SBRI Quantifying Insider Risk based on Public Information (Phase 1)

A Tender Notice
by CABINET OFFICE

Source: Contracts Finder
Type: Contract (Services)
Duration: 2 month
Value: £50K-£250K
Sector: TECHNOLOGY
Published: 03 Feb 2021
Delivery: 08 Mar 2021 to 03 May 2021
Deadline: 17 Feb 2021 17:00

Description

Problem Statement

The Government Chief Security Officer Dominic Fortescue launched the Vetting Transformation Programme in October 2020. National security vetting, though comprehensive, needs to become more agile, flexible and consistent to mitigate insider risk effectively for staff in especially sensitive roles that require security clearance. "Insider risk" is defined as someone who knowingly or unknowingly misuses legitimate access to sensitive information, equipment or locations to commit a malicious act or damage the reputation of their employer.

We are looking to learn how we can better use public information to quantify potential insider risk for existing and prospective employees as part of national security vetting. We would like to assess the extent to which enhanced open source online content provides relevant, unique, legally compliant and potentially actionable information for people risk management purposes. We will do this by prototyping systems that collect, analyse and present this data to users and/or to application programming interfaces (APIs).

We would like your feasibility study to demonstrate some or all of the following:

  • Your access to public data sources;
  • Your ability to resolve public digital identities of subjects across platforms;
  • Options for a combination of usable user interfaces and APIs to be directly consumed by a case management system;
  • Options for role-based access control and integration with Single Sign On (SSO);
  • The ability to filter personal information related to protected characteristics such as sexual orientation, gender identity or demographics;
  • The explainability of machine-based determinations of risk;
  • Processes for applying human judgement in assessing and evaluating machine-scored risks;
  • The potential of your solution to support rapid workflows at scale.

Key User Need

Based on the public information found about an applicant or employee, the user needs to decide which categories of risk to apply to their assessment, guided by machine-scored risks and summarised public information. These risk categories include unintentional or non-malicious risk. For example, open sources might indicate that an employee may be experiencing alcohol, drug or other serious life stressors that could potentially affect their workplace reliability and wellbeing. Our users need to be legally compliant and acting in accordance with public policy as they make these determinations.

Who is Eligible

Applicants must be legal entities with strong ties to the UK. The contract that will be signed is a non-negotiable pre-market procurement instrument used in other SBRI competitions. Small businesses and woman- and ethnic minority-owned businesses are particularly encouraged to apply.

CPV Codes

  • 72212730 - Security software development services

Indicators

  • Contract is suitable for SMEs.
  • Contract is suitable for VCOs.

Other Information

Contract Structure

The overall programme will be delivered over two phases; this contract is for the first phase. Up to £250,000 (including VAT) is allocated to phase one of the competition, with potentially a number of simultaneous technical feasibility study contracts awarded of up to £50,000k (including VAT) per project for up to 8 weeks. Phase two will award research and development contracts to Phase one project partners to develop prototypes and undertake field-testing. We target awarding up to two phase two contracts of up to £150,000 each (including VAT) for up to 12 months of research, development and prototyping.

Phase one will focus on the assessment of the individual mechanisms (e.g. identity resolution) that make up the total capability. Suppliers may wish to use synthetic, random or anonymised data to present their results. In phase two we will provide personally identifiable information (PII) from a subset of our population to the two successful vendors in order to assess the validity and reliability of their overall capability.

The contract will terminate at the end of Phase two, and the chosen business will be expected to pursue commercialisation of their solution. Suppliers will retain intellectual property developed during the contract, but foreground and necessary background IP to exploit the solution must be available to license on equitable, non-royalty terms by the government.

  • Vetting transformation overview: https://www.gov.uk/government/news/we-are-transforming-vetting
  • What is vetting: https://www.gov.uk/government/publications/vetting-explained-and-our-vetting-cha...
  • Vetting Charter: https://www.gov.uk/government/publications/vetting-explained-and-our-vetting-cha...

  • SBRI_CO_PAEI_007_1 Authority Contract V1.0.docx
  • SBRI_CO_PAEI_410_001_1 Invitation to Tender_v1.0.docx
  • SBRI_CO_PAEI_410_002_1 Brief Template_v1.0.docx
  • SBRI_CO_PAEI_410_003_1 Guidance Notes_v1.0.docx
  • SBRI_CO_PAEI_410_004_1 Application Form_v1.0.docx
  • SBRI_CO_PAEI_410_005_1 FAQs_v1.0.docx
  • SBRI_CO_PAEI_410_008_1 Assessor Guidance_v1.0.docx
