Provision of Defence Cyber Protection (DCPP) Tool

Descriptions

Industry specific software package. The United Kingdom Ministry of Defence will be placing a contract to replace the current supplier cyber protection tool, which enables the MOD’s Defence Cyber Protection Partnership (DCPP) cyber security model. The tool provides both risk assessment (RA) and supplier assurance questionnaire (SAQ) functionality, ensuring the process can be flowed down the supply chain. The tool is accessed via the www.gov.uk website and must adhere to UK Government Digital Service (GDS) requirements for design. It uses GDS’ Verify online authentication tool to authenticate some of the users.Users log in using multi-factor authentication and are taken to a dashboard showing their existing submissions and can elect to complete an RA or an SAQ. On completion of an RA, the tool calculates the cyber risk profile (N/A, very low, low, moderate or high) and advises this, together with an RA reference, to the RA author. SAQ authors respond to a specific RA using the RA reference. When flowing down, a contractor’s RA (for a sub-contract) is linked back to their original SAQ response. The combination of linked RAs and SAQs provides visibility of the supply chain, for which subcontractor names will be hidden to all except their immediate customer, and to a small number of super-users within MOD.RA and SAQ authors also have options to save, continue and re-use questionnaires and invite collaboration, and anyone may produce a trial RA or SAQ. Only MOD users may initiate a top-level RA.The initial requirement is for a tool, to be delivered as a managed service, consisting of a workflow and back-end database, to replicate the functionality of the current tool, in terms of the process described above. The new tool will be hosted on the MOD Cloud (see supplementary information attached to the PQQ).Further enhancements to extend the functionality to other areas (including secure by design in product/system design and development) will be sought through the ITT process including, but not limited to, those which might offer updates on the cyber security status of particular suppliers. This is intended to be managed through a staged approach, building on the proven effective and stable operation of the baseline functionality.This requirement is specific to MOD needs, with wider Government having an interest in the output. A commercial exploitation licence will be sought as part of the ITT to reflect this.