05 Dec 2018

The Provision of Technical Support to Assess the Adequacy of Cyber Security and Information Arrangements

Type of document: Contract Notice
Country: United Kingdom

2. Awarding Authority: Office for Nuclear Regulation, GB. Web: www.onr.org.uk/ (Gary Owens)
3. Contract type: Service contract
4. Description: Regulation of the Civil Nuclear Industry’s Supply Chain, and specifically holders of Sensitive Nuclear Information (SNI) outside of nuclear facilities, falls under Regulation 22 of the Nuclear Industries Security Regulations (NISR) 2003. With approximately 350 registered dutyholders, it is not practical or sustainable for the awarding authority to conduct inspections across the entire community, and thus a targeted and sampling approach is adopted, based upon available regulatory intelligence.
Unlike licensed nuclear facilities, Regulation 22 dutyholders have no legal duty to evidence their security plans, and the awarding authority has no duty to approve them. The awarding authority does have a duty to ensure compliance with Regulation 22; however, it is not the only party conducting assurance activities in this area. Regulation 22 dutyholders are also subject to assurance by their respective Contracting Authorities, who are themselves regulated by the awarding authority in respect of their supply chain arrangements. Evidence has demonstrated that standards often vary given the diverse nature of contractors. Therefore, notwithstanding the assurance regime delivered by Contracting Authorities, direct regulatory sampling interventions are an essential element of the regulatory regime delivered by the awarding authority.
Following the introduction of the Security Assessment Principles (SyAPs) and the move to outcome-focused regulation, the awarding authority took the opportunity to revise the methodology and approach to Regulation 22 dutyholders. In order to support this process, ONR, supported by specialist contractors, defined a risk-based, SyAPs-aligned regulatory methodology and conducted assessments under that methodology to determine the adequacy of cyber security and information assurance arrangements across selected dutyholders.
In order for a dutyholder to demonstrate evidence of effective arrangements in this area, and noting that SNI always accompanies a Government Security Classification (GSC), ONR considers the expectations and requirements articulated within the HMG Security Policy Framework (SPF) to be relevant good practice. As such ONR have directly mapped 5 of the 10 Fundamental Security Principles (FSyP) from the SyAPs to HMG SPF in order to provide a framework for dutyholders to evidence their arrangements and for inspectors to make judgements on their adequacy. It is these 5 FSyPs (1, 2, 3, 7 and 8) which form the basis of the revised methodology:
5. CPV Code(s): 71356300, 79419000
6. NUTS code(s): UKD, UKD7, UKD72
7. Main site or location of works, main place of delivery or main place of performance: North West (England), Merseyside, Liverpool.
8. Reference attributed by awarding authority: ONR/T383
9. Estimated value of requirement: Not provided.
10. Date documents can be requested until 11.1.2019 (13:00:00).
11. Address to which they must be sent: For further information on the above contract please visit Web:
12. Other information: OJEU Notice : 2018/S 233-533675
Process : OJEU