Project title: Information Systems Accreditation Programme (Follow-on Contract)
As a consequence of the strategic defence review initiated by the 2010 coalition government, the UK Ministry of Defence (MOD) undertook a comprehensive review of all its agencies to identify the most appropriate future model of ownership. At the time DSG (Defence Support Group), responsible for all maintenance and repair of the Armed Forces' wheeled and tracked vehicles as well as for the repair and testing of electronic components, was a trading fund agency within the DE&S (Defence Equipment & Support) organisation of the MOD. A ministerial decision was made to sell DSG on the commercial market, supported by a guaranteed level of contractual cover to ensure continuity of service.
Following a 2-year public sector procurement programme, the UK MOD identified Babcock International as its preferred partner for the third-party delivery of the maintenance, overhaul and repair of all wheeled and tracked vehicles operated by the UK Armed Forces. To enable Babcock to deliver the contractually specified services, they had to be given access to all of the key MOD information systems that managed and recorded maintenance and repair of the vehicle fleets. Giving a commercial third party access to sensitive information systems, databases and technical archives presented the UK MOD with a potential risk to its competitive processes, procedures and structures.
In response, the MOD ran a technical consultancy services competition to appoint a contractor to manage the risks and accreditation issues associated with the transfer of operational responsibility for DSG to Babcock. RED Scientific Ltd, supported by AMDS Consultants Ltd, won the competition and work started in January 2015. We were responsible for all information systems assurance support throughout the transfer process, which required that we:
- Implement the compliance project developed in a preceding contract (see case study DSG_01).
- Review existing documentation and develop new processes, procedures and structures related to the production of a Risk Management and Accreditation Document Set (RMADS).
- Facilitate the award to Babcock of UK MOD accreditation for their information systems security structures for DSG based on the developed RMADS.
- Manage the successful transfer of information assurance responsibility to Babcock whilst mitigating ongoing risks to MOD information security.
The work programme had the components described below and was paid for by a combination of days worked, invoiced monthly in arrears, with further payments against delivered milestones in the project.
The implementation of the sale raised issues that had to be addressed either directly or by influencing and managing the stakeholder community. Among the primary matters of concern were:
- The sale led to a number of mismatches between the existing information systems structures and those of the new owner. This raised the level of risk that had to be mitigated and required the MOD "owners" to develop pragmatic approaches to changes in risk appetite and risk acceptance.
- To deliver the desired outcome of a fully accredited commercial system interfacing with the UK MOD's classified network, a number of stakeholders and system owners had to be reassured, through information security assessments, that the security of their systems remained intact.
- As the analysis of the existing RMADS documentation progressed, it became clear that DSG's own information assurance accreditation was in need of urgent review. Consequently, an additional step of updating the information security cases had to be introduced into the project while maintaining the implementation schedule; this required a significant resource review and realignment.
- To maintain commercial confidentiality between a number of different third-party suppliers, it was necessary for AMDS Consultants Ltd to keep compartmentalised records of the commercially sensitive information needed to achieve the project's outcomes. As an organisation, therefore, we had to engender confidence that any sensitive information would be handled with all the necessary care and attention and that only essential disclosures would be made.
All of the project goals were achieved, and specific documentary or accreditation milestones were delivered on schedule. The SWG was a successful vehicle for the progress of all risk mitigation and removal conducted during the project, as well as for establishing organisational credibility in an information assurance context for both the new commercial owner and the systems transferred from DSG.
In addition to the contracted services and milestones, we continued to provide support to the sales process and delivered regular point briefs ahead of major meetings within all customer, stakeholder and supplier organisations in the transaction chain.
As with the previous engagement, the feedback from the customer was excellent, indicating that we had met and exceeded his expectations in respect of the delivered outcomes and the flexible, responsive and effective support we provided throughout the sales process.
Summarised below are the principal lessons from the project. Because of its classified nature, certain of the lessons and findings from the project cannot be published in an open forum. Consequently, the lessons below are generic.
- Maintaining the currency, accuracy, accessibility and usability of information assurance records is an essential component of securing information systems.
- The level of acceptable risk must be treated as a dynamic metric that requires management intervention, data collection and intelligent application throughout a programme.