MoD appoints £2m cyber specialist to test Army IT vulnerabilities

Written by Sam Trendall on 23 September 2022 in News

Firm will be asked to assess existing and new tech platforms 

The Ministry of Defence has awarded a potential £2m contract to a specialist supplier that will be tasked with testing for cyber vulnerabilities in the Army’s IT infrastructure and applications.

The deal, which comes into effect on 1 October, covers the provision of “code-assisted vulnerability assessments and penetration testing security assessments on both new and in-service applications [and] infrastructure”, according to newly published commercial information. 

These assessments relate to the infrastructure of two hosting facilities run by the Army Digital Services unit – the Joint Server Farm (JSF) and the Army Hosting Environment (AHE) – and all data and programs stored in each.

The JSF contains only information classified at the government's lowest-grade ‘Official’ status and can be accessed from any internet-connected computer via the Defence Gateway online login system.

The AHE, meanwhile, hosts data up to ‘Secret’ classification and other sensitive information. A breach of this environment “could not only be damaging to the Army's reputation, it could jeopardise potential operations [and] could also incur fines from the Information Commissioner”, according to the contract award notice.

“An attack to disrupt any of the services ADS provides would significantly erode the Army's ability to operate, as many of the systems support day-to-day activities and processes,” it added. “It is, therefore, imperative that vulnerabilities are identified and remedied/mitigated to reduce the risk of these occurrences.”

To help ensure the security of all storage facilities and the data they house, Manchester-based cybersecurity consultancy NCC Group will, over the next two years, be asked to perform a variety of vulnerability assessments and penetration-testing exercises.

“[These] security assessments… are used to identify vulnerabilities in code and infrastructure – networks, servers, operating systems and applications – that could potentially be exploited,” the procurement notice said. “Attackers can be hackers trying to gain access into our network or systems, state sponsored activists or an insider threat. They will aim to either extract information that is held on applications and hosting environments or cause extensive disruption to services.”

All new applications that will be run from either the JSF or AHE environment will be required to undergo a vulnerability assessment, the MoD indicated. 

“Existing applications, hosting environments and platforms must be [assessed] on a rolling programme to ensure any changes do not increase vulnerability and potential for being attacked,” it added.

The engagement with NCC will run for an initial term of two years, with a baseline value of £459,000 – plus up to £1.5m extra to be spent on an ad hoc basis. Upon its conclusion on 30 September 2024, the deal can be extended for a further year at the MoD’s discretion.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on
