Ministry of Justice

MOJ Cybersecurity Log Collection and Aggregation Platform

Incomplete applications: 15 (12 SME, 3 large)
Completed applications: 28 (21 SME, 7 large)

Important dates
Published Monday 18 November 2019
Deadline for asking questions Monday 25 November 2019 at 11:59pm GMT
Closing date for applications Monday 2 December 2019 at 11:59pm GMT

Overview

Summary of the work To implement, test and, where necessary, iterate the suggested architecture, onboard tenants, and then hand over the documented live production platform in an operable state to the engineering team.
Latest start date Wednesday 1 January 2020
Expected contract length Contract is expected to be a 12 week implementation, with potential for a 12 week extension.
Location No specific location, eg they can work remotely
Organisation the work is for Ministry of Justice
Budget range Bidders to suggest total cost based on requirements up to a total of £280,000 (exc VAT) including the 12 week extension.

About the work

Why the work is being done The Ministry of Justice (MOJ) has a diverse estate with a variety of suppliers and technical systems.

We need a platform to enable log collection, aggregation, storage, analysis and targeted forwarding capabilities.
Problem to be solved The Ministry of Justice is currently constrained in its ability to understand the cybersecurity posture of its estate because security logs are held in multiple systems, many of which are hard to query. The team lacks a single, centralised store of logs that can be queried to correlate cross-system attacks and track adversarial actors' behaviour.
Who the users are and what they need to do As a Cybersecurity analyst, I need to be able to easily create, edit and execute queries on logs in a variety of formats across a varied estate to convert individual events into actionable security alerts. This will allow me to monitor the estate effectively.

As a member of an operational team, I need to be able to easily create, edit and execute queries across my relevant log sources to identify suspicious events and translate them into actionable security alerts.
Early market engagement None conducted.
Any work that’s already been done The MOJ Security & Privacy team has created a proposed architecture based on the MOJ's Kubernetes cloud hosting environment (on AWS) and commonly used logging tooling (the Elasticsearch, Logstash and Kibana, or Elastic stack). This has been approved by the technical authorities, and is the recommended basis of your implementation.
Existing team MOJ Digital & Technology - Security & Privacy Team
Current phase Alpha
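
The user stories above ask for one queryable store in which events from different systems, in different formats, can be correlated into alerts. As an added illustration (not part of the MOJ listing or of its proposed Elastic stack architecture), the Python below normalises two constructed log formats from hypothetical tenants into a common event schema and raises one alert when the same account fails logins on two or more distinct systems within a short window. The tenant names, hostnames, usernames, IP addresses and log lines are all constructed.

```python
"""Normalise mixed-format security logs into one schema and correlate across systems.

Added illustration for the MOJ log aggregation requirement, not code from the MOJ
or from the Elastic stack. Every log line, tenant, host, user and IP below is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed input: (tenant, raw line). Two formats arrive side by side:
# syslog-style sshd lines and JSON application audit events.
SAMPLE_LOGS = [
    ("tenant-a", "Nov 18 10:00:01 bastion01 sshd[2211]: Failed password for jsmith from 203.0.113.5 port 50122 ssh2"),
    ("tenant-a", "Nov 18 10:00:07 bastion01 sshd[2211]: Failed password for jsmith from 203.0.113.5 port 50130 ssh2"),
    ("tenant-b", '{"time":"2019-11-18T10:00:30Z","app":"casefiles","user":"jsmith","event":"login","result":"failure","src_ip":"203.0.113.5"}'),
    ("tenant-b", '{"time":"2019-11-18T10:01:02Z","app":"casefiles","user":"jsmith","event":"login","result":"success","src_ip":"203.0.113.5"}'),
    ("tenant-a", "Nov 18 10:02:15 bastion01 sshd[2300]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2"),
    ("tenant-c", '{"time":"2019-11-18T14:00:00Z","app":"hr","user":"alee","event":"login","result":"failure","src_ip":"192.0.2.8"}'),
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
SYSLOG_YEAR = 2019  # classic syslog lines carry no year; the constructed data is from 2019


def normalise(tenant, line):
    """Map one raw line to the common event schema, or return None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(
            f"{SYSLOG_YEAR} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        return {"ts": ts, "tenant": tenant, "source": m["host"], "actor": m["user"],
                "action": "login",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "src_ip": m["ip"]}
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    if obj.get("event") != "login":
        return None
    ts = datetime.strptime(obj["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "tenant": tenant, "source": obj["app"], "actor": obj["user"],
            "action": "login", "outcome": obj["result"], "src_ip": obj.get("src_ip")}


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """One alert per actor who fails logins on >= min_sources distinct systems inside `window`.

    A system is a (tenant, source) pair, so the rule fires across tenant boundaries,
    which is exactly what per-system log silos cannot see.
    """
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[e["actor"]].append(e)

    alerts = []
    for actor, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # failures for this actor that fall inside the window ending at `cur`
            in_window = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= window]
            systems = sorted({(e["tenant"], e["source"]) for e in in_window})
            if len(systems) >= min_sources:
                alerts.append({
                    "actor": actor,
                    "first_seen": in_window[0]["ts"],
                    "last_seen": cur["ts"],
                    "systems": systems,
                    "src_ips": sorted({e["src_ip"] for e in in_window if e["src_ip"]}),
                })
                break  # one alert per actor per run
    return alerts


if __name__ == "__main__":
    events = list(filter(None, (normalise(t, line) for t, line in SAMPLE_LOGS)))
    for a in correlate(events):
        print(f"ALERT {a['actor']} failed logins on {len(a['systems'])} systems "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}: {a['systems']}")
```

In the proposed platform the normalisation step would sit in the ingest pipeline (Logstash filters or an equivalent) and the correlation in a saved query or alerting rule over the indexed events. The point the example makes is that the jsmith alert is only visible once the bastion and application events share one store and one actor field; queried separately, each system shows an unremarkable handful of failures.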

Work setup

Address where the work will take place Supplier location(s) and Petty France, London, SW1H 9AJ
Working arrangements - on-site for an initial onboarding ramp-up period (as mutually agreed) with the vast majority of delivery being completed from supplier location(s)
- use agile working methods
- weekly progress reports
- use of MOJ online collaboration tools such as Slack and Skype for remote working
- use of MOJ productivity tools such as Google G-Suite, Trello, Atlassian Jira for work planning/activity
- the Security & Privacy Team Project Manager to provide reviews, direction and clarification on progress on a required (but at least weekly) basis
Security clearance Baseline Personnel Security Check (BPSS) as a minimum. See https://www.gov.uk/government/publications/government-baseline-personnel-security-standard for further guidance.

Additional information

Additional terms and conditions Any agreed Travel or Subsistence costs would be under MoJ's Travel and Subsistence policy

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Provide recent and demonstrable experience of implementing log collection and storage conducted in the last three years
  • Outline recent and demonstrable experience of using the Elasticsearch, Logstash and Kibana (ELK) stack (or directly comparable substitutions) for analyzing logs conducted in the last three years
  • Outline recent and demonstrable experience in building modular scalable technical data analytical platforms conducted in the last three years
  • Provide recent and demonstrable experience in building modular scalable platforms using infrastructure as code principles in Kubernetes/AWS conducted in the last three years
  • Provide recent and demonstrable experience in operating a technical platform, including patching and maintenance conducted in the last three years
  • Provide recent and demonstrable experience of transitioning a technical system to an operations team, explaining how you transferred knowledge to the team, conducted in the last three years
Nice-to-have skills and experience
  • Provide recent and demonstrable experience of Amazon Web Services' Athena and/or Elasticsearch service conducted in the last three years
  • Provide recent and demonstrable experience of using configuration as code to build and operate systems in a cloud-native manner
  • Provide recent and demonstrable experience of Amazon Web Services' Cloudformation conducted in the last three years
  • Provide recent and demonstrable experience of open source development (in particular, well-made and robust code development) and accompanying solution & code documentation conducted in the last three years

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate 5
Proposal criteria
  • Describe the method you would propose to use, referencing your experience, on how you would build a multi-tenant log aggregation platform based on the ELK (or directly comparable) stack
  • Describe the method you would propose to use, referencing your experience, on how you would onboard the logs from target systems
  • Describe the method you would propose to use, referencing your experience, to build dashboards for cybersecurity analysts and how you would ensure that they had ownership of the dashboards
  • Describe how you will ensure that the developed platform is flexible enough to allow future expansion by any maintainer with sufficient capability
  • Describe how you will ensure a high quality 'production ready' repeatable platform will be provided through your approach and methodology.
Cultural fit criteria
  • Recent and demonstrable experience of working in the public sector or a highly regulated environment, conducted in the last three years
  • Explain how you’ll ensure collaboration at all levels of the project and programme delivery between users, team members and management. Give examples of where you have taken this approach.
  • Explain internal development team planning and quality assurance processes
  • Explain how you provide knowledge sharing and handover at the end of an engagement
Payment approach Capped time and materials
Additional assessment methods
Evaluation weighting
Technical competence 60%
Cultural fit 10%
Price 30%

Questions asked by suppliers

1. Our security clearance has expired, will the MoJ sponsor us to gain security clearance for this project? The MoJ requires the work to be completed in relatively short timescales. While we may consider supporting applications for clearance for a proposed team member, it is unlikely there is time to organise clearance for an entire team.
2. Is this project related to https://www.digitalmarketplace.service.gov.uk/digital-outcomes-and-specialists/opportunities/8798, which was published almost 10 months ago? We were selected for the second round, then didn't hear back why we were selected. This Q&A is purely for the proposed work. Any queries on other subjects or opportunities should be directed to the appropriate team.
3. Would you require our team members to hold SC? If so, can you sponsor it? The baseline required is BPSS, and development in line with the Government Service Standard would not normally entail significant access to live data (which would potentially escalate requirements to SC). If your proposed path would require access to live data, please provide details in your bid and we will assess accordingly.
4. What additional assessments would you be looking at in Stage 2? Are you looking for a proposal as well as a presentation? Stage 2 will be a presentation of the submitted proposal with questions that may cover any of your submitted material, and any of the assessment criteria.
5. The DOS guidelines state we can provide only one example. Would you be happy for us to provide more than one project example per question in order for us to show real evidence for skills requested? We do not consider there to be a significant reason to depart from the DOS guidelines. We would recommend presenting your strongest example. You may draw upon other examples in response to questions during Stage 2.
6. Would you consider off-shoring / near-shoring some of these services? In the interests of Data Protection the data must be held in accordance with GDPR requirements, which may exclude some forms of off-shoring. We would encourage you to consider your approach in regard to GDPR, the Government Service Standard and published guidance from the Ministry of Justice.
8. Who is the intended user group for the logging platform? Is it intended for a central cybersecurity team, multiple development teams, or a combination of both? This is a central repository for the Ministry of Justice. Cyber Security is currently supplied through a mixture of in-house and out-sourced contracts. The scope of this contract is for access for our central Operational Security Teams; any solution should be scalable to other partners in future without significant redesign.
9. What is the classification of information that will be held in the logging platform? Expected classification is OFFICIAL only.
10. 1) Currently this is in Alpha, which means a discovery phase under the GDS guidelines has been completed. Can we see the output to ensure that we fully understand the scope, as we would expect more than this in the form of user stories/epic/design.
a. it has a vague proposed architecture on MoJ Kubernetes.
b. two small user stories
This is a component procurement rather than a full service. All relevant elements of the wider project will be shared with the successful team. The intent is to provide an open field to suggest options within the terms of this procurement.
11. 2) Can you please confirm that the cost of the hardware/cloud hosting/software/storage is the customer's cost not ours (supplier).
This bid is just for the technical know-how and build/handover of a live service for the implementation work? – it is not for a managed running service where we look at alerts etc.?
Your proposal should include any expected costs to the customer over the course of the build and handover as well as ongoing costs. Ongoing costs will be borne by the customer.
12. 4) Sizing
a. log volumes in messages per second and overall daily size in GB,
b. are there any archives to be imported, how much space is required for this in GB
c. storage length time, 3, 6, 12 months
a. Log volumes will scale over time. Ingestion rates will be mutable. Proposals should account for that fact. b. Other pieces of work are in train to cover existing archives, but this is unlikely to be completed during the period of this contract. Storage should be scalable over time. c. Current storage expectation is 12 months.
13. The Latest start date is stated as Wednesday 1 January 2020. Is this correct given that this date is a UK Public Holiday? It is expected that the first phase of the contract will conclude at the end of the current Financial Year. There is no expectation, or preclusion, that work will be carried out on a public holiday.
14. Our solution will be delivered with an English Language UI. Can we assume that logs are from English Language systems and therefore no language translation is required? If logs are to be received in other languages please list them. At this stage, there is no need to translate text fields into any other language.
15. Please indicate MOJ's Architectural preference to either manage Kubernetes infrastructure end-to-end on AWS, or to utilise a managed Kubernetes service such as Amazon EKS We are open to both options, assuming data processing takes place within the requirements of applicable law and the Government Service Standard.
16. Please confirm acceptance of Defence Business Services National Security Vetting (DBS NSV) Developed Vetting (DV) clearance for this opportunity. Security Vetting accepted or provided by government departments, or by the new National Vetting Service is acceptable.
17. Please confirm that access to source systems (both technical and commercial aspects) will be handled by the Authority as GFx to this opportunity. The GFx needs to provide representative test data in terms of schema and content. In the absence of these will the Authority provide samples of test data from all sources in scope? The Ministry will provide relevant test data for any specialist systems. The platform should be able to ingest data in all standard formats, and the supplier will be expected to source their own test data for those sets.
18. The requirement calls for 'targeted forwarding capabilities', please confirm that the means/tooling for forwarding will be provided as GFx. Consumption of the resource via SIEM or analytical systems should be straightforward, and not require proprietary or significant additional tooling. Means of consumption will depend upon the Ministry's ongoing strategies.
19. 3) Enclaves
a. How many different enclaves across the estate are we expected to pull information from?
b. Can these enclaves reach the AWS Kubernetes or will additional work be needed to get them to talk there. If this requires routing changes or additional connections, are these at MoJ’s cost (i.e. Vodafone need to make a change to a Firewall costing £10K)
c. Are devices being reconfigured to log to the new ELK service, or are they to continue to report to the old service and we simply pull them from the old collection points or via an API?
a) There will be multiple enclaves, maintained via different contracts. As long as the proposal demonstrates scalability to encompass multiple enclaves, that will be sufficient. b) They should all be able to reach the designated environment. Any additional work to feed out of a particular environment will be at the Department's expense. c) We would expect the service to ingest from any source pointed at it. Your proposal should be capable of dealing with multiple different source points.
20. 5) Toolsets and Timings
a. Are you providing access tools to the MoJ toolsets (via MoJ laptops) or do we need to integrate to them (configure our laptops to create a VPN to get access to the tools)?
b. Who grants access to the AWS Kubernetes instance and are there any controls we need to be aware of.
c. At what point does Change control come into effect in the new system being built?
a) Either option can be made to work.
b) There are potentially multiple Kubernetes instances in scope. Our devs will be able to provide relevant access, but there may be a small amount of configuration involved to make use of them.
c) Change control should not factor in until the conclusion of the project. If you believe there are specific areas, please highlight them as part of your proposal.
21. 6) Who pays for the ITHC? The Government Service Standard requires a reasonable amount of security as part of the development process. As the proposal will determine what is required as part of a health check, it is not possible to answer this question accurately.
22. In light of the short timescales will the Authority confirm whether the 12 week period is to include Design Assurance and UAT, or is it acceptable that these are to be scoped outside of this period? Our preference is for spend to happen in the current Financial Year. It is acceptable to begin work earlier than 1 Jan, and/or to continue up to March 31, as your preference dictates.