Provision of Security Architecture Compliance (SAC)
Type of document: Contract Notice
Country: United Kingdom
1. Title: PROVISION OF SECURITY ARCHITECTURE COMPLIANCE (SAC)
2. Awarding Authority: Information Application Services (IAS) Army Headquarters, GB. Web:
3. Contract type: Service contract
4. Description: Provision of a cost effective, flexible security architecture compliance service that ensures policy compliance and can meet the demands of IAS’s requirements to support and maintain the current applications services and also provide security architecture compliance services for new requirements that are technology agnostic.
5. CPV Code(s): 72000000, 72260000
6. NUTS code(s): UKJ, UKJ3, UKJ36
7. Main site or location of works, main place of delivery or main place of performance: Location South East England
Address where the work will take place The place of delivery for the contract shall be at such location(s) as agreed between the outcomes supplier and the Authority. The primary location for IAS is Andover, Hampshire.
8. Reference attributed by awarding authority: DInfoCom/0067
9. Estimated value of requirement: Not provided.
10. Closing date for applications 16.5.2019 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions Thursday 9 May 2019 at 11:59pm GMT
Latest start date Monday 1 July 2019
Expected contract length 2 years
Why the work is being done IAS is an internal software house that provides hosting and through life application-based Information Services to meet the demands of the Army and wider Defence. There is a requirement to provide security architecture, compliance and information assurance services to ensure all IAS services are coherent with policy. It delivers hosting capability across 3 domains and currently supplies 69 services supporting enterprise resource planning, HR, finance, logistics and asset management.
IAS utilises DevSecOps to deliver applications through a fully automated delivery pipeline to the production environment, using Oracle and Microsoft production platforms on the Army Hosting Environment and Joint Server Farm.
Problem to be solved Provision of a cost effective, flexible security architecture compliance service that ensures policy compliance and can meet the demands of IAS’s requirements to support and maintain the current applications services and also provide security architecture compliance services for new requirements that are technology agnostic.
Who the users are and what they need to do The users of applications are regulars, reserves, civil servants and contractors across the Army and wider Defence. The users are required to log on to the Ministry of Defence Network and browse to the appropriate URL. Access is granted via single sign on.
The users need compliant, secure, highly performant and available application services to provide information in the right context to undertake their business functions to enable the day-to-day operation of the British Army and wider Defence.
Existing team The existing team consists of various parties to support the full software development lifecycle. This includes areas such as infrastructure support, support to ops, in-service management, programme management and service transition. These areas are provided by a combination of military personnel, civil servants and personnel from other suppliers.
Current phase Live
Working arrangements The supplier will deliver within MoD and IAS standards, policies and processes predominantly in the form of: National Cyber Security Centre advice and guidance, JSP440 (security), JSP604 (joining rules) to gain accreditation, and compliance with Government data guidance policy and legislation regarding information assurance. The technical security assurance requires risk assessment, management and audit capabilities.
Expenses are only to be incurred with the prior agreement of the Authority. All claims are to be in line with MoD Civil Servant rates and or practices.
Security clearance Security Clearance (SC) will be required for the duration of the role. Incumbents are to follow both the letter and spirit of Army Headquarters security regulations.
Additional terms and conditions DEFCON 5J (Edn 18/11/16) Unique Identifiers
DEFCON 76 (Edn 12/06) Contractors on site
DEFCON 129J (Edn 18/11/16) Electronic business Delivery Form
DEFCON 513 (Edn 11/16) Value Added Tax
DEFCON 516 (Edn 04/12) Equality
DEFCON 518 (Edn 02/17) Transfer
DEFCON 531 (Edn 11/14) Disclosure of Information
DEFCON 534 (Edn 06/17) Subcontracting and Prompt Payment
DEFCON 537 (Edn 06/02) Rights of Third Parties
DEFCON 550 (Edn 02/14) Child Labour and Employment Law
DEFCON 566 (Edn 12/18) Change of control of contractor
DEFCON 642 (Edn 06/14) Progress meetings
DEFCON 658 (Edn 10/17) Cyber
DEFCON 694 (Edn 07/18) Accounting for Property of the Authority
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Proven strong security background with a focus on ICT security complemented by familiarity with general security policy.
Demonstrable experience within the last 3-years of the provision of advice and guidance to a Security Assurance Co-ordinator (SAC) as defined in relevant security policy frameworks.
Demonstrable experience within the last 3-years of managing the security aspects of the transition of projects into a live environment.
Demonstrable experience within the last 3-years of assurance of project security plans and products, such as Security Risk Assessments and Risk Management Accreditation Document Set (RMADS).
Demonstrable experience within the last 3-years of co-ordinating with project stakeholders to ensure a common understanding of security requirements, security risk and countermeasures in support of security assurance and approvals.
Demonstrable experience within the last 3-years of producing security strategies, policies and supporting documentation
Demonstrable experience within the last 3-years of security compliance auditing
Proven recent and demonstrable skills covering Security Management; Governance, Risk and Compliance; Information Risk Assurance; Architecture, Network and Application Security; Incident Response and Forensic Investigation and Business Continuity Management.
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to ccoping threat and vulnerability assessments
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to conducting technical risk assessments.
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to vulneralbility / penetration testing planning.
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to control deficiencies.
Proven recent and demonstrable experience of providing Information Security assessments including identification of gaps, formulating recommendations on remediation relating to effectively communicating results of assessment findings, rational and recommendations.
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to Cabinet Office IAMM return construction / reviews.
Proven recent and demonstrable experience of providing Information Security assessments including the identification of gaps and formulating recommendations on remediation relating to Data Protection compliance reviews.
Demonstrable experience within the last 3-years of working in a matrix environment and clear evidence of ability to interact with other practice disciplines.
Demonstrable experience within the last 3-years of strong written and spoken communication skills supported by strong presentation skills.
Proven recent and demonstrable experience of delivering security compliance services into an Agile /DevSecOps organisation.
Nice-to-have skills and experience
Experience of working within MoD-specific security architecture, compliance and information assurance services.
Professional designation such as an accounting designation or Information Security certification such as CISSP, CISA or CISM that establish credibility and capability in the Information Security market.
ISO27001 Lead Auditor.
CESG Certified Professional (CCP) (Security and Information Risk Advisor, at Practitioner level).
How many suppliers to evaluate 4
Say how you will meet the buyer’s requirements. (4%)
Approach and methodology to meeting the requirements outlined in RFP. (4%)
Approach for transition of service, running and knowledge transfer. (4%)
Give examples of KPIs and SLAs that you would be prepared to commit to for this contract. (2%)
Provided an exit plan for the transition to an alternative supplier at the end of the contract and enabled the transition. (2%)
Provide evidence of skills/experience of team who’ll be doing the work and how they’ll work together. List roles, responsibilities and the number of people for each role/stage of work. (10%)
Provide team structure, CVs and relevant experience of the team who could be part of the service. (8%)
Provide two referenceable client-focussed case studies where your company have provided the desired service capability. (4%)
Ability to mobilise the team quickly and approach to service continuity. (3%)
Explain how you plan to retain key resources/ skills for the duration of the contract and how you can commit to meet IAS’s continuous need for development activities. (3%)
Ability to scale up and down resources, whilst ensuring quality and consistency. (2%)
How the proposal will optimise costs, and generate savings. In particular minimising transition costs between the current team and the new supplier. (2%)
Identification of the risks and dependencies associated with this requirement and potential mitigation. (2%)
Cultural fit criteria
Recent proven experience in working with the product owner to ensure compliance. (1%)
Recent proven experience of an open and collaborative working relationship at all levels with excellent communication and co-ordination skills when conducting team meetings, presentation and demonstrations. (2%)
Has a no-blame culture and encourages people to learn from their mistakes, working as “one team”. (2%)
Suppliers must demonstrate an ability and willingness to work collaboratively within a multi-vendor delivery environment. (2%)
Able to communicate effectively with all members of IAS and solve issues amongst complex integrations. (2%)
Proven ability to added value to IAS through the use of innovation, continuous improvement and cost savings utilising technology. (1%)
Payment approach Capped time and materials