MONKTON GROUP UK LIMITED

Collaborative Working Environment (CWE)

The Collaborative Working Environment (CWE) platform boosts productivity for global national security, defence and law enforcement agencies. Integrating multiple communication tools into one platform, it's field-tested with Five Eyes and industry partners, ensuring reliability. CWE can be hosted in a controlled cloud environment or managed as a service.

Features

  • Real-time messaging with secure direct and group channels.
  • End-to-end encrypted one-to-one voice calls via WebRTC.
  • On-demand video conferencing with screen-sharing, fully encrypted.
  • Protected collaboration spaces for secure team interactions.
  • Collaborative editing and sharing of Microsoft Office documents.
  • Low-code framework-based app store for easy customisation.
  • Responsive, web-based interface accessible on multiple devices.
  • User experience modelled on popular social networking tools.
  • Navigation dashboard with quick access to all features.
  • Public or private workspaces with adjustable privacy settings.

Benefits

  • Streamlines secure communication across organisations and teams.
  • Ensures confidentiality with advanced encryption for all communications.
  • Facilitates effective remote meetings with comprehensive tools.
  • Promotes secure, trusted collaboration environments.
  • Enhances productivity through seamless document collaboration.
  • Simplifies application deployment and management.
  • Offers consistent performance on desktop and mobile.
  • Minimises training time with intuitive social-media-like interface.
  • Provides immediate access to essential tools and information.
  • Allows customisation of workspaces to fit project needs.

Pricing

£3,800,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at shirley.herron@monkton.io. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

322029846064417

Contact

MONKTON GROUP UK LIMITED
Shirley Herron
Telephone: +44 7866 566 141
Email: shirley.herron@monkton.io

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The CWE can be extended through AWS API services and integrated with third-party open-source products. GitLab, an open-core DevOps software package that combines the ability to develop, secure, and operate software in a single application, is built in.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
The CWE encompasses a Security and Compliance Baseline, which includes a complete System Security Plan tailored for the FISMA Moderate and FedRAMP Moderate baselines that can be easily adapted for implementation by any FVEY member nation. The solution includes quarterly patches and security updates delivered via Terraform scripts integrated with GitLab. The Security and Compliance Baseline is delivered as a managed service and is backed by a Tier 3 support contract for resolving any product-related issues.
System requirements
N/A

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Within the working day, we aim to respond within two hours. At weekends, a line of communication is available.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
Baseline support for all access is included within the contract. Extra support to be discussed on a contractual basis depending on customer requirements.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide a structured and comprehensive training program tailored to meet organisational needs.

Virtual Training: We provide digital training sessions that are accessible remotely. These sessions are conducted live to allow real-time interaction and are recorded for on-demand access. The virtual training is designed to cover all fundamental aspects of our platform and includes Q&A sessions to enhance understanding.
On-site Training: We can provide on-site training sessions for organisations that request in-person instruction. These sessions are conducted by experienced trainers and are customised to address the specific operational needs of users.
User Documentation: Comprehensive user manuals and quick-start guides are available in both digital and print formats. These documents provide detailed step-by-step instructions for using the platform effectively.

Interactive Learning and Support Tools:
Getting Started Guide: Upon signing up, users receive an interactive guide that walks them through the initial setup process, from account creation to basic operations, ensuring a smooth start.
Platform Wiki: The platform features a dedicated wiki that includes a variety of learning materials such as how-to videos, instructional guides, and best practices. This resource is continuously updated and available directly within the platform, allowing users to learn and troubleshoot at their own pace.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
For the customer-hosted CWE, data is stored within the customer's own AWS environment, allowing full control over their information. Upon annual license subscription expiry, access to the CWE platform is discontinued, and users cannot log in.

Before the subscription expires, customers receive detailed instructions on securely extracting and migrating their data from the CWE. This process adheres to best practices for data handling to ensure all data remains protected during the transition.

In the managed CWE scenario, our team directly handles data management and access within a secure and compliant framework. When the license subscription ends, access to the CWE platform is terminated. Customers are notified in advance about the expiration and provided with the necessary support for data extraction. The CWE platform will notify the administrator that the license has expired and will give the administrator permission to export all data to an S3 bucket.
End-of-contract process
At the conclusion of the contract, our process is designed to ensure a smooth and transparent transition, addressing all necessary aspects of service discontinuation and data management. Customers are given the opportunity to retrieve all their data from our platform. We provide comprehensive support to assist with data extraction, ensuring that clients can securely download or transfer their data to a preferred location. Following the data retrieval period, and in compliance with legal and contractual obligations, all customer data stored on our systems will be securely erased. Confirmation of data deletion is provided to the customer to ensure that no residual data remains on our servers. Customer accounts are formally closed, and all access rights are revoked to safeguard against unauthorised access post-contract. For customer-hosted deployments, the CWE platform will notify the administrator that the license has expired and will give the administrator permission to export all data to an S3 bucket.

Additional costs are incurred for data migration services at the end of the contract if customers require technical assistance beyond the standard data retrieval processes. Knowledge transfer documentation and specialist support during the transition can be purchased.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Full functionality on mobile and desktop devices.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
The CWE platform is delivered using a single-pane-of-glass web-based user interface that is responsive on both desktop and mobile form factors. The user experience is modelled after popular social networking tools to minimise field training requirements. Each module is designed with usability and accessibility in mind to ensure easy adoption by both headquarters and field personnel. The home page provides easy navigation to all the key functions within the platform, including spaces, people, chat, files, calendar, tasks, and apps. Users receive alerts of messages and notifications in the upper right navigation bar.
Accessibility standards
None or don’t know
Description of accessibility
No accessibility standards are met at present, but this is on the immediate roadmap
Accessibility testing
None at present
API
No
Customisation available
Yes
Description of customisation
Any user can create protected spaces to organise their work across organisations, projects, or mission areas. Spaces can be designated as either public (open to the entire community) or private (requiring others to request to join) as required. Spaces can also optionally be hidden from the directory for increased privacy. Users can build web-based apps implemented using a low-code development framework. Modules can be enabled/disabled.

Scaling

Independence of resources
Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Services which provide virtualised operational environments to customers ensure that customers are segregated via security management processes/controls at the network and hypervisor level. We continuously monitor service usage to project infrastructure needs to support availability commitments/requirements. We maintain a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, we provide a capacity planning model that supports the planning of future demands to acquire and implement additional resources based upon current resources and forecast requirements.

Analytics

Service usage metrics
Yes
Metrics types
Yes, we provide detailed service usage metrics accessible through PDF and HTML. These metrics include user activity, resource utilisation, performance indicators, and error rates.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
The platform has an in-built function for exporting to .csv the user-defined results with appropriate file size limits for the size of data being requested. As a cloud-based service the export query is queued against other incoming requests and processed sequentially.

The CWE can be extended via AWS API systems to export both current and snapshot data.
Data export formats
  • CSV
  • Other
Other data export formats
JSON
Data import formats
  • CSV
  • Other
Other data import formats
JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
For customer-hosted workloads, refer to the AWS Legal Terms and Conditions that govern a customer's usage: https://aws.amazon.com/legal/

For managed services, we align with the customer's AWS Support Tier: https://aws.amazon.com/premiumsupport/plans/
Approach to resilience
Our service is rigorously designed for resilience to ensure high availability and robust performance, with deployment options tailored to specific needs. For managed services, we typically deploy in the AWS London region or AWS US GovCloud. These regions are chosen for data sovereignty, redundancy, security, and compliance capabilities, providing a resilient infrastructure that withstands a variety of operational challenges.

For customers managing their own deployments, we offer detailed blueprints and guidance to support a resilient setup. Our professional cloud support services are available to help implement a fully resilient deployment of the CWE platform. This service includes integration patterns for multi-domain integration, data interoperability, or for establishing secure connections with FVEY, AUKUS, NATO allies, and partner organisations.

In the US, the CWE can be deployed in both the UK and US GovCloud regions with configured cross-nation data replication to support US/UK interoperability. The US GovCloud region has native access to US Department of Defense Gateway Services such as C2S, SIPRNet, and NIPRNet. This dual-region approach enhances operational continuity and secures data handling across different jurisdictions, ensuring that our service meets the highest standards of global data security and operational reliability.
Outage reporting
Our service employs several methods to ensure transparent and effective reporting of any outages.

The CWE operates on AWS, which provides a comprehensive health dashboard. Users can directly access this dashboard if the service is hosted in a customer's AWS environment, allowing real-time monitoring of service status. For managed services, we issue email alerts to all affected users during an outage. These alerts detail the outage scope, expected resolution timeline, and user impact. We maintain continuous communication throughout the outage to keep users informed of ongoing progress. For administrators who require deeper oversight, we offer integrations with Security Operations Centers (SOC) or Security Information and Event Management (SIEM) solutions. This allows administrators to monitor the platform directly or pull logs into their own dashboards. In the event of critical incidents, we collaborate closely with administrator technical/security teams and AWS service teams to manage and resolve issues. This partnership ensures that we provide swift and coordinated responses to minimise downtime and disruption. These mechanisms ensure that users are promptly informed of service interruptions, enabling effective planning and minimising disruption while enhancing communication and transparency during incidents.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
OAuth 2.0/OIDC
Access restrictions in management interfaces and support channels
Our approach to access restrictions in management interfaces and support channels is grounded in the principles of Role-Based Access Control (RBAC). This method ensures that only authorised personnel have access to specific levels of information and functionality, based on their roles within the organisation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
We use OAuth 2.0 with OpenID Connect (OIDC) for secure, token-based user authentication and authorisation before allowing access to management interfaces. OAuth 2.0's framework ensures authentication requests are handled securely. We enforce 2FA for all users accessing management interfaces. After initial login, users must verify their identity through another method (e.g. a mobile device notification, a text message or a security key), providing a dynamic token that must be entered to gain access. We support FIDO standards for additional security, allowing authentication via biometric devices or FIDO security keys. This enhances security and simplifies the authentication process by leveraging universal second factor (U2F) technology.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
-
ISO/IEC 27001 accreditation date
-
What the ISO/IEC 27001 doesn’t cover
-
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • AWS Cloud Professional
  • GCP Cloud Professional

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We adhere to stringent information security policies and processes, designed to protect data integrity, secure our infrastructure, and comply with industry standards. Our security policies include:

Two-Factor Authentication and Zero Trust: We enforce mandatory two-factor authentication and adhere to the Zero Trust model, ensuring robust identity verification for network access and minimising unauthorised access risks.
Workforce Education: All employees undergo regular security awareness training to strengthen adherence to our security standards and enhance overall awareness.
Data Encryption: To safeguard sensitive information, we encrypt all data at rest, ensuring protection even in the event of physical security breaches.
Sensitivity Assessment: We classify data and projects by sensitivity, applying tailored security controls to each category to adequately protect information.
Our security framework is continuously managed according to current industry standards. Regular audits and systematic reviews help maintain the effectiveness of our policies and adapt to emerging threats. These comprehensive measures ensure the security of our operations and sensitive information, aligning with best practices in information security.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Using GitLab for version control provides comprehensive audit trails, ensuring modifications are tracked (including who/what/when) and enabling easy rollback and accountability in our development process.

Infrastructure as code (IaC) allows automated setup and maintenance of environments, ensuring consistency and reducing mistakes. Configurations are declarative and are automatically enforced and maintained.

Advanced observability tools monitor infrastructure and configurations continuously, alerting to unexpected or unauthorised changes. This maintains security, stability and compliance of environments.

Configuration and change management are aligned with industry best practice, ensuring secure, scalable and maintainable infrastructure. Our process is responsive and controlled, supporting rapid development while ensuring rigorous oversight.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our vulnerability management strategy proactively identifies and mitigates risks to secure our applications. We integrate SAST, DAST, Container, and Dependency Scanning in our workflows, use cryptographically signed artefacts, and embed threat modelling in development to ensure early vulnerability detection. Patches are rapidly deployed after rigorous testing in a test environment and moved to production without downtime. Updates failing user acceptance testing are reverted. We source threat intelligence from diverse databases, advisories, and community partnerships, continually adapting to evolving threats to maintain robust protection.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our protective monitoring processes are designed to promptly identify and respond to potential security compromises, ensuring the integrity and security of our systems. We use advanced security tools to continuously monitor our network and systems for unusual activities that may indicate a compromise. Through anomaly detection, our systems are configured with baseline security profiles. Any deviation from these configured baselines is flagged for further investigation. We integrate the latest threat intelligence into our monitoring systems to identify potential threats proactively. Upon detection of a potential compromise, affected systems are immediately isolated to prevent further unauthorised access or damage.
Incident management type
Supplier-defined controls
Incident management approach
The customer management support process will escalate any incident according to its criticality, as assessed by our on-call CSM team member. This will be relayed to our on-call Engineering team. Our security team conducts a thorough analysis to understand the scope and impact of the incident. We implement necessary remediations based on the incident's nature, followed by strategies to prevent future occurrences. Relevant stakeholders are informed of the incident according to the severity and escalation protocols. Incident reports are provided. Our approach ensures that we are well-prepared to handle security incidents swiftly and efficiently, minimising potential impacts and maintaining trust.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Tackling economic inequality

We strive to tackle economic inequality by creating opportunities for new businesses, fostering entrepreneurship, and enhancing skills development. Our services are delivered with a strong emphasis on economic inclusivity, engaging SMEs, start-ups, and social enterprises in our supply chain to promote diverse economic growth. Innovation is at the heart of our strategy to modernise delivery and increase productivity.

We invest in disruptive technologies and support our supply chain partners in adopting these innovations, thereby enhancing their capacity and resilience. We also prioritise cybersecurity, ensuring that all partners in our supply chain are equipped to manage these risks effectively. Our approach to economic inequality is holistic, involving every stakeholder from employees and suppliers to customers and community members, ensuring that the benefits of our contracts extend beyond traditional business metrics to foster genuine economic change and resilience.

Equal opportunity

We are committed to fostering a workplace that supports the diverse needs of all employees by adjusting workplace policies, enhancing tool accessibility, and improving productivity. Our dedication extends beyond internal practices to include closing the disability employment gap through inclusive hiring practices that prioritise accessibility and fairness. We also promote these values among our suppliers, partners, and customers to encourage a network-wide commitment to diversity.

We strive for equal treatment in all aspects of employment and cultivate an inclusive culture where varied perspectives and experiences are valued. This commitment enriches our service quality and strengthens our team through shared diverse experiences. To attract top talent, we use direct recruitment and select third-party recruiters who align with our diversity goals. Our strategy leverages platforms like LinkedIn to reach beyond our traditional networks, ensuring a diverse range of candidates and supporting our broader commitment to inclusion.

Wellbeing

Our commitment to wellbeing is integral to our operational philosophy, designed to support both the physical and mental health of our employees. We provide extensive health benefits, access to mental health resources, and conduct workshops focused on stress management, work-life balance, and healthy living. Flexible working hours, remote work options, and wellness days are part of our approach to promote a healthy work environment.

We encourage our team to prioritise their wellbeing and seek support when needed, fostering a culture of openness, inclusivity, and respect. This comprehensive approach ensures that all team members can perform at their best, effectively balancing professional and personal lives while contributing positively to broader societal goals. Our efforts create a supportive and integrated working environment that meets the immediate needs of our team and customers and enhances overall community wellbeing.

Pricing

Price
£3,800,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No