Cyber Security and Resilience Capability Enhancement Framework

Cyber Security and Resilience Capability Enhancement Framework
Herdus House
Moor Row
CA24 3HU
United Kingdom
Contact person: Matt McClure
Telephone: +44 1925802061
E-mail: procurement.tenders@nda.gov.uk
NUTS code: UKD11

Internet address(es):Main address: https://www.gov.uk/government/organisations/nuclear-decommissioning-authority

The procurement documents are available for unrestricted and full direct access, free of charge, at: http://procurement.tenders@nda.gov.uk

Additional information can be obtained from the abovementioned address

Tenders or requests to participate must be submitted to the abovementioned address

National or federal agency/office

Other activity: nuclear decommissioning

Cyber Security and Resilience Capability Enhancement Framework.

Reference number: MM000219

Services

NDA requires the services of one or more framework providers to support NDA, Site Licensed Companies (SLCs) and subsidiaries (the estate) to implement the Cyber Security and Resilience Programme (CSRP). Identification of specific work packages will follow on from the estate-wide Profiling and Risk Assessment activities is currently in progress. These will identify areas where additional investment or support is required. Provision of these support services is intended to facilitate effective and consistent remediation activity and provide demonstrable benefit for stakeholders.

Value excluding VAT: 5 500 000.00 GBP

This contract is divided into lots: yes

Tenders may be submitted for all lots

Maximum number of lots that may be awarded to one tenderer: 2

The contracting authority reserves the right to award contracts combining the following lots or groups of lots:

Lot 1 — Incident Response and Exercises;

Lot 2 — Assurance and Governance.

Incident Response and Exercises

Lot No: 1

NUTS code: UK

This will be a framework of 1 supplier. The estimated value per annum is 1 100 000 GBP, however, NDA provides no guarantee of committed expenditure.

This support is provided following the escalation of an event to the point where external support and forensics are required, either because of duration (the on-site / NDA estate team is expected to be exhausted after 24 hours) or because of complexity (more analysts required, specialist skills, etc.) — essentially the ‘cavalry’. Based upon experience of the resource needed during a simulated event, a support team of 10 people is estimated. It is assumed that there may be 1 event per year that might require intervention (this is an assumption only — not based on historic information), with a duration of 2 weeks.

It is further assumed that 1 of the 2 training exercises that will be run during the year, 1 of them will be at such a level that the incident response team will be required. Therefore a second 2-week duration event is expected.

Where required, the provider shall:

— Provide rapid, round-the-clock (24/7) engagement following an identified cyber incident;

— Carry out incident analysis, for example:

— Digital Forensic Analysis,

— Traffic Monitoring,

— Malware Analysis (including reverse engineering);

— Assist in minimizing and mitigating any damage caused — e.g. isolate systems, contain any infection;

— Support the client in incident recovery;

— Support the client in post incident review;

— Determine and present ‘lessons learned’.

Price is not the only award criterion and all criteria are stated only in the procurement documents

Value excluding VAT: 4 400 000.00 GBP

Duration in months: 12

This contract is subject to renewal: yes

Description of renewals:

The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.

Variants will be accepted: no

Options: no

The procurement is related to a project and/or programme financed by European Union funds: no

Assurance and Governance

Lot No: 2

NUTS code: UK

This will be a framework of 1 supplier. The estimated value is 4 400 000 GBP however; this expenditure may be committed in the first year or spread over the framework term. NDA provides no guarantee of committed expenditure.

Assurance

This is based upon the need for the NDA to independently assure the outcome of work carried out around the estate (including NDA HQ); to evaluate the work and ensure that it provides the level of performance expected and for which funding was provided.

It is assumed that there will be 1 system / product requiring testing per month over a 12-month period. And that a team of 3-4 people will be required to fully test a system / product over a 2-week period.

Where required, the provider shall supply:

— Independent assurance of security within information systems, such as:

o Technical vulnerability assessment,

o Penetration testing, including social engineering and red teaming;

— Assistance with the co-ordination of assurance activities;

— Development of test scenarios and metrics required to gain adequate assurance;

— Workshops to ensure assurance activities are uniform across the estate;

— Auditing of technical, personnel and physical security;

— Assurance of third party activities;

— Independent assurance of project proposals (see also benchmarking).

Governance

The aim of this work stream is for the Organisation to identify critical business assets and thereafter assess, develop, improve and embed the Organisation’s risk management and security policies for these assets.

Expected activity:

Where required, the provider shall:

— Help the organisation create or develop policy;

— Improve the organisation’s risk assessment framework;

— Hold governance workshops;

— Train personnel in governance-related practices and policies.

Resources to be provided:

Where required, the contractor shall provide:

— Technical authors;

— Trainers;

— Subject Matter Experts.

Price is not the only award criterion and all criteria are stated only in the procurement documents

Value excluding VAT: 4 400 000.00 GBP

Duration in days: 12

This contract is subject to renewal: yes

Description of renewals:

The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.

Variants will be accepted: no

Options: no

The procurement is related to a project and/or programme financed by European Union funds: no

List and brief description of conditions:

Relevant insurances to be in place, including professional indemnity. Evidence and details must be supplied as part of your tender submission.

List and brief description of selection criteria:

Information and formalities necessary for evaluating if the requirements are met: Information and formalities necessary for evaluating if the requirements are met: 2 year’s audited accounts (most recent) to be provided separately to the tender document in electronic format.

Selection criteria as stated in the procurement documents

Open procedure

The procurement involves the establishment of a framework agreement

Framework agreement with several operators

Envisaged maximum number of participants to the framework agreement: 2

The procurement is covered by the Government Procurement Agreement: no

Date: 02/08/2017

Local time: 12:00

English

Duration in months: 6 (from the date stated for receipt of tender)

Date: 03/08/2017

Local time: 09:00

This is a recurrent procurement: no

Cabinet Office
London
United Kingdom

28/06/2017