Type of document: Contract Notice
Country: United Kingdom
1. Title: QUANTUM REPLACEMENT
2. Awarding Authority: Ministry of Justice, GB. Web:
3. Contract type: Service contract
4. Description: Update risk reviews, assess compliance with CS standards and best supplier security practice recommendations, check deployment configurations, recommending remedial actions, on-going testing processes. Focus on TTP Enterprise, EUCS Client, COPE mobile, firewall domains. Replace Accreditation with an Assurance perspective. Structure the work as component deliverables that are highly cohesive.
5. CPV Code(s): 72200000, 72210000, 72000000, 72222300
6. NUTS code(s): UKI, UKI3, UKI32
7. Main site or location of works, main place of delivery or main place of performance: Location No specific location, eg they can work remotely
Address where the work will take place Primarily at 102 Petty France London SW1H 9AJ
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Budget range Bidders to suggest total cost based on requirements, total budget of £500,000 (inc VAT) has been forecast.
We have assumed the team will be made up of at least a Security Architect, Security Consultant, and Business Analyst. The MoJ are willing to consider an alternative team make-up if a suitably strong case is made.
10. Closing date for applications 29.8.2019 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions Thursday 22 August 2019 at 11:59pm GMT
Latest start date Monday 14 October 2019
Expected contract length 12 Months
Why the work is being done The Ministry of Justice has a number of technology improvement and transition projects for online access to information and applications. An example is a programme to renew and update the underlying enterprise technology used by 20k+prison workers at 100+ sites. Other projects include the EUCS (End User Computing Solution), and migration to Cloud-based environments. A critical success factor is to ensure users have a coherent, consistent, and easy-to-use experience.
The systems must deploy and function within a security enviroment that delivers high-levels of assurance and rigour across essential characteristics such as Confidentiality, Integrity, Availability, and Identity (ID) and Access Management.
Problem to be solved The problem is how to best ensure that current, updated, and new end user devices and services, along with the supporting infrastructure, are all (re-)designed, implemented and operated securely. Challenges in solving the problem include: reviewing and understanding risks from across the IT estate; measuring, reporting, and monitoring core and critical systems; checking configurations for best-practice compliance and implementing necessary remedial mitigation; benefitting from flexible operating models such as COPE (Corporate Owned, Personally Enabled); ensuring safe and secure operation in a potentially hostile environment; and demonstrating on-going security standard assurance and compliance throughout.
Who the users are and what they need to do The users include anyone with authorisation to access information or services that are available within the MoJ IT Estate.
Of particular importance are key stakeholders: the CISO (Chief Information Security Officer), the SSA (Senior Security Advisor), and the DPO (Data Protection Officer). Each needs to see current and on-going evidence that data and services are protected against applicable passive and active cyber security threats, so that they can provide all users and other stakeholders with confidence that the MOJ technology and information infrastructure can be trusted for effective and safe access and handling of sensitive material.
Early market engagement None conducted.
Any work that’s already been done Previous solutions were accredited using the legacy HMG IS1/2 approach. The existing Security and Privacy team have performed initial assessments as part of the task, and are looking to expand and enhance the delivery.
Existing team Digital and Technology Security & Privacy Team
Current phase Discovery
Working arrangements Following Agile methodology.
Working on site / remote, but assuming remote as default.
Use of standard on-line collaboration tools Slack, Hangouts, Skype, Google G-Suite or Office 365. Report deliverables can also use PDF.
Supplier to use their own equipment; MoJ equipment to be provided on an exceptional, case-by-case basis.
Access to the Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a daily basis.
Access to SMEs for insights and environment-specific details, by arrangement.
Access to colleagues and suppliers working on other (new) IT systems, by arrangement.
Security clearance Baseline Personnel Security Check (BPSS) as a minimum. See for further guidance.
Additional terms and conditions Standard Digital Outcomes and Specialist contract and MoJ’s Travel and Subsistence policy.
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Evidence of recent, demonstrable, and successful experience in advising on security designs for complex enterprise IT systems, conducted in the last three years.
Evidence of recent, demonstrable and successful experience in providing security assessment(s) of a supplier, and their proposed solutions, meeting business needs, conducted in the last three years.
Evidence of recent, demonstrable, effective, and successful experience communicating security risk information to decision makers, enabling them to take appropriate action with positive outcomes, conducted in the last three years.
Evidence of recent, demonstrable and successful experience designing successful and pragmatic security features for compliant technology solutions based on user and organisational (business) needs, conducted in the last three years.
Evidence of recent, demonstrable and successful identification and application of legislation and guidance to secure information in a compliant form, within modern enterprise IT systems, in the last three years.
Nice-to-have skills and experience
Evidence of successfully securing Windows 10 end user devices at an Enterprise scale, in the last three years.
Evidence of successfully securing O365-based solutions, at an Enterprise scale, in the last three years.
Evidence of successfully following, implementing and assessing offerings to standards set-out in the GDS Service Assessment Framework, technology code of practice and Cabinet Office spend-controls, in the last-three years.
Knowledge of relevant regulations and guidance relating to security matters in HM Prisons.
Evidence of successfully securing mobile (‘phone) devices at an Enterprise scale, in the last three years.
How many suppliers to evaluate 5
Describe the method you would propose to use, referencing your experience on how you would conduct research and assessment to meet our user needs and develop pragmatic security designs.
Describe the method you would propose to use, referencing your experience on how you would develop and present security risks to decision makers. to meet the department’s needs successfully.
Describe how you will ensure that the recommendations meet applicable legislation, standards, and best practices in cyber security.
Describe how you would ensure that designed and implemented solutions meet the security expectations placed on them, both at initial deployment, and through life.
Cultural fit criteria
Show how you have worked successfully and effectively in the public sector or a highly regulated environment.
Explain how you’ll ensure collaboration at all levels of the project and programme delivery between users, team members and management. Give examples of where you have successfully applied this approach.
Explain how you’ll ensure productive and successful collaboration with suppliers to understand how their technology aligns with MOJ business needs, and to ensure the technology addresses those needs.
Payment approach Capped time and materials