Procurement details: RM1043.8-1-MINISTRY OF DEFENCE - Defence Digital - Vulnerability Management Decision Support Tooling
7
Applications submitted
£1600000
Indicative Budget
Outside scope
Off-payroll status
10 March 2023
Application Closing Date
1. Context and requirements
-
Pre-market engagement
-
A recent market engagement has made the MoD aware of the availability of existing tools that have the capability to deliver some of the key user requirements. However, the market engagement did not identify an existing tool that has all the requirements. It is the MoD's expectation that some level of development / tailoring will be required to achieve all the requirements of this project.
-
Work done so far
-
A previous MoD project has delivered an Alpha version of the tool, which has enabled the base set of user requirements to be established. A current project team is developing a Beta version of the tool, from which further user requirements and insights are being established and which will provide a basis of knowledge on which the contracted project team can build.
-
Which phase the project is in
-
Beta
-
Existing team
-
The Project team is currently led by a Delivery Manager, with no other direct team members. It sits within a wider cyber vulnerability fixes team, gaining access to expert users, technical assurance and business change. The supplier will also be working with Cyber Operations across many Defence areas to deliver the outcome.
-
Address where the work will be done
-
MoD Corsham, Westwells Road, Corsham, SN13 9GB
-
Working arrangements
-
The supplier staff will keep to Cyber Resilience Programme team hours in order to maximise knowledge transfer and integration, which is Monday to Friday. Smart working is the required way of working. This is a combination of remote working, utilising Teams & Skype, and when required face to face engagement. Expenses will be capped at £5,000 for the duration of the contract and all travel and subsistence will require prior approval.
-
Provide more information about your security requirements
-
Security Check (SC)
-
Provide more information about your security requirements
-
Developed Vetting (DV)
-
Provide more information about your security requirements (optional)
-
All delivery staff must hold minimum SC clearance for the duration of the contract. There will be the need to access highly classified MOD information and therefore a number of delivery staff must hold DV clearance for the duration of the contract to deliver the requirements.
-
Latest start date
-
2023-05-15
-
Enter the expected contract length
-
1 year
-
Extension period
-
Special terms and conditions
-
Additional terms and conditions: Potential extension to contract term of up to 24 months, dependent on financial approval.
-
Special terms and conditions
-
Expenses will be capped at £5,000 for the duration of the contract and all travel and subsistence will require prior approval. Travel will only be to UK MOD sites. T&S will be reimbursable when travelling to alternate locations (Not MOD Corsham). All expenses must be pre-agreed between the parties and must comply with the MOD Travel and Subsistence (T&S) Policy.
-
Special terms and conditions
-
Suppliers must use the Authority’s Purchase to Payment Tool CP&F or be prepared to sign up to the tool.
-
Special terms and conditions
-
In accordance with DEFCON 658, a Cyber risk assessment has been undertaken. Risk Assessment Ref: RAR-102450037. Cyber risk profile: Moderate.
-
Are you prepared to show your budget details?
-
Yes
-
Indicative maximum
-
1600000
-
Indicative minimum
-
Provide further information
-
It is estimated that the work can be delivered within the budget range of £1,000,000 to £1,600,000, not inclusive of VAT.
-
Confirm if you require a contracted out service or supply of resource
-
Contracted out service: the off-payroll rules do not apply
-
Summary of work
-
The Vulnerability Management Decision Support Project will deliver a Live capability that will use automation to effectively and accurately identify, assess and prioritise cyber vulnerabilities, alerting system managers if risk thresholds are exceeded. A reporting function will enable management to get a real time understanding of cyber vulnerability risk.
-
Where the supplied staff will work
-
South West England
-
Who the organisation using the products or services is
-
MINISTRY OF DEFENCE - Defence Digital
-
Why the work is being done
-
The ever increasing number of cyber vulnerabilities combined with the growing utilisation of cyber warfare presents a significant risk to the cyber security of the MoD and its networks. A recent MoD project has highlighted this risk and demonstrated the value and feasibility of a tool to automate the process of identifying, assessing, and prioritising vulnerabilities, thus enabling cyber security professionals to focus on the highest priority items. This project will deliver a live capability that will enable Analysts, System Owners, Management, and other stakeholders to, in real time, understand the vulnerability risks for a given area of responsibility, highlight any vulnerabilities that require urgent remediation and allow system managers to report the status of any required remediation activity. The capability will be key to the process that manages the vulnerability risks and how system managers demonstrate their effective management of cyber vulnerabilities. Overall, this project will reduce the risk of a successful cyber attack via a cyber vulnerability, through the delivery of a live capability that can accurately provide a real-time view of vulnerability risk and highlight any high priority vulnerabilities that have not been effectively remediated.
-
The business problem you need to solve
-
As the modern MoD and armed forces become increasingly reliant on IT systems and other digital technologies, the risk associated with cyber attack increases. Exploitation of known cyber vulnerabilities is a simple and effective route that many cyber criminals utilise to disrupt the operational effectiveness of their target. The MoD is a large and complex organisation with many IT networks and assets, many of which are vulnerable to cyber attack. Currently the MoD has no efficient method to understand, in real time, the overall risk associated with cyber vulnerabilities to all or certain parts of the organisation / network. Furthermore, the increased rate of cyber vulnerability identification is stretching the ability of the current cyber vulnerability management method to effectively assess, prioritise, triage and remediate these cyber vulnerabilities, thus increasing the overall risk to the MoD from a cyber security incident associated with a known cyber vulnerability.
-
First user type
-
Senior Operations Manager
-
First user type
-
Analyst
-
First user type
-
MODCERT Manager
-
Enter more details about this user type
-
As a Senior Operations Manager, I need access to a consolidated view of cyber vulnerability risks across my area of responsibility, so that I can take focussed action to address any issues.
-
Enter more details about this user type
-
As an Analyst, I need to be able to classify asset vulnerabilities and exposures, so that these vulnerabilities and exposures can be accurately prioritised and remediated (where necessary). I need all vulnerabilities and exposures consolidated from all data sources, with initial risk triage information automatically generated.
-
Enter more details about this user type
-
As a MODCERT Manager, I need to be able to alert System Managers to vulnerabilities and exposures that are subject to a MODCERT Directive and I need to be alerted as to when a System Manager has not remediated a vulnerability/exposure within a prescribed period of time.
-
2. Assessment Criteria
-
Select your pricing model
-
Fixed price
-
Additional assessment methods
-
Presentation
-
Create your scoring criteria
-
3
-
How many suppliers to evaluate
-
4
-
Technical competence
-
55
-
Cultural fit
-
5
-
Social value
-
10
-
Price
-
30
-
Essential skills and experience
-
15
-
Nice-to-have skills and experience (optional)
-
5
-
Technical questions
-
80
-
Describe the essential skill or experience:
-
Evidence of working with MOD or a similar organisation to deliver cyber vulnerability management solutions.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
40
-
Describe the essential skill or experience:
-
Evidence of understanding and experience of MOD or a similar organisation's Secure by Design, accreditation, and related processes.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the essential skill or experience:
-
Evidence of understanding and experience of integrating similar products or services into MOD or a similar organisation’s existing IT landscape.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the essential skill or experience:
-
Evidence of understanding and experience of business change required to maximise benefits from new tooling capability within MOD or a similar organisation.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the essential skill or experience:
-
Evidence of understanding and experience of working with MOD or a similar organisation's stakeholders to develop additional features for the same or similar products or services.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the essential skill or experience:
-
All delivery staff must hold minimum SC clearance for the duration of the contract.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the essential skill or experience:
-
There will be the need to access highly classified MOD information and therefore a number of delivery staff, dependent on your proposed delivery plan, must hold DV clearance for the contract duration.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
10
-
Describe the nice-to-have skill or experience:
-
Evidence of understanding and experience of vulnerability management within Defence – including the challenges in such a diverse organisation.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
20
-
Describe the nice-to-have skill or experience:
-
Evidence of working collaboratively to deliver outcomes.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
20
-
Describe the nice-to-have skill or experience:
-
Evidence of understanding and experience in business analysis on Computer Information System projects in MOD or similar organisation.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
20
-
Describe the nice-to-have skill or experience:
-
Experience of the rapid mobilisation of a team within the MOD or similar context, the challenges and how you have overcome them, including the ability to start from day 1.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
20
-
Describe the nice-to-have skill or experience:
-
Evidence of experience in exploiting delivery models that maximise benefit within constrained budgets.
-
Enter a weighting for this skill or experience in whole numbers, for example 30
-
20
-
Explain the technical question:
-
Describe your approach and management of work to meet user needs described in the SOR. Include key features guaranteeing delivery to performance, cost/time and any innovations proposed in delivery, details of any licence model (minus costs) associated with your solution and how you will provide technical support.
-
Enter a weighting for this technical question in whole numbers, for example 30
-
40
-
Explain the technical question:
-
Describe your mobilisation plan including timeline to onboard your delivery team and how you will build momentum to deliver at pace
-
Enter a weighting for this technical question in whole numbers, for example 30
-
10
-
Explain the technical question:
-
Provide your team structure including numbers of staff, a list of the key roles and responsibilities and how they’ll work together and with others
-
Enter a weighting for this technical question in whole numbers, for example 30
-
5
-
Explain the technical question:
-
Provide CVs for the key roles within your team and their relevant qualifications
-
Enter a weighting for this technical question in whole numbers, for example 30
-
5
-
Explain the technical question:
-
Describe how you will manage business change associated with delivery of this capability specific to vulnerability management
-
Enter a weighting for this technical question in whole numbers, for example 30
-
5
-
Explain the technical question:
-
Describe the key risks, issues and opportunities for this project and how you will mitigate them
-
Enter a weighting for this technical question in whole numbers, for example 30
-
5
-
Explain the technical question:
-
Describe the key dependencies and assumptions for your proposal and how you will address and/or manage them
-
Enter a weighting for this technical question in whole numbers, for example 30
-
5
-
Explain the technical question:
-
Evaluation of the product demo will have weighting indicated here. Specifications of the demo to be released with stage 2.
-
Enter a weighting for this technical question in whole numbers, for example 30
-
25
-
Your question
-
Able to communicate effectively with staff, technical SMEs and senior management to identify pragmatic solutions to problems
-
Enter a weighting for this question
-
40
-
Your question
-
Recent proven experience of an open, transparent, and collaborative working relationship at all levels with excellent communication skills
-
Enter a weighting for this question
-
40
-
Your question
-
Suppliers must demonstrate an ability and willingness to work collaboratively within a multi stakeholder environment to achieve outcomes
-
Enter a weighting for this question
-
20
-
Explain the social value question
-
Social Value - Demonstrate the company's approach to supporting educational attainment relevant to the contract, including training schemes that address skills gaps and result in recognised qualifications
-
Enter a weighting for this question
-
50
-
Explain the social value question
-
Social Value - Demonstrate the company's approach to delivering additional environmental benefits in the performance of the contract, including working towards net zero greenhouse gas emissions
-
Enter a weighting for this question
-
25
-
Explain the social value question
-
Social Value - Demonstrate action to identify and tackle inequality in employment, skills and pay in the contract workforce
-
Enter a weighting for this question
-
25
-
3. Timeline
-
Publication of stage 1
-
February 21, 2023, 12:00 AM
-
Clarification period closes
-
March 3, 2023, 4:00 PM
-
Deadline for suppliers to submit their stage 1 responses
-
March 10, 2023, 4:00 PM
Clarification questions and responses
There are no questions and clarifications relating to this opportunity.