03 Dec 2018

Cyber Vulnerability Investigations as a Service (CVIaaS) – Military Air Domain

Type of document: Contract Notice
Country: United Kingdom

1. Title: CYBER VULNERABILITY INVESTIGATIONS AS A SERVICE (CVIAAS) – MILITARY AIR DOMAIN
2. Awarding Authority: Ministry of Defence, Information Systems & Services, GB. Web:
3. Contract type: Service contract
4. Description: CVI Programme services including:
Domain Cyber Vulnerability and Risk Analysis
Programme management
ToI Scoping
CVI Delivery
Specialist CVI activities which may include but are not limited to: Technical Testing, concept demonstrators, code analysis
Cross Domain information sharing, CVI good practice and lessons learned.
5. CPV Code(s): 48730000, 72212730, 72000000
6. NUTS code(s): UKK, UKK1, UKK15, UKI
7. Main site or location of works, main place of delivery or main place of performance: No specific location, e.g. they can work remotely
Address where the work will take place: The work will be carried out at a mixture of supplier and MOD locations. User and system visits are expected throughout the duration of the contract.
MOD Locations are likely to include: ISS HQ MOD Corsham, MOD Main Building, London and RAF Wyton.
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Budget range: Up to £9 million including T&S (Ex VAT) for a 12 month period across all 4 Domains. DOS competitions for Joint, Land and Maritime will follow in the coming weeks.
10. Closing date for applications 13.12.2018 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions: Thursday 6 December 2018 at 11:59pm GMT
Latest start date: Monday 18 March 2019
Expected contract length: 12 months with 1 x 3 month option to extend (pending financial approval)
Why the work is being done: The CVI Programme was established to help the MOD better understand cyber risks across all aspects of its systems. The MOD uses COTS and bespoke equipment in a unique way to achieve military effect. This work will identify the cyber risks and vulnerabilities of military platforms/systems and will ultimately help preserve MOD’s freedom of action.
MOD requires a supplier (industry partnering and subcontracting is encouraged) to deliver CVIs on a service based approach predominantly within the Air Domain. Three similar DOS Requirements will follow in the coming weeks to procure CVIs that are sponsored by Joint, Land and Maritime Domains.
Problem to be solved: A CVI is the socio-technical analysis of any military related system or platform, known as a Target of Investigation (ToI), to understand where it may be vulnerable to cyber-effects.
MOD has historically procured CVI services individually or in packages, limiting agility in response to changing operational and threat demands, and the flexibility with which suppliers can deliver. There is potential for CVI services of up to £9 million over a 12-month period across all 4 Domains. In Stage 2, as part of the assessment, shortlisted suppliers will be asked to provide a proposal for a ToI representative of this domain.
Who the users are and what they need to do: The CVI User encompasses anyone who has a role in owning, managing and mitigating cyber risks across the MOD. Through the service-based procurement of CVIs within a single Domain, there is potential for more efficient stakeholder engagement and the ability for the Military Air Domain CVI Programme Supplier to rapidly learn from experience and form an effective collaborative working relationship with the CVI Ops Cell and Domain specific stakeholders.
Early market engagement: N/A
Any work that’s already been done: CVIs have been conducted since 2014. Dstl delivered a number of CVIs to establish a methodology. The CVI Ops Cell was established within MOD in 2017 to deliver a 10 year programme of CVIs. CVI Tranches 1, 2 and 3 have been delivered in partnership with Industry. Tranche 3 of the CVI Delivery Programme has just commenced delivery.
This phase of work represents a movement away from the ‘Tranche’ based approach in order to employ a service based commercial mechanism. The term ‘CVIaaS’ will therefore replace the Tranche approach.
Existing team: There is no existing team that delivers this requirement. You will be delivering this work for and on behalf of the MOD CVI Ops Cell, established by the Cyber Joint User to lead the delivery and management of CVIs.
The user community is distributed across Defence with the core delivery leads based in Corsham, London and RAF Wyton.
Current phase: Not applicable
Working arrangements: The bulk of the work will be carried out at Supplier locations. Client meetings will likely take place in MOD Corsham, MOD Main Building, RAF Wyton and/or the main ToI user’s location.
Technical testing will be performed by agreement (GFE may be provided for testing; the movement of equipment should be minimised).
The work is expected to be carried out in the UK. Overseas work required will be addressed by exception and notified to the nominated Domain Manager at the earliest opportunity.
T&S (included in the budget) will be firm priced where possible or reimbursed in line with MOD Policy.
Security clearance: Before contract award, supplier team member(s) are required to achieve minimum SC clearance and must be UK Nationals. Some ToIs will require DV.
The Authority WILL NOT sponsor clearances, they must be in place and remain valid for the contract duration.
Additional information
Additional terms and conditions: We aim to get feedback to you within THREE weeks of the advert closing
Proposal to be submitted on the templates provided and in Microsoft Office 2016 format only
Further details will be provided at the Proposal Stage
Supplier assessment scores will reset at the beginning of the Proposal Stage
Suppliers must use the electronic procurement tool CP&F
Tasking process for the service based approach to be defined and released before contract start
IR35 information: The intermediaries legislation doesn’t apply to this engagement
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Experience of delivering Cyber Vulnerability Investigations or complex socio-technical cyber vulnerability and risk assessments
Experience of undertaking practical system security and vulnerability testing, behavioural assessments, and business analysis activities
Knowledge and experience of the capabilities and operations supporting the Military Air domain
Confirm you have access to facilities with current List-X status for the duration of the contract
Please provide your DCPP reference in response to RAR-HA8S6ZMD
Confirm that you have access to accredited IT, authorised to process OFFICIAL SENSITIVE and SECRET UKEO information for the duration of the contract
Experience of management and delivery of multiple concurrent complex cyber projects
Experience of management and delivery of projects with a diverse set of stakeholders
Experience of delivering projects where the scope and activities evolve or significantly change and where skills and experience required by delivery personnel changes throughout the life of the project
Experience of resource and workload management where a limited pool of suitably skilled and experienced resources is utilised to deliver multiple, concurrent complex socio-technical cyber vulnerability and risk assessments
SQEP required to lead and technically assure complex socio-technical cyber vulnerability and risk assessments, such that the outcomes are appropriately focused, comprehensive, accurate and reflect the latest cyber-security knowledge
Proven knowledge and experience of developing Socio-Technical and System of Systems models for cyber analysis
Proven knowledge and experience of applying human factors, behavioural and cultural assessment to cyber analysis
Proven knowledge and experience of Attack Path Analysis and how the technique is applied to cyber analysis
Proven knowledge and experience of conducting cyber war-gaming or red teaming
Proven experience in conducting cyber maturity assessments and its application to cyber analysis
Experience delivering outcome focused cyber security vulnerability and risk assessments which evolve in an iterative manner to ensure the desired outcomes are delivered
Experience of undertaking vulnerability identification and impact assessments, and generating and quantifying evidenced cyber risks for MOD’s military and business users
Experience of conducting Open Source Research and Intelligence to support and underpin cyber vulnerability risk analysis
Nice-to-have skills and experience
Ability to receive and send emails classified at OFFICIAL SENSITIVE or have an RLI/SLI connection
Expertise and experience in Cyber Security / Information Assurance, Human Factors, System Engineering and Design, Computing/IT, technical security and vulnerability testing and evaluation, practical behavioural and business analyst assessments
Experience developing cyber-risk reports which articulate and quantify risks to complex systems, ensuring the findings and outputs are cognisant of the systems context of operation, utilisation and operating environment
How suppliers will be evaluated
How many suppliers to evaluate: 3
Proposal criteria
Demonstrate how you will use your experience and suitably qualified and experienced personnel (SQEP) to deliver the example CVI (10%)
Describe your understanding of the Domain including the depth of understanding and your ability to access specialist experience and knowledge. How will this be applied to the example CVI? (10%)
Using the Pricing CVI as a guide to the smallest expected CVI, provide your firm priced offer (per code) for the CVI activities described in the pricing matrix (1%)
Provide your rate card against the provided grading levels (1%)
Using the Example CVI, identify the Activity Units you propose for the completion of the example CVI. Provide details of the personnel you will use to complete the CVI (8%)
Identify the mechanisms that you would employ to resolve issues in delivering the Military Air CVI Programme. Identify the potential challenges and associated mitigations in delivering the example CVI (4%)
Describe how you will ensure CVI Reports meet the objectives of the various stakeholders. Include how you will use the information derived from CVIs in domain analysis and reporting (6%)
Propose how you will apply technical assurance and governance to delivering the example CVI and a portfolio of CVIs. Demonstrate the TA activities that will be conducted by SQEP. (5%)
Describe your approach to delivering multiple CVIs. Describe how your team/s will be structured for the example CVI and the Military Air Domain CVI Programme (3%)
Outline your approach for accessing specialist technical/domain resources either internally or externally (including how small to medium enterprises may be engaged) (2%)
Describe your approach to scoping ToIs and developing robust scoping reports for both individual CVIs and in a broader programme context (5%)
Describe how you will access the information needed to deliver the example CVI. Propose how you would address a shortfall in this information should this be delayed and/or unavailable (5%)
Describe your activities during the example CVI, using the CVI guidance (currently v4.2) as a handrail but tailoring it to suit the requirement (5%)
Clearly describe the purpose, scope and focus of each activity, and the rationale. For each activity the response must clearly cover both socio and technical aspects of the ToI (5%)
Describe the approach, tools and techniques to be used, explaining where they will be applied, and why they are appropriate to the objectives and scope of the example CVI (5%)
For the example CVI detail the evidence collected or generated during the activity, and what aspect of the socio-technical analysis undertaken each piece of evidence is relevant to. (5%)
Where the CVI Guidance mandates a specific assessment approach and/or scoring criteria to be used please confirm your compliance. Describe how these will be applied to the example CVI (5%)
For the example CVI detail the SMEs and stakeholders required to support the proposed activities, and the nature of the support required (5%)
Describe how credibility/accuracy of information collected will be assessed, and how limitations in the information or uncertainty and inconsistencies will be accounted for during the articulation of cyber risks (5%)
Explain how the impact and likelihood risk components will be quantified, what information and analysis will justify the scores, and which CVI activities the information is generated from/during (5%)
Cultural fit criteria
Act with honesty, integrity and transparency at all times. (20%)
Work collaboratively to solve problems with stakeholders from multiple organisations, including Public Servants, military stakeholders, other contractors and vendors, to support MOD Defensive Cyber Operations. (15%)
Support the CVI Ops Cell proactively in all aspects of the CVI delivery; employing agile behaviours. (20%)
Demonstrate commitment to the MOD defensive cyber objectives and be proactive in ensuring that the Service fully supports the delivery of the operational requirement. (10%)
Exhibit a ‘can-do’ attitude, seeking resolutions rather than problems, when addressing operational and developmental issues. Use initiative to take ownership of problems and issues to ensure a successful outcome. (20%)
Prioritise operational imperative ahead of procedural constraint. (15%)
Payment approach: Fixed price
Assessment methods
Written proposal
Case study
Presentation
Evaluation weighting
Technical competence: 75%
Cultural fit: 5%
Price: 20%
TKR-20181130-EX-920309