Only invited sellers can apply for an 'Open to one' or 'Open to selected' opportunity.

Learn more about Open to selected opportunities.

Sign in to continue

Australian Cyber Security Centre - Australian Signals Directorate

Stakeholder Mapping and Cultural Change Services

Important dates

Opportunity ID
Deadline for asking questions
Thursday 31 May 2018 at 6PM (in Canberra)
Closing date for applications
Monday 11 June 2018 at 6PM (in Canberra)
Thursday 24 May 2018


Write a summary of your brief

The Australian Cyber Security Centre, an Australian Signals Directorate organisation, is seeking expert stakeholder mapping and cultural change services to ensure our structures and engagement approach is optimised for maximum impact.

What is the latest start date?
How long is the contract?

12 months to 30 June 2019. The services must be delivered within 2-4 months after commencement date.

Where can the work take place?
Australian Capital Territory
Who will the specialist work for?
Australian Cyber Security Centre - Australian Signals Directorate
Budget range

$350,000 to $600,000 (inc GST)

About the work

Why is the work being done?

The Australian Cyber Security Centre (ACSC) is an important Australian Government initiative to ensure that Australian networks are amongst the hardest in the world to compromise.

The ACSC brings together existing cyber security capabilities from across the Australian Government into a single location. Importantly, it is a hub for greater collaboration and information sharing with the private sector, state and territory governments, academia and international partners to combat the full range of cyber threats.

From 1 July 2018, key ACSC member the Australian Signals Directorate (ASD) will become an independent statutory authority and will take leadership of the ACSC. At the same time, CERT Australia will move from the Attorney-General’s Department to ASD. The ACSC will also be moving to a new, purpose-built facility to enhance collaboration between member agencies.

As part of these changes, the ACSC will evolve to enable increased collaboration across government and industry. This will include a new structure and more defined priorities. Our stakeholders include:

• The Australian Government

• State, territory and local governments

• Existing partner agencies of the ACSC member agencies

• Owners and operators of critical infrastructure and systems of national interest

• Australian businesses and the public

• International CERT partners

• International cyber security agencies, in both public and private sector.

The ACSC mission:

The ACSC will become the national leader in cyber security, providing a range of services to our stakeholders including:

• Establishing a comprehensive digital platform to engage with key stakeholders, including providing:

o a range of best practice and tailored cyber security advice; and

o a suite of self-assessment tools for individuals, business and industry partners to assess their cyber security maturity and inform better risk management;

• Establishing national situational awareness about cyber security through real-time threat detection and enriched information sharing with stakeholders;

• Collaborating with stakeholders to conduct cyber security exercises that assess the effectiveness of incident response arrangements and resilience building;

• Coordinating a rolling program of assessments across critical infrastructure and systems of national interest to identify and remediate vulnerabilities; and

• A range of other activities designed to strengthen cyber security resilience across all sectors, combat the scourge of cyber-enabled incidents, reduce the volume of malicious activity traversing Australian networks and promoting growth in the digital economy and Australian enterprise in cyberspace.

In the new more combined structure, ACSC staff will come from a range of Australian Government departments, each with a different operating style. They will have a range of experiences regarding cyber security matters and come at it from different perspectives. The ACSC will need to bring the staff on a journey to build a culture of unity, inclusiveness, engagement and high-performance.

What's the key problem you need to solve?

The ACSC is seeking services to inform its business practices in its new form:

1. Stakeholder and user mapping, including original quantitative and qualitative research and analysis with a wide range of ACSC users/stakeholders (including individuals, small, medium and large organisations and different levels of government) to determine:

a. each stakeholder/user group’s current state of cyber security engagement;

b. user needs for our services, to determine whether the services we are currently delivering are useful to our customers and, if not, what their expectations and needs are;

c. stakeholder/user engagement preferences; and

d. a prioritisation matrix of identified stakeholders/users of the ACSC that will best meet our objectives to improve cyber security.

2. Service mapping: help ACSC clarify its service offering and levels of support to be offered to each stakeholder group, including where ACSC responsibility starts and ends.

3. Cultural change: assist the leadership team to define the culture for our new organisation, and develop a program to embed cultural change across the ACSC over the next 12 months. This component should provide the ACSC with answers to the following:

a. what culture do we need to create to become a high-performing, unified agency?

b. what are the key barriers/challenges that we should be aware of?

c. how we will get there in the short term?

d. how we can maintain it in the long-term?

Describe the users and their needs

As the Australian Government leader in cyber security, we need to have a comprehensive understanding of the needs and challenges facing our stakeholders in order to provide the most meaningful outreach, assistance and advice.

At a minimum, the Service Provider will complete the following four key activities:

1. Project Management Plan that incorporates a Stakeholder Engagement Plan, implementation schedule, roles and responsibilities, key risks and their mitigations. (Due one month after commencement date.)

2. Prioritised map of stakeholder/user groups based on research and analysis, with:

• recommendations for engagement and content style;

• an analysis of user needs compared with ACSC services;

• recommendations for how the ACSC can meet user needs within its resources. (Due within 2-4 months after commencement date – depending on methodology and breadth of engagement.)

3. ACSC service offering: based on our mission and vision, recommend what types and levels of services we provide to different stakeholder/user groups, and the rationale for these recommendations.

(Due within 2-4 months after commencement date – depending on methodology and breadth of engagement.)

4. Recommendations for a cultural change program:

• In consultation with the leadership team, provide a report that defines the culture and behaviours for our new organisation, including a set of recommended actions and proposed implementation roadmap.

• Subject to negotiation, the Service Provider may be required to deliver a program to embed the recommended actions for cultural change across the ACSC over the next 6-12 months. This could also include the delivery of activities and workshops as part of the program. This component is subject to available funding.

(Due - cultural change report due within 2-4 months after commencement date. Delivery of a cultural change program is subject to negotiation and available funding and would be implemented before 30 June 2019.)

What work has already been done?

The ACSC will provide the Service Provider with the following:

• Details of existing stakeholder mapping from the key member agencies where available;

• Documents relating to the creation of the ACSC, its intent and purpose;

• Previous APS survey results for the relevant agencies or parts thereof;

• Research conducted by CERT Australia in 2017 to understand people’s behaviours, practices, attitudes and understandings of cyber security;

• Relevant documentation about the ACSC’s structure, covering the different business streams, roles and responsibilities; and

• Ongoing consultation throughout the process.

Space will be made available for the Service Provider to work from the ACSC office in Canberra, along with wi-fi access. ACSC will arrange access to stakeholders and data where required.

Who will the work be done with?

The Service Provider is required to work independently. Advice and limited assistance will be provided by the ACSC Executive and relevant line areas.

Any additional relevant information?


What phase is the work in?

Work setup

Where will the work take place?

The services will primarily be undertaken at the Australian Cyber Security Centre in Brindabella Business Park near the airport in Canberra. If required, the Service Provider can also utilise the facilities in any of the ACSC-nodes in Brisbane, Sydney, Melbourne or Perth.

What are the working arrangements?

At a minimum, the Service Provider is required to undertake some face-to-face meetings and workshops with the ACSC Executive, to be organised in consultation with the Service Provider. Otherwise, the Service Provider has flexibility around their working arrangements.

Where the Service Provider and ACSC have prior agreement in writing that interstate travel is required to complete the services, travel and accommodation expenses will be paid by the ACSC. Any payment will be capped at the prevailing rate for non-SES staff provided the travel/accommodation has been arranged and approved in advance by the ACSC.

The ACSC will not pay any expenses or disbursements under this Work Order, including travel and accommodation expenses, unless they have been pre-approved in writing by the appropriate ACSC delegate prior to being incurred by the Service Provider.

Is security clearance required?

The Service Provider's personnel are required to hold a minimum security clearance at the level of ‘Baseline’ and sign individual deeds of non-disclosure.

Additional information

Additional terms and conditions


Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Have demonstrated experience providing cultural change management services.
  • Have demonstrated experience with stakeholder mapping.
  • Qualitative and quantitative research methods.
Nice-to-have skills and experience

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
Proposal criteria
  • Proposed approach to providing the services
  • Capability to deliver the services, including experience providing similar services
  • Demonstrated capacity to provide the required services and within the timeframes
  • Value for money
Cultural fit criteria
  • Work as a team with our organisation
  • Transparent and collaborative when making decisions
  • Being professional and prepared when engaging with stakeholders
Payment approach
Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence

Cultural fit


Seller questions

Seller questions
Seller question Buyer answer
1. Q1 - The original RFQ email mentions the closing date for the submission as '2018-06-07', whereas the detailed requirements specify Monday 11 June 2018 as the closing date, which is a public holiday. Can you please clarify which one is accurate? Responses are due by Monday 11 June 2018. The deadline was extended from the 7th to 11th.
2. Q2 - The current submission is through word limited data entry without any provision for attachments whilst the assessment method specifies written proposal, case study and references. Should we assume that only brief responses will suffice at this point and these detailed artefacts will be requested subject to vendors being shortlisted? Potential suppliers should provide as much relevant information about their suitability and experience within the limited data entry fields. Any additional information relevant to a proposal, such as case studies or other written material can be emailed to before 11 June 2018. Please quote ref: 10011034.

Only invited sellers can apply for an 'Open to one' or 'Open to selected' opportunity.

Learn more about Open to selected opportunities.

Log in to continue