: MOD Abbey Wood, Bristol; MOD Main Building, London.

Security Clearance

To proceed to Stage 2, suppliers must clearly demonstrate ability to view and respond to OFFICIAL SENSITIVE materials. Proposed supplier staff must already hold SC clearance prior to contract commencement. The supplier must have capability to offer staff that are DV cleared for short periods.

Additional T&Cs

Bid Responses to be submitted on the templates provided and in Microsoft Office Word format only. Suppliers must use the Authority's Purchase to Payment Tool called CP&F or be prepared to sign up to the tool.

No. of Suppliers to Evaluate

3

Proposal Criteria

• Documented proposed approach and methodology, including discovery focus, breakdown of tasks, transfer of knowledge, as well as how they will integrate and work collaboratively with the existing teams. (30%)
• Case study of previous experience of embedded client-side support (20%)
• Onboarding and Implementation Plan (10%)
• Team structure, evidence/confirmation the proposed team have the relevant Security Clearances, role by role competency (20%)
• Supporting CVs for individuals, which should not be included in the page/word limit for the main proposal but are limited to a maximum of 1 page per person. (10%)
• Risk mitigation strategy (10%)

Cultural Fit Criteria

• Demonstrate action to identify and manage cyber security risks in the delivery of the contract including in the supply chain. (20%)
• Support in-work progression to help people, including those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract. (20%)
• Working as a team with our organisation and its stakeholders, sharing knowledge in a no blame culture to enable learning from experience. (20%)
• Working collaboratively and taking responsibility for the tasks in hand and adapting quickly, in an ever changing environment, to enable completion of tasks in an agile manner. (20%)
• Explaining technical issues in a clear and concise manner to ensure all levels of stakeholders can understand. (20%)

Payment Approach

Fixed price

Evaluation Weighting

• Technical competence 70%
• Cultural fit 10%
• Price 20%

Questions from Suppliers

1. Please could you outline the fixed price deliverables for this contract?
   This opportunity is outcomes based deliverables, as detailed in the problem to be solved section. The supplier will be required to undertake deliverables and milestones specific to the Programme delivery dates at the point of award.

2. Please provide further details around what has been achieved in the Alpha phase and whether any products have been selected for use.
   The Technical Authority (TA) has produced a Conceptual Architecture for the patching capability, as well as Cloud Architecture documentation to support hosting within AWS, of which environments have been built out. A development partner has been selected and onboarded in early Jan 22. This is an Agile project and as such requirements are evolving, the design and requirements will continue to evolve in line with this.

3. Can the Authority please confirm if there is an existing patching capability and the tooling/software currently in use?
   The Authority currently has a patch hosting capability provided by a third service provider, using proprietary software.

4. Can the Authority please provide the scope of the applications/environments that this patching capability will cover?
   Ultimately everything within the MOD that requires a software or firmware update is in scope for patching, including systems, applications and infrastructure across classification tiers.

5. Can the Authority please confirm if the scope of this contract includes the deployment or management of patches to devices and end points?
   The client side team are not responsible for deployment or management of patches to devices and endpoints.

6. Can the Authority please confirm what the expected capability of the patching tool will be (such as management information, patch collation and/or patch deployment)?
   The Authority is seeking to deliver through an Agile development, a MOD owned and designed bespoke capability that provides secure patch acquisition and distribution services, across classification tiers, to connected and air gapped systems.

7. Can the Authority please confirm if the patching tool is expected to be custom developed and/or will use COTS products?
   It is the intention to develop a bespoke capability that incorporates commercially available solutions (e.g. Microsoft Windows Server Update Services (WSUS)) that meet the specific patching needs of the MOD.

8. Could the Authority please clarify what is meant by ‘Service Executive Delivery Model’. Please also confirm whether this is a term from a professional body/best practice, or whether it is an MOD-only term.
   The term 'Service Executive Delivery Model' is used by SyInfra to deliver services within its portfolio in the future. Utilising the ITIL 4 model, the Authority is interested to understand the supplier's experience in utilising this framework.

Timeline

Publish date

2 years ago

Close date

2 years ago

Buyer information

Explore contracts and tenders relating to Ministry of Defence
