MoD appoints £2m cyber specialist to test Army IT vulnerabilities

Written by Sam Trendall on 23 September 2022 in News

Firm will be asked to assess existing and new tech platforms 

Credit: PxHere

The Ministry of Defence has awarded a potential £2m contract to a specialist supplier that will be tasked with testing for cyber vulnerabilities in the Army’s IT infrastructure and applications.

The deal, which comes into effect on 1 October, covers the provision of “code-assisted vulnerability assessments and penetration testing security assessments on both new and in-service applications [and] infrastructure”, according to newly published commercial information. 

These assessments relate to the infrastructure of two hosting facilities run by the Army Digital Services unit – the Joint Server Farm (JSF) and the Army Hosting Environment (AHE) – and all data and programs stored in each.

The JSF contains only information classified at the government's lowest-grade ‘Official’ status and can be accessed from any internet-connected computer via the Defence Gateway online login system.

The AHE, meanwhile, hosts data up to ‘Secret’ classification and other sensitive information. A breach of this environment “could not only be damaging to the Army's reputation, it could jeopardise potential operations [and] could also incur fines from the Information Commissioner”, according to the contract award notice.

Related content

“An attack to disrupt any of the services ADS provides would significantly erode the Army's ability to operate, as many of the systems support day-to-day activities and processes,” it added. “It is, therefore, imperative that vulnerabilities are identified and remedied/mitigated to reduce the risk of these occurrences.”

To help ensure the security of all storage facilities and the data they house, Manchester-based cybersecurity consultancy NCC Group will, over the next two years, be asked to perform a variety of vulnerability assessments and penetration-testing exercises.

“[These] security assessments… are used to identify vulnerabilities in code and infrastructure – networks, servers, operating systems and applications – that could potentially be exploited,” the procurement notice said. “Attackers can be hackers trying to gain access into our network or systems, state sponsored activists or an insider threat. They will aim to either extract information that is held on applications and hosting environments or cause extensive disruption to services.”

All new applications that will be run from either the JSF or AHE environment will be required to undergo a vulnerability assessment, the MoD indicated. 

“Existing applications, hosting environments and platforms must be [assess] on a rolling programme to ensure any changes do not increase vulnerability and potential for being attacked,” it added.

The engagement with NCC will run for an initial term of two years, with a baseline value of £459,000 – plus up to £1.5m extra to be spent on an ad hoc basis. Upon its conclusion on 30 September 2024, the deal can be extended for a further year at the MoD’s discretion.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on

Share this page




Please login to post a comment or register for a free account.

Related Articles

EXCL: Government red team security unit to test departmental defences with hostile reconnaissance
2 December 2022

Specialist supplier will support in searching – and then attempting to take advantage of – ‘vulnerabilities and exploitable information’

Foreign Office signs £7.5m two-year deal to support cyber transformation
12 October 2022

Department signs deal with defence contractor

MoD brings in Amazon to boost tech skills of Armed Forces leaders
30 November 2022

Ministry claims that MoU is a first-of-its-kind deal

Scottish Prison Service doubles digital team
28 November 2022

Organisation has also made significant use of contractors