Nuclear clean-up agency seeks £2m-a-year partner to help improve cyber-resilience
Specialist firm sought to help identify areas where security could be bolstered
The government agency charged with cleaning up ageing nuclear facilities is planning to appoint a £2m-a-year commercial partner to help oversee an ongoing initiative to bolster its cybersecurity credentials.
The Nuclear Decommissioning Authority has published a contract notice seeking bids from firms that could provide “assurance” services to its Cyber Security Resilience Programme (CSRP).
The chosen provider will be asked to “independently assure” work undertaken by the authority to support an “improved cybersecurity posture” throughout the NDA and the four operating companies through which it works: Dounreay; Magnox Ltd; Nuclear Waste Services; Sellafield Ltd.
The NDA wishes to measure its security infrastructure and practices against the guidelines set out in the Cybersecurity Framework of the US government’s National Institute of Standards and Technology (NIST).
“The NDA requires the supplier to independently assure the capability of the NDA group; this will include a review of all the operating companies using the NIST framework as the baseline standard,” the procurement notice said. “The organisation will be required to identify areas for improvement and areas of good practice and help the NDA and its operating companies to improve their capability in line with the risk appetite set by the NDA board.”
The successful supplier, which will be paid about £2m a year over the course of a 24-month contract, will work with a 70-strong team – comprised of NDA staff, contractors, and representatives of other suppliers – charged with delivering the cyber resilience project.
This team is based in Cumbria, but “assurance activities” will be required across all 17 former nuclear sites throughout England, Wales and Scotland that the NDA is responsible for cleaning up and decommissioning. The facilities owned and managed by the NDA, which include, Sellafield (pictured above), Hinkley Point A and Sizewell A, began operating as long as 80 years ago, in some cases.
“Due to prior Covid restrictions, previous work has been conducted remotely. However due to restrictions now lifted, face-to-face visits to sites will be required,” the procurement notice said. “During these instances, working arrangements will be agreed with the key stakeholders. The supplier… and [its] key personnel will be expected to be routinely available with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites. There will be a requirement to attend delivery group meetings… [and] deep dive reviews face to face at the request of the CSRP programme lead.”
Bids are open until midnight on 14 May, after which the NDA expects to evaluate up to five suppliers. Its decision will be based approximately 40% on price, 13% of cultural fit, and 47% on technical competence.
The winning bidder is scheduled to a contract beginning around the start of July.
An annual study has identified core technical and incident-response skills gaps
Chancellor unveils unit that will pursue those who defrauded government of an estimated £5bn during the pandemic
Canadian academics claim that attack on No. 10 using Pegasus software was launched from the UAE
Contract signed with consultancy Mason Advisory