Guidance

Reducing Cyber Risk Across Defence: Competition Document

Updated 5 October 2023

1. Introduction

This Defence and Security Accelerator (DASA) competition is funded by the Cyber Resilience Programme (CRP) in Defence Digital, a part of Strategic Command. It seeks proposals that will help to quantify and reduce the cyber risk across Defence, enhance digital resilience and enable Defence to be secure by default.

In response to operational demands, military networks and systems are becoming more complex and interconnected, both internally and with allies, and with commercial and civilian infrastructure. The Defence Enterprise is an expansive, diverse and continually changing construct with a large integrated network of cyber technologies, many of which are legacy. In parallel, attacks are becoming more sophisticated, with potentially more impact on military operations. 

The risk of cyber-attack is amongst the highest that is managed by the Defence Board and it requires a collective response to address it. Becoming cyber resilient is the first challenging milestone. Remaining resilient will require constant appraisal of our adversaries and ourselves. We are not alone in developing and exploiting technologies and will need to work together across industry, Government, Allies and Partners to maximise our collective capabilities.

The Cyber Resilience Programme seeks to address the need to build a cyber-resilient Defence, in accordance with the Cyber Resilience Strategy for Defence, and comprises four themes:

  • Awareness, Behaviour and Culture
  • Resilient by Design
  • Secure Digital Foundations
  • Cyber Vulnerability Fixes

Technology that supports Defence in building cyber resilience is a crucial element of achieving the vision. An ability to constantly assess risk and continuously assure capabilities will inform Defence’s cyber resilience priorities and drive focus to the right places. Defence will also need to have the tools that enable both prevention, and rapid recovery, in the face of disruption from adversaries. Defence also recognises the need to adopt tools that enable adaptable approaches in response to persistently evolving threats.

This competition is part of a broader suite of activity undertaken by the Cyber Resilience Programme that engages industry, academia, partners and allies to build military capabilities with inherent resilience.

This themed competition differs from previous cyber-related Innovation Focus Areas (IFAs). It is distinct in its focus on making resilience integral to design. This competition seeks to reduce inherent risk by building resilient technologies rather than seeking mitigations or responses to risks and issues. This competition is also domain and scenario agnostic, seeking solutions that could be of benefit in any area of defence.

2. Competition key information

2.1 Submission deadline

Midday (GMT) on 31 October 2023

2.2 Where do I submit my proposal?

Via the DASA Online Submission Service for which you will require an account. Only proposals submitted through the DASA Online Submission Service will be accepted.

2.3 Total funding available

The total possible funding available for this competition is £880K (excluding VAT).
This competition is looking to fund up to 5 proposals.

Additional funding for further phases to increase Technology Readiness Level (TRL) may be available. If there is a future phase, it will be open to applications from all innovators and not just those that submitted successful bids in Phase 1.

3. Supporting events

3.1 Dial-in sessions

19 September 2023 – A dial-in session providing further detail on the problem space and a chance to ask questions in an open forum. If you would like to participate, please register on the Eventbrite page.

20 September 2023 and 21 September 2023 – A series of 20 minute one-to-one teleconference sessions, giving you the opportunity to ask specific questions. If you would like to participate, please register on the Eventbrite page by clicking on the preferred date. Booking is on a first come first served basis.

4. Competition Scope

4.1 Background:

The risk of cyber-attack is amongst the highest that is managed by the Defence Board and requires a collective response to address it. Reducing the risk is accomplished by increasing Cyber Resilience, which is defined by NIST as being ‘the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources’.

Defence currently aims to reduce its cyber risk through the Defensive Cyber Programmes, one of which is the Cyber Resilience Programme (CRP). CRP focuses on the National Institute of Standards and Technology (NIST) functions identify, protect, and recover, and aims to reduce cyber risk through its seventeen projects split into four main themes:

  • Secure Digital Foundations
  • Resilient by Design
  • Cyber Vulnerability Fixes
  • Awareness, Behaviour & Culture

The Cyber Resilience Strategy for Defence states one central aim: for Defence’s critical functions to be significantly hardened to cyber-attack by 2026, with all of Defence’s organisations resilient to known vulnerabilities and attack methods no later than 2030. This strategy aligns with and supports the National Cyber Strategy and the Government Cyber Security Strategy and is the driving force behind Defence’s objectives to reduce cyber risk.

Experimentation, research, and innovation is described in the Cyber Resilience Strategy as a strategic priority for Defence. Defence recognises that, to ensure we stay ahead of the developing cyber threats, we must embrace innovation and collaborate with industry partners.

5. Scope:

5.1 This competition seeks:

  • Novel tools that strengthen digital resilience across defence
  • Novel approaches that enable security by default
  • Novel ways to quantify Operational Technology risk

This competition is interested in innovation projects that will deliver outputs at Technology Readiness Level (TRL) 6 – technology model or prototype demonstration in a relevant environment.

We require solutions to be delivered in a form which can be integrated within a broader enterprise of Information Technology, Operational Technology, networks and systems, encompassing both military and civilian technology.

In the challenges below we are particularly interested in ideas tailored towards Defence-specific use-cases. Although MOD has many systems and networks that look similar to those of other departments and industries, military platforms and the need to operate in harsh environments that may be controlled by an adversary may require different approaches, considerations and technical solutions.

6. Competition Challenges

This competition has three challenges.

6.1 Challenge 1: Digital Resilience

Lack of Cyber Security and Resilience is a major risk that Defence holds. Defence must prioritise digital resilience and obsolescence remediation and all future capabilities must be Resilient by Design. Defence has started its resilience journey by mandating a Secure by Design approach to new systems and there are other activities like Cyber Attack Recovery Planning that have developed a framework, but have not yet rolled it out across Defence.

However, these initiatives are Cyber related and Digital Resilience is broader than that. Defence needs to be more innovative in its approach to digital resilience, both for new systems being developed and for those that are operational.

This competition is seeking innovative ways to strengthen digital resilience across Defence. Examples of these capabilities may include:

  • Tools to help Defence understand the resilience risk that we face across a large and complex organisation, so that we can prioritise mitigation efforts. For example, tools that will stress test an application, system or network to identify areas of weakness, or tools that can simulate attacks or failures.
  • Technology to mitigate the resilience risk in new systems and networks, and for those that are already in service. This includes ways to reduce the likelihood of a failure as well as ways to reduce the impact of any failure if it happens e.g. fail safe architecture design and implementation tools.

6.2 Challenge 2: Secure by Default

Defence is currently in the process of moving away from accreditation, ensuring cyber security is at the forefront from the outset through a Secure by Design approach. Defence needs to understand what the future looks like for cyber security and needs to think about the successor to Secure by Design – Secure by Default.

The NCSC defines it in this way: Secure by Default is about taking a holistic approach to solving security problems at root cause rather than treating the symptoms; acting at scale to reduce the overall harm to a particular system or type of component. Secure by Default covers the long-term technical effort to ensure that the right security primitives are built in to software and hardware. It also covers the equally demanding task of ensuring that those primitives are available and usable in such a way that the market can readily adopt them.

This competition is seeking to develop capability to enable Secure by Default approaches to be implemented in the future, for Defence and its industry partners. We are looking for research activities (preferably specifically for a large defence organisation and its supply chain) that will investigate tools and approaches which support the implementation of a Secure by Default approach. Examples of these capabilities may include:

  • Tools that support the development of software and/or hardware that is intrinsically Secure by Default
  • Tools that support the verification of Secure by Default for the purchaser of such capabilities.

6.3 Challenge 3: Quantifying Operational Technology Risk

Defence has been largely focused on its Information Technology (IT) risk – how to quantify it, manage it, and mitigate it. However, the Cyber Security & Resilience risk that Defence holds includes both IT and Operational Technology (OT) risk.

Defence has a broad and complex OT estate that includes Military platforms (e.g. planes, ships) as well as enabling systems (e.g. fuel supply, building management systems). The threat to OT systems is greater than it has ever been and is growing at an alarming pace. To manage the OT risk that Defence holds, Defence first needs to understand the scale of its OT across the enterprise, the threats and vulnerabilities associated with it and the possible impact of a successful cyber-attack.

This competition is seeking innovative ways to quantify OT cyber risk across Defence. Proposals need to be able to work in an operational environment or in some way take operational scenarios into account. Examples of these capabilities may include:

  • Tools that automate aspects of OT risk discovery
  • Technology to enable analysis of OT risk data to prioritise areas of greatest weakness
  • Capability to remediate identified OT risks and reduce the associated vulnerability

6.4 We are interested in…

We want novel ideas to benefit UK Defence and Security. Your proposal should address one of the three challenges and include evidence of:

  • Innovation – we are not looking for proposals that provide solutions that are already commercial products.
  • Clear demonstration of how the proposed work applies to any defence and security context
  • The ability to scale across the entire Defence enterprise.
  • The initial and target TRLs for the project.

6.5 We are not interested in…

We are not interested in proposals that:

  • Are effective, but are exquisite, need highly technical operators, are expensive, or cannot be scaled.
  • Offer no real prospect of out-competing existing technological solutions.
  • Offer no real long-term prospect of integration into defence and security capabilities.
  • Are an unsolicited resubmission of a previous DASA bid.
  • Constitute consultancy, paper-based studies or literature reviews which just summarise the existing literature.
  • Show no awareness of the contemporary military operating environment.
  • Come from suppliers who will not be prepared to develop and integrate their solution cooperatively with users and other small and medium enterprises.

7. Accelerating and exploiting your innovation

It is important that over the lifetime of DASA competitions, ideas are matured and accelerated towards appropriate end-users to enhance capability. How long this takes will depend on the nature and starting point of the innovation.

7.1 A clear route for exploitation

For DASA to consider routes for exploitation, ensure your deliverables are designed with the aim of making it as easy as possible for collaborators/stakeholders to identify the innovative elements of your proposal.

Whilst DASA recognises that early identification and engagement with potential end users during the competition and subsequent phases are essential to implementing an exploitation plan, during the competition phase there should be no correspondence between suppliers and DASA other than via the DASA helpdesk email at accelerator@dstl.gov.uk, or their local Innovation Partner.

All proposals to DASA should articulate the expected development in technology maturity of the potential solution over the lifetime of the contract and how this relates to improved capability against the current known (or presumed) baseline.

7.2 How to outline your exploitation plan

A higher technology maturity is expected in subsequent phases. Include the following information to help the assessors understand your exploitation plans to date:

  • the intended defence or security users of your final product and whether you have previously engaged with them, their procurement arm or their research and development arm
  • awareness of, and alignment to, any existing end user procurement programmes
  • the anticipated benefits (for example, in cost, time, improved capability) that your solution will provide to the user
  • whether it is likely to be a standalone product or integrated with other technologies or platforms
  • expected additional work required beyond the end of the contract to develop an operationally deployable commercial product (for example, “scaling up” for manufacture, cyber security, integration with existing technologies, environmental operating conditions)
  • additional future applications and wider markets for exploitation
  • wider collaborations and networks you have already developed or any additional relationships you see as a requirement to support exploitation
  • how your product could be tested in a representative environment in later phases
  • any specific legal, ethical, commercial or regulatory considerations for exploitation

7.3 Is your exploitation plan long term?

Long term studies may not be able to articulate exploitation in great detail, but it should be clear that there is credible advantage to be gained from the technology development.

Include project specific information which will help exploitation. This competition is being carried out as part of a wider MOD programme and with cognisance of cross-Government initiatives. We may collaborate with organisations outside of the UK Government and this may provide the opportunity to carry out international trials and demonstrations in the future.

8. How to apply

8.1 Submission deadline

Midday (GMT) on 31 October 2023

8.2 Where do I submit my proposal?

Via the DASA Online Submission Service for which you will be required to register.

Only proposals submitted through the DASA Online Submission Service will be accepted.

8.3 Total funding available

The total funding available for Phase 1 of this competition is £880K (excluding VAT).

8.4 How many proposals will DASA fund

Additional funding for further phases to increase TRL may be available. Any further phases will be open to applications from all innovators and not just those that submitted Phase 1 bids.

8.5 For further guidance

Click here for more information on our competition process and how your proposal is assessed.

Queries should be sent to the DASA Help Centre – accelerator@dstl.gov.uk.

9. What your proposal must include

  • the proposal should focus on the Phase 1 requirements but must also include a brief (uncosted) outline of the next stages of work required for commercial exploitation
  • when submitting a proposal, you must complete all sections of the online form, including an appropriate level of technical information to allow assessment of the bid and a completed finances section
  • completed proposals must comply with the financial rules set for this competition. The upper-limit for this competition is £880K (excluding VAT). Proposals will be rejected if the financial cost exceeds this capped level
  • you must include a list of other current or recent government funding you may have received in this area if appropriate, making it clear how this proposal differs from this work
  • a project plan with clear milestones and deliverables must be provided. Deliverables must be well defined and designed to provide evidence of progress against the project plan and the end-point for this phase; they must include a final report
  • you should also plan for attendance at a kick-off meeting at the start of Phase 1, a mid-project event and an end of project event at the end of Phase 1, as well as regular reviews with the appointed Technical Partner and Project Manager; all meetings will be in the UK. Meetings may also take place virtually.
  • your proposal must demonstrate how you will complete all activities/services and provide all deliverables within the competition timescales (maximum contract length of 9 months). Proposals with any deliverables (including final report) outside the competition timeline will be rejected as non-compliant
  • a technical deliverable or milestone to be delivered no later than 31st March 2024

10. What your resourcing plan should include

Your resourcing plan must identify, where possible, the nationalities of proposed employees that you intend to work on this phase.

In the event of a proposal being recommended for funding, the DASA reserves the right to undertake due diligence checks including the clearance of proposed employees.

Please note that this process will take as long as necessary and could take up to 6 weeks in some cases for non-UK nationals.

You must identify any ethical / legal / regulatory factors within your proposal and how the associated risks will be managed, including break points in the project if approvals are not received.

MODREC approvals can take up to 5 months therefore you should plan your work programme accordingly. If you are unsure if your proposal will need to apply for MODREC approval, then please refer to the MODREC Guidance for Suppliers or contact your Innovation Partner for further guidance.

Requirements for access to Government Furnished Assets (GFA), for example, information, equipment, materials and facilities, may be included in your proposal. DASA cannot guarantee that GFA will be available. If you apply for GFA, you should include an alternative plan in case it is not available.

Failure to provide any of the above listed will automatically render your proposal non-compliant.

11. Export control for overseas partners

All relevant export control regulations will apply if a company ultimately wants to sell a developed solution to a foreign entity. All innovators must ensure that they can obtain, if required, the necessary export licences for their proposals and developments, such that they can be supplied to the UK and other countries. If you cannot confirm that you can gain the requisite licences, your proposal will be sifted out of the competition.
Additionally, if we believe that you will not be able to obtain export clearance, additional checks may be conducted, which may also result in your proposal being sifted out of the competition.

12. Cyber risk assessment

12.1 Supplier Assurance Questionnaire (SAQ)

On receipt of a ‘Fund’ decision, successful suppliers must prove cyber resilience data before the contract is awarded. The start of this process is the submission of a Supplier Assurance Questionnaire (SAQ). The SAQ allows suppliers to demonstrate compliance with the specified risk level and the corresponding profile in Def Stan 05-138, and the level of control required will depend on this risk level.

To expedite the contracting time of successful suppliers we ask all suppliers to complete the SAQ before they submit their proposal. The SAQ can be completed here using the DASA Risk Assessment RAR-148746130, answering the questions for risk level “very low”. In the form, for the contract name please use the competition title and for the contract description please use the title of your proposal.

12.2 Defence Cyber Protection Partnership

The Defence Cyber Protection Partnership (DCPP) will review your SAQ submission and respond with a reference number within 2 working days. The resulting email response from DCPP should be attached (JPG or PNG format) and included within the DASA submission service portal when the proposal is submitted. You will also be asked to enter your SAQ reference number. Please allow enough time to receive the SAQ reference number prior to competition close at Midday (GMT) on 31 October 2023.

If the proposal is being funded, the SAQ will be evaluated against the CRA for the competition, and it will be put into one of the following categories:

  1. Compliant – no further action
  2. Not compliant – if successful in competition and being funded, the innovator will be required to complete a Cyber Implementation Plan (CIP) before the contract is placed, which will need to be reviewed and agreed with the relevant project manager

Innovators can enter a proposal without all controls in place, but are expected to have all the cyber protection measures necessary to fulfil the requirements of the contract in place at the time of contract award, or have an agreed Cyber Implementation Plan (CIP).

The CIP provides evidence as to how and when potential innovators will achieve compliance. Provided the measures proposed in the Cyber Implementation Plan do not pose an unacceptable risk to the MOD, a submission with a Cyber Implementation Plan will be considered alongside those who can achieve the controls. A final check will be made to ensure cyber resilience before the contract is placed. Commercial staff cannot progress without it. This process does not replace any contract specific security requirements.

Additional information about cyber security can be found at: DCPP: Cyber Security Model industry buyer and supplier guide.

13. Public facing information

When submitting your proposal, you will be required to include a title and a short abstract. The title and abstract you provide will be used by DASA, and other government departments, to describe your project and its intended outcomes and benefits. They may be included at DASA events in relation to this competition and in documentation such as brochures. The proposal title will be published in the DASA transparency data on GOV.UK, along with your company name, the amount of funding, and the start and end dates of your contract. As this information can be shared, it should not contain information that may compromise intellectual property.

14. How your proposal will be assessed

At Stage 1, all proposals will be checked for compliance with the competition document and may be rejected before full assessment if they do not comply. Only those proposals that demonstrate compliance against the competition scope and DASA mandatory criteria will be taken forward to full assessment.

14.1 Mandatory Criteria

  • The proposal outlines how it meets the scope of the competition – Within scope (Pass) / Out of scope (Fail)
  • The proposal fully explains in all three sections of the DASA submission service how it meets the DASA criteria – Pass / Fail
  • The proposal clearly details a financial plan, a project plan and a resourcing plan to complete the work proposed in Phase 1, including a technical deliverable or milestone to be delivered no later than 31st March 2024 – Pass / Fail
  • The proposal identifies the need (or not) for MODREC approval – Pass / Fail
  • The proposal identifies any GFA required for Phase 1 – Pass / Fail
  • The proposal demonstrates how all research and development activities / services (including delivery of the final report) will be completed within 9 months from award of contract (or less) – Pass / Fail
  • The bidder has obtained the authority to provide unqualified acceptance of the terms and conditions of the Contract – Pass / Fail

Proposals that pass Stage 1 will then be assessed against the standard DASA assessment criteria (Desirability, Feasibility and Viability) by subject matter experts from the MOD (including Dstl), other government departments and the front-line military commands. You will not have the opportunity to view or comment on assessors’ recommendations.

DASA reserves the right to disclose on a confidential basis any information it receives from innovators during the procurement process (including information identified by the innovator as Commercially Sensitive Information in accordance with the provisions of this competition) to any third party engaged by DASA for the specific purpose of evaluating or assisting DASA in the evaluation of the innovator’s proposal. In providing such information the innovator consents to such disclosure. Appropriate confidentiality agreements will be put in place.

Further guidance on how your proposal is assessed is available on the DASA website.

After assessment, proposals will be discussed internally at a Decision Conference where, based on the assessments, budget and wider strategic considerations, a decision will be made on the proposals that are recommended for funding.

Innovators are not permitted to attend the Decision Conference.

Proposals that are unsuccessful will receive brief feedback after the Decision Conference.

15. Things you should know about DASA contracts:

15.1 DASA terms and conditions

Please read the DASA terms and conditions which contain important information for innovators. For this competition we will be using the Innovation Standard Contract (ISC), links to the contract: Terms and Schedules. We will require unqualified acceptance of the terms and conditions; if applicable, please ensure your commercial department has provided their acceptance.

More information on DEFCON 705 can be found by registering on the Knowledge in Defence site.

Funded projects will be allocated a Project Manager (to run the project) and a Technical Partner (as a technical point of contact). In addition, the DASA team will work with you to support delivery and exploitation including, when appropriate, introductions to end-users and business support to help develop their business.

We will use deliverables from DASA contracts in accordance with our rights detailed in the contract terms and conditions.

For this competition, £880K is currently available to fund proposals. There may be occasions when additional funding may become available to allow us to revisit proposals deemed suitable for funding. Therefore, DASA reserves the right to keep such proposals in reserve. In the event that additional funding becomes available, DASA may ask whether you would still be prepared to undertake the work outlined in your proposal under the same terms.

16. Phase 1 key dates

  • Dial-in – 19 September 2023
  • Pre bookable 1-1 telecom sessions – 20 September 2023 and 21 September 2023
  • Competition closes – Midday (GMT) on 31 October 2023
  • Feedback release – January 2024
  • Contracting – Aim to start February 2024

17. Help: Contact the DASA Help Centre

Competition queries including on process, application, commercial, technical and intellectual property aspects should be sent to the DASA Help Centre at accelerator@dstl.gov.uk, quoting the competition title. If you wish to receive future updates on this competition, please email the DASA Help Centre.

While all reasonable efforts will be made to answer queries, DASA reserves the right to impose management controls if volumes of queries restrict fair access of information to all potential innovators.