Tender to Supply Defence Cyber Protection Tool

Tender to Supply Defence Cyber Protection Tool

The United Kingdom Ministry of Defence will be placing a contract to replace the current supplier cyber protection tool, which enables the MOD’s Defence Cyber Protection Partnership cyber security model.

United Kingdom-Corsham: Industry specific software package

2019/S 226-556012

Contract notice

Services

Directive 2009/81/EC

Section I: Contracting authority/entity

I.1)Name, addresses and contact point(s)

Official name: Ministry of Defence, Information Systems and Services, ISS Commercial Sourcing Team
Postal address: ISS CCT Commercial Team, Spur B2, Building 405, MOD Corsham, Westwells Road
Town: Corsham
Postal code: SN13 9NR
Country: United Kingdom
Contact person: Cheryl Harding
E-mail: isscomrcl-cct-group@mod.gov.uk
Telephone: +44 3067702034

Internet address(es):

General address of the contracting authority/entity: https://www.gov.uk/government/organisations/ministry-of-defence

Further information can be obtained from:
The above mentioned contact point(s)

Specifications and additional documents (including documents for competitive dialogue and a dynamic purchasing system) can be obtained from:
The above mentioned contact point(s)

Tenders or requests to participate must be sent to:
The above mentioned contact point(s)

I.2)Type of the contracting authority

Ministry or any other national or federal authority, including their regional or local sub-divisions

I.3)Main activity

Defence

I.4)Contract award on behalf of other contracting authorities/entities

The contracting authority is purchasing on behalf of other contracting authorities: no

Section II: Object of the contract

II.1)Description

II.1.1)Title attributed to the contract by the contracting authority:

Provision of Defence Cyber Protection (DCPP) Tool

II.1.2)Type of contract and location of works, place of delivery or of performance

Services
Service category No 13: Computer and related services
Main site or location of works, place of delivery or of performance: UNITED KINGDOM.

NUTS code UK

II.1.3)Information on framework agreement
II.1.4)Information on framework agreement

II.1.5)Short description of the contract or purchase(s):

Industry specific software package. The United Kingdom Ministry of Defence will be placing a contract to replace the current supplier cyber protection tool, which enables the MOD’s Defence Cyber Protection Partnership (DCPP) cyber security model. The tool provides both risk assessment (RA) and supplier assurance questionnaire (SAQ) functionality, ensuring the process can be flowed down the supply chain. The tool is accessed via the www.gov.uk website and must adhere to UK Government Digital Service (GDS) requirements for design. It uses GDS’ Verify online authentication tool to authenticate some of the users.

Users log in using multi-factor authentication and are taken to a dashboard showing their existing submissions and can elect to complete an RA or an SAQ. On completion of an RA, the tool calculates the cyber risk profile (N/A, very low, low, moderate or high) and advises this, together with an RA reference, to the RA author. SAQ authors respond to a specific RA using the RA reference. When flowing down, a contractor’s RA (for a sub-contract) is linked back to their original SAQ response. The combination of linked RAs and SAQs provides visibility of the supply chain, for which subcontractor names will be hidden to all except their immediate customer, and to a small number of super-users within MOD.
RA and SAQ authors also have options to save, continue and re-use questionnaires and invite collaboration, and anyone may produce a trial RA or SAQ. Only MOD users may initiate a top-level RA.
The initial requirement is for a tool, to be delivered as a managed service, consisting of a workflow and back-end database, to replicate the functionality of the current tool, in terms of the process described above. The new tool will be hosted on the MOD Cloud (see supplementary information attached to the PQQ).
Further enhancements to extend the functionality to other areas (including secure by design in product/system design and development) will be sought through the ITT process including, but not limited to, those which might offer updates on the cyber security status of particular suppliers. This is intended to be managed through a staged approach, building on the proven effective and stable operation of the baseline functionality.
This requirement is specific to MOD needs, with wider Government having an interest in the output. A commercial exploitation licence will be sought as part of the ITT to reflect this.

II.1.6)Common procurement vocabulary (CPV)

48100000

II.1.7)Information about subcontracting

II.1.8)Lots

II.1.9)Information about variants

Variants will be accepted: no
II.2)Quantity or scope of the contract

II.2.1)Total quantity or scope:

This requirement is intended to be contracted as a 3-year initial commitment, with the potential for two 1-year extension options, which can be exercised individually or collectively by the authority.
Estimated value excluding VAT:
Range: between 1 800 000 and 5 000 000 GBP

II.2.2)Information about options

Options: yes
Description of these options: This requirement will be based on a 3-year initial commitment with 2, one-year extension options for continued delivery of the core scope. The authority reserves its right to exercise each option individually (and prior to expiry of the initial 3-year term or the end of the first extension) or both options at the same time (prior to expiry of the initial 3-year term).
Provisional timetable for recourse to these options:
in months: 35 (from the award of the contract)

II.2.3)Information about renewals

This contract is subject to renewal: no
II.3)Duration of the contract or time limit for completion

Section III: Legal, economic, financial and technical information

III.1)Conditions relating to the contract

III.1.1)Deposits and guarantees required:

The authority reserves its right to request an indemnity, bank bond or guarantee if the supplier does not meet the required standard for economic and financial standing.

III.1.2)Main financing conditions and payment arrangements and/or reference to the relevant provisions governing them:

Payment follows delivery and acceptance of the services.

III.1.3)Legal form to be taken by the group of economic operators to whom the contract is to be awarded:

If a group of economic operators submits a bid, the group must nominate a lead organisation to deal with the authority. The authority shall require the group to form a legal entity before entering into the contract.

III.1.4)Other particular conditions to which the performance of the contract is subject, in particular with regard to security of supply and security of information:

A security aspects letter will apply to this requirement.
The authority reserves the right to amend any condition related to security of information to reflect any changes in national law or government policy. If any contract documents are accompanied by a security aspects letter, the authority reserves the right to amend the terms of the security aspects letter to reflect any changes in national law or government policy whether in respect of the applicable protective marking scheme, specific protective markings given, the aspects to which any protective marking applies or otherwise.
Commercial exploitation levy will apply to any resultant contract.

III.1.5)Information about security clearance:

Candidates which do not yet hold security clearance may obtain such clearance until: 30.4.2020
III.2)Conditions for participation

III.2.1)Personal situation

Criteria regarding the personal situation of economic operators (that may lead to their exclusion) including requirements relating to enrolment on professional or trade registers

Information and formalities necessary for evaluating if the requirements are met: The authority will apply all the offences listed in Article 39(1) of Directive 2009/81/EC (implemented as Regulation 23(1) of the Defence and Security Public Contract Regulations (DSPCR) 2011 in the UK) and all of the professional misconducts listed at Article 39(2) of Directive 2009/81/EC (see also Regulation 23(2) in the DSPCR 2011) to the decision of whether a candidate is eligible to be invited to tender.

A full list of the Regulation 23(1) and 23(2) criteria are at http://www.contracts.mod.uk/delta/project/reasonsForExclusion.html#dspr

Candidates will be required to sign a declaration confirming whether they do or do not have any of the listed criteria as part of the pre-qualification process.
Candidates who have been convicted of any of the offences under Article 39(1) are ineligible and will not be selected to bid, unless there are overriding requirements in the general interest (including defence and security factors) for doing so.
Candidates who are guilty of any of the offences, circumstances or misconduct under Article 39(2) may be excluded from being selected to bid at the discretion of the authority.
Standard declaration of good standing will be sought in the PQQ.

Criteria regarding the personal situation of subcontractors (that may lead to their rejection) including requirements relating to enrolment on professional or trade registers

Information and formalities necessary for evaluating if the requirements are met: N/a

III.2.2)Economic and financial ability

Criteria regarding the economic and financial standing of economic operators (that may lead to their exclusion)

Information and formalities necessary for evaluating if the requirements are met: (b) the presentation of balance-sheets or extracts from the balance-sheets, where publication of the balance-sheet is required under the law of the country in which the economic operator is established;
(c) where appropriate, a statement, covering the 3 previous financial years of the economic operator, of:
(i) the overall turnover of the business of the economic operator; and
(ii) where appropriate, the turnover in respect of the work, works, goods or services which are of a similar type to the subject matter of the contract.
Provision of at least 2 years audited accounts (if available) or equivalent information will be required as part of the pre-qualification questionnaire (PQQ) response.
Minimum level(s) of standards possibly required: The estimated annual contract value is 500 000 GBP (five hundred thousand pounds sterling). If the estimated annual contract value is greater than 40 % of the supplier’s turnover, the Authority reserves the right to exclude the supplier from being selected to tender except where the supplier provides, to the satisfaction of the authority, evidence showing it has sufficient economic and financial capability, for example such evidence may include:
1) Any additional information proving it has sufficient economic and financial resources to deliver the requirement; and
2) Stating whether the supplier is willing to provide the Authority with an indemnity, guarantee or bank bond.
A financial assessment will be undertaken on the supplier’s financial status. An overall pass/fail judgement will be made after considering areas such as turnover, profit, net assets, liquidity, gearing and capacity. This assessment will include the Parent company where applicable. An independent financial assessment obtained from a reputable credit rating organisation may be utilised as part of this process.

Criteria regarding the economic and financial standing of subcontractors (that may lead to their rejection)

Information and formalities necessary for evaluating if the requirements are met: N/a
Minimum level(s) of standards possibly required: N/a

III.2.3)Technical and/or professional capacity

Criteria regarding the technical and/or professional ability of economic operators (that may lead to their exclusion)

Information and formalities necessary for evaluating if the requirements are met:
(a) in the case of a supply contract requiring the siting or installation of goods, a services contract or a works contract, the economic operator’s technical ability, taking into account in particular that economic operator’s skills, efficiency, experience and reliability
(d) a statement of the technicians or technical services available to the economic operator to:
(i) carry out the work under the contract; or
(ii) be involved in the production of goods or the provision of services under the contract, particularly those responsible for quality control, whether or not they are independent of the economic operator.
(e) a statement of the economic operator’s:
(i) technical facilities;
(ii) measures for ensuring quality;
(iii) study and research facilities; and
(iv) internal rules regarding intellectual property.
(i) a statement of the services provider’s or contractor’s average annual number of staff and managerial staff over the previous 3 years
(j) a description of the tools, material, technical equipment, staff numbers, know-how and sources of supply (with an indication of their geographical location when it is outside the territory of the EU) available to the economic operator to perform the contract, cope with any additional needs required by the contracting authority as a result of a crisis or carry out the maintenance, modernisation or adaptation of the goods covered by the contract.
Information will be required to evaluate technical capability in response to the pre-qualification questionnaire stage
Minimum level(s) of standards possibly required
N/a

Criteria regarding the technical and/or professional ability of subcontractors (that may lead to their rejection)

Information and formalities necessary for evaluating if the requirements are met:
N/a
Minimum level(s) of standards possibly required
N/a

III.2.4)Information about reserved contracts
III.3)Conditions specific to services contracts

III.3.1)Information about a particular profession

Execution of the service is reserved to a particular profession: no

III.3.2)Staff responsible for the execution of the service

Legal persons should indicate the names and professional qualifications of the staff responsible for the execution of the service: no

Section IV: Procedure

IV.1)Type of procedure

IV.1.1)Type of procedure

Restricted

IV.1.2)Limitations on the number of operators who will be invited to tender or to participate

Envisaged minimum number 3 and maximum number 5
Objective criteria for choosing the limited number of candidates: 1) Interested suppliers are required to complete the dynamic pre-qualification questionnaire (DPQQ) to provide the authority with information to evaluate the supplier’s capacity and capability against the selection criteria.
The authority will use the DPQQ response to create a shortlist of tenderers who:
1.1) are eligible to participate;
1.2) fulfil any minimum economic, financial, professional and technical standards; and
1.3) best meet, in terms of capacity and capability, the selection criteria set out in this notice and the DPQQ.
2) Selection of applicants to progress to next stage
2.1) Evaluation of responses
Responses will be evaluated in accordance with the PQQ. The objective of the evaluation is to score applicants’ Responses to determine whether the applicant has the required capability to provide the DCPP service and can therefore proceed to the next stage of the procurement.
2.2) Subject to paragraph 3.9 below, an Applicant will be invited to participate in the next stage if the applicant:
(a) is not disqualified or excluded from participation in the procurement;
(b) successfully passes Stage 1 of the evaluation; and
(c) achieves a score in Stage 2 of the evaluation that meets the requirements set out in paragraph 3.6 and which, subject to the tiebreak provisions at paragraphs 3.10 to 3.12, is one of the top (5) scores.
2.3) The scoring methodology is described in more detail in Section 3.
2.4) Provision of information.
During the evaluation process, the authority may ask an applicant to clarify or provide more details about any part of its response. Failure to provide clarification or details as requested may affect the applicant’s evaluation. The authority may also seek independent financial and market advice in order to validate any part of an applicant’s response or any further clarifications and details provided by an applicant.
3) Scoring methodology
3.1) Stage 1: Pass/fail questions
Stage 1 is a pass/fail evaluation of the applicant’s responses to the questions set out in:
(a) Part 1 Form B (grounds for mandatory rejection);
(b) Part 1 Form C (grounds for discretionary rejection); and
(c) Part 1 Form D (economic and financial standing)
3.2) The authority will review applicants’ responses to these questions and determine whether the applicant should, in the opinion of the authority, be rejected;
3.3) Applicants who are not rejected following this evaluation will proceed to Stage 2;
3.4) Stage 2: PQQ specific questions.
In Stage 2, the authority will evaluate the applicant’s responses to specific questions in Part 1 Form E (technical and professional capability), Part 2 Form F (project specific questions) and Part 2 Form G (defence and security) and award a score of between ‘0’ and ‘5’ for those questions which operate on this basis. ‘5’ is the highest, in accordance with the scoring criteria set out in Figure 1 below:
Scoring criteria
Score description
5) The applicant’s response gives the authority high confidence that the applicant can provide the required capability because the response is of high quality and clearly describes comprehensive, relevant evidence of experience at a comparable scale, technical scope and complexity to the procurement;
4) The applicant’s response gives the authority good confidence that the applicant can provide the required capability because, with only minor exceptions, the evidence provided:
A. Is of good quality, detailed, clear and relevant to the question; and
B. Relates to examples which are of a comparable scale, technical scope or complexity to the procurement.
3) The applicant’s response gives the Authority reasonable confidence that the applicant can provide the required capability because the evidence provided:
A. Is of reasonable quality, detail, clarity and relevance to the question; but
B. Relates to examples which are of a less comparable scale, technical scope or complexity to the procurement.
1) The applicant’s response gives the authority limited confidence that the applicant can provide the required capability because the evidence provided:
A. Is of a lesser quality and/or detail, and/or is unclear and/or of limited relevance to the question; and/or
B. Relates to examples which are not comparable in scale, technical scope or complexity to the procurement.
0 The applicant fails to provide a response.
Or
The applicant’s response fails to give the authority any confidence that the Applicant can provide the required capability because the evidence provided:
A. Is of very poor quality and/or detail, and/or is incomprehensible and/or irrelevant to the question; and/or
B. Relates to examples which are of a wholly incomparable scale, technical scope or complexity to the procurement.
3.5) The score of ‘2’ is deliberately omitted from the above scale in order to clearly differentiate between applicants whose responses provide the authority’s required level of confidence (a score of ‘3’ or above) and those which do not (a score of ‘1’ or ‘0’). Responses which fail to meet the requirements for a score of ‘3’ or better will therefore score ‘1’ or ‘0’,
3.6) In order to be invited to participate further in the procurement, applicants must:
(a) not receive a score of ‘0’ for Part 1 Form E, cyber risk profile question and any question in Part 2 Form F;
(b) receive a score of ‘3’ or better for Part 1 Form E, Cyber Risk Profile question and Part 2 Form F project and technical related questions — managed service, databases and workflow capabilities question;
(c) receive a weighted score of at least 2,75 determined in accordance with paragraph 3.7 below; and
(d) subject to the tiebreak provisions in paragraphs 3.10-3.12, receive one of the top five (5) scores.
3.7) For the purpose of paragraph 3.6(c), all Applicants meeting the thresholds set out in paragraphs 3.6(a) and (b) will be awarded a weighted score. The weighted score will be determined by multiplying the score awarded for each relevant question in Part 1 Form E (Technical and Professional Capability), Part 2 Form F (Project Specific Questions) and Part 2 Form G (Defence and Security) against the weighting shown below and adding those weighted figures together.
ID question weighting
E1 cyber risk profile 25 %
F1 managed service, databases and workflow capabilities 30 %
F2 MOD cloud hosting 15 %
F3 use of verify 5 %
F4 project management and quality 20 %
G1 security of supply 2 %
G2 IPR 3 %
Total 100 %
3.8) Subject to paragraph 3.9 below, all Applicants that have not been rejected following Stage 1 evaluation and that have met the requirements specified as part of the Stage 2 evaluation in paragraph 3.6 above will be invited to participate in the next stage of the Procurement;
3.9) If the number of Applicants determined under paragraph 3.8 as qualifying to participate in the next stage of the procurement exceeds five (5), the Authority will limit the number of Applicants invited to participate to five (5). In such circumstances, the applicants invited to participate will be those awarded the highest weighted scores;
3.10) In the event that two or more applicants have the same weighted score such that the number of applicants invited to participate in the next stage of the procurement cannot be reduced to five (5) without excluding one of them, the tied applicants will be eliminated in order of the lowest combined weighted score for questions E1 and F1, until such point as the total number of applicants progressing to the next stage of the procurement is five (5);
3.11) If, despite applying the process described in paragraph 3.10, the number of tied applicants is such that the number of applicants proceeding to the next stage of the procurement still cannot be reduced to five (5), the tied Applicants shall be subject to a further elimination round, where remaining tied applicants shall be eliminated in order of the number of scores of one (1) received for any question, until such point as the total number of applicants progressing to the next stage of the procurement is five (5);
3.12) If, despite applying the process described in paragraph 8.11, the number of tied applicants is such that the number of applicants proceeding to the next stage of the procurement still cannot be reduced to five (5), all such tied applicants will be excluded from the next stage.
IV.1.3)Reduction of the number of operators during the negotiation or dialogue
IV.2)Award criteria

IV.2.1)Award criteria

The most economically advantageous tender in terms of the criteria stated in the specifications, in the invitation to tender or to negotiate or in the descriptive document

IV.2.2)Information about electronic auction

An electronic auction has been used: no
IV.3)Administrative information

IV.3.1)File reference number attributed by the contracting authority:

CCT741

IV.3.2)Previous publication(s) concerning the same contract

Prior information notice

Notice number in the OJEU: 2019/S 154-381132 of 12.8.2019

IV.3.3)Conditions for obtaining specifications and additional documents or descriptive document

Payable documents: no

IV.3.4)Time limit for receipt of tenders or requests to participate

16.12.2019 – 15:00
IV.3.5)Date of dispatch of invitations to tender or to participate to selected candidates

IV.3.6)Language(s) in which tenders or requests to participate may be drawn up

English.

Section VI: Complementary information

VI.1)Information about recurrence

This is a recurrent procurement: no

VI.2)Information about European Union funds

The contract is related to a project and/or programme financed by European Union funds: no

VI.3)Additional information:

The contracting authority considers that this contract may be suitable for economic operators that are small or medium enterprises (SMEs). However, any selection of tenderers will be based solely on the criteria set out for the procurement.The authority reserves the right to amend any condition related to security of information to reflect any changes in national law or government policy. If any contract documents are accompanied by instructions on safeguarding classified information (e.g. a Security Aspects Letter), the authority reserves the right to amend the terms of these instructions to reflect any changes in national law or government policy, whether in respect of the applicable protective marking scheme, specific protective markings given, the aspects to which any protective marking applies, or otherwise. The link below to the Gov.uk website provides information on the Government Security Classification.

https://www.gov.uk/government/publications/government-security-classifications

Advertising Regime OJEU:- This contract opportunity is published in the Official Journal of the European Union (OJEU), the MoD Defence Contracts Bulletin and www.contracts.mod.uk

Electronic Trading Potential suppliers must note the mandatory requirement for electronic trading using the Contracting, Purchasing and Finance (CP&F) electronic procurement tool. All payments for Contractor Deliverables under the contract shall only be made via CP&F. You can find details on CP&F at https://www.gov.uk/government/publications/mod-contracting-purchasing-and-finance-e-procurement-system.

The Cyber Risk Profile for this requirement identified by the Cyber Risk Assessment is Moderate, Reference will be advised at ITT release.
Indicative timescales for the procurement:
— ITT release Jan/Feb 2020,
— Contract Award April 2020.

Suppliers must read through this set of instructions and follow the process to respond to this opportunity. The information and/or documents for this opportunity are available on https://www.contracts.mod.uk/delta. You must register on this site to respond, if you are already registered you will not need to register again, simply use your existing username and password. Please note there is a password reminder link on the homepage.

Suppliers must log in, go to your Response Manager and add the following access code: W2P34A56N4. Please ensure you follow any instruction provided to you here. The deadline for submitting your response(s) is 18.12.2019 10.00. Please ensure that you allow yourself plenty of time when responding to this invite prior to the closing date and time, especially if you have been asked to upload documents.

If you experience any difficulties please refer to the online Frequently Asked Questions (FAQs) or the User Guides or contact the MOD DCO Helpdesk by emailing — support@contracts.mod.uk or call 0800 282 324.

Suppliers must read through this set of instructions and follow the process to respond to this opportunity. The information and/or documents for this opportunity are available on http://www.contracts.mod.uk. You must register on this site to respond, if you are already registered you will not need to register again, simply use your existing username and password. Please note there is a password reminder link on the homepage.

Suppliers must log in, go to your Response Manager and add the following access code: W2P34A56N4. Please ensure you follow any instruction provided to you here.
The deadline for submitting your response(s) is detailed within this contract notice, you will also have visibility of the deadline date, once you have added the access code via DCO as the opening and closing date is visible within the opportunity.
Please ensure that you allow yourself plenty of time when responding to this opportunity prior to the closing date and time, especially if you have been asked to upload documents.

If you experience any difficulties please refer to the online Frequently Asked Questions (FAQs) or the User Guides or contact the MOD DCO Helpdesk by emailing support@contracts.mod.uk or Telephone 0800 282 324.

GO Reference: GO-20191118-DCB-15578973

VI.4)Procedures for appeal

VI.4.1)Body responsible for appeal procedures

Official name: Ministry of Defence, Information Systems and Services, ISS Commercial Sourcing Team
Postal address: ISS CCT Commercial Team, Spur B2, Building 405, MOD Corsham, Westwells Road
Town: Corsham
Postal code: SN13 9NR
Country: United Kingdom
E-mail: cheryl.harding114@mod.gov.uk
Telephone: +44 3067702034
Internet address: https://www.gov.uk/government/organisations/ministry-of-defence

Body responsible for mediation procedures

Official name: Ministry of Defence, Information Systems and Services, ISS Commercial Sourcing Team
Town: Corsham
Country: United Kingdom

VI.4.2)Lodging of appeals
VI.4.3)Service from which information about the lodging of appeals may be obtained

VI.5)Date of dispatch of this notice:

17.11.2019