Section one: Contracting entity
one.1) Name and addresses
SCOTTISH HYDRO ELECTRIC TRANSMISSION PLC
Inveralmond House, 200 Dunkeld Road
PERTH
PH13AQ
Contact
James Pike
Country
United Kingdom
Region code
UKM77 - Perth & Kinross and Stirling
Companies House
SC213461
Internet address(es)
Main address
https://www.ssen-transmission.co.uk/
one.3) Communication
Additional information can be obtained from the above-mentioned address
Tenders or requests to participate must be submitted electronically via
https://sse.app.jaggaer.com/esop/guest/go/opportunity/detail?opportunityId=387
one.6) Main activity
Other activity
IT Services
Section two: Object
two.1) Scope of the procurement
two.1.1) Title
OT and IT Cybersecurity Services framework
Reference number
7648
two.1.2) Main CPV code
- 72600000 - Computer support and consultancy services
two.1.3) Type of contract
Services
two.1.4) Short description
Scottish Hydro Electric Transmission Plc. (SHET) seeks a skilled provider of Operational Technology (OT) cybersecurity assurance services and IT cybersecurity services. The supplier will act as an independent assurance authority, ensuring that OT systems are designed, delivered and managed in a secure manner and in line with SHET and national standards.
Among key responsibilities the prospective supplier would provide design assurance, assurance of onsite installation, security testing, threat-intelligence, and operational assurance. Additionally they may be required to provide ad-hoc projects and support with incident management and response, digital forensics, security, network and infrastructure consulting.
The supplier should be able to provide CREST certified penetration testing services.
There may be a future requirement for IT managed services, IT cybersecurity services and project delivery services to be provided by the supplier, so it is desirable that the supplier have the capability to provide IT managed services (for example but not limited to networking, infrastructure, cybersecurity specialisms), cybersecurity services and professional services. This may include implementing new security tools or architectures.
The PIN estimate reflects a combination of day to day capacity, flex contingency, potential ad-hoc projects and support services, and is not a promise or guarantee that the estimate will be reached during the initial or renewal terms.
two.1.5) Estimated total value
Value excluding VAT: £150,000,000
two.1.6) Information about lots
This contract is divided into lots: No
two.2) Description
two.2.3) Place of performance
NUTS codes
- UK - United Kingdom
Main site or place of performance
Onsite delivery services to take place in the UK
two.2.4) Description of the procurement
Detailed description
Among key responsibilities the prospective supplier would provide design assurance, assurance of onsite installation, security testing, threat-intelligence, and operational assurance. Additionally they may be required to provide ad-hoc projects and support with incident management and response, digital forensics, security, network and infrastructure consulting.
SHET seeks suppliers with experience in all of the following:
- Audit Review & Compliance
- Cyber Security Training & Awareness
- Design and Build of Turnkey Cyber Security Services
- Digital Forensics
- Incident Management & Response
- Risk Assessment and Management Services
- Security Architecture Services
- Security Consultancy
- Security Testing
- Technical Cyber Assurance
- Vulnerability Management
Desirable:
- Infrastructure Managed Service Support
- Network Service Managed Service Support
- IT managed services delivery (including but not limited to networking, infrastructure, cybersecurity)
- Vendor Cyber Assurance Managed Services.
There may be a future requirement for IT managed services, IT cybersecurity services and project delivery services to be provided by the supplier, so it is desirable that the supplier have the capability to provide IT managed services (for example but not limited to networking, infrastructure, cybersecurity specialisms) and professional services. This may include implementing new security tools or architectures.
The PIN estimate reflects a combination of day to day capacity, flex contingency, potential ad-hoc projects and support services, and is not a promise or guarantee that the estimate will be reached during the initial or renewal terms.
two.2.5) Award criteria
Price is not the only award criterion and all criteria are stated only in the procurement documents
two.2.6) Estimated value
Value excluding VAT: £150,000,000
two.2.7) Duration of the contract, framework agreement or dynamic purchasing system
Duration in months
120
This contract is subject to renewal
Yes
Description of renewals
Duration estimate reflects initial term with extension options up to a maximum term of 10 years
two.3) Estimated date of publication of contract notice
19 August 2024
Section three. Legal, economic, financial and technical information
three.1) Conditions for participation
three.1.1) Suitability to pursue the professional activity, including requirements relating to enrolment on professional or trade registers
List and brief description of conditions
Prospective suppliers should be able to commit that they have reasonable procedures in place for the prevention of modern slavery, human trafficking, financial crime and bribery
Prospective suppliers should be able to commit to revealing the identity of any third party subcontractors or solutions upon which their delivery of services would be dependent. SHET may require the right to undertake business probity, financial, cybersecurity and other compliance reviews of subcontractors.
Prospective suppliers may be required to sign a Non-Disclosure-Agreement before security sensitive content is shared with them
Other or additional conditions of participation may be set out in the final tender documents.
three.1.2) Economic and financial standing
List and brief description of selection criteria
Prospective suppliers should have a minimum annual turnover of £50m p.a.
The financial standing of a prospective supplier must give SHET reasonable confidence that they can successfully fund the services for the duration and accept reasonable liability in line with the level of risk their project presents to SHET.
Other/additional requirements may be set out in the final tender documents.
three.1.3) Technical and professional ability
List and brief description of selection criteria
Prospective suppliers should be able to evidence strong knowledge and experience in the delivery of similar services, at scale; ideally in a critical national infrastructure context.
Prospective suppliers should be familiar with major brands of OT and IT equipment
Additional requirements may be set out in the final tender documents.
Minimum level(s) of standards possibly required
Prospective suppliers will be required to be accredited to SOC2 or ISO27001 level (or recognized equivalent)
Prospective suppliers should be able to provide personnel based in the UK (during delivery) who have been through enhanced background vetting or carry current security clearance (SC or above). The same vetting expectation may be required for subcontractors of the supplier who work on the delivery
Prospective suppliers should be knowledgeable in NIST standard SP800-53
Penetration test personnel provided should be CREST accredited.
Additional requirements may be set out in the final tender documents
three.2) Conditions related to the contract
three.2.3) Information about staff responsible for the performance of the contract
Obligation to indicate the names and professional qualifications of the staff assigned to performing the contract
Section four. Procedure
four.1) Description
four.1.3) Information about a framework agreement or a dynamic purchasing system
The procurement involves the establishment of a framework agreement
Framework agreement with a single operator
In the case of framework agreements, provide justification for any duration exceeding 8 years:
The cost, resource effort, complexity and business disruption to change a major support partner is substantial; 10 years reflects a reasonable period through which it is desirable to retain the services of a single supplier. It is desirable to retain a cybersecurity provider's services for an extended time so they are deeply familiar with the recent history and practices of the organisation.
four.1.8) Information about the Government Procurement Agreement (GPA)
The procurement is covered by the Government Procurement Agreement: No
four.2) Administrative information
four.2.4) Languages in which tenders or requests to participate may be submitted
English
Section six. Complementary information
six.2) Information about electronic workflows
Electronic ordering will be used
Electronic invoicing will be accepted
Electronic payment will be used
six.4) Procedures for review
six.4.1) Review body
SSE Plc.
Perth, Scotland
Country
United Kingdom