CH-1056: CH System: Authentication Digital Delivery Partner

Description

Summary of the work Companies House require a team with expert knowledge and skills of digital authentication standards (OIDC, oAuth 2.0) and ForgeRock to modify existing Java (including Springboot) microservices, Node, Go and Perl code and integrate our digital platform with the ForgeRock Identity Cloud. Expected Contract Length 12 months with option to extend for 6 months Latest start date Monday 9 January 2023 Budget Range £3,700,000.00 Why the Work is Being Done "Our digital services allow users to comply with the Companies Act by registering new companies, informing the registrar of changes and closing exisiting companies. With new legislation requiring company officers to prove their identity being implemented in 2023, our digital platform (known as CHS) must be underpinned by a modern, fit for purpose account access and authentication system. By replacing existing, non-standard authentication code, components and features from CHS with an entirely standards-based approach (an Open ID Connect (OIDC) layer over OAuth2.0), this project will ensure that the CHS platform is ready for Identity Verification (IDV) – a critical feature of both Transformation and Legislative Reform activity. This work will remove technical debt from a complex and critical part of the CHS platform, including some deprecated Perl code. " Problem to Be Solved Users can register for, and sign in to a Companies House user account that provides multi factor authentication and allows authorised users to file for companies. Companies House is able to ensure that all user accounts are managed via the ForgeRock Identity Cloud platform. Who Are the Users "As a company officer or presenter, I need to sign in to my Companies House user account, so that I can file on behalf of companies for which I am authorised. As a developer of third party company secretarial software, I need to be able to request and manage API keys, so that my products can interact digitally with COmpanies House digital services. As a Companies House Information Asset Owner, Data Protection Officer or Senior Information Risk Officer, I need assurance that our users' accounts are secured with modern authentication methods such as multi factor authentication, so that I can be sure that only the account owner can access their account." Early Market Engagement A Request for Information (RFI) was sent via GOV.UK Contracts Finder on 27th August 2022. This informed suppliers of our intention to procure services and provided an outline of the requirement and our intended timeframes. Information received from suppliers has been used to refine our requirements and decide on the most appropriate route to market for this initiative. Work Already Done The project has completed Discovery and has recently began the Alpha phase. Alpha is expected to run until November 2022, with Beta planned to begin in January 2023. Existing Team The existing team consists of a Senior Responsible Owner, Project Manager, Product Manager, Technical Architect, Principal / Lead Developer, Business Analyst, Software Tester, User Researcher and Data Analyst. Further Companies House staff (such as DevOps, Application Support, Content Design, Interaction Design) can be made available to the project team as required. Current Phase Alpha Skills & Experience • Have experience with similar identity / authentication integration projects • Have experience integrating ForgeRock Identity Cloud, including Access Manager, Identity Manager, Identity Gateway, Remote Connector Service, and ForgeRock SDK integration • Experience data modelling, migration and account merging within ForgeRock and connected apps • Ability to provide developers with Java, Springboot and React.JS framework skills and experience • Suppliers should be accredited ForgeRock partners and be listed in the ForgeRock Trust Network partner directory. • Suppliers will have experience of handing over/knowedge transfer of complex developments to in house development teams • Ability to provide teams with relevant skills and experience of working with digital authentication standards (oAuth) and protocols and implementing the ForgeRock platform with existing, live digital platforms and services. • Experience of agile software development and scrum principles Nice to Haves Ability to provide staff with the following skills and experience: 1. Perl. 2. GoLang. 3. Terraform. 4. Concourse migration pipelines. 5. MongoDB Work Location Remote with occasional visits to: "Companies House Crown Way Cardiff CF14 3UZ" Working Arrangments "The supplier staff will work remotely during UK office hours. Expenses not applicable for remote working. They will be required to work independently of Companies House staff, but also collaborating closely as and when required. Companies House will provide supplier staff with laptops and access to all relevant systems and services as required. All supplier staff must be based in the United Kingdom." Security Clearance The awarded supplier will be expected to cover the cost of the SC Clearance if required. We will work with the awarded supplier to prioritise activities in line with SC Clearance roles. Additional T&Cs We do not expect expenses as part of this contract. However, if relevant all expenses must be pre-agreed between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy. All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ No. of Suppliers to Evaluate 3 Proposal Criteria • Technical solution • Cultural fit • Value for Money Cultural Fit Criteria • work as a team with our organisation and other suppliers • take responsibility for their work • challenge the status quo - adaptable, bold and curious • share knowledge and experience with other team members • take responsibility for their work • be transparent and collaborative when making decision Payment Approach Capped time and materials Assessment Method Presentation Evaluation Weighting Technical competence 70% Cultural fit 10% Price 20% Questions from Suppliers 1. “Suppliers should be accredited ForgeRock partners and be listed in the ForgeRock Trust Network partner directory”Will a simple “Yes” suffice to score maximum points or do Companies House expect more for a response? We would like to see some demonstration of the supplier's experience with ForgeRock integrations / implementations. In line with the scoring guidance 2. Would the buyer be open to an onshore and offshore presence? We require resource to be Uk based 3. The evaluation criteria mention “supplier must have forgerock partner accreditation.” Does this apply to the supplier bidding or can it be part of their subcontract supply chain? If part of supply chain will it be evaluated at the same level. We are content this can be a supplier in the supply chain.