02 Jul 2017

United Kingdom-Moor Row: IT services: consulting, software development, Internet and support

Type of document: Invitation to tender
Country: United Kingdom
OJEU Ref: (2017/S 123-249574/EN)
Nature of contract: Service contract
Procedure: Open procedure
Regulation of procurement: EU
Type of bid required: Global bid

Contract notice
Services
Directive 2014/24/EU

Section I: Contracting authority
I.1) Name and addresses
Official name: Cyber Security and Resilience Capability Enhancement Framework
Postal address: Herdus House
Town: Moor Row
Postal code: CA24 3HU
Country: United Kingdom
Contact Person: Matt McClure
Telephone: +44 1925802061
Email: procurement.tenders@nda.gov.uk
Internet address(es):
Main address:

I.3) Communication
The procurement documents are available for unrestricted and full direct access, free of charge,at:@nda.gov.uk
Additional information can be obtained from:
the above mentioned address
Tenders or requests to participate must be submitted:
to the above mentioned address
I.4) Type of the contracting authority
National or federal agency/office
I.5) Main activity
Other activity: nuclear decommissioning

Section II: Object
II.1) Scope of the procurement
II.1.1) Title: Cyber Security and Resilience Capability Enhancement Framework.

Reference number: MM000219
II.1.2) Main CPV code: 72000000
II.1.3) Type of contract: Services
II.1.4) Short Description: NDA requires the services of one or more framework providers to support NDA, Site Licensed Companies (SLCs) and subsidiaries (the estate) to implement the Cyber Security and Resilience Programme (CSRP). Identification of specific work packages will follow on from the estate-wide Profiling and Risk Assessment activities is currently in progress. These will identify areas where additional investment or support is required. Provision of these support services is intended to facilitate effective and consistent remediation activity and provide demonstrable benefit for stakeholders.
II.1.5) Estimated total value:
Value excluding VAT: 5500000.00 Currency: GBPII.1.6) Information about lots:
The contract is divided into lots: Yes
Tenders may be submitted for all lots
Maximum number of lots that may be awarded to one tenderer 2
The contracting authority reserves the right to award contracts combining the following lots or groups of lots:Lot 1 — Incident Response and Exercises;
Lot 2 — Assurance and Governance.

II.2) Description
II.2.1) Title: Incident Response and Exercises

Lot No:1
II.2.2) Additional CPV code(s)
72000000

II.2.3) Place of performance
Nuts code:
II.2.4) Description of the procurement:
This will be a framework of 1 supplier. The estimated value per annum is 1 100 000 GBP, however, NDA provides no guarantee of committed expenditure.
This support is provided following the escalation of an event to the point where external support and forensics are required, either because of duration (the on-site / NDA estate team is expected to be exhausted after 24 hours) or because of complexity (more analysts required, specialist skills, etc.) — essentially the ‘cavalry’. Based upon experience of the resource needed during a simulated event, a support team of 10 people is estimated. It is assumed that there may be 1 event per year that might require intervention (this is an assumption only — not based on historic information), with a duration of 2 weeks.
It is further assumed that 1 of the 2 training exercises that will be run during the year, 1 of them will be at such a level that the incident response team will be required. Therefore a second 2-week duration event is expected.
Where required, the provider shall:
— Provide rapid, round-the-clock (24/7) engagement following an identified cyber incident;
— Carry out incident analysis, for example:
— Digital Forensic Analysis,
— Traffic Monitoring,
— Malware Analysis (including reverse engineering);
— Assist in minimizing and mitigating any damage caused — e.g. isolate systems, contain any infection;
— Support the client in incident recovery;
— Support the client in post incident review;
— Determine and present ‘lessons learned’.
II.2.5) Award criteria

Price is not the only award criterion and all criteria are stated only in the procurement documents

II.2.6) Estimated value:
Value excluding VAT: 4400000.00 Currency: GBP
II.2.7) Duration of the contract,framework agreement or dynamic purchasing system
Duration in months: 12
This contract is subject to renewalyes Description of renewals:The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.

II.2.9) Information about the limits on the number of candidates to be invited
II.2.10) Information about variants
Variants will be accepted: no
II.2.11) Information about options
Options: no
II.2.13) Information about European Union funds
The procurement is related to a project and/or programme financed by European Union funds:no
II.2.1) Title: Assurance and Governance

Lot No:2
II.2.2) Additional CPV code(s)
72000000

II.2.3) Place of performance
Nuts code:
II.2.4) Description of the procurement:
This will be a framework of 1 supplier. The estimated value is 4 400 000 GBP however; this expenditure may be committed in the first year or spread over the framework term. NDA provides no guarantee of committed expenditure.
Assurance
This is based upon the need for the NDA to independently assure the outcome of work carried out around the estate (including NDA HQ); to evaluate the work and ensure that it provides the level of performance expected and for which funding was provided.
It is assumed that there will be 1 system / product requiring testing per month over a 12-month period. And that a team of 3-4 people will be required to fully test a system / product over a 2-week period.
Where required, the provider shall supply:
— Independent assurance of security within information systems, such as:
o Technical vulnerability assessment,
o Penetration testing, including social engineering and red teaming;
— Assistance with the co-ordination of assurance activities;
— Development of test scenarios and metrics required to gain adequate assurance;
— Workshops to ensure assurance activities are uniform across the estate;
— Auditing of technical, personnel and physical security;
— Assurance of third party activities;
— Independent assurance of project proposals (see also benchmarking).
Governance
The aim of this work stream is for the Organisation to identify critical business assets and thereafter assess, develop, improve and embed the Organisation’s risk management and security policies for these assets.
Expected activity:
Where required, the provider shall:
— Help the organisation create or develop policy;
— Improve the organisation’s risk assessment framework;
— Hold governance workshops;
— Train personnel in governance-related practices and policies.
Resources to be provided:
Where required, the contractor shall provide:
— Technical authors;
— Trainers;
— Subject Matter Experts.
II.2.5) Award criteria

Price is not the only award criterion and all criteria are stated only in the procurement documents

II.2.6) Estimated value:
Value excluding VAT: 4400000.00 Currency: GBP
II.2.7) Duration of the contract,framework agreement or dynamic purchasing system
Duration in days: 12
This contract is subject to renewalyes Description of renewals:The contract will be placed for a period of 12 months with NDA option to extend the contract by increments of 12 months, up to a maximum contract extension of 36 months.

II.2.9) Information about the limits on the number of candidates to be invited
II.2.10) Information about variants
Variants will be accepted: no
II.2.11) Information about options
Options: no
II.2.13) Information about European Union funds
The procurement is related to a project and/or programme financed by European Union funds:no

Section III: Legal, economic, financial and technical information
III.1) Conditions for participation
III.1.1) Suitability to pursue the professional activity,including requirements relating to enrolment on professional or trade registers
List and brief description of conditions:Relevant insurances to be in place, including professional indemnity. Evidence and details must be supplied as part of your tender submission.
III.1.2) Economic and financial standing
List and brief description of selection criteria: Information and formalities necessary for evaluating if the requirements are met: Information and formalities necessary for evaluating if the requirements are met: 2 year’s audited accounts (most recent) to be provided separately to the tender document in electronic format.
III.1.3) Technical and professional ability
Selection criteria as stated in the procurement documents

Section IV: Procedure
IV.1) Description
IV.1.1) Type of procedure:
Open procedure
IV.1.3) Information about a framework agreement or a dynamic purchasing system
The procurement involves the establishment of a framework agreement
Framework agreement with several operators
Envisaged maximum number of participants to the framework agreement:2
IV.1.8) Information about the Government Procurement Agreement(GPA)
The procurement is covered by the Government Procurement Agreement: no
IV.2) Administrative information
IV.2.2) Time limit for receipt of tenders or requests to participate
Date: 2017-08-02 Local time: 12:00
IV.2.4) Languages in which tenders or requests to participate may be submitted:EN
IV.2.6) Minimum time frame during which the tender must maintain the tender
Duration in months:6(from the date stated for receipt of tender)
IV.2.7) Conditions for opening tenders
Date: 2017-08-03 Local time: 09:00

Section VI: Complementary information
VI.1) Information about recurrence:
This is a recurrent procurement: no
IV.2) Information about electronic workflows
VI.4) Procedures for review
VI.4.1) Review body
Official name: Cabinet Office
Town: London
Country: United Kingdom
VI.5) Date of dispatch of this notice:2017-06-28