Awarded to BAE Systems Applied Intelligence Limited

Start date: Monday 3 August 2020
Value: £3,000,000
Company size: large
The Home Office (National Law Enforcement Data Programme)

NLEDP 154 - Cyber Security Operations Team

17 Incomplete applications

12 SME, 5 large

7 Completed applications

4 SME, 3 large

Important dates

Tuesday 3 March 2020
Deadline for asking questions
Tuesday 10 March 2020 at 11:59pm GMT
Closing date for applications
Tuesday 17 March 2020 at 11:59pm GMT


Summary of the work
In line with Industry Good Practice and HMG Policies the supplier will provide a Cyber Security wrap around applications and services hosted within out commodity cloud environments.

The HO provide first line monitoring of the SIEM tooling.

This team needs to be able to flex and accommodate any growth .
Latest start date
Tuesday 30 June 2020
Expected contract length
2 years
Organisation the work is for
The Home Office (National Law Enforcement Data Programme)
Budget range
£3m total contract. Maximum blended day rate of £850 / day

About the work

Why the work is being done
The Police and Public Protection Technology directorate contains a number of delivery programmes two of which are the National Law Enforcement Data Programme and Law Enforcement Cloud Platform which are hosted on public commodity cloud. In line with Industry Good Practice and HMG Policies there needs to be a Cyber Security wrap around applications and services hosted within our commodity cloud environments.
Problem to be solved
Provide a team to run the day to day BAU cyber security activities.
Who the users are and what they need to do
Police and Public Technology portfolio need a Operational Security team to react to security incidents and manage the day to day activity of security issues in a development programme and operational platforms.
Early market engagement
Any work that’s already been done
The Home Office provide the first line monitoring of the Cyber Security SIEM tooling. This procurement is to establish a Cyber Security Operations team that can undertake the following activities.
Existing team
The team will be working in a multi supplier environment and interactions with other elements of the Home Office, including the Cyber Security Operations Centre, the Portfolio Platform & Service teams and broader Security Management. There is 1 existing resource that will be retained as per the requirements below.
Current phase

Work setup

Address where the work will take place
The team is expected to be at the Home Office Bernard Weatherill House site in Croydon most days, but may be required to travel to other Croydon or London HO locations.
Working arrangements
To run this service and support the delivery & support teams you will need to be on site. Also due to technical lock downs access to the environments remote working under exceptional circumstances will not be possible.

Out of hours incident response will be required, access to the environments will be from agreed locations.

The Initial request is for the following for daytime BAU activity:
1 x Operational Security Manager SFIA Level 5
1 x Deputy Operational Security Manager SFIA Level 4 / 5
1 x Operational Security Practitioner SFIA Level 4
Security clearance
Team members must have Security Clearance (SC) or be prepared to undergo Security Clearance. NPPV Level 3 is also required and new members will be put through this vetting.
NPPV is non-police personal vetting, performed by the police.

Additional information

Additional terms and conditions
The Customer may, if it chooses, use its in-house resources, business units and other framework agreements to deliver specific services. The Customer will consult fully with the Supplier before exercising this right.
o Volume and values
Contract values are indicative only and are not a guaranteed level of expenditure. The Authority reserves the right not to spend the whole budget in each year of the contract.
Programme budgets are subject to annual PIC approval. The Authority will advise on the outcome in March each year.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience in providing a Cyber Security Operations Service with a good understanding of investigating cyber security incidents and operating proactive security incident management
  • The supplier must have knowledge of security managing AWS native Services Eg S3, EC2, DMS Databases, Cloudtrail, Cloudwatch etc.
  • The supplier must have knowledge of security managing Windows, Red Hat and Centos operating Systems.
  • The supplier must have knowledge of Splunk SAAS and Nessus Tenable cyber tooling including Use Case development, configuration, onboarding and operation
  • Experience of identifying and implementing continuous improvements to the Cyber Security Operations service
  • Experience of responding to, and managing to conclusion, Cyber Security incidents as per agreed service level targets and in line with approved procedures.
  • Experience of defining, maintaining and updating any work instructions and operational processes relating to cyber security.
  • Skills in threat vulnerability analysis, prioritisation and remediation/remediation planning and reporting on a regular basis
  • Experience of establishing an Operational Security Working Group to discuss detailed cyber operational issues.
  • Experience of providing assurance and managing the technical teams that remediating, patching and upgrading the infrastructure in line with agreed policies.
  • Experience of implementing and managing the escalation of privilege when required.
  • Experience of managing BAU Cyber Activity.
  • Experience of management of a Privileged Access Management Service.
  • Ability to flex in line with operational requirements.
  • Experience of providing an on call out of business hours service should a Cyber Event occur. This is not expected to be more than 2 events a month.
  • SC level of Security Clearance and Non-Police Personnel Vetting Level 3 or be able to obtain the required vetting.
  • Ability to work from multiple locations, if required.
  • Experience of managing contractor resource. (A contractor will be supplied to you and will be paid for by the authority directly, TUPE is not relevant in this case)
  • Experience of leading onboarding of new services on to the cyber security capabilities.
  • Experience of supporting ITHC or Penetration Testing activities within the estate.
Nice-to-have skills and experience
  • Knowledge of Industry and Government Cyber Security practices & incident response.
  • Experience in working in a Law Enforcement and Government working environment

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Approach to the work, illustrating flexibility in team roles and multi-skilled personnel to meet NLEDP goals.
  • How to be effective in a small focussed team
  • Team structure
  • Demonstrate Value for Money in your approach with transparent costs
  • Ability to plan and anticipate for risks and provide potential mitigations
Cultural fit criteria
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Share knowledge and experience with other team members
  • Be transparent and collaborative with colleagues and Product owners to make informed decisions
  • Work as a team with our organisation and other suppliers
  • Adaptable and flexible people able to deliver against changing security priorities as they evolve
  • Proactive issue management, problem resolution and improving ways of working
Payment approach
Time and materials
Additional assessment methods
  • Case study
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is there incumbent supplier on site providing these services? if so who?
or this is a new service required?
There is no incumbent supplier, we have a set of resources provided by IBM but we have had resources from other suppliers in a mixed team, this is a new service to replace ad hoc resourcing.
2. How many people would you require and what roless, please?
As per the advert we are looking for the roles below as a starting requirement, to work with an exiisting contractor that is being retained on the programme:
1 x Operational Security Manager SFIA Level 5
1 x Deputy Operational Security Manager SFIA Level 4 / 5
1 x Operational Security Practitioner SFIA Level 4
3. Will they all need SC? If so, can you initiate/sponsor it?
They will all need SC and NPPV3 this is the baseline vetting requirement for the environment.
4. What's the procurement timeline?
The procurement timeline is dependent on the level of response from bidders. However, the starting position is:
Opportunity closes 17 March - Stage 1 Evaluation and invitiations to Stage 2 by 20 March
Closing date for Stage 2 proposals 27 March
Supplier presentations w/c 30 March and contract award
5. You've stated a maximum "blended" day rate – does this figure include VAT?
Values are inclusive of fees and exclusive of VAT
6. In addition to the day rate, will suppliers be able to invoice for travel and subsistence costs where appropriate?
Day rates are inclusive of expenses. Where a supplier is required to travel outside of the M25 ring for business needs, reasonble expenses may be claimed in line with HO T&S policy
7. What is the IR35 Status Determination for the roles required to fulfil this outcome?
The roles are outside IR35.
8. Are you planning to expand the working hours of the resource to 24*7, if so when ?
End of April 2020
9. What are the forward plans in running the SOC as a 24*7 operation?
End of April 2020
Q3 for data replication from legacy systems
Q3/4 for go 1st service go live.

All of this will be on call for out of hours resolution for data migration activity.
10. Out of hours incident response – Please confirm what the current working policy is for the required resource is, if they have been working on a security incident through the night – when are they expected to be back at the desks?
No if they are working throughout the night to resolve an issue then they will not be expected to be at their desk the next morning. Heath and Safety and Staff Welfare rules apply.
11. Environment – please define what “exceptional circumstances” means?
Exceptional Curcumstances means where people can't come into the agreed working locations, or they are on call out of hours and responding to a security incidient.
12. Experience of managing contractor resource. –
• What are the roles and responsibilities for the contractor resource?
• Performance management of contractor resource, whose responsibility?
Performance management is the Authorities response
Existing resource is a cyber analyist responding to security incidients highlighted by the CSOC. The role investigates and remediates.
13. “The Home Office provide the first line monitoring of the Cyber Security SIEM tooling” What is the SIEM tool and does this team run 24*7 ?
The SIEM tool used is the programme SIEM tool, not the HO centeral product. The programme uses Splunk.
14. What is the percentage split between “development programme and operational platforms” for the roles advertised
90% Development 10% Data Migration (treated as operational)
15. Please list in priority order the BAU activities you want the new team to operate (problem to be solved). This should be different from the Essential skills and experience?
Some of the activities :
Incident reponse
Escalation of risk
Elevation of permissions management
Management of IMPEX requests
Vunerability scanning and reporting.
SIEM tool tuning and run book updating
Update documentation based on BAU changes (Processes, Desk Instructions etc)
Supporting of additional SIEM use cases
Change / release board attendance
Review roles and responsabilities based on changes
any other activities as identiefied that are needed for effective BAU running of environments.
16. Is the NPPV Level 3 required in advance of the engagement, or would consultants be put through this vetting?
NPPV 3 would be desirable in advance, however resources can be put through it at anytime but this will delay the start of the resource. There are mitigation’s that can be put in place whilst nppv3 is obtained.
17. A cyber attack can happen at anytime, what metrics have you used to reach your expectancy of no more than 2 out of hours incidents or events per month?
The metric is based on the architecture, connectivity methods and number of alerts received to date. This is an estimate and may increase as the amount of business services is increased.
18. A bidder question on the DOS Fwk T&Cs was received
HO are unable to comment, and suppliers should contact the CCS Fwk owners for clarification in relation to DOS T&Cs