Nuclear clean-up agency seeks £2m-a-year partner to help improve cyber-resilience

Written by Sam Trendall on 11 May 2022 in News

Specialist firm sought to help identify areas where security could be bolstered

Credit: Crown Copyright/Open Government Licence v3.0

The government agency charged with cleaning up ageing nuclear facilities is planning to appoint a £2m-a-year commercial partner to help oversee an ongoing initiative to bolster its cybersecurity credentials.

The Nuclear Decommissioning Authority has published a contract notice seeking bids from firms that could provide “assurance” services to its Cyber Security Resilience Programme (CSRP). 

The chosen provider will be asked to “independently assure” work undertaken by the authority to support an “improved cybersecurity posture” throughout the NDA and the four operating companies through which it works: Dounreay; Magnox Ltd; Nuclear Waste Services; Sellafield Ltd. 

The NDA wishes to measure its security infrastructure and practices against the guidelines set out in the Cybersecurity Framework of the US government’s National Institute of Standards and Technology (NIST).

“The NDA requires the supplier to independently assure the capability of the NDA group; this will include a review of all the operating companies using the NIST framework as the baseline standard,” the procurement notice said. “The organisation will be required to identify areas for improvement and areas of good practice and help the NDA and its operating companies to improve their capability in line with the risk appetite set by the NDA board.”

Related content

The successful supplier, which will be paid about £2m a year over the course of a 24-month contract, will work with a 70-strong team – comprised of NDA staff, contractors, and representatives of other suppliers – charged with delivering the cyber resilience project.

This team is based in Cumbria, but “assurance activities” will be required across all 17 former nuclear sites throughout England, Wales and Scotland that the NDA is responsible for cleaning up and decommissioning. The facilities owned and managed by the NDA, which include, Sellafield (pictured above), Hinkley Point A and Sizewell A, began operating as long as 80 years ago, in some cases.

“Due to prior Covid restrictions, previous work has been conducted remotely. However due to restrictions now lifted, face-to-face visits to sites will be required,” the procurement notice said. “During these instances, working arrangements will be agreed with the key stakeholders. The supplier… and [its] key personnel will be expected to be routinely available with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites. There will be a requirement to attend delivery group meetings… [and] deep dive reviews face to face at the request of the CSRP programme lead.”

Bids are open until midnight on 14 May, after which the NDA expects to evaluate up to five suppliers. Its decision will be based approximately 40% on price, 13% of cultural fit, and 47% on technical competence.

The winning bidder is scheduled to a contract beginning around the start of July.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on

Share this page




Please login to post a comment or register for a free account.

Related Articles

ICO hits facial recognition firm with £7.5m fine and order to delete all UK data
25 May 2022

Regulator finds that collection of online images was not fair, transparent or lawful

DfE retains security provider for cyber incident response in £500k deal
25 May 2022

Department signs contract with defence contractor BAE

Boardrooms ‘lack understanding of cybersecurity’, government report finds
5 May 2022

An annual study has identified core technical and incident-response skills gaps

Government puts £25m into ‘elite fraud squad’ to use data and tech to collar Covid criminals
29 April 2022

Chancellor unveils unit that will pursue those who defrauded government of an estimated £5bn during the pandemic