Type of document: Contract Awards
Country: United Kingdom
OJEU Ref: (2017/S 163-336652/EN)
Nature of contract: Service contract
Procedure: Open procedure
Regulation of procurement: EU
Type of bid required: Not applicable
Contract award notice
Services
Directive 2014/24/EU
Section I: Contracting authority
I.1) Name and addresses
Official name: Cyber Security & Resilience Capability Enhancement Framework
Postal address: Herdus House
Town: Moor Row
Postal code: CA24 3HU
Country: United Kingdom
Contact Person: Matt McClure
Telephone: +44 1925802061
Email: procurement.tenders@nda.gov.uk
Internet address(es):
Main address:
I.4) Type of the contracting authority
National or federal agency/office
I.5) Main activity
Other activity: nuclear decommissioning
Section II: Object
II.1) Scope of the procurement
II.1.1) Title: Cyber Security & Resilience Capability Enhancement Framework.
Reference number: MM000219
II.1.2) Main CPV code: 72000000
II.1.3) Type of contract Services
II.1.4) Short Description: NDA requires the services of one or more framework providers to support NDA, Site Licensed Companies (SLCs) and subsidiaries (the estate) to implement the Cyber Security and Resilience Programme (CSRP). Identification of specific work packages will follow on from the estate-wide Profiling and Risk Assessment activities is currently in progress. These will identify areas where additional investment or support is required. Provision of these support services is intended to facilitate effective and consistent remediation activity and provide demonstrable benefit for stakeholders.
II.1.6) Information about lots:
The contract is divided into lots: yes
II.1.7) Total value of the procurement(excluding VAT)
II.2) Description
II.2.1) Title: Incident Response & Exercises
Lot No:1
II.2.2)Additional CPV code(s)
Main CPV code: 72000000
II.2.3) Place of performance
Nuts code:
II.2.4) Description of the procurement
This will be a framework of one supplier. The estimated value per annum is 1 100 000 GBP however; NDA provides no guarantee of committed expenditure.
This support is provided following the escalation of an event to the point where external support and forensics are required, either because of duration (the on-site/ NDA estate team is expected to be exhausted after 24 hours) or because of complexity (more analysts required, specialist skills, etc.) — essentially the ‘cavalry’. Based upon experience of the resource needed during a simulated event, a support team of ten people is estimated. It is assumed that there may be one event per year that might require intervention (this is an assumption only — not based on historic information), with a duration of two weeks.
It is further assumed that one of the two training exercises that will be run during the year, one of them will be at such a level that the incident response team will be required. Therefore a second two week duration event is expected.
Where required, the provider shall:
— Provide rapid, round-the-clock (24/7) engagement following an identified cyber incident
— Carry out incident analysis, for example:
— Digital Forensic Analysis
— Traffic Monitoring
— Malware Analysis (including reverse engineering)
— Assist in minimizing and mitigating any damage caused — eg isolate systems, contain any infection
— Support the client in incident recovery
— Support the client in post incident review
— Determine and present ‘lessons learned’.
II.2.5)Award criteria
II.2.11) Information about options
Options no
II.2.13) Information about European Union funds
The procurement is related to a project and/or programme financed by European Union funds: no
II.2.1) Title: Assurance and Governance
Lot No:2
II.2.2)Additional CPV code(s)
Main CPV code: 72000000
II.2.3) Place of performance
Nuts code:
II.2.4) Description of the procurement
This will be a framework of one supplier. The estimated value is 4 400 000 GBP however; this expenditure may be committed in the first year or spread over the framework term. NDA provides no guarantee of committed expenditure.
Assurance
This is based upon the need for the NDA to independently assure the outcome of work carried out around the estate (including NDA HQ); to evaluate the work and ensure that it provides the level of performance expected and for which funding was provided.
It is assumed that there will be one system / product requiring testing per month over a 12 month period. And that a team of 3-4 people will be required to fully test a system / product over a two week period.
Where required, the provider shall supply:
— Independent assurance of security within information systems, such as:
o Technical vulnerability assessment
o Penetration testing, including social engineering and red teaming
— Assistance with the co-ordination of assurance activities
— Development of test scenarios and metrics required to gain adequate assurance
— Workshops to ensure assurance activities are uniform across the estate
— Auditing of technical, personnel and physical security
— Assurance of third party activities
— Independent assurance of project proposals (see also benchmarking)
Governance
The aim of this work stream is for the Organisation to identify critical business assets and thereafter assess, develop, improve and embed the Organisation’s risk management and security policies for these assets.
Expected activity:
Where required, the provider shall:
— Help the organisation create or develop policy
— Improve the organisation’s risk assessment framework
— Hold governance workshops
— Train personnel in governance-related practices and policies
Resources to be provided:
Where required, the contractor shall provide:
— Technical authors
— Trainers
— Subject Matter Experts.
II.2.5)Award criteria
II.2.11) Information about options
Options no
II.2.13) Information about European Union funds
The procurement is related to a project and/or programme financed by European Union funds: no
Section IV: Procedure
IV.1) Description
IV.1.1) Type of procedure
Open procedure
IV.1.3) Information about a framework agreement or a dynamic purchasing system
The procurement involves the establishment of a framework agreement
IV.1.8) Information about the Government Procurement Agreement(GPA)
The procurement is covered by the Government Procurement Agreement: no
IV.2) Administrative information
IV.2.1) Previous publication concerning this procedure
Notice number in the OJ S:2017/S 123-249574
Section V: Award of contract
Lot No: 1
Title: Incident Response & Exercises
A contract/lot is awarded no
V.1) Information on non-award
The contract/lot is not awarded
Other reasons(discontinuation of procedure)
Contract No: 2
Lot No: 2
Title: Assurance & Governance
A contract/lot is awarded no
V.1) Information on non-award
The contract/lot is not awarded
Other reasons(discontinuation of procedure)
Section VI: Complementary information
VI.4) Procedures for review
VI.4.1) Review body
Official name: Cabinet Office
Town: London
Country: United Kingdom
VI.5) Date of dispatch of this notice:
2017-08-25
