Cyber Security and Resilience Capability Enhancement Framework
To implement the Cyber Security and Resilience Programme.
United Kingdom-Moor Row: IT services: consulting, software development, Internet and support
2017/S 123-249574
Contract notice
Services
Directive 2014/24/EU
Section I: Contracting authority
I.1)Name and addresses
Herdus House
Moor Row
CA24 3HU
United Kingdom
Contact person: Matt McClure
Telephone: +44 1925802061
E-mail: procurement.tenders@nda.gov.uk
NUTS code: UKD11
Internet address(es): Main address: https://www.gov.uk/government/organisations/nuclear-decommissioning-authority
I.3)Communication
I.4)Type of the contracting authority
I.5)Main activity
Section II: Object
II.1.1)Title:
Cyber Security and Resilience Capability Enhancement Framework.
II.1.2)Main CPV code
II.1.3)Type of contract
II.1.4)Short description:
NDA requires the services of one or more framework providers to support NDA, Site Licensed Companies (SLCs) and subsidiaries (the estate) to implement the Cyber Security and Resilience Programme (CSRP). Identification of specific work packages will follow on from the estate-wide Profiling and Risk Assessment activities, which are currently in progress. These will identify areas where additional investment or support is required. Provision of these support services is intended to facilitate effective and consistent remediation activity and provide demonstrable benefit for stakeholders.
II.1.5)Estimated total value
II.1.6)Information about lots
Lot 1 — Incident Response and Exercises;
Lot 2 — Assurance and Governance.
II.2.1)Title:
Incident Response and Exercises
II.2.2)Additional CPV code(s)
II.2.3)Place of performance
II.2.4)Description of the procurement:
This will be a framework of 1 supplier. The estimated value per annum is 1 100 000 GBP, however, NDA provides no guarantee of committed expenditure.
This support is provided following the escalation of an event to the point where external support and forensics are required, either because of duration (the on-site / NDA estate team is expected to be exhausted after 24 hours) or because of complexity (more analysts required, specialist skills, etc.) — essentially the ‘cavalry’. Based upon experience of the resource needed during a simulated event, a support team of 10 people is estimated. It is assumed that there may be 1 event per year that might require intervention (this is an assumption only — not based on historic information), with a duration of 2 weeks.
It is further assumed that, of the 2 training exercises that will be run during the year, 1 will be at such a level that the incident response team will be required. Therefore a second 2-week duration event is expected.
Where required, the provider shall:
— Provide rapid, round-the-clock (24/7) engagement following an identified cyber incident;
— Carry out incident analysis, for example:
— Digital Forensic Analysis,
— Traffic Monitoring,
— Malware Analysis (including reverse engineering);
— Assist in minimizing and mitigating any damage caused — e.g. isolate systems, contain any infection;
— Support the client in incident recovery;
— Support the client in post incident review;
— Determine and present ‘lessons learned’.
II.2.5)Award criteria
II.2.6)Estimated value
II.2.7)Duration of the contract, framework agreement or dynamic purchasing system
The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.
II.2.10)Information about variants
II.2.11)Information about options
II.2.13)Information about European Union funds
II.2.1)Title:
Assurance and Governance
II.2.2)Additional CPV code(s)
II.2.3)Place of performance
II.2.4)Description of the procurement:
This will be a framework of 1 supplier. The estimated value is 4 400 000 GBP; however, this expenditure may be committed in the first year or spread over the framework term. NDA provides no guarantee of committed expenditure.
Assurance
This is based upon the need for the NDA to independently assure the outcome of work carried out around the estate (including NDA HQ); to evaluate the work and ensure that it provides the level of performance expected and for which funding was provided.
It is assumed that there will be 1 system / product requiring testing per month over a 12-month period, and that a team of 3-4 people will be required to fully test a system / product over a 2-week period.
Where required, the provider shall supply:
— Independent assurance of security within information systems, such as:
— Technical vulnerability assessment,
— Penetration testing, including social engineering and red teaming;
— Assistance with the co-ordination of assurance activities;
— Development of test scenarios and metrics required to gain adequate assurance;
— Workshops to ensure assurance activities are uniform across the estate;
— Auditing of technical, personnel and physical security;
— Assurance of third party activities;
— Independent assurance of project proposals (see also benchmarking).
Governance
The aim of this work stream is for the Organisation to identify critical business assets and thereafter assess, develop, improve and embed the Organisation’s risk management and security policies for these assets.
Expected activity:
Where required, the provider shall:
— Help the organisation create or develop policy;
— Improve the organisation’s risk assessment framework;
— Hold governance workshops;
— Train personnel in governance-related practices and policies.
Resources to be provided:
Where required, the contractor shall provide:
— Technical authors;
— Trainers;
— Subject Matter Experts.
II.2.5)Award criteria
II.2.6)Estimated value
II.2.7)Duration of the contract, framework agreement or dynamic purchasing system
The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.
II.2.10)Information about variants
II.2.11)Information about options
II.2.13)Information about European Union funds
Section III: Legal, economic, financial and technical information
III.1.1)Suitability to pursue the professional activity, including requirements relating to enrolment on professional or trade registers
Relevant insurances to be in place, including professional indemnity. Evidence and details must be supplied as part of your tender submission.
III.1.2)Economic and financial standing
Information and formalities necessary for evaluating if the requirements are met: 2 years' audited accounts (most recent) to be provided separately to the tender document in electronic format.
III.1.3)Technical and professional ability
Section IV: Procedure
IV.1.1)Type of procedure
IV.1.3)Information about a framework agreement or a dynamic purchasing system
IV.1.8)Information about the Government Procurement Agreement (GPA)
IV.2.2)Time limit for receipt of tenders or requests to participate
IV.2.4)Languages in which tenders or requests to participate may be submitted:
IV.2.6)Minimum time frame during which the tenderer must maintain the tender
IV.2.7)Conditions for opening of tenders
Section VI: Complementary information
VI.1)Information about recurrence
VI.4.1)Review body
London
United Kingdom
VI.5)Date of dispatch of this notice: