Requirement for an Information Assurance (IA) Specialist and a Security (Sy) Subject Matter Expert (SME)
The requirement for a subject matter expert to cover the following security role.
Every 3 months the Authority hosts a UK A400M Security Working Group, the location of the meeting may vary between RAF Brize Norton or MOD Abbey Wood. The UK SWG is an A400M specific meeting hosted by the Authority Chairman to discuss and action matters relating to security assurance of all A400M systems. The Authority is required to maintain and distribute to stakeholders a record of decisions and actions relating to security matters identified at each monthly Security Working Group (SWG) meeting. It is anticipated that there will be 4 formal SWG meetings per year.
Provide SME IA and Sy technical support to the SWG Chairman, identifying key decisions and providing SME input on risks and recommendations during and after each meeting, including assisting the Chairman with the detail within the record of decisions and actions. SME support to the Security Assurance Co-ordinator will be required should a detailed security matter need addressing.
2. Delivery of Ad Hoc Security Meetings
Attend Ad Hoc security related meetings over the course of the contract. It is anticipated that there will be a maximum of 8 Ad hoc Security meetings per year.
Provide SME IA and Sy technical support to the meeting Chairman, identifying key decisions, risks and recommendations during and after each meeting, including assisting the Chairman with the detail within the record of decisions and actions.
3. Specialist IA & Security Advice
The Specialist IA & Security SME Consultant would be required to provide specialist IA and Security advice as well as deliver specific packages of work.
Provide specialist IA and Security advice to the A400M ISIT team and the accreditor upon their request.
Deliver specific IA and security reports when tasked by the Project Manager. Expected topics include, but are not limited to, analysis of LRUs and AGE handling SECRET data, vulnerability analysis, and research on classified data filtering systems. It is anticipated that there will be 6 discrete reports requiring specialist IA and Security SME input across the period of the contract. In addition, there is a requirement for several briefs, both written and verbal, to the ISIT Team throughout the duration of the contract.
4. Specialist IA Documentation Specific to A400M
The Specialist IA & Security SME Consultant will be required to draft Information Assurance specific documentation.
Where the A400M Accreditor deems it appropriate for the A400M DT to capture security risks held across A400M air and ground systems, the Specialist IA & Security SME Consultant will be required to directly support the A400M SAC in the development and agreement of Risk Balance Case (RBC) paperwork with the Project Manager. It is anticipated that 6 RBCs will be required per year.
When required by the Project Manager, develop Test Security Instructions (TSI) paperwork to the PM's satisfaction. It is anticipated that 4 TSIs will be required per year.
5. Support the Security Assurance Co-ordinator in the Maintenance of the A400M PT Security Risk Register
The A400M Accreditor has deemed it appropriate for the A400M DT to capture and maintain all security risks held across A400M air and ground systems.
Provide the SME input to the A400M SAC on the IA and Sy risks raised and held within the A400M DT Security Risk Register.
Support the SAC in a monthly review of the A400M Sy Risk Register. Support the SAC in the presentation of the A400M Risk Register at the A400M SWG (Reqt 1.1).
6. ITHC Scopes and Mitigation Plans
The A400M Specialist IA & Security SME Consultant is responsible for the multiple systems being delivered to the Authority that will need to undergo IT Health Checks (ITHC) in the UK, which will consist of Vulnerability Analysis (VA) and/or Compliance Audit (CA) tests. It is anticipated that there will be 6 ITHCs requiring this activity per year.
Draft the ITHC scoping paper and gain agreement from the Project Manager and stakeholders. Completion within 10 working days.
Submit request for an ITHC to Joint Information Assurance Co-ordination Centre (JIACC) and co-ordinate the engagement of their test teams and the resultant ITHC testing.
The Authority requires the SME to draft a conclusion report based on the output of the ITHC tests, identifying any risks, issues and recommendations in the system RMADS. This is to be produced within 10 working days unless agreed separately with the Project Manager.
Work with JIACC and the ITHC stakeholders to resolve the report findings, monitor resolution progress and update the Project Manager monthly.
7. International Security Meetings
The A400M Specialist IA & Security SME Consultant will be required to provide SME support to the ISIT Team prior to and during International meetings. The requirement to attend overseas meetings will depend on the content of the meetings and is to be agreed with the Project Manager, in most instances with at least 15 working days prior agreement.
The A400M Specialist IA & Security SME Consultant will be required to provide SME support for the following international security meetings:
- A400M Joint Accreditation Board (JAB)
- ISSec Workshop
- CERA Workshop
It is anticipated that there will be 12 international meetings per year.
8. Specialist IA Documentation to A400M
The A400M Specialist IA & Security SME Consultant will be required to produce documentation specific to A400M DT ISIT.
The A400M Specialist IA & Security SME Consultant will be required to develop and maintain documentation specific to A400M DT ISIT such as Business Continuity Plans, Disaster Recovery Plans and Forensic Recovery Plans. It is expected that a maximum of 4 plans per year will be developed and presented to the wider stakeholder community through the Project Manager.
9. Development and Maintenance of Security documentation (RMADS and SyOps)
The A400M Specialist IA & Security SME Consultant will be required to develop and maintain Risk Management Accreditation Document Sets (RMADS) documents and Security Operating Procedure (SyOPs) documents for several different platform and ground based systems.
The Authority requires the development and maintenance of Risk Management Accreditation Document Sets (RMADS) documents and Security Operating Procedure (SyOPs) documents for several different platform and ground-based systems. The deliverables will require validation against HMG Information Security (IS) 1&2 methodologies, with recommendations and risks identified to the Authority's Security Assurance Co-ordinator (SAC) in a report. The accreditor will define which of the programmes below will require the RMADS and SyOPs. It is expected that 10 systems will require RMADS and SyOPs during the first 12 months. A further 5 systems will require RMADS and SyOPs during the following 12 months.
The scope of the requirement will cover as a minimum the following:
- A/C Doc set; this will include several Aircraft System annexes:
- Filter Based solution
- CTET (Compact End-to-end test)
- MPRS D and PMPRS
- MDS and PMDS
- PID MT
- Flight Data Monitoring
- Anti-Virus Solutions (Sheepdip)
- Other Ground Support Systems identified by the SAC and raised on DART during the contract period
Conduct a review of the RMADS and SyOPs security documentation for each GSS and update the documentation in line with system developments and/or changes in operational use. The library of A400M documents will require monthly review to reflect its status, in line with the SAC-maintained Accreditation Maintenance Plan.
A CV shall be provided.
All staff to be involved in Contract delivery must hold a current Security Check (SC) for the duration of the contract.
Reqt 11.2 The security-related nature of the work means that the Contractor must be a British National.
Reqt 11.3 The CV shall detail experience and evidence gained in your current and previous employment which is relevant to meeting the requirements stated above.
11. Security Vetting and Nationality
All staff to be involved in Contract delivery must hold a current MOD Security Check (SC), and the security-related nature of the work means that the Contractor must be a British National.
Reqt 11.1 All staff to be involved in Contract delivery must hold a MOD Security Check (SC) for the duration of the contract.
Reqt 11.2 Be a British National