Department of Foreign Affairs and Trade

Agile software dev team to develop infrastructure for cyber security automation environment

Important dates

Opportunity ID
1582
Deadline for asking questions
Monday 20 August 2018 at 6PM (in Canberra)
Closing date for applications
Monday 27 August 2018 at 6PM (in Canberra)
Published
Monday 13 August 2018

Overview

Write a summary of your brief

The Department is seeking to engage an agile development team who can take our project from the Discovery phase to Beta - to prototype, test, build and document the end to end environment for data capture, storage and processing with a focus on integration, usability, automation, cyber security and integrity.

What is the latest start date?
Jan-19
How long is the contract?

Initially 12 months.

Where can the work take place?
  • Australian Capital Territory
  • Offsite
Who will the specialist work for?
Department of Foreign Affairs and Trade
Budget range

DFAT has approved budget for this activity and initial scoping indicates the activity may require a team of up to 10 people for up to 12 months.

About the work

Why is the work being done?

DFAT has adopted an innovative approach for delivery of technology projects, including through use of external development teams to take projects from the Discovery phase through Alpha, Beta and into production by performing technical prototyping, software development, software and hardware integration, testing and documentation.

DFAT require an agile team to prototype and build cyber security automation environment for data capture and processing. The project must commence by early 2019, with regular milestone deliveries over the (estimated) 12 month project, including a prototype system mid year.

The work can take place at any Australian location within reasonable commute time from Canberra.

What's the key problem you need to solve?

DFAT requires an enterprise system to capture and process diverse data sources to ensure it is safe (from a cyber risk perspective) with a focus on integration, usability, automation, cyber-security and integrity.

Describe the users and their needs

DFAT is a global organisation with many user needs within a complex cyber security environment. This package of work will asssist in supporting DFAT's underlying infrastructure for a security automation environment.

What work has already been done?

The Department has undertaken a series of discovery activities, which have highlighted that many tools and systems exist but there is no off the shelf system that satisifies every requirement. The Department has concluded that much of the work to deliver this enterprise capability requires the integration of software components with a focus on automation and dev ops capabilities.

Who will the work be done with?

DFAT technical specialist(s) will work as project executive with the vendor's development team, to prioritise the work required to deliver the environment over the contract period. DFAT prefers an agile development model, using sprints, based on a clear agreed scope, including quality requirements, with clear delineation of responsibility.

Any additional relevant information?

Please send your responses to jessica.ong@dfat.gov.au referencing the RFQ number.

DFAT will conduct shortlisting based on written responses received. Written responses should include:

Cover letter consisting of a 1-2 page summary of the proposed project approach (overall team skillset, project phase and delivery process).

Details of the named resources put forward for the project. For example, if the provider nominates 8 named resources as a potential team, they might have the following mix of skills: python developers, dev ops & automation specialists, UI specialists, OS configuration and automation specialists, documentation as code specialist and a scrum master. DFAT requires providers to name specific professionals with the expectation that DFAT will select the composition of the final team.

For each named resource provide:

- Skills and experience (full CV, role on previous projects)

- Rate card inc GST ( daily rate, incl. of all overheads for working in your office space)

Up to 4-10 pages addressing cultural fit criteria and organisational capability:

- Address cultural fit criteria

- Abilility to provide replacement team members if required

- Case studies of previous cyber security and automation projects delivered with references where available.

Based on providers' written responses, DFAT expects to short list at least 3 providers after conducting reference checks.

For those providers short listed, a final run-off will be conducted. To facilitiate this run-off, DFAT will provide a high level requirements and concept design for the project, developed during DFAT's discovery work.

These should be used by the short listed providers to develop an initial work estimate for the project, and as the basis for contract negotiations if the provider is selected as successful.

Additionally, DFAT technical specialists would also like to visit your premises to conduct short interviews with the named resources including a walk through of previous work / code they have delivered and a 1-2 hour session with the whole team to discuss the high level requirements and concept design.

What phase is the work in?
Discovery

Work setup

Where will the work take place?

DFAT preference is for the work to happen at the vendors premises.

What are the working arrangements?

The vendor will provide a team for the period of the contract who will work in agile sprints based on priorities provided by the nominated DFAT technical specialist(s) who will spend a portion of each week working at the vendor's office embedded with the team. The work will be conducted at the UNCLASSIFIED DLM (FOUO) level and the use of commercial cloud services (as agreed by DFAT) is expected.

Is security clearance required?

Personnel working on the project may be required to hold, or be able to obtain, an Australian Government security clearance. DFAT will sponsor named persons for clearance as required. A clearance is not required to commence activity.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Python software development of API based services (est 35% of the work required)
  • Development automation / dev ops (est 20% of the work required)
  • Responsive web user interface design and development (est 20% of the work required)
  • Configuration, administration and automation for Linux and Windows platforms (est 15% of the work required)
  • Automated testing and automatic code review (est 10% of the work required)
Nice-to-have skills and experience
  • SELinux
  • OpenStack or equivalent automation / orchestration platform
  • Ceph, Swift or equivalent object storage system
  • Puppet and or / Ansible
  • x86 hardware and BIOS configuration
  • Documentation as code
  • Infrastructure as code
  • Docker, Kubernetes, OpenShift or similar
  • Applying Material Design or similar language of design

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
3
Proposal criteria
  • Quality of software development work
  • Experience and success of automation of Linux and Windows tasks and OS deployment
  • Experience and success of continuous integration pipelines
  • Experience and success at building responsive web UIs
  • Code test coverage
  • Code documentation coverage
  • Data engineering competency
  • Cyber security competency
  • Experience with "nice-to-have"s
Cultural fit criteria
  • Cyber security maturity
  • Sophistication in use of cloud / IaaS
  • Ability to rapidly prototype and innovate
  • Ability to learn and adapt from failure
  • Use of open source
  • Team cohesion
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence
60%

Cultural fit
20%

Price
20%

Seller questions

Seller questions
Seller question Buyer answer
1. Can DFAT please clarify if a written response is required at the same time as providing 150 word answers to the evaluation questions (which would appear to be outside the standard DTA marketplace procurement process) or will DFAT be short listing sellers from the 150 word answers and only require those sellers to provide a written response? and Are DFAT expecting applications to respond via both a written proposal and the DTA panel itself? Shortlisting will be conducted based on responses received by the deadline - where the DTA marketplace word limit does not allow a full response (as per the requested information outlined under the section “Any additional relevant information”) sellers should submit their full response directly to the nominated DFAT contact via email. This email must identify the seller and be received by the deadline. Where sellers feel that they can respond fully within the DTA marketplace form they do not need to also send their response to the nominated contact, but can do so if they would like.
2. Would an Adelaide based vendor be considered given the desire to embed DFAT resources within the vendor’s office? Adelaide is acceptable.
3. What is the anticipated travel requirement for vendor representative(s) to engage with or support stakeholders in Canberra (or other locations) throughout the project? What is the preferred method for handling this in the quotation ie: budgeted amount or reimbursable expense? DFAT expects there will be minimal travel requirements for vendor representatives to engage with stakeholders in Canberra. DFAT would anticipate handling such expenses as reimbursable expenses and sellers are not required to outline a travel budget in their response.
4. In the opportunity overview section it mentions that the RFQ number be stated. Is the RFQ number the DTA panel number ie: 1582 or is there another RFQ number? Apologies for the confusion, the RFQ number is the DTA marketplace opportunity ID 1582. DFAT has not placed this opportunity elsewhere.
5. Is DFAT open to the use of public cloud platforms (such as AWS) and associated services for hosting, orchestration and object storage? The use of public cloud platforms is expected during the prototyping and development activities but the production environment will need to function across multiple clouds, including clouds without access to public clouds, hence the list of technologies in the “nice to haves” such as OpenStack and OpenShift for orchestration and Ceph or Swift for object storage.
6. Is the Department currently adopting an agile approach? For this project, yes.
7. Will the Department provide an SME who will act as the Product Owner? Yes – it is envisaged that this SME will be spending at least a day each sprint with the development team.
8. Will the Department consider hosting tools in a cloud which is outside of Australia? No, we expect to use a major cloud provider with a physical presence in Australia
9. What products, systems and tools does the Department plan to use to integrate its diverse data sources? Approximately how many systems will need to be integrated? Are these systems all SIEM related software tools and systems? Please see “essential skills and experience” and “nice-to-have skills and experience”
10. Is the Department open to approaches where the local team are supported by developers based near shore (in regional centres for example) and offshore (for discrete tasks)? No, we require the team to be located in Australia. We have a preference for a completely co-located team but would be open to a core dev team in one Australian location supported by SMEs elsewhere in Australia. See also “What are the working arrangements?” and “Is security clearance required?”.
11. What type of data are you looking to capture? Do you have internal requirements? What systems will we need to talk to? What are people using the system for, and who are the end users? DFAT requires an enterprise system to capture and process diverse data sources from a variety of existing corporate and internet connected systems including data that requires anti-virus scanning. The primary users of the system will be internal cyber security staff. As outlined under “Any additional relevant information?” more detailed system requirements will be provide to the shortlisted vendors.

Interested in this opportunity?

Before you can apply for this opportunity, you need to:

  1. Register to join the Marketplace.
  2. Submit a case study and pricing and check your documents are up-to-date.
  3. Request an assessment of your chosen case study.