Adaptive Security Programme Delivery Service

Description

Pre-market engagement None Which phase the project is in Not applicable Existing team The existing team consists of delivery managers (which work across the programme), service managers and technical leads. Address where the work will be done Peel Park, Brunel Way, Blackpool FY4 5ES 2 St. Peter’s Square, Manchester M2 3AA Working arrangements The supplier will be required to work in our Blackpool or Manchester office 2 days per week for face-to-face team meetings, and 3 days remotely. Options are available to work from other DWP Digital Hubs Provide more information about your security requirements: Baseline Personnel Security Standard (BPSS) Provide more information about your security requirements: Security Check (SC) Provide more information about your security requirements (optional): BPSS / SC. All must have BPSS as a minimum. Preference for contractors to already hold SC clearance, however we would be willing to sponsor the SC clearance process at the supplier's expense. Latest start date 2025-04-01 Enter the expected contract length: 2 years Extension period: 1 year Special terms and conditions All expenses must be pre-agreed between the parties and must comply with the Cabinet Office (CO) Travel and Subsistence (T&S) Policy. All vendors are obliged to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects. For further information please see the Information Commissioner's Office website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ Write the term or acronym: ASP = Adaptive Security Programme NIST CSF = National Institute of Standards and Technology Cyber Security Framework CIS = Centre for Internet Security AWS = Amazon Web Services Are you prepared to show your budget details?: Yes Indicative maximum: Indicative maximum £650,000.00 per year Confirm if you require a contracted out service or supply of resource Contracted out service: the off-payroll rules do not apply Summary of work Programme Delivery to drive the build, operational and adoption of the 18 CIS Security controls within the Adaptive Security Programme. Realise the associated business benefits, measured against the programme delivery KPIs. The implementation and operation of teamwork and engineering across Technology Services (TS) to adopt the ways of working and introduce the controls needed to adopt key aspects of the NIST cybersecurity framework. The implementation of the ASP enterprise Delivery Plan against TS Infrastructure, Services and Application capabilities to provide suitable monitoring, alerting and security controls, with security controls aligned to the CIS controls and NIST cybersecurity frameworks Developing stakeholder relationships across TS and Digital to represent Adaptive Security Programme requirements that support the Adoption & Deployment Strategy. Analysis of the engineering team backlog to identify major items in scope for priority workstreams within the Adaptive Security Programme and production of a plan on a page detailing interdependencies. Analysis of the delivery backlog, production of a high-level plan on a page to provide a visual representation of the backlog to support stakeholder communications. Monthly delivery, tracking and reporting against plans, production of stakeholder communications/artefacts. Ongoing delivery of the programme and agreed outcomes and goals as per the Delivery Backlog and plans. Delivery backlog updated with relevant workstreams and key interdependencies. Where the supplied staff will work North West England Who the organisation using the products or services is Department for Work and Pension Why the work is being done Cyber Security remains one of the biggest risks to both the Public and Private Sector, with the risk increasing; financially motivated attacks are increasing, >80% of financially motivated attacks involving the deployment of ransomware or a precursor to ransomware activities. Technology alone is not enough — people, process, configuration, coverage and management matters. DWP needs to evolve to stay ahead of the inherent risk, with continuous work needed to adapt to the ever-evolving cyber threat. Intrusions should not be thought of as a one-time event, requirement is for continuous monitoring and response. A DWP-wide decision has been taken to adopt the NIST Cyber Security Framework (NIST-CSF) and CIS v8 (Centre for Internet Security) controls as a benchmark for security standards (i.e. wider than digital). Technology Services has initiated an initial assessment across digital to establish the current levels of compliance against the NIST Tier-4 “Adaptive” level to create a gap-analysis, and roadmap, followed by a programme to implement the roadmap of appropriate controls across Digital Services. This framework helps define a quantitative set of controls that are continuously evolving and validated to mitigate security threat to the department. The business problem you need to solve There is a risk that internal or external cyber threats could result in: • Breaches in data confidentiality, integrity and availability, disruption of payment services, loss of critical business services, loss of data and bulk data assets marked at “OFFICIAL SENSITIVE” • Loss of personal information and Financial/Payment data, and unauthorised access to DWP systems and services • Severe reputational damage to HMG and DWP, and loss of confidence in DWP and its service provision First user type: This is not a product or Digital Service. We are running a programme to address the risk of cyber threats and the ever-evolving threat landscape. Questions and Clarifications 0. Could you please respond to below clarification questions? 1. Please can the authority confirm if there is an incumbent supplier? And if so, is their current delivery team subject to an Ethical Wall Agreement. 2. No expected contract length has been shared; however, can the authority indicate how they expect funds to be drawn-down? How long is the delivery expected to be? 3. Would the Authority consider a short extension to the Stage 2 submission deadline? Due to the tight turn around time and a pricing aspect to the submission it will be difficult to complete all our required governance approvals before the 14th February deadline. 4. Would the authority please confirm word/character count for the Stage 2 response answers and whether supplier presentations are required 5. Please could the authority confirm that TUPE will not be applicable to this contract? 6. Due to the short turnaround between Stage 1 & 2, would the Authority please provide full requirement, pricing template, and delivery outcome detail prior to Stage 1 shortlisting to allow bidders to effectively solution and complete sign-off related governance please? "1. Yes, the incumbent supplier is Redesmere Limited and an Ethical Walls agreement is in place. 2. The contract is expected to run on a 2+1 years basis.The funds will be drawn on a Statement of Work basis as and when required. 3. There is no plan to extend the stage 2 deadline. 4. Yes, the response limit is 750 character max per requirement. There will not be a requirement for presentations. 5. We do not believe Tupe is in scope for this procurement. 6. We believe we have uploaded all relevant material besides the pricing template (SFIA rate card) onto the system which be shared at stage 2." Last Updated: <strong>2025-01-16T13:36:33.433348Z</strong> 1. We note that the suppliers' responses to the Essential Skills and Experience are limited to 750 characters including spaces. Please will you confirm whether this limit is in respect of each of the four questions individually or if the limit is in respect of the four questions in aggregate. Yes the response limit is 750 character max per requirement/question. Last Updated: <strong>2025-01-16T13:38:29.028687Z</strong> 2. Please can you confirm what is meant by a "Tier-One Programme" as referenced in Q1? Tier One programme is a large programme that has the highest level of priority, profile, scope, resource, etc. Last Updated: <strong>2025-01-16T13:39:52.959343Z</strong> 3. Please find below a few questions that we have: 1. In terms of Q1 Stage 1, “Is the Authority expecting suppliers to have experience of running 20 Tier One programmes at the same time? 2. What specific Security tooling is the Authority wanting the customer to have experience of? "1) It doesn't have to be exactly 20 but we want to know they are able to commit to concurrent projects and understand the dynamic nature of projects, ie. There will be times where one project is quiet but 2 others are really busy so we need to see evidence that they understand this and are used to adapting to differing priorities which may change at short notice. 2) There are no must-haves as the suite of tools can vary depending upon requirements, but there are certain generic tools we would expect them to be aware of (Microsoft Defender suite for example) and then there will be subject-specific tools (so for anti-virus tools like Trend Micro)" Last Updated: <strong>2025-01-16T13:44:09.824057Z</strong> 4. Please could you advise us on the following four questions? 1) What is the anticipated length of the contract? 2) Are expenses chargeable (on top of day rates) if travelling to Blackpool or Manchester? 3) For Q1 in Nice to Haves, should “Experience of AI” be on its own line (ie isn’t specific to Confluence and JIRA)? 4) Do you have a specific technical field in mind in the Automation and Orchestration question? "1) Up to 2 years 2) No 3) No, we will be considering all three nice-to-have requirements in one answer (750 characters) 4) We are unsure about what this questions is asking? If its tooling we would like experience of Palo Alto XSOAR" Last Updated: <strong>2025-01-16T13:45:36.871266Z</strong> 5. Please see below our questions relating to the Adaptive Security Programme Delivery Service for clarification. 1. Will the supplier be required to provide their own membership to the CIS SecureSuite or will DWP be providing access to it? 2. Is there a view at the moment on how many years this programme is envisaged for? The documentation gives an indicative budget per annum, but doesn’t indicate how long the programme is scheduled for 3. Is there a preference for North West based resources to fulfil this commitment? "1) Any memberships will need to be paid for by the supplier, however, this may not be required. 2) No end date but it's been running for nearly 4 years and we currently have milestones well into 2026 3) Not a must-have as a lot of work can be done remotely and our digital hubs are across the UK, but the majority of the teams they would interact with are based in NW" Last Updated: <strong>2025-01-16T13:46:57.661743Z</strong> 6. Please see below our questions relating to the Adaptive Security Programme Delivery Service for clarification. 1. Will the supplier be required to provide their own membership to the CIS SecureSuite or will DWP be providing access to it? 2. Is there a view at the moment on how many years this programme is envisaged for? The documentation gives an indicative budget per annum, but doesn’t indicate how long the programme is scheduled for 3. Is there a preference for North West based resources to fulfil this commitment? "1) Any memberships will need to be paid for by the supplier, however, this may not be required. 2) No end date but it's been running for nearly 4 years and we currently have milestones well into 2026 3) Not a must-have as a lot of work can be done remotely and our digital hubs are across the UK, but the majority of the teams they would interact with are based in NW Last Updated: <strong>2025-01-16T13:47:07.007877Z</strong> 7. Could the authority please confirm if a single response is required for all essential skills, or if a response per essential skill question should be submitted (750 characters incl space). It is not 100% clear in the docs. 2. Could the authority please confirm the format the submission should be sent in? e.g. question followed by answer, or all questions numbered in the one box. 1. The response limit is 750 character max per requirement/question. 2. Please provide the question followed by the answer. Last Updated: <strong>2025-01-16T13:49:48.819792Z</strong> 8. Please may the DWP confirm if this engagement is solely for a specific resource to deliver the programme or more of a project-based partnership that can be engaged with throughout the two years? This is a service based contract, operating on a statement of work basis as and when the need arises. We may require specific resources to deliver certain milestones, and details of this will be provided before each statement of work. Last Updated: <strong>2025-01-16T13:51:06.952523Z</strong> 9. "The supplier understands the opportunity involves the build, operationalisation and adoption of the 18 CIS controls, ***We've split the following into 8 separate questions (A-H) to try and make sense of the ask here*** A) please share the scale (Infrastructure/Application/Endpoint) volumetrics of the DWP environment where this project is to be executed. - B) Will the supplier be responsible for Control implementation at all layers of defense, please clarify - C) Please indicate the proposed operating model from DWP side in terms of the involvement of DWP Security Team. Will the Security Team from DWP be involved in the control design, build and implementation apart from being governance/approving authority - D) Please indicate if ISMS model has been implemented in DWP and the controls do exist even if on a baseline level - E) Will DWP perform the Program management or the Supplier is expected to create the structure and run it - F) Please confirm the duration of the opportunity for the service - G) Is any External Audit/Review certification in scope of this opportunity, please clarify - H) Is there a preferred format of opportunity response DWP is looking for, Word or Powerpoint, please clarify" "A) Across the entire DWP estate B) DWP responsible C) DWP responsible D) Not applicable on this project. E) DWP responsible, but everyone involved will contribute F) Currently up to 2 years G) Any external auditting is not envisaged at this time but may be required on an adhoc basis. H) MS Word" Last Updated: <strong>2025-01-16T13:52:43.63181Z</strong> 10. "The supplier understands the opportunity involves the build, operationalisation and adoption of the 18 CIS controls, ***We've split the following into 8 separate questions (A-H) to try and make sense of the ask here*** A) please share the scale (Infrastructure/Application/Endpoint) volumetrics of the DWP environment where this project is to be executed. - B) Will the supplier be responsible for Control implementation at all layers of defense, please clarify - C) Please indicate the proposed operating model from DWP side in terms of the involvement of DWP Security Team. Will the Security Team from DWP be involved in the control design, build and implementation apart from being governance/approving authority - D) Please indicate if ISMS model has been implemented in DWP and the controls do exist even if on a baseline level - E) Will DWP perform the Program management or the Supplier is expected to create the structure and run it - F) Please confirm the duration of the opportunity for the service - G) Is any External Audit/Review certification in scope of this opportunity, please clarify - H) Is there a preferred format of opportunity response DWP is looking for, Word or Powerpoint, please clarify" "A) Across the entire DWP estate B) DWP responsible C) DWP responsible D) Not applicable on this project. E) DWP responsible, but everyone involved will contribute F) Currently up to 2 years G) Any external auditing is not envisaged at this time but may be required on an adhoc basis. H) MS Word" Last Updated: <strong>2025-01-16T13:52:52.255585Z</strong> 11. "The supplier understands the opportunity involves the build, operationalisation and adoption of the 18 CIS controls, ***We've split the following into 8 separate questions (A-H) to try and make sense of the ask here*** A) please share the scale (Infrastructure/Application/Endpoint) volumetrics of the DWP environment where this project is to be executed. - B) Will the supplier be responsible for Control implementation at all layers of defense, please clarify - C) Please indicate the proposed operating model from DWP side in terms of the involvement of DWP Security Team. Will the Security Team from DWP be involved in the control design, build and implementation apart from being governance/approving authority - D) Please indicate if ISMS model has been implemented in DWP and the controls do exist even if on a baseline level - E) Will DWP perform the Program management or the Supplier is expected to create the structure and run it - F) Please confirm the duration of the opportunity for the service - G) Is any External Audit/Review certification in scope of this opportunity, please clarify - H) Is there a preferred format of opportunity response DWP is looking for, Word or Powerpoint, please clarify" "A) Across the entire DWP estate B) DWP responsible C) DWP responsible D) Not applicable on this project. E) DWP responsible, but everyone involved will contribute F) Currently up to 2 years G) Any external auditing is not envisaged at this time but may be required on an adhoc basis. H) MS Word" Last Updated: <strong>2025-01-16T13:52:53.351764Z</strong> 12. Please could we submit the below questions for clarification please: Could the authority confirm 750 characters is the limit (incl. spaces) for each response within the essential skills and experience questions? Could the authority confirm what is meant by a' tier one project'? Will the awarded supplier their own CIS membership? "Yes, the response limit is 750 character max per requirement/question. Tier One programme is a large programme that has the highest level of priority, profile, scope, resource, etc. Unsure if membership will be a must-have but we will not be providing it, so if they needed it they would have to pay " Last Updated: <strong>2025-01-16T13:56:46.235247Z</strong> 13. Please can we confirm understanding of two of the clarification responses provided yesterday: The first question (broken down into different elements) requested an indication of word count for Stage 2 - the response provided was 750 characters, the same as Stage 1. Please can we confirm this is correct as we would normally expect a larger word/character count to address the stage 2 responses. For the avoidance of doubt the 750 character is for each individual question, including the bullet points? for example for the below 750 covers all points: Please provide evidence of experience in the areas defined below: Experience in Security tooling ServiceNow Confluence & Jira Knowledge Experience of AI Automation and orchestration the use of the word requirement in the response has introduced a question from our team which we would like clarify. I'd like to apologise for the confusion around the word count for Stage 2. The response limit is as follows: Stage 1 - 750 characters per question Stage 2- 750 words per Technical question 500 words Cultural Fit 500 Words Social Value Last Updated: <strong>2025-01-20T12:57:49.584806Z</strong>