With an array of agencies and a technology estate containing hundreds of legacy apps, the environment department requires a group of cyber suppliers to run the rule over its systems
The Department for Environment, Food and Rural Affairs is planning a multimillion-pound deal for specialist suppliers to test the cyber defences of “an extremely diverse and complex IT estate”.
A newly published commercial notice reveals the department’s intent to put in place a second – and expanded – iteration of its IT Health Check (ITHC), Penetration Testing and Associated Services deal. The incumbent contract, which is held by consultancy CGI, is valued at around £3.4m and expires in March 2025 after a three-year term.
The notice outlines that the replacement contract, which will feature three suppliers, will play a key role in securing a vast technology infrastructure – which encompasses various arm’s-length agencies and, according to a report published last year, includes hundreds of applications that are no longer supported by their supplier.
The winning bidders for the deal will “offer security testing and exercising services for new, operational and legacy systems” across the central department and the entities that comprise the wider Defra Group.
“Defra Group has an extremely diverse and complex IT estate which presents significant cybersecurity risks,” the notice says. “Security testing is a pre-requisite to internal approval for projects and programmes within the organisation.”
The chosen providers will be tasked with delivering services encompassing “ITHCs, penetration testing and red/blue and purple teaming”. To win a spot on the agreement, suppliers must possess government security clearance, as well as accreditation under the National Cyber Security Centre’s CHECK scheme, which certifies that “assured companies can conduct authorised penetration tests of public sector and CNI (critical national infrastructure) systems and networks”.
“Testers are required to produce CHECK certified reports and communicate any vulnerabilities to the project and risk owner for mitigations/fixes,” the notice adds.
The new version of the Defra security deal will be awarded via the Crown Commercial Service’s Cyber Security Services 3 purchasing agreement, from which a trio of featured suppliers will be chosen. Over the course of an initial three-year term, the engagement is expected to be worth up to £5.4m, although “actual spend depends on the number of Security Tests required by the organisation which will be issued to suppliers via work orders”.
The notice adds: “Work orders will be issued by individual business units across core Defra and its arm’s length bodies that are in-scope of this agreement: Natural England; Rural Payments Agency; Marine Management Organisation; and the Environment Agency. Defra proposes to issue work orders to suppliers on rotation, through a taxi system to ensure an even distribution of orders where possible.”
In the coming days, Defra will create a longlist of suppliers featured on the CCS cyber framework that meet the department’s requirements. These firms will then be invited to complete a capability assessment. Those that are given the green light following this review will be asked to submit a formal bid.
The plan is to award contracts in January, with the deals to take effect in the first week of March.