The Ministry of Defence has awarded a potential £2m contract to a specialist supplier that will be tasked with testing for cyber vulnerabilities in the Army’s IT infrastructure and applications.
The deal, which comes into effect on 1 October, covers the provision of “code-assisted vulnerability assessments and penetration testing security assessments on both new and in-service applications [and] infrastructure”, according to newly published commercial information.
These assessments relate to the infrastructure of two hosting facilities run by the Army Digital Services unit – the Joint Server Farm (JSF) and the Army Hosting Environment (AHE) – and all data and programs stored in each.
The JSF contains only information classified at the government’s lowest-grade ‘Official’ status and can be accessed from any internet-connected computer via the Defence Gateway online login system.
The AHE, meanwhile, hosts data up to ‘Secret’ classification and other sensitive information. A breach of this environment “could not only be damaging to the Army’s reputation, it could jeopardise potential operations [and] could also incur fines from the Information Commissioner”, according to the contract award notice.
“An attack to disrupt any of the services ADS provides would significantly erode the Army’s ability to operate, as many of the systems support day-to-day activities and processes,” it added. “It is, therefore, imperative that vulnerabilities are identified and remedied/mitigated to reduce the risk of these occurrences.”
To help ensure the security of all storage facilities and the data they house, Manchester-based cybersecurity consultancy NCC Group will, over the next two years, be asked to perform a variety of vulnerability assessments and penetration-testing exercises.
“[These] security assessments… are used to identify vulnerabilities in code and infrastructure – networks, servers, operating systems and applications – that could potentially be exploited,” the procurement notice said. “Attackers can be hackers trying to gain access into our network or systems, state-sponsored activists or an insider threat. They will aim to either extract information that is held on applications and hosting environments or cause extensive disruption to services.”
All new applications that will be run from either the JSF or AHE environment will be required to undergo a vulnerability assessment, the MoD indicated.
“Existing applications, hosting environments and platforms must be [assessed] on a rolling programme to ensure any changes do not increase vulnerability and potential for being attacked,” it added.
The engagement with NCC will run for an initial term of two years, with a baseline value of £459,000 – plus up to £1.5m extra to be spent on an ad hoc basis. Upon its conclusion on 30 September 2024, the deal can be extended for a further year at the MoD’s discretion.