Attachment B-3, Evaluation
Value for Money Details
Contract Change Note 050R1, (CCN050R1)
IDENT1-LANTERN Service Expansion—User Authentication
CCN Name: IDENT1-LANTERN Service Expansion
CCN Number: CCN050R1
CCN Date: 31 March 2008
DESCRIPTION
Capability Summary Benefits:
This Contract Change Note 050R1 (CCN050R1) proposes the price for deployment and support
of IDENT1 LANTERN Service Expansion with user level authentication. This attachment
describes the value for money from the addition of user authentication to the security solution as
requested by the Authority. The proposed approach provides strong security through the
implementation of a public key infrastructure (PKI), biometric tokens for each user,
administration of users and devices, and mobility expansion for improved secure
communications. The capabilities and approach for user authentication are more fully set out in
Attachment B-1, Description, IDENT1 LANTERN Service Expansion. The introduction of the
user authentication, with its associated infrastructure support, provides significant contributions
to securing efficiency gains for the Forces, in support of Government strategies and
requirements, such as:
• The devices can more easily be moved between officers, with authentication, and thus the
device is back on the street when officers are tied up with an arrest. This multi-use of
device and technology is a powerful combination.
• The use of expanded Lantern service devices will contribute to reduced bureaucracy in
relation to some “stop and search” cases
• The new functionality will be capable of supporting the Flanagan Report recommendations
and in particular it reduces bureaucracy by reducing the need for paper, but still creating
an audit trail.
• There will be new uses developed for these Lantern devices as their availability is
expanded, with particular application to high profile, national security activities.
User benefits:
The purpose and objective of the LANTERN project is to provide police with portable fingerprint
capture and search results from the Unified National Collection at the point of decision. It
features:
• Efficient capture of fingerprint details suitable for identifying an individual in an
operational environment;
• Real-time searching of the unified fingerprint collection held on IDENT1 with fast
responses to aid officers in their decision for arrest.
LANTERN saves police officers time by quickly identifying persons of interest at the location
where they are encountered, thereby avoiding unnecessary arrests to establish identity. As a
result, officers are able to immediately continue on patrol without interruption. LANTERN
fingerprint identifications also enhance officer safety by aiding in the recognition of evasion or
falsification of identities by fugitives or other dangerous persons. Anecdotal observation
indicates that the mere presence of the LANTERN capability may actually have the effect of
inhibiting deceptive behaviour. These time saving and officer safety benefits have convinced
Forces not involved in the pilot to request LANTERN services for such uses as: ANPR,
anti-terrorism, drug-related crime, street offences, security at public events, fixed penalty tickets,
warrants, and more.
CCN014R2 “LANTERN Pilot Phase 2–Implementation Phase” and the follow-on extension of
pilot service CCN014R2A proved the viability of the LANTERN Concept of Operations, including
its operational human-computer interface and the interface with Central facilities housing the
fingerprint collection. It validated the technical approach and business case for LANTERN
through the operations of ten (10) pilot Forces equipped with one-hundred (100) hand-held
Mobile Fingerprint Readers (MFRs), and assessed workload implications for the fingerprint
matching capacity.
Based on positive user feedback concerning usability of the solution and validation of the
business process model, an expansion of the scale of the pilot was undertaken and is being
implemented under CCN040. Taking into account the fingerprint matching capacity
requirements for a larger operational deployment of LANTERN, the pilot expansion is doubling
the number of MFRs to two-hundred (200), and deploying them to an additional ten Forces for a
total of twenty (20).
Security for both phases of the pilot was limited to the authentication at the MFR level. Anyone
with an MFR and the necessary PINs/passwords could anonymously submit a search. Security
was highly reliant on physical control of MFR possession. The IDENT1-LANTERN Service
Expansion not only deploys a greater number of MFRs to a greater number of users, but also
handles additional data that mandates more stringent security measures (PNC Warning Flags).
Therefore, the security of LANTERN has been tightened to require user-level authentication,
which assures that the MFR user is of known identity, has a valid certificate to access the
service, and has a role defined that permits the requested operations. User-level authentication
also ensures that each message from a user is effectively signed with that user’s certificate,
enabling tracing/tracking of each transaction to its user, ensuring response only to the bona fide
user, and prohibiting repudiation.
The features required for LANTERN operation have been previously developed under the
aforementioned pilot (CCN014R2). The proposed IDENT1-LANTERN Service Expansion
makes full use of the existing baseline of capabilities, refining them to ensure robust operation
on a larger scale, and expanding their use to a larger user community. In response to the newly
defined security requirements, this proposal includes added efforts to implement and support
user-level authentication including the following components:
• Biometric tokens to authenticate individual users
• Centralised PKI management to keep track of all necessary data on individual users and
integrate the operation with IDENT1 Identity Management
• Administrator Workstations distributed at the Force level to support user-level authentication
functions and associated devices (MFRs and bio-tokens)
© NPIA (National Policing Improvement Agency)
• Mobility Expansion for improved communications reliability and speed, consistent with the
user level authentication security, with flexibility to be compatible with foreseeable future
needs. Makes customer furnished Aventail VPN software from SRAS unnecessary.
• Credant Mobile Guardian clients for the MFRs and CMG policy server. Makes customer
furnished CMG software from SRAS unnecessary.
The PKI and the mobility solution together offer a much cleaner path to more general uses of
LANTERN services where mobility is necessary (e.g., for British Transport Police, Borders and
Immigration Agency, special events such as festivals or Olympics, CRB checks and other high
profile missions). With certificate-based authentication and secure Internet access, authorised
users could use the LANTERN service and be billed on a per-use basis over the same
infrastructure. This potential expansion of services, as a matter of policy and practice, further
enhances gains.
This CCN sets up the entire security infrastructure. The cost of adding additional users is not
proportional, but is substantially less; i.e., the cost of a certificate license and the credential that
holds it.
User-level authentication provides a significant benefit for LANTERN by upgrading the security
solution from device-based authentication, as delivered in the pilot, to user-level authentication,
where all users have unique and authenticated identities that follow them to any MFR to which
they are assigned.
PRICING (BASIS OF ESTIMATE)
The scope of services covered by the User Authentication part of this proposal includes
implementation of the features described above and operating them in support of LANTERN
user authentication for a period ending three (3) years from start of the contract. Extensions
beyond the period of performance will be provided through the change control process upon the
Authority’s request.
Northrop Grumman has designed its commercial offer with separate pricing for the User
Authentication costs, as they represent a substantial addition to the balance of the offer
covering services and MFRs. The approach separates the costs into two categories:
• fixed cost—not dependent on MFR quantity
• variable costs—dependent on quantity of MFRs and service
Northrop Grumman provides full project activities, independent of MFR quantity, for technical
engineering, development, and program management to support the IDENT1-LANTERN
Service Expansion implementation and operation of user authentication over the contract term.
The majority of these activities will be expended in the first year to implement the capability and
get it accredited. A majority effort associated with User Authentication is independent of MFR
quantity and is therefore fixed rather than variable. The number of users, and has been fixed
by the Authority at 12,000 for this CCN. The solution is readily scalable, hence any increases in
the number of users will be handled under Change Control upon request by the Authority.
Northrop Grumman will also operate the user authentication support services provided to
ensure successful LANTERN operations. These include Service Desk incident response /
management and trouble ticket escalation needed to resolve incidents arising from user
authentication operation.
Whilst this is a separate set of incidents and tickets from those pertaining to MFRs and
LANTERN Central functions, they are handled in a coordinated fashion to share Remedy,
staffing, and other resources, where appropriate. Through Northrop Grumman and its suppliers,
support services related to user authentication operations are fully integrated into an expanded
IDENT1 Service Desk providing 24×7 support at Level 2. Additional resource is also allocated
to Level 3 support (the Technical Development team). Operations and maintenance are
provided from the start of deployment through the end of the contract term.
Changes to the Cable and Wireless (C&W) role are included based on the User Authentication
approach and mobility expansion supplanting Aventail and the provision of Credant software
directly under the CCN. The Secure Remote Access Service (SRAS) previously provided by
C&W through contract with the Authority is no longer part of the approach. C&W connection to
the CJX does continue under CCN050 including added bandwidth that will be procured under
our framework agreement in PNN3.
The proposed price is based on a CCN acceptance date of 1 May 2008, CCN050R1 Payment
Profile and a period of performance of three (3) years concluding on 30 April 2011.
CCN 050R1 – User Authentication
Total Fixed Price: £7,923,108
HARDWARE, SOFTWARE, LICENSES BILL OF MATERIALS (BOM)
Charge: £3,857,288
Hardware Component / Description | Model # | Quantity
Subtotal:
Misc Hardware & Cabling | AR3100 | 3
APC Secure Rack 42U | AR3100 | 3
Power Controller Dual Voltage 32amp Intl w/16 IEC 320 outlet | V70BF3-F-SL-009 | 6
Sun Fire X4200 M2, Model 2216 2x2.4GHZ CPU, 4x146GB 10K RPM 2.5 SAS Drive, 16GB Memory, DVD, Slide Rails w/SuSE SLES10 for AMD64, 1 Year Support | A87-BV-16GB | 25
SecureStack A2 L2 Switch 24 Port 10/100 | A2H124-24 | 3
ModSecurity Management Appliance plus 2 additional years maintenance | ModManager | 3
PED-AUTH 2HSMP v4.2 FW4.6.1. | Luna SA | 3
Cryptographic Module | PED | 3
Cryptographic Module | PED Key Set | 4
Cryptographic Module | Luna SA Backup Tokens | 10
HP Compaq dc5800 Microtower PC, Intel DualCore E2180 Processor, 1gb 800 MHz DDR2 SDRAM, 80GB 7200 RPM SATA Disk Drive, 16x SATA DVD-ROM, Windows XP | dc5800 | 125
Samsung 943T Flat Panel Monitor | 943T | 125
Log Capture Appliance | LS1010, LS2010 | 3
Log Warehouse Appliance | ST2010, ST3010 | 3
4000 Series Switching Module, 48x10/100/1000Base-T LAN | WS-X4548-GR-RJ45 | 1
Privaris plusID 75 Security Device | PRI-PID-75 | 13,215
3 years of 4Mb/s increase | Additional CJX Bandwidth | 3
3 years @ £515 | CJX Internet Access | 36
Software Component / Description | Version # | Quantity
Cisco PIX 515 Firewall Chassis, Unrestricted software (includes FO), 2 FE ports | PIX-515-UR-BUN | 3
CMG Shield Perpetual License | Shield Perpetual License | 1510
CMG Gatekeeper Perpetual License | Gatekeeper Perpetual License | 125
CMG Enterprise Server | Enterprise Server | 3
Certification Authority | Entrust Security Manager CA | 6
CA License, Administrative Client Software, Administrative Services Server Software | Entrust Security Provider License (unmanaged) for 3 years | 61,000
Web Enrolment Server Software | Entrust Authority Enrolment Server for Web | 3
Adaptor Software License | Entrust Adaptor for Sun Identity Manager | 1
Client Software | Entrust Entelligence Security Provider | 125
Windows XP | | 125
NetBackup Server, Linux, SAN Media Server License, plus 1 year maintenance | A15985H | 18
Device Management Software - Level 2 | PRI-PIDM-L2 | 2
Device Management Client Software | PRI-PIDM-WC | 125
Compliance reporting module for SOX/COBIT | SOX/COBIT Module | 1
Windows 2003 Server R2 | Windows 2003 Server R2 | 3
Oracle Database Enterprise Edition | Database Enterprise Edition | 3
Oracle DataGuard | DataGuard | 2
Oracle DataVault | DataVault | 12
Maintenance / Description | Version # | Quantity
Device Management Software Annual Maintenance | PRI-SW-WAR | 3
Device Management Client Software Annual Maintenance | PRI-SW-WAR | 125
Extended Device Warranty per year per device 3yrs | PRI-HW-WAR | 13,215
Senior Software Engineer (Project management, Windows Mobile 6 minidriver) | PRI-LSSE-1 | 560
Annual Luna Maintenance | Luna Maintenance | 9
Entrust Services Silver Support | Silver Support | 2
CMG Annual Maintenance | CMG Maintenance | 3
Oracle DataGuard Support 1yr | DataGuard Support | 6
LogLogic Maintenance | LogLogic Maintenance | 2
Miscellaneous / Description | Version # | Quantity
Subtotal:
MWR Additional external penetration test | External Penetration Test | 1
Privaris Senior Software Engineer (Project Design & Doc, Mobile Fingerprint Reader, External Integration Test & Support) | Senior Software Engineer | 640
Vizuri Application scan penetration test | Application scan penetration test | 1
Senior Software Engineer (plusID Manager, plusID Device, Internal Integration Test & Support) | PRI-LSSE-1 | 480
Professional Services (lot) | Professional Services (lot) | 1
LABOUR:
Charge: £2,560,948
A summary description of the required labour hours by the various
labour categories and the basis of estimate required to deliver the
proposed solution.
Description:
• Activities associated with providing the following in the National Lantern Rollout: strong
security through the implementation of a public key infrastructure (PKI), biometric tokens
for each user, administration of users and devices, and mobility expansion for improved
secure communications.
Task Activity: Public Key Infrastructure
Hours: 18,442
Basis of Estimate/Labour Mix:
• Work required to acquire, configure, integrate, document, and deploy a dual site (primary
and secondary) PKI.
• Activities include design, implement, validate, deploy, train, enable, operate and maintain.
The labour required for this work is a mix of the following:
5,332: Technician/Junior Engineer/Operations Specialist
6,521: Senior Technician/Engineer/Senior Operations Specialist
2,086: Master Technician/Lead Engineer/Operations Manager
3,838: Engineering Manager/Product Manager
665: Senior Consulting Engineer/Project Planning Manager
Task Activity: System Engineering
Hours: 532
Basis of Estimate/Labour Mix:
• Define and guide development of the User Authentication infrastructure, including such
activities as:
o Define Interfaces and write interface control docs
o Derive requirements and update database
o Business process analysis
o Define workflow
o TIMs on User Authentication approach
The labour required for this work is a mix of the following:
20: Master Technician/Lead Engineer/Operations Manager
331: Consulting Engineer/Senior Operations Manager
126: Engineering Manager/Product Manager
55: Engineer Manager/Product Manager
Task Activity: Central Software Integration
Hours: 7,270
Basis of Estimate/Labour Mix:
• Integrate User Authentication into Lantern for National Rollout, including activities:
o Add SSL client server authentication to DWS web server
o Capture authentication event and add the userid to existing audit logs and messages
o Change Apache configuration to add security hardening features
o Review Privaris development of user authentication proxy on MFR.
o Review Sagem development
o Add a new user type for Sun IdM. Add workflow for provisioning of Entrust certificates
and Privaris plusID devices within IdM.
o Auditing of User Authentication and rollup of MIS Warehouse.
The labour required for this work is a mix of the following:
3,016: Master Technician/Lead Engineer/Operations Manager
3,016: Consulting Engineer/Senior Operations Manager
1,238: Engineering Manager/Product Manager
Task Activity: Validation and Verification
Hours: 467
Basis of Estimate/Labour Mix:
• Validation and verification of requirements:
o Functional requirements
o Performance / throughput requirements
o Load-sharing / failover requirements
• Testing of Privaris plusID devices on MFRs
The labour required for this work is a mix of the following:
315: Senior Technician/Engineer/Senior Operations Specialist
90: Master Technician/Lead Engineer/Operations Manager
62: Engineering Manager/Product Manager
Task Activity: UK Training
Hours: 594
Basis of Estimate/Labour Mix:
• Work required by training resources in the UK
• Update of user guides and training materials
• Addition of user authentication to base Lantern CBT
The labour required for this work is a mix of the following:
540: Technician/Junior Engineer/Operations Specialist
54: Engineer Manager/Product Manager
Task Activity: Apollo Anywhere COTS
Hours: 630
Basis of Estimate/Labour Mix:
• Work required for integrating the Apollo Anywhere COTS mobility and security platform
into the Lantern network architecture.
• Activities include engineering, integrating, validating, and supporting.
The labour required for this work is a mix of the following:
10: Technician/Junior Engineer/Operations Specialist
507: Senior Technician/Engineer/Senior Operations Specialist
45: Consulting Engineer/Senior Operations Manager
68: Engineering Manager/Product Manager
Task Activity: Project Management
Hours: Included above
Basis of Estimate/Labour Mix:
Management is allocated to cover each of the above categories. It provides for monitoring by
the Project Manager and Engineering Director. Also included are the required allocations for
configuration management, contracts, business, scheduling, procurement, and finance.
Total Labour: 27,935
Other Direct Costs, Travel, and Material Subcontractors
Charge: £1,504,873
A summary description of Other Direct Costs required to deliver
the proposed solution.
Description:
Other Direct Costs (ODCs) and travel are included in this proposal. Sagem costs include
software modification and engineering labour to support user authentication. Brand costs include
Apollo Anywhere Server, Load Balancer, and Licenses, a database server, and 24x7x365
annual support. Phoenix costs include workstation build, installation of CMG gatekeepers, and 3
years maintenance.
Other Direct Costs (ODC), documentation and shipping are included in this CCN.
Other Direct Costs | Approx. | Basis of Estimate/Description
Documentation | | Documentation to support internal and external briefs. Updates to drawings and hardware configuration. Test Procedures, TRR, ORR and Test Summary Reports. User Guides and Training Materials.
Shipping | | Shipping costs
Travel | Approx. | Basis of Estimate/Description
International Travel | | 28 Trips from Fairfax to London, 3 Trips London to Fairfax
Local Travel | | Local UK travel
Material Subcontractors | Approx. | Basis of Estimate/Description
Sagem | | Software modification to support User Authentication, dual chargers and engineering support.
Phoenix | | Workstation build and install
Phoenix | | 3 years maintenance for workstations
Brand | | Apollo Anywhere Server, Load Balancer, Licenses and Database server
Brand | | 24x7x365 Annual Support
Total | 100.0% |
CCN 050R1 – Variable
Total Fixed Price: £1,551,832
LABOUR:
Charge: £1,490,175
A summary description of the required labour hours by the various
labour categories and the basis of estimate required to deliver the
proposed solution.
Description:
• Activities associated with operating and maintaining the public key infrastructure
(PKI), biometric tokens for each user, administration of users and devices, and
mobility expansion for improved secure communications.
Task Activity: UK Operations
Hours: 13,546
Basis of Estimate/Labour Mix:
• System monitoring
• ITIL compliant management of incidents, problems, and change
• Provision of 24x7 service desk
The labour required for this work is a mix of the following:
4,105: Junior Technician/Junior Operations Specialist
4,105: Technician/Junior Engineer/Operations Specialist
4,105: Senior Technician/Engineer/Senior Operations Specialist
1,231: Engineering Manager/Product Manager
Task Activity: System Support
Hours: 1,287
Basis of Estimate/Labour Mix:
• Activities required by System Support to provide engineering documentation and technical
support for the PKI.
o Documentation of hardware/software configuration as part of an engineering drawing
package
o Support for changes to software configurable items such as Operating System software,
COTS software, and IDENT1 specific software.
The labour required for this work is a mix of the following:
1,287: Engineering Manager/Product Manager
Task Activity: Security
Hours: 7,021
Basis of Estimate/Labour Mix:
• Work required for security related issues on the User Authentication portion of the Lantern
National Rollout.
o Risk Assessment
o Penetration testing
o Updating documents (RMADs)
o Staying current on security-related software updates
The labour required for this work is a mix of the following:
7,021: Master Technician/Lead Engineer/Operations Manager
Task Activity: Project Management
Hours: Included above
Basis of Estimate/Labour Mix:
Management is allocated to cover each of the above categories. It provides for monitoring by
the Project Manager and Engineering Director. Also included are the required allocations for
configuration management, contracts, business, scheduling, procurement, and finance.
Total Labour: 21,854
Other Direct Costs, Travel, and Material Subcontractors
Charge: £61,657
A summary description of Other Direct Costs required to deliver
the proposed solution.
Description:
Other Direct Costs (ODCs) and travel are included in this proposal, facilities charges for space in
Hendon and
.
Other Direct Costs (ODC) and travel are included in this CCN.
Other Direct Costs | Approx. | Basis of Estimate/Description
Facilities | | Consultant charges, Internal modifications (HVAC, Power, Data Centre) and Hendon Rent Charges
Documentation | | Documentation to support internal and external briefs. Updates to drawings and hardware configuration.
Total | 100.0% |
Other: N/A
Charge: N/A