Cyber Risk Programme (CRP) Client Side Support – Enterprise Patching

Type of document: Contract Notice
Country: United Kingdom

2. Awarding Authority: Ministry of Defence – Strategic Command within the MOD, GB. Web:
3. Contract type: Service contract
4. Description: The successful supplier will deliver enterprise level changes to support the transformation of the Authorities ICT patching processes. They will Co-ordinate multiple workstreams to meet Enterprise patching strategy and objectives. the supplier will deliver against the defined outcomes to support the Programme
5. CPV Code(s): 72000000, 72260000, 72212000, 72220000
6. NUTS code(s): UKI, UKI3, UKI32, UKK
7. Main site or location of works, main place of delivery or main place of performance: South West England
Address where the work will take place The work can generally be carried out by remote working but will entail travel to the main site at MoD Corsham.
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Budget range Not to exceed £3.084m Ex VAT
10. Closing date for applications 27.4.2022 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions Wednesday 20 April 2022 at 11:59pm GMT
Off-payroll (IR35) determination Contracted out service: the off-payroll rules do not apply
Latest start date Monday 20 June 2022
Expected contract length 15 months
About the work
Why the work is being done The Enterprise Patching Project looks to fill the capability gap by providing a secure Patch Acquisition and Distribution Service (PADS) that meets the evolving needs of the MOD Enterprise. Ensuring it is designed, to assist and support the system owners to implement required patches in a timely fashion. Furthermore, the project will update existing and introduce new processes, investigate technical solutions, and update policies that provide the governance for remediation and reporting of patch management across the enterprise.
Note: This advert is a rerun of the previously unfilled advert ref: 16550
Problem to be solved The successful supplier will support the CRP Programme in achieving the following:
Objective 1. Investigate, understand, and remediate where possible, technical and process issues that delay timely software patches in accordance with Defence policy requirements.
Objective 2. Drive and increase the patch compliance rate by examining patch failures and providing recommendations to remediate.
Objective 3. Deliver technical capability that provides secure patch acquisition and distribution services to meet the evolving needs of the MOD Enterprise.
Who the users are and what they need to do The CRP programme within Strategic Command are the users. Specialist support is required to sustain the current project delivery and expected increased outputs which lay predominantly at the implementation of the Enterprise Patching Strategy, providing a stable base from which Modernising Patching Project via Alpha & Beta development partners can plan and implement its scope of work
Early market engagement
Any work that’s already been done Over FY20/21 the Project received initial approval to commence. The client-side support provided has since developed the definition of the project, ran a supplier tender process, designed a high-level architecture for PADS, created target infrastructure for a patching tool in MOD Cloud ICE S01 and is currently completing the final sprints within an Alpha Development phase, the outcomes of which are forming the Statement of Requirement for the Beta phase.
Existing team The existing team consists of project managers, technical service architects, client-side technical Dev & DevOps resources, Cloud Architects, product owners, security specialists and a Security Assurance Controller. Existing governance structures are mature within CRP with the Programme Manager acting as primary delivery sponsor.
Current phase Alpha
Working arrangements The majority of the work will be carried out by remote working and will entail travel as required to deliver the project at:
a. Main site – MoD Corsham, Westwells Road, Corsham, Wiltshire, SN13 9NR
b. Additional Locations – MOD Abbey wood, Bristol, MOD Main Building, London
Where resources require access to a SECRET workstation, work will be carried out on site, at the following location:
a. MoD Corsham, Westwells Road, Corsham, Wiltshire, SN13 9NR.
Security clearance To proceed to Stage 2, suppliers must clearly demonstrate ability to receive OFFICIAL SENSITIVE materials. Proposed supplier staff must already hold SC, or be sponsored by the supplier to achieve SC. The supplier must have capability to offer staff that are DV cleared for short periods
Additional information
Additional terms and conditions Bid Responses to be submitted on the templates provided and in Microsoft Office Word format only.
Suppliers must use the Authorities Purchase to Payment Tool called CP&F or be prepared to sign up to the tool
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Extensive understanding of MOD / Major industry defensive cyber capabilities at strategic and operational levels and the interactions between them to enable a proactive cyber posture. (5%)
Experience of delivering complex projects / programmes in-line with GDS service design principles (5%)
Demonstrable experience of providing client-side support within transformation programmes. (5%)
Proven track record of working with distributed stakeholders to implement transformation across organisational structures, operational governance and information flows for large-scale complex projects. (5%)
Proven experience of running a workstream of activity, related to delivering an enterprise-level Cyber Security Operations Capability. (2.5%)
Experience of managing service integration utilising the ITIL 4 model (2.5%)
Nice-to-have skills and experience
Experience of working within Defence organisations on agile project delivery. (5%)
Have ability to think creatively and can articulate innovative ideas to solving complex business and ICT problem (5%)
Understanding of MOD Investment Approvals (JSP 655) and the creation of business cases from refined requirements. (5%)
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
How many suppliers to evaluate 7
Proposal criteria
Documented proposed approach against Statement of Requirement (SoR) , including delivery methodology, breakdown of tasks, transfer of knowledge approach, how the supplier will integrate and work collaboratively (20%)
Case study of previous experience of embedded client-side support (10%)
Onboarding and Implementation Plan, (10%)
Team structure, Including proposed FTE / Month to support delivery demand peaks and ramp down to (10%)
Evidence/confirmation that the proposed team have or can be sponsored by the supplier to achieve the relevant Security Clearances (5%)
Risk mitigation approach (5%)
Cultural fit criteria
Demonstrate action to identify and manage cyber security risks in the delivery of the contract including in the supply chain.(2.5%)
Support in-work progression to help people, including those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract.(2.5%)
Working as a team with our organisation and its stakeholders sharing knowledge in a no blame culture to enable learning From Experience.(2.5%)
Working collborativley and take responsibility for the tasks in hand and adapt quickly, in an ever changing environment to enable completion of tasks in an agile manner.(2.5%)
Payment approach Fixed price
Additional assessment methods
Evaluation weighting
Technical competence
Cultural fit

The post Cyber Risk Programme (CRP) Client Side Support – Enterprise Patching appeared first on Defence Online.

>> Click to visit source