Department of Jobs and Small Business (Commonwealth)

Design and implement a refresh of the PROTECTED Environment Solution (FORTRESS) using cloud services

Important dates

Opportunity ID
Deadline for asking questions
Thursday 24 January 2019 at 6PM (in Canberra)
Closing date for applications
Thursday 31 January 2019 at 6PM (in Canberra)
Thursday 17 January 2019


Write a summary of your brief

The department is seeking assistance to build a new cloud environment (Citrix and Office 365), which will be IRAP accredited for providing secure PROTECTED services to multiple agency clients.

What is the latest start date?
February 2019
How long is the contract?

To 30/06/2019

Where can the work take place?
Australian Capital Territory
Who will the specialist work for?
Department of Jobs and Small Business (Commonwealth)
Budget range

The project will be able to support capital expenditure of around $500k, with an operating budget to be determined but probably less than the capital amount.

About the work

Why is the work being done?

The department supports the IT systems for various Commonwealth departments and agencies. The current PROTECTED system is supporting 18 distinct agencies, with over 2000 clients and growing demand from agencies that cannot justify the cost and effort of maintaining a secure, PROTECTED level IT environment. The technical environment has reached end of life and is approaching capacity limits, outgrowing the original design. With the heightened focus on security it is also likely that further client agencies will consider taking advantage of this service for their PROTECTED service needs in future. The work must design and build the environment, and supply the migration roadmap from the existing service, by 30 June 2019. Testing and possible limited pilot will be conducted, but migration services will be excluded from scope for this financial year due to a predicted election period.

What's the key problem you need to solve?

Staff need to collaborate and provide formal sensitive documents through departmental and non-departmental IT systems to executives and parliament, in an accessible and highly secure environment.

Describe the users and their needs

As a policy officer, I need to create a New Policy Proposal, which will feed into the Budget and Cabinet processes.

As a programme officer, I need to provide sensitive advice to cabinet.

As a liaison officer, I need to ensure documents are cleared by the relevant authorities and progressed in a timely manner.

What work has already been done?

The department has engaged a consultant to conduct a user centred design approach. This approach centred around usability of the system, the frustrations of existing users, and IT support teams. The recommendation was to move to a cloud SaaS model where the requirements of IT support teams was less about the infrastructure and more about the service. The "User Experience Conceptual Design Document" will be made available to shortlisted entities.

Who will the work be done with?

As the existing service is IRAP (Information Security Registered Assessors Program) accredited, you will be working with a specialist IT security company to ensure IRAP accreditation is achieved for the new solution. This will start from the design phase to reduce the amount of rework required to meet an IRAP assessment. If this is a quality service you can provide in addition, you may wish to include this.

For the implementation, you'll be working with the Technology and Services Group, in particular the Digital Collaboration team. Regular reporting will be required to supplement the internal project management.

Any additional relevant information?

The current environment is made up of the following

Remote Access

Secure remote access is provided from PCs, Laptops and tablets to the Fortress IT environment to facilitate access by the numerous external agencies and home users.


Servers: 8 X physical servers

Workstations: Not Applicable - Published Desktop

Access Gateways: Citrix

Data Storage: ~2.5 TB in total

Backup Storage: Data Domains



Windows Server

Citrix Netscaler


Citrix XenServer

Citrix XenApp


MS SQL Server

MS Exchange


IBM iBase

IBM Analysts notebook

HP Records Manager

MS Office

Multi Factor authentication

Active Directory Federation Services

Printing software

Accessibility applications

External Applications

Internet web applications

The proposed solution will be built using the Citrix Cloud, Microsoft Azure IAAS (VDI, HP Content Manager, SQL, supporting services), and Office 365 technologies, using the departments Secure Internet Gateway.

What phase is the work in?

Work setup

Where will the work take place?

148 City Walk, Garema Court, Civic, A.C.T.

What are the working arrangements?

This is flexible, however the department expects you to work with both departmental staff and the IT Security vendor during the design. The department would prefer that technical staff were onsite to help transfer knowledge to support staff during the build and test phases.

Is security clearance required?

Baseline clearance required to work on the system design.

NV1 clearance required to work with the existing system (including reviewing the current security documentation) or new system build.

Additional information

Additional terms and conditions

The department will include in this contract an option for a possible extension to cover migration work. This component is currently unfunded and therefore cannot be negotiated at this time.

Suppliers must meet and comply with security requirements outlined in the Australian Government Protective Security Policy Framework (PSPF) and the Australian Government Security Manual (ISM).

The department would like to negotiate with you on Intellectual Property Rights for work conducted under this Work Order.

Any information or Departmental Material provided to the Seller by or on behalf of the department or acquired in the course of performing roles under this Work Order by the Seller or the Seller's Specified Personnel, which is Departmental information, which is not otherwise publically available, is Departmental Confidential Information.

Limitation of Liability Cap - the Seller's liability is capped to three (3) times the value of the Work Order in the aggregate.

The Seller is required to support the Department’s personnel through ongoing skills and knowledge transfer in relation to all services, deliverables and tasks performed throughout the term of this Work Order (including any extensions exercised under this arrangement).

Project Management experience based on an industry methodology. You will be managing the project on behalf of the department with reporting requirements consisting of:

- Weekly progress (traffic light dashboards)

- Monthly review meetings

- Milestone tracking

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Relevant experience in developing and delivering the desired technologies and services.
  • Ability to partner with a government organisation to deliver an outcome to its customers.
  • Experience developing, and preferably operating, a service delivery model, preferably integrated within an existing ITSM framework.
  • Ability to meet tight timeframes with high quality deliverables such as high-level and detailed designs, project plans, end user documentation. Examples should be provided.
Nice-to-have skills and experience
Demonstrated ability to translate user experience-based requirements into a technology service achieving the business outcomes required

How sellers will be evaluated

How many shortlisted sellers will you evaluate?
Proposal criteria
  • Demonstrated technical ability to deliver - history with PROTECTED enclaves
  • Experience in developing a service delivery model within an existing ITSM frame.
  • Estimated timeframes for the work
  • Value for money
Cultural fit criteria
  • Knowledge transfer to our team
  • Work as a team with our organisation / Interactive nature
  • Transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Be able to operate independently, setting up meetings as needed and collecting information proficiently with minimal intervention from the branch
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence

Cultural fit


Seller questions

Seller questions
Seller question Buyer answer
1. You mention the proposed solution will be built using the Citrix Cloud, Microsoft Azure IAAS and Office 365. You also mention NV1 required to review current system. What classification/certification requirements does the new system need to adhere to? Are the cloud systems required to be on the ASD Certified Cloud Services list? The system will be rated as PROTECTED, following on from the departmental User Access Control Policy, administrators require NV1 clearance to operate (hence the requirement for accessing the existing environment, although we may consider BASELINE clearance for reviewing documentation where no system access is granted). The system will undergo IRAP assessment, be certified and accredited internally. It is highly desirable that cloud systems are on the ASD CCSL, but where they aren’t, sufficient justification can be provided to ensure business requirements are met, and work undertaken to ensure an IRAP assessment will still pass with appropriate mitigations and minimal risk.
2. • Good morning. The opportunity states that a start no later than February is required and that shortlisted sellers will be contacted after 31/01/2019 to submit their proposal if shortlisted. Can you please confirm that the only opportunity for sellers to be assessed for shortlisting is via the Brief Response format and that no other opportunity is being afforded to provide additional information until after the 31/01/2019 when full proposals will be called for from shortlisted sellers. This is correct.
3. • Question 5 in the Brief Response requests examples, can you please confirm that examples are to be provided within the 150 words, as no email address is provided for attachments Please provide titles of artefacts and who the work was done for, and these can be submitted by shortlisted sellers with the full proposal.
4. • Could you please confirm whether pricing information is required at the pre-shortlist stage and if it is intended that sellers provide pricing in the Brief Response, as there does not appear to be a question specifically allowing for this, nor the detail required to qualify any pricing offered (scope, assumptions etc). Pricing order of magnitude will assist the panel in evaluating responses. It is understood that details have not been provided so pricing is purely an estimate, and to assist in departmental budgeting processes for the viability of the solution.
5. • Finally, as the opportunity advises that the start date for the contract is to be February 2019 and the shortlisted sellers will not be asked for proposals until after 31/01/2019, could you kindly provide the Department's expected timeframe for proposal submission, evaluation and expected date of contract award so that we can correctly resource for and provide an earliest possible start date in February in the Brief Response. The Department's procurement timeframe will realistically impact on when sellers can commence the works. Thank you for your time considering our queries. We look forward to responding enthusiastically to this opportunity. We anticipate two weeks (14/2/2019) to evaluate, shortlist and seek approval to continue to second stage. We will then give a further two weeks to provide further information and request proposal submission. Given the timeframe of then evaluating and contract negotiation, actual work is not expected to commence until March.
6. • Good afternoon, Appreciate the opportunity to respond and the amount of additional information provided. I would like to clarify if the required services are solely for specialised project management support to deliver the solution in consultation with the department's ICT division and pre-engaged support (IRAP/User Design), or does the department seek to also engage with a provider to develop the architectural design for the new network as well as the overarching project management? I believe the services require both design, development and project management, however thought to confirm. Thankyou. You are correct, it is for design, development/build and project management services, with the possibility of IT Security (Standard Operating Procedures, SRMP etc but not IRAP) as a value add or we can engage another vendor to provide this component.
7. We have two questions: 1. Will the design and implementation include re-designing and upgrading the Fortress SOE, operating system, office productivity applications and/or group policy? The FORTRESS SOE will hopefully be lifted from the departments Windows 10 unclassified environment to reduce the redesign effort. Additional work will be required to ensure the upgraded server OS, Office 365 productivity suite and Group Policy meet the security requirements of a PROTECTED environment.
8. Will the solution require backups to be taken and stored “on-premise” or outside of the primary cloud services (Azure/Office365)? Yes, backups will be required and ideally will be stored in an alternate cloud environment.

Interested in this opportunity?

Before you can apply for this opportunity, you need to:

  1. Register to join the Marketplace.
  2. Submit a case study and pricing and check your documents are up-to-date.
  3. Request an assessment of your chosen case study.