Host, manage, maintain and running of The National Security Vetting System

Concepts

• industry specific
• nsvs
• running of the existing nsvs system
• running of the national security vetting system
• critical security system
• significant component of this legacy system
• nsvs system
• cabinet office's uk security vetting
• new vetting system
• agency's national security vetting system

Location

LONDON

Description

This Voluntary Ex Ante Transparency (VEAT) notice relates to the provisions of services to host, manage, maintain and run Cabinet Office's UK Security Vetting (UKSV) Agency's National Security Vetting System (NSVS). This is a direct award for the services provided by the incumbent in the running of the existing NSVS system, which is a critical security system used by HMG and a significant component of this legacy system's IP is owned by the incumbent. The NSVS system sits in a highly secured accredited environment. This legacy system is about 10 years old and is in need of transformation. The transformation programme to develop a new vetting system is separately being looked at by UKSV.

Total Quantity or Scope

This Voluntary Ex Ante Transparency (VEAT) notice relates to the provisions of services to host, manage, maintain and run Cabinet Office's UK Security Vetting (UKSV) Agency's National Security Vetting System (NSVS). This is a direct award for the services provided by the incumbent in the running of the existing NSVS system, which is a critical security system used by HMG and a significant component of this legacy system's Intellectual Property (IP) is owned by the incumbent. The NSVS system sits in a highly secured accredited environment. … NSVS is faced by highly sophisticated attacks conducted by nation-states with near-limitless resources. A complex set of specific requirements are needed to help keep NSVS (and more importantly the vetting data that it holds) safe and secure, which are being developed as part of the planning for a replacement system and service. The current system is held in a high trust environment in the MoD estate, accredited to a set of standards set by the UK Government's National Technical Authorities including the National Cyber Security Centre and the National Protective Security Authority (NPSA, formerly CPNI). The system is subject to monitoring and access control procedures that are conducted by the MoD, tailored to the configuration of the NSVS system and platform. The National Security Vetting System (NSVS) was built by the incumbent, who was consequently awarded the contract to host, manage, maintain and run NSVS. Built around its predecessor, NSVS was launched into service in 2015. The current contract includes the NSVS service provision and management approach, underpinned by their delivery model below. The NSVS service comprises the following features: ● Service governance; ● In service management; ● Service desk; ● Information Technology Infrastructure Library (ITIL shared services); ● Data centres; ● Hosting services and event management; ● Security Operations Centre monitoring; ● Application management; ● Management of change. In addition, the new contract provides enhanced performance management and reporting, clear exit obligations and a value for money commercial model. These new provisions will mean that the UKSV transformation programme can open up options for a long-term replacement solution for NSVS.

Award Detail

CPV Codes

• 72212100 - Industry specific software development services
• 72212170 - Compliance software development services

Indicators

Legal Justification

NSVS is the only IT platform available to process requests for national security vetting that meets the requirements of both UKSV and its customers. UKSV is an important apparatus protecting the UK from attack by ensuring that suitably qualified people are appropriately vetted during the appointment process. A surge in demand caused by the war in Ukraine and a backlog due to Covid-19 placed increased pressure on the system which has delayed any meaningful transformation work. Cabinet Office has resumed work on transformation but it is not practically possible for a replacement system for NSVS, supplied by an economic operator other than the incumbent, to be procured and operational in time for the expiry of the current contract in February 2024 because: • there are no suitable commercial off the shelf products available that would support a quick re-procurement exercise; • replacing the incumbent with another supplier would mean replicating a very specific set of security controls and building a new environment to manage that complexity, which cannot be done before February 2024; and • The incumbent owns essential intellectual property that interfaces with another supplier's software and systems. Any new supplier would need to build a similar interface solution to connect to multiple sources and translate data into suitable formats for the rest of the system to process which would require a considerable length of time.