This opportunity is closed for applications

The deadline was Friday 19 June 2020
Health and Social Care Information Centre (known as NHS Digital)

Delivery of Security Feeds into the CSOC

8 Incomplete applications

6 SME, 2 large

9 Completed applications

6 SME, 3 large

Important dates

Published
Friday 5 June 2020
Deadline for asking questions
Friday 12 June 2020 at 11:59pm GMT
Closing date for applications
Friday 19 June 2020 at 11:59pm GMT

Overview

Summary of the work
NHS Digital require a supplier that has significant expertise in Splunk Enterprise Security to enhance the critical operations of the Data Security Centre, CSOC.

The suppliers will be required to onboard new feeds, rules and dashboards, whilst developing and providing continuous improvements to the CSOC onboarding processes through to maturity.
Latest start date
Tuesday 4 August 2020
Expected contract length
8 months with option to extend for up to 2 months
Location
Yorkshire and the Humber
Organisation the work is for
Health and Social Care Information Centre (known as NHS Digital)
Budget range

About the work

Why the work is being done
NHS Digital’s Data Security Centre (DSC) is integrating additional data and threat feeds into its Cyber Security Operations Centre (CSOC) to support two critical strategic initiatives:

• Supporting the healthcare sector’s response to COVID-19 to counter related ransomware and phishing efforts and other malicious activity.

• Supporting the Government Security Group to strengthen the security of Critical National Infrastructure (CNI) assets owned and operated by the Arm's Length Bodies (ALBs) of the Department of Health and Social Care (DHSC).

This work will deliver improvements in the DSC’s ability to deliver enhanced threat hunting and to mitigate and remediate identified risks and vulnerabilities.
Problem to be solved
NHS Digital require a supplier with significant expertise in Splunk Enterprise Security to enhance the critical operations of the Data Security Centre, CSOC.
This enables key national services to be onboarded onto CSOC Splunk ES, providing a view of how services are performing for end users, the ability to better identify when user-impacting issues are occurring, and the ability to increase the CSOC maturity score.
If this consultancy requirement is not achieved, the threat hunting capabilities of the CSOC could be reduced, jeopardising the security of systems and potentially impacting front line services.
Who the users are and what they need to do
As a Security Use Case Manager, I need Splunk engineering and expertise to onboard new feeds, rules and dashboards, whilst developing and providing continuous improvements to the CSOC onboarding processes so that I can reduce cyber security risks to the NHS across England, drive maturity and optimisation to achieve the CSOC vision.
Early market engagement
Not Applicable
Any work that’s already been done
Onboarding of security feeds for NHSD Programmes into Splunk ES
Existing team
You will be working with a full team made up of a Programme Director, a Programme Manager and various CSOC team members.
Current phase
Not applicable

Work setup

Address where the work will take place
NHS Digital Leeds offices; however, remote working is acceptable in line with the current government guidance surrounding COVID-19.
Working arrangements
The supplier is expected to supply resources working within a team made up of staff with Splunk specialist skills. We expect the supplier to be flexible to our needs and able to work with a mixed team across the Leeds sites.

The resources must be co-located with the Authority in Leeds and must be Security Cleared (SC).

Day rates are to be inclusive of travel and subsistence.
Security clearance
Individuals in the supplier’s team must be SC cleared or clearable

Additional information

Additional terms and conditions
The Draft Order Form, the initial Statement of Work (SOW) and the Draft Order Form/Call-off Terms and Conditions are available at the following link:
https://nhsdigital.bravosolution.co.uk/web/login.html

Bravo reference: pre_220 - Delivery of Security Feeds into the CSOC

To view the above you must be registered on NHS Digital's e-tendering portal. Suppliers that are not yet registered should register using the link above.

The Buyer reserves the right to award future SOWs under this Call-off Contract against all charging methods in the framework.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Evidence of expertise in the use of Splunk and Splunk Enterprise Security at an administrative level to support the development and build of the Protective Monitoring platform.
  • Evidence of proficiency with the implementation and maturing of a data onboarding model and the onboarding of key data sources.
  • Experience of delivery in highly complex, high volume secure data systems
  • Experience of producing a knowledge transfer framework - including end to end document library of documentation covering discovery, including system design and build and ensuring smooth handover into live service
  • The supplier must provide evidence of the ability to create a Centre of Excellence comprising a dedicated in-house onboarding function for the CSOC during the transition to in-house onboarding.
  • Evidence of recent development and onboarding to the Common Information Model, the creation of correlation searches / saved searches and outputs as alerts, reports and dashboards
Nice-to-have skills and experience
  • Strong understanding of the Amazon AWS platform and experience with Microsoft Azure and/or Google Cloud
  • Demonstrable mentoring capabilities for permanent staff during the transition to path-to-live and live environments.
  • Sound understanding of the NHS infrastructure and programmes.
  • Experience of customer and end user engagement across varied health care Programmes

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Written Proposal
  • Case Study
  • Work History
  • Reference
Cultural fit criteria
  • Approach to functioning effectively and collaboratively in a complex multi-supplier environment.
  • Approach to proactive issue management, problem resolution and improving ways of working
  • Approach to leading by example to keep data secure.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme
  • Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team.
Payment approach
Fixed price
Additional assessment methods
Evaluation weighting

Technical competence
55%
Cultural fit
5%
Price
40%

Questions asked by suppliers

1. Please can you advise an indicative budget for this outcome opportunity (aligned to contract duration of 8 months)?
We have an indicative budget range of £1,000,000.00 to £1,500,000.00
2. Please can you advise whether an incumbent is currently in place?
We have previously employed the services of a Splunk engineering company to provide support and complete a number of tasks, however this is a new specified piece of work.
3. Please can you advise what sized team and types of roles you expect to be provided by any successful suppliers?
The supplier would put forward the projected team size and roles based on the essential and nice to have skills published on the Digital Marketplace and against the SOW milestones.
These milestones can be found at https://nhsdigital.bravosolution.co.uk/web/login.html
Bravo reference: pre_220 - Delivery of Security Feeds into the CSOC
4. The deadline on Bravo portal is 22/06/2020 12:00:00 and the DOS portal states Friday 19 June 2020 at 11:59pm – please advise?
The submission deadline is Friday 19th June 2020 at 11:59. This has now been changed on the Bravo portal to reflect the DOS portal.
5. If you have previously employed the services of a Splunk engineering company, then why are you going out to tender?
As stated we have previously employed the services of a Splunk engineering company to provide support relating to our Splunk deployment. The new requirement is to complete specified work and therefore, aligned to public sector regulations, we are executing a procurement exercise to source a supplier to complete the milestones outlined in the Statement of Work.
6. Could we have access to details of the new data sources required?
Annex A: Required Feeds for Protective Monitoring to the CSOC charter has now been added for information to Bravo pre_220 - Delivery of Security Feeds into the CSOC in Section 1.2.3 of the Response Form
This is a high-level example of the types of feeds that the Supplier will have to onboard.
This can be found at https://nhsdigital.bravosolution.co.uk/web/login.html
7. Could we see details of the new feeds?
Annex A: Required Feeds for Protective Monitoring to the CSOC charter has now been added for information to Bravo pre_220 - Delivery of Security Feeds into the CSOC in Section 1.2.3 of the Response Form
This is a high-level example of the types of feeds that the Supplier will have to onboard.
This can be found at https://nhsdigital.bravosolution.co.uk/web/login.html
8. Are there any details available on expected data volumes?
At this stage we do not have that information.
9. Could we see the Common Information Model?
This information is available and updated on the Splunk Docs website. The Common Information Model can be accessed at:

https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview
10. The Draft SoW appears, but the Draft Order Form/Call-off Terms and Conditions don't appear to be there.
Can these be made available please?
The Call-Off will be made available via Bravo to the suppliers shortlisted for Stage 2 Evaluation.
11. Are non-SC cleared resources permitted to work on the project?
All resources must be SC cleared to work on this project.
12. Is there an onsite requirement?
The supplier will be required to work onsite at NHS Digital’s Leeds offices when it is appropriate to do so in line with Government guidelines surrounding Covid-19. The work can be undertaken remotely in the meantime until the offices are open to staff and suppliers.
13. Is SC cleared necessary OR SC clearable okay as well? What exactly does SC clearable mean?
All resources must be SC cleared to work on this project. Information on SC clearance can be found with the following link: https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels
14. Do we have to organize a use case workshop OR is a list already developed of use cases to be completed in each sprint?
A list of Use Cases will be supplied for the sprints.
15. Is the tuning of use cases also part of each development sprint? And the number of use cases in subsequent sprints include the tuning of previous ones?
Tuning will be part of the sprint activity.
16. In addition to Splunk Enterprise Security, are you able to list any additional licenced premium Splunk Security apps, such as Phantom and/or User Behaviour Analytics?
This is not being disclosed at this time.
17. Is the use of sub-contractors permitted for this contract?
Sub-contractors are permitted, however any sub-contracted resource must be SC cleared and any sub-contractors must be declared in the submission.
18. Does the skills matrix already exist, and is it available?
It does not already exist.
19. Does training need to meet any accredited standards?
No, it needs to deliver to an operational standard. There can be recommendations for accredited training to be highlighted to the NHS Digital team to do in tandem with the onsite training.
20. How many log sources need to be onboarded vs. are already onboarded?
There is a continuous stream of onboarding to be completed, with this work package to address the highest priority. The amount exceeds the contract term.
21. How many organisations are there from which logs will be collected?
One. Only logs from NHS Digital are expected to be onboarded.
22. What threat monitoring content / use cases currently exist within the analytical stack?
We would not normally disclose what we are / are not monitoring for.
23. Is the threat monitoring mapped to a framework like MITRE ATT&CK?
Yes, we use MITRE.
24. Does the CSOC already know what threat monitoring content they want created, or is the requirement to inform the content of detection use cases in addition to their creation?
We will have a threat based approach and provide threats and MITRE elements that we are interested in and the CSOC input into the use case factory. However we will also expect some SME advice and guidance of successful use cases to be presented.
25. Will existing NHS threat monitoring and Splunk engineering resources be available to work on the project?
Yes, it is an integrated team of Splunk SME and security SMEs.
26. What platform should be used to document the processes for the Centre of Excellence?
No document platform has been identified.
27. Have the CSOC organisational testing standards already been defined, and are these available?
Testing acceptance criteria are currently set by the incumbent project and we are looking to mature the standards over the duration of this assignment.
28. Testing acceptance criteria are currently set by the incumbent project and we are looking to mature the standards over the duration of this assignment.
The governance process authorises and approves Work Packages (deliverables of onboarding / rules development) ahead of the sprint planning. It is internal to the Data Security Centre.