Credit: Crown Copyright/Open Government Licence v3.0 [1]

The government agency charged with cleaning up ageing nuclear facilities is planning to appoint a £2m-a-year commercial partner to help oversee an ongoing initiative to bolster its cybersecurity credentials.

The Nuclear Decommissioning Authority has published a contract notice seeking bids from firms that could provide “assurance” services to its Cyber Security Resilience Programme (CSRP). 

The chosen provider will be asked to “independently assure” work undertaken by the authority to support an “improved cybersecurity posture” throughout the NDA and the four operating companies through which it works: Dounreay; Magnox Ltd; Nuclear Waste Services; Sellafield Ltd. 

The NDA wishes to measure its security infrastructure and practices against the guidelines set out in the Cybersecurity Framework of the US government’s National Institute of Standards and Technology (NIST).

“The NDA requires the supplier to independently assure the capability of the NDA group; this will include a review of all the operating companies using the NIST framework as the baseline standard,” the procurement notice said. “The organisation will be required to identify areas for improvement and areas of good practice and help the NDA and its operating companies to improve their capability in line with the risk appetite set by the NDA board.”

Related content

• Government progresses plan to use robots for Sellafield clean-up [2]
• Departments to undergo independent audits of cyber resilience [3]
• Nuclear power control desk heads for second life as movie star [4]

The successful supplier, which will be paid about £2m a year over the course of a 24-month contract, will work with a 70-strong team – comprised of NDA staff, contractors, and representatives of other suppliers – charged with delivering the cyber resilience project.

This team is based in Cumbria, but “assurance activities” will be required across all 17 former nuclear sites throughout England, Wales and Scotland that the NDA is responsible for cleaning up and decommissioning. The facilities owned and managed by the NDA, which include, Sellafield (pictured above), Hinkley Point A and Sizewell A, began operating as long as 80 years ago, in some cases.

“Due to prior Covid restrictions, previous work has been conducted remotely. However due to restrictions now lifted, face-to-face visits to sites will be required,” the procurement notice said. “During these instances, working arrangements will be agreed with the key stakeholders. The supplier… and [its] key personnel will be expected to be routinely available with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites. There will be a requirement to attend delivery group meetings… [and] deep dive reviews face to face at the request of the CSRP programme lead.”

Bids are open [5] until midnight on 14 May, after which the NDA expects to evaluate up to five suppliers. Its decision will be based approximately 40% on price, 13% of cultural fit, and 47% on technical competence.

The winning bidder is scheduled to a contract beginning around the start of July.