HMRC has £7.5m available for help scanning, patching, hardening its IT

Let Nessus be your friend. Try not to break any CNI...

HMRC is looking for a partner to improve its cybersecurity – including vulnerability scanning, patching, hardening and making sure ~60 services start running with Transport Layer Security (TLS).

The UK’s tax, payments, and customs authority’s new “cyber remediation” contract is worth up to £7.5 million. It will run from April 2023 to March 2025. Proposals need to be in by December 5, 2022.

HMRC emphasised that many of its services are critical national infrastructure (CNI). These include Real Time Information (RTI), New Tax Credits (NTC) and National Insurance and PAYE Service (NPS).

Officials said in a contract notice that the contract will help deliver “enterprise-wide security improvements and support strategic planning and delivery activities (transformational, remediatory and enabling).”

HMRC cybersecurity contract: What’s needed?

The Cyber Remediation and Cyber Operations Projects (for which partners are being sought) aim to “deliver risk mitigation by remediating known vulnerabilities across our systems and services through the application of patches, configuration changes and encryption, additional access and session monitoring controls as well as strengthening networks/vulnerability assessment security controls/assurance,” officials said.

They also aim to “enhance HMRC’s capability to mitigate, detect and respond” to security threats.

See also: HMRC tees up £4.5 billion “DALAS” framework

HMRC wants:

  • 135 Services scanned, patched and hardened
  • 60 services to get Transport Layer Security (TLS)
  • 30 services to get Transparent Data Encryption
  • 15 services to get WebLogic and Java updates (to v10.3.6 and v1.7 respectively)
  • Implementation of Oracle Key Vault on to the HMRC Estate
  • Deployment of Skybox onto the HMRC Estate
  • Onboarding and implementation of Tenable vulnerability scanning

Many if not all of these will require close coordination with incumbent suppliers. The HMRC cybersecurity contract will also involve “significant Programme/Project Management type activities co-ordinating delivery management and assurance working with internal HMRC delivery groups and IT suppliers.”

The contract notice comes as HMRC has promised to “deliver a step change in how HMRC delivers IT, works with IT suppliers to procure and utilise technology, and how we work more broadly as an organisation”, under a new Technology Sourcing Programme for £900 million in annual IT run and change spend.

See: Daljit Rehal, CDIO, HMRC, on Raspberry Pis, unstructured data, leadership