17 Jul 2019

Security Support for New Prison IT Proposal

Type of document: Contract Notice
Country: United Kingdom

1. Title: SECURITY SUPPORT FOR NEW PRISON IT PROPOSAL
2. Awarding Authority: Ministry of Justice, GB. Web:
3. Contract type: Service contract
4. Description: Security design and assurance support for a MoJ programme to replace 20k end user devices for prison workers
5. CPV Code(s): 72210000, 72200000, 72000000
6. NUTS code(s): UKI, UKI3, UKI32
7. Main site or location of works, main place of delivery or main place of performance: Location: London
Address where the work will take place: 102 Petty France, London SW1H 9AJ
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Budget range: Bidders to suggest total cost based on requirements; a total budget of £500,000 (inc VAT) has been forecast.
We have assumed the team will be made up of at least a Security Architect, Security Consultant, and Business Analyst. The MoJ are willing to consider an alternative team make-up to provide an accurate evidence-based recommendation.
10. Closing date for applications: 29.7.2019 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions: Monday 22 July 2019 at 11:59pm GMT
Latest start date: Monday 2 September 2019
Expected contract length: 12 Months
Why the work is being done: Over FY19/20, the Ministry of Justice will be renewing and updating the enterprise technology used by over 20k prison workers at over a hundred sites. This work will deliver new hardware and a radically improved experience for users.
It is important to us that this new system is designed and implemented with effective and pragmatic security in mind, helping to ensure the protection of our data at all times. We need assistance from cyber security specialists to help our teams get the design right, help assure what is implemented, and help us implement effective operational security processes for these new systems.
Problem to be solved: We need to ensure that the new end user devices and supporting infrastructure for prison workers are designed, implemented and operated securely. We need to understand the risks of our new solution, and work with those delivering the new technology to ensure these are appropriate for our environment. It is important to us that prison workers are able to take full advantage of modern technology in a safe and secure fashion.
Who the users are and what they need to do: As the CISO I need to know that the information in the new solution is protected against applicable cyber security threats, so that I can reassure those using the solution and entrusting it with sensitive information, and implement effective through-life monitoring activities.
Early market engagement: None conducted
Any work that’s already been done: As the CISO I need to know that the information in the new solution is protected against applicable cyber security threats, so that I can reassure those using the solution and entrusting it with sensitive information, and implement effective through-life monitoring activities.
Existing team: Digital and Technology Security & Privacy Team
Current phase: Discovery
Working arrangements: On site for approximately 3 days for face-to-face meetings and clarifying needs.
Use Agile working methods.
Weekly progress report to Senior Stakeholders.
Use of online collaboration tools such as Slack and Skype for remote working.
The Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a daily basis.
Close working with colleagues and suppliers working on the new IT system.
Security clearance: Baseline Personnel Security Check (BPSS) as a minimum. See for further guidance.
Additional terms and conditions: Standard Digital Outcomes and Specialist contract and MoJ’s Travel and Subsistence policy.
Please see:

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Provide recent and demonstrable experience in advising on security designs for complex enterprise IT systems conducted in the last three years
Outline recent and demonstrable experience for providing a security assessment of a supplier and their proposed solutions to meet business needs conducted in the last three years
Outline recent and demonstrable experience for effectively communicating security risk information to decision makers, enabling them to take appropriate action, conducted in the last three years.
Outline recent and demonstrable experience of designing pragmatic security features for technology solutions based on user needs, conducted in the last three years
Outline recent and demonstrable experience in knowledge of legislation and guidance relevant to securing information in modern enterprise IT systems conducted in the last three years
Nice-to-have skills and experience
Provide recent and demonstrable experience of securing Windows 10 end user devices conducted in the last three years
Provide recent and demonstrable experience of securing O365-based solutions conducted in the last three years
Provide recent demonstrable experience of passing through standards set out in the Government Digital Services’ service assessment framework, technology code of practice and Cabinet Office spend-controls conducted in the last three years
Knowledge of relevant regulations and guidance relating to security matters in HM Prisons
How many suppliers to evaluate: 5
Proposal criteria
Describe the method you would propose to use, referencing your experience on how you would conduct research and assessment to meet our user needs and develop pragmatic security designs
Describe the method you would propose to use, referencing your experience on how you would develop and present security risks to decision makers to meet the department’s needs
Describe how you will ensure that the recommendations meet applicable legislation and general good practice in cyber security.
Describe how you would ensure that designed and implemented solutions meet the security expectations you have placed on them, both at initial deployment, and through life.
Cultural fit criteria
Recent and demonstrable experience of working in public sector or highly regulated environment.
Explain how you’ll ensure collaboration at all levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
Explain how you’ll ensure collaboration with vendors to understand how their technology aligns with our business needs.
Payment approach: Time and materials
Assessment methods: Written proposal
Evaluation weighting
Technical competence: 70%
Cultural fit: 5%
Price: 25%
TKR-2019716-EX-1110574