Adaptive Security Programme Delivery Service

Description

Pre-market engagement None Which phase the project is in Not applicable Existing team The existing team consists of delivery managers (which work across the programme), service managers and technical leads. Address where the work will be done Peel Park, Brunel Way, Blackpool FY4 5ES 2 St. Peter’s Square, Manchester M2 3AA Working arrangements The supplier will be required to work in our Blackpool or Manchester office 2 days per week for face-to-face team meetings, and 3 days remotely. Options are available to work from other DWP Digital Hubs Provide more information about your security requirements: Baseline Personnel Security Standard (BPSS) Provide more information about your security requirements: Security Check (SC) Provide more information about your security requirements (optional): BPSS / SC. All must have BPSS as a minimum. Preference for contractors to already hold SC clearance, however we would be willing to sponsor the SC clearance process at the supplier's expense. Latest start date 2025-04-01 Enter the expected contract length: 2 years Extension period: 1 year Special terms and conditions All expenses must be pre-agreed between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy. All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ Write the term or acronym: ASP = Adaptive Security Programme NIST CSF = National Institute of Standards and Technology Cyber Security Framework CIS = Centre for Internet Security AWS = Amazon Web Services Are you prepared to show your budget details?: Yes Indicative maximum: Indicative maximum £650,000.00 per year Confirm if you require a contracted out service or supply of resource Contracted out service: the off-payroll rules do not apply Summary of work Programme Delivery to drive the build, operational and adoption of the 18 CIS Security controls within the Adaptive Security Programme. Realise the associated business benefits, measured against the programme delivery KPIs. The implementation and operation of teamwork and engineering across Technology Services (TS) to adopt the ways of working and introduce the controls needed to adopt key aspects of the NIST cybersecurity framework. The implementation of the ASP enterprise Delivery Plan against TS Infrastructure, Services and Application capabilities to provide suitable monitoring, alerting and security controls, with security controls aligned to the CIS controls and NIST cybersecurity frameworks Developing stakeholder relationships across TS and Digital to represent Adaptive Security Programme requirements that support the Adoption & Deployment Strategy. Analysis of the engineering team backlog to identify major items in scope for priority workstreams within the Adaptive Security Programme and production of a plan on a page detailing interdependencies. Analysis of the delivery backlog, production of a high-level plan on a page to provide a visual representation of the backlog to support stakeholder communications. Monthly delivery, tracking and reporting against plans, production of stakeholder communications/artefacts. Ongoing delivery of the programme and agreed outcomes and goals as per the Delivery Backlog and plans. Delivery backlog updated with relevant workstreams and key interdependencies. Where the supplied staff will work North West England Who the organisation using the products or services is Department for Work and Pension Why the work is being done Cyber Security remains one of the biggest risks to both the Public and Private Sector, with the risk increasing; financially motivated attacks are increasing, >80% of financially motivated attacks involving the deployment of ransomware or a precursor to ransomware activities. Technology alone is not enough — people, process, configuration, coverage and management matters. DWP needs to evolve to stay ahead of the inherent risk, with continuous work needed to adapt to the ever-evolving cyber threat. Intrusions should not be thought of as a one-time event, requirement is for continuous monitoring and response. A DWP-wide decision has been taken to adopt the NIST Cyber Security Framework (NIST-CSF) and CIS v8 (Centre for Internet Security) controls as a benchmark for security standards (i.e. wider than digital). Technology Services has initiated an initial assessment across digital to establish the current levels of compliance against the NIST Tier-4 “Adaptive” level to create a gap-analysis, and roadmap, followed by a programme to implement the roadmap of appropriate controls across Digital Services. This framework helps define a quantitative set of controls that are continuously evolving and validated to mitigate security threat to the department. The business problem you need to solve There is a risk that internal or external cyber threats could result in: • Breaches in data confidentiality, integrity and availability, disruption of payment services, loss of critical business services, loss of data and bulk data assets marked at “OFFICIAL SENSITIVE” • Loss of personal information and Financial/Payment data, and unauthorised access to DWP systems and services • Severe reputational damage to HMG and DWP, and loss of confidence in DWP and its service provision First user type: This is not a product or Digital Service. We are running a programme to address the risk of cyber threats and the ever-evolving threat landscape.