Guide · Advanced

How to respond to a Defra cyber security tender

Defra's cyber buying patterns, accreditation expectations, and the types of work SMBs can realistically win.

Winning a Defra cyber tender requires more than a strong technical baseline. It demands an understanding of how the Department for Environment, Food and Rural Affairs, alongside its major arm's-length bodies and executive agencies, buys and deploys security services. Defra manages critical national infrastructure, large data lakes of agricultural and environmental information, and a sprawling legacy IT estate. Its cyber security procurement reflects these complexities, prioritising suppliers who can navigate its specific operational realities while meeting stringent government standards.

This guide breaks down the mechanics of a Defra tender response. It covers the frameworks Defra uses, the accreditations it demands, and the evaluation criteria that decide who wins. For SMB bid managers and directors, the goal is to stop guessing what Defra wants and start structuring responses around its documented priorities. You will leave with a clear view of how to position your firm, which types of work offer the most realistic win probabilities, and how to avoid the common mistakes that sink otherwise competent bids.

What this guide covers

  • Defra's digital and data transformation strategy and its impact on cyber procurement.
  • The primary route to market: the RM3764.3 Cyber Security Services 3 DPS.
  • Mandatory accreditations, including Cyber Essentials Plus, CHECK, and GovAssure requirements.
  • How Defra evaluates price, quality, and social value in cyber tenders.
  • A worked example of a Defra cyber tender response structure.
  • Common mistakes SMBs make when bidding for Defra work and how to avoid them.

Defra's cyber security landscape and buying patterns

Defra is not a single entity. It is a core department supported by major arm's-length bodies and executive agencies, including the Environment Agency, the Animal and Plant Health Agency, Natural England, the Rural Payments Agency, and the Marine Management Organisation. When you bid for a Defra cyber contract, you are often bidding to secure systems that span this entire group. The scale of its operations means that any security solution must be adaptable across highly varied operational environments, from field inspectors using mobile devices to complex, data-heavy central processing hubs.

The department's approach to technology is currently driven by the Defra digital and data transformation strategy (2023 to 2030). Mission 4 of this strategy explicitly focuses on "efficient, secure, and sustainable technology and services." For cyber security suppliers, this mission is the blueprint for what Defra values. Defra is actively seeking to reduce the security risks associated with cyber attacks and operational failure, particularly in its legacy IT estate. It has committed to completing resilience audits of Critical National Infrastructure and Nationally Important Systems, establishing a group-wide security strategy, and setting a clear security risk appetite.

Defra buys cyber security services to protect everything from flood warning systems to international trade platforms such as the export health certificates service. It operates a hybrid Security Operations Centre model, maintaining an internal SOC for standard business hours while procuring external protective monitoring for out-of-hours coverage. This pragmatic approach to resourcing creates specific, well-defined opportunities for external suppliers. When bidding, it is vital to demonstrate an understanding of this hybrid approach and how your services integrate with Defra's internal teams, in particular how incidents and context pass between the two SOCs at the shift boundary.

The shift to the Atamis portal

Defra has modernised its procurement infrastructure, moving away from legacy systems such as Bravo and Jaggaer. All new contract opportunities over £10,000 are now managed through the Defra eCommercial website, which is powered by Atamis. If your firm was registered on the old portals, you must register anew on Atamis to access tender documents and submit responses. For contracts above the relevant thresholds, notices are also published on the Find a Tender Service, which under the Procurement Act 2023 became the central digital platform for public procurement notices, taking over that role from Contracts Finder. Familiarising your bid team with the Atamis interface is a crucial first step: a missed deadline caused by unfamiliarity with the submission portal is not a recoverable error.

The RM3764.3 Cyber Security Services 3 DPS

If you want to win cyber security work with Defra, you need to understand the Crown Commercial Service's RM3764.3 Cyber Security Services 3 Dynamic Purchasing System (DPS). This is Defra's preferred route to market for specialist cyber services, including penetration testing, incident response, and security architecture consulting.

Unlike traditional framework agreements, which have fixed lots and lengthy lock-out periods between re-competitions, a DPS remains open for new suppliers to join at any time. It does not use lots. Instead, buyers such as Defra filter the supplier list by service category, accreditation, and other criteria to produce a shortlist. Defra then runs a further competition among the shortlisted suppliers.

The services available through the DPS fall into several key categories:

  • NCSC assured services
  • Consultancy and advice
  • Penetration testing
  • Incident response
  • Managed security services

For SMBs, the DPS model is highly advantageous. It removes the barrier of having to win a place on a framework every four years. You can register, prove your credentials, and immediately become eligible for shortlisting when Defra runs a competition. The filtering system also means you are only invited to bid on contracts that match your specific capabilities, reducing the time wasted on unsuitable tenders. However, this also means you must ensure your DPS profile accurately and comprehensively reflects your firm's capabilities and current accreditations.

Mandatory accreditations and security clearances

Defra's baseline for cyber security suppliers is uncompromising. Failing to hold the right accreditations at the point of bidding is the fastest way to be disqualified. You cannot promise to acquire these certifications after winning the contract; they are prerequisites for participation.

Cyber Essentials and Cyber Essentials Plus

Since October 2014, central government has required suppliers bidding for contracts that involve handling sensitive or personal information, or providing certain ICT services, to hold a valid Cyber Essentials certificate. For cyber security services, Defra routinely demands Cyber Essentials Plus. This is not a box-ticking exercise; it is a hard pass/fail criterion. Furthermore, Cyber Essentials certificates are valid for twelve months, so under the PPN 09/23 guidance they must be renewed annually and must be in date on the submission deadline. Some tenders may accept ISO 27001 as an equivalent in lieu of Cyber Essentials, but this is increasingly rare for specialist cyber contracts. Assume Cyber Essentials Plus is the minimum price of entry.

The NCSC CHECK scheme

If you are bidding for penetration testing or IT Health Check (ITHC) work, Defra will require your firm to be an NCSC-assured CHECK company. The CHECK scheme governs authorised penetration tests of public sector and CNI systems, and is the only route under which such tests are normally permitted on Defra's in-scope systems.

To qualify for CHECK, your company must maintain an in-date Cyber Essentials Plus certification and be able to supply a minimum of two penetration test reports conducted under your company name. At least one proposed CHECK Team Leader must hold a UK Cyber Security Council Professional Title in Security Testing at Principal level or above; the established Team Leader qualifications (CREST CCT, Tiger Scheme SST, or Cyber Scheme CSTL) are the accepted equivalents for Team Leader status.

When Defra awarded its £3.37 million ITHC, Penetration Testing and Associated Services Contract in early 2025, the tender explicitly restricted the award to CHECK qualified suppliers. Three separate contracts were awarded to three different CHECK providers, demonstrating Defra's reliance on this accreditation to assure quality.

GovAssure and the Cyber Assessment Framework

For consultancy and risk assessment roles, suppliers must understand GovAssure. GovAssure is the cyber security scheme for assessing government critical systems against the NCSC's Cyber Assessment Framework (CAF). If a tender involves conducting Independent Assurance Reviews of Defra's critical systems, the supplier must be registered as an Assured Service Provider on the NCSC's Cyber Resilience Audit (CRA) scheme. Even if you are not conducting the audits, any security architecture or consultancy work you propose must align with the CAF objectives and principles that Defra uses to measure its own resilience. Your bid must demonstrate fluency in CAF terminology and methodology, including its Indicators of Good Practice.

Security Clearance (SC and DV)

Cyber security work inherently involves access to sensitive network architecture and vulnerability data. Defra requires supplier personnel to hold Security Check (SC) clearance as a standard baseline. For highly sensitive projects, Developed Vetting (DV) may be necessary. Your firm must have the administrative capability to sponsor and maintain these clearances for your deployed staff. A common pitfall for new suppliers is winning a contract but being unable to deploy staff promptly because clearances have lapsed or are still pending. You must have a robust internal process for tracking the clearance status and expiry dates of your team.

Evaluating price, quality, and social value

Defra evaluates cyber tenders using a structured scoring matrix. While the exact weightings vary by contract, a standard split for complex IT services is 60% Quality (Technical) and 40% Price.

Quality and technical evaluation (60%)

The quality section is where you win the bid. Defra wants evidence of methodology, not just a list of tools. If they are procuring a SOC Out-of-Hours Protective Monitoring Service, they will evaluate how seamlessly your team can hand over incidents to their internal SOC at 09:00 every morning. They will score your incident triage process, your false-positive reduction strategies, and your ability to integrate with their existing SIEM infrastructure.

You must provide specific, relevant case studies. If you are bidding for an ITHC contract, your evidence must demonstrate experience testing complex, legacy public sector environments, not just modern cloud-native startups. Your responses should clearly articulate how your technical approach directly mitigates the risks identified in Defra's digital strategy.

Price evaluation (40%)

Price evaluation in government tenders is usually formulaic. The lowest priced compliant bid receives the maximum score for the price section, and all other bids are scored proportionately against it. However, Defra is wary of abnormally low bids that suggest a misunderstanding of the scope or a risk to service quality. Your pricing schedule must be transparent, detailing day rates, tool costs, and any assumptions you have made about the required effort. Ensure your pricing model aligns with the specific requirements of the DPS and the individual call-off contract.

Social Value (minimum 10% of qualitative score)

Under PPN 06/20, social value must be explicitly evaluated in central government procurement, with a minimum weighting of 10% of the total score. In further competitions under the RM3764.3 DPS, social value is weighted at a minimum of 10% of the qualitative assessment.

Defra aligns its social value requirements with its broader departmental goals. While environmental sustainability is an obvious focus for Defra, for cyber security contracts, they often select themes related to tackling economic inequality, equal opportunity, or wellbeing.

You must provide concrete, measurable commitments. Stating that you have a recycling policy in your office will score poorly. Committing to hiring two apprentices from a disadvantaged area specifically to work on the Defra contract, or providing pro-bono cyber security training to a rural charity in Defra's operational footprint, will score highly. Your social value response must be specific, actionable, and directly tied to the delivery of the contract.

Worked example: Structuring a SOC handover method statement

A common requirement in Defra cyber tenders is a method statement detailing operational procedures. Here is an illustrative example of how to structure a response for a SOC handover protocol, based on typical requirements for an out-of-hours monitoring contract.

Requirement: Detail your proposed methodology for ensuring a seamless transition of protective monitoring responsibilities between the Supplier's out-of-hours SOC and the Authority's internal business-hours SOC.

1. Executive Summary (The 'How')

We implement a structured, ITIL-aligned handover protocol with synchronous briefings at 08:30 and 16:30 daily, ahead of the 09:00 and 17:00 transfers of operational control. It relies on automated ticketing integration via API, supported by a mandatory 15-minute synchronous analyst briefing to ensure no loss of context for high-priority incidents. This dual approach provides both technical continuity and human oversight.

2. Technical Integration

  • Bi-directional API Sync: We will establish a secure API connection between our SIEM/ITSM platform and Defra's instance. All alerts triaged during the out-of-hours period (17:00-09:00) are automatically populated in Defra's queue with our analysts' investigation notes, MITRE ATT&CK mapping, and recommended containment actions.
  • Data Sovereignty: All incident data remains within UK-hosted infrastructure, strictly complying with Defra's data residency and security requirements.

3. The Handover Process (Step-by-Step)

  • 08:00 - Shift Report Generation: Automated generation of the nightly shift report, detailing alert volumes, blocked threats, and open investigations requiring immediate attention.
  • 08:30 - Synchronous Briefing: A secure Teams call between our Shift Lead and the incoming Defra SOC Manager. This focuses exclusively on active P1/P2 incidents and anomalous trends, rather than reading through closed tickets, ensuring efficient use of time.
  • 08:45 - Ticket Transfer: Formal transfer of ownership for all open investigations within the ITSM platform, with full audit trails.
  • 09:00 - Operational Control: Defra internal SOC assumes primary monitoring responsibility, with our team available for immediate consultation if required.

4. Risk Mitigation

  • Risk: Communication failure during handover due to network outage or platform unavailability.
  • Mitigation: If the synchronous briefing cannot occur due to technical issues, we retain monitoring responsibility until formal, written acknowledgement of the shift report is received from the Defra SOC Manager via an agreed out-of-band channel. Responsibility never passes by default or by elapsed time, so there is no coverage gap.

5. Evidence of Success

This exact protocol is currently deployed for a major central government department, where it has reduced P1 incident response latency during the morning transition period by 40% over a 12-month period, demonstrating its effectiveness in high-stakes environments.
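To make the handover rules concrete, here is an added example (not part of the original guide, and not taken from any Defra contract) that models the protocol above in Python: shift report generation, atomic transfer of open tickets with an audit trail, and the risk-mitigation rule that responsibility stays with the supplier until a written acknowledgement arrives over an agreed channel. The team identifiers, the set of channels that count as "written", the ticket fields, and the sample night of tickets are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed team identifiers and the channels the contract treats as "written".
SUPPLIER = "supplier-ooh-soc"
AUTHORITY = "authority-bh-soc"
ACK_CHANNELS = {"itsm", "signed-email"}


@dataclass
class Ticket:
    ticket_id: str
    priority: str                      # "P1".."P4"
    status: str                        # "open" or "closed"
    owner: str                         # team currently owning the investigation
    technique: str                     # MITRE ATT&CK technique ID for the alert
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (when, from, to)


@dataclass
class Handover:
    report: dict
    responsible: str = SUPPLIER        # who holds monitoring responsibility right now
    acknowledged_by: Optional[str] = None


def _now(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def generate_shift_report(tickets: List[Ticket], now: Optional[datetime] = None) -> dict:
    """08:00 step: summarise the night and flag open P1/P2 for the briefing."""
    open_t = [t for t in tickets if t.status == "open"]
    return {
        "generated_at": _now(now).isoformat(),
        "alerts_total": len(tickets),
        "closed": len(tickets) - len(open_t),
        "open": len(open_t),
        "briefing_items": sorted(t.ticket_id for t in open_t if t.priority in ("P1", "P2")),
    }


def transfer_ownership(tickets: List[Ticket], now: Optional[datetime] = None) -> int:
    """08:45 step: move every open ticket to the Authority in one go, with an audit entry.

    Validation happens before any mutation so a bad ticket cannot leave the
    queue half-transferred (some tickets moved, some not).
    """
    open_t = [t for t in tickets if t.status == "open"]
    bad = [t.ticket_id for t in open_t if t.owner != SUPPLIER]
    if bad:
        raise ValueError(f"refusing partial handover; not supplier-owned: {bad}")
    stamp = _now(now).isoformat()
    for t in open_t:
        t.audit.append((stamp, t.owner, AUTHORITY))
        t.owner = AUTHORITY
    return len(open_t)


def acknowledge(h: Handover, by: str, channel: str) -> str:
    """09:00 step: responsibility moves only on a written ack over an agreed channel."""
    if channel in ACK_CHANNELS:
        h.acknowledged_by = by
        h.responsible = AUTHORITY
    return h.responsible


def run_handover(tickets: List[Ticket], ack: Optional[Tuple[str, str]],
                 now: Optional[datetime] = None) -> Handover:
    """Whole protocol. `ack` is (person, channel), or None if the briefing never happened.

    Tickets are transferred either way so the Authority can see them, but
    h.responsible only becomes AUTHORITY once the ack rule is satisfied.
    """
    h = Handover(report=generate_shift_report(tickets, now))
    transfer_ownership(tickets, now)
    if ack is not None:
        acknowledge(h, *ack)
    return h


def sample_tickets() -> List[Ticket]:
    """Constructed sample night: two closed alerts, one open P1, one open P3."""
    return [
        Ticket("INC-1001", "P3", "closed", SUPPLIER, "T1110"),
        Ticket("INC-1002", "P4", "closed", SUPPLIER, "T1566.002"),
        Ticket("INC-1003", "P1", "open",   SUPPLIER, "T1059.001"),
        Ticket("INC-1004", "P3", "open",   SUPPLIER, "T1046"),
    ]


if __name__ == "__main__":
    night = sample_tickets()
    h = run_handover(night, ack=None)          # briefing failed: supplier still responsible
    print(h.report["briefing_items"], h.responsible)
    h = run_handover(sample_tickets(), ack=("soc-manager", "itsm"))
    print(h.acknowledged_by, h.responsible)    # written ack: Authority now responsible
```

The point worth drawing out in a bid is the second function: ownership of tickets and responsibility for monitoring are separate states, and the second changes only on an explicit, auditable event, never on a timer.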

Common mistakes

SMBs often lose Defra tenders not because they lack capability, but because they fail to navigate the procurement mechanics effectively.

  • Mistake: Bidding without the required accreditations in place.
  • Instead: Do not assume you can acquire Cyber Essentials Plus or CHECK status after winning the contract. Defra evaluates your status at the point of submission. If the tender mandates CHECK and you are a CREST member company without a qualified CHECK Team Leader, you will fail the compliance stage. Ensure your certifications are current, and state them explicitly in your bid with certificate numbers and expiry dates.
  • Mistake: Treating social value as an afterthought.
  • Instead: Treat the 10% social value weighting with the same rigour as the technical sections. A generic corporate CSR policy will score zero. You must propose specific, measurable initiatives that will be delivered as a direct result of winning this specific contract, aligned with the themes Defra has selected in the ITT. Assign clear metrics and reporting structures to your social value commitments.
  • Mistake: Ignoring the complexities of the Defra group structure.
  • Instead: Acknowledge that a solution deployed for the core department must often scale to accommodate the Environment Agency or the Rural Payments Agency. Demonstrate experience in federated or multi-agency IT environments. Show how your licensing or service delivery model adapts to complex organisational structures and varying operational needs.
  • Mistake: Over-promising on security clearance timelines.
  • Instead: Be brutally honest about your current roster of SC-cleared personnel. If you plan to recruit or clear staff post-award, detail the exact timelines and the interim mitigation strategy. Defra knows how long the vetting process takes; unrealistic deployment schedules will damage your credibility and potentially lead to contract termination if you fail to deliver.
  • Mistake: Failing to align with the Cyber Assessment Framework (CAF).
  • Instead: Use the language of the CAF in your technical responses. When describing your risk management approach, map it to the specific IGPs (Indicators of Good Practice) within the CAF. This proves you understand the regulatory environment Defra operates within and positions your firm as a knowledgeable partner rather than just a vendor.

Frequently asked questions

Do we need to be on a framework to win Defra cyber work?

While Defra occasionally publishes open tenders, the vast majority of their specialist cyber security procurement is routed through the Crown Commercial Service's RM3764.3 Cyber Security Services 3 DPS. Registering on this DPS is the most effective way to access these opportunities. It is highly recommended that any firm serious about working with Defra prioritises DPS registration.

How long does it take to get on the Cyber Security Services 3 DPS?

Because it is a Dynamic Purchasing System, you can apply at any time. The Crown Commercial Service typically assesses applications within 10 to 15 working days. However, you must have your accreditations (like Cyber Essentials) in order before applying. The application process itself is straightforward, provided your documentation is complete and up-to-date.

Will Defra sponsor our staff for Security Clearance (SC)?

Usually, no. Defra expects suppliers bidding for secure contracts to already hold any necessary Facility Security Clearance and to deploy staff who are already SC cleared. Relying on the buyer to sponsor clearance post-award is a significant risk and often a reason for bid rejection. Factor clearance requirements into your resource planning well in advance of bidding.

Can an SMB realistically win a prime contract with Defra?

Yes. Defra has a published SME commercial plan and actively monitors the level of business awarded to smaller firms. The shift toward the DPS model, which avoids the massive, multi-service lots of older frameworks, allows SMBs to bid directly for niche services like penetration testing or specific threat intelligence roles where they have deep expertise. By focusing on your core competencies and leveraging the DPS, SMBs can successfully compete against larger integrators.

What is the difference between GovAssure and Cyber Essentials?

Cyber Essentials is a baseline certification demonstrating you have fundamental technical controls in place to protect against common cyber threats. GovAssure is a rigorous, tailored assessment process used by government departments to evaluate the security of their critical systems against the NCSC's Cyber Assessment Framework. You need Cyber Essentials to bid; you need to understand GovAssure to deliver the work effectively within Defra's operational context.

Bidwell