NHS Digital (Health and Social Care Information Centre)

Accelerated Onboarding of Security Feeds into the CSOC

10 Incomplete applications

6 SME, 4 large

8 Completed applications

7 SME, 1 large

Important dates

Monday 12 October 2020
Deadline for asking questions
Monday 19 October 2020 at 11:59pm GMT
Closing date for applications
Monday 26 October 2020 at 11:59pm GMT


Summary of the work
NHS Digital require a supplier that has significant expertise in Splunk Enterprise Security to enhance the critical operations of the Data Security Centre, CSOC.

Suppliers will be required to engage with NHSD Programmes to carry out discovery to initiate onboarding activity for a service and to onboard new feeds, rules and dashboards.
Latest start date
Monday 23 November 2020
Expected contract length
12 months
Yorkshire and the Humber
Organisation the work is for
NHS Digital (Health and Social Care Information Centre)
Budget range
Budget envelope of £1,500,000 to £2,000,000

About the work

Why the work is being done
NHS Digital’s Data Security Centre (DSC) is integrating data and threat feeds into its Cyber Security Operations Centre (CSOC) to support the following strategic initiatives:
• Supporting the CISO’s critical key objective of reducing risk to NHS Digital
• Enhancing cross-functional effectiveness - A DSC-wide process model will enable more effective cross-functional collaboration.
• Driving resilience for the DSC and the NHS – Having security services in place will enable the DSC to react more effectively to sudden change
• Support for customer and patient outcomes - The health and care system we serve, and its cyber landscape, is not static; it changes continuously.
Problem to be solved
NHS Digital require a supplier with significant expertise in data onboarding into Splunk Enterprise Security to append NHS Digital services into the CSOC protective monitoring service.
The supplier will provide discovery teams comprising Playbook and Splunk Engineers working with, and dependent on, in-house staff. These discovery teams shall inspect and verify each digital service’s infrastructure and platform. Using the NHS Digital Information Security Policy and the CSOC Charter for reference, they shall verify that the necessary audit material is available and captures the necessary event data, determine which CSOC Security Use Cases can be applied, and identify data sources to provide a protective monitoring service, reducing risks.
Who the users are and what they need to do
As a Security Use Case Manager, we need Splunk engineering and expertise to onboard new feeds, rules and dashboards, whilst developing and providing continuous improvements to the CSOC onboarding processes so that we can reduce cyber security risks to the NHS across England, drive maturity and optimisation to achieve the CSOC vision.
Early market engagement
Any work that’s already been done
NHS Digital’s Data Security Centre (DSC) has been working with a supplier to onboard NHS Digital operated services into the Cyber Security Operations Centre (CSOC) as part of a strategy to reduce risk and mature cyber security resilience.
Existing team
You will be working with a full team made up of a Programme director, Programme manager, security architect and security analysts.
Current phase
Not applicable

Work setup

Address where the work will take place
NHS Digital Leeds Offices; however, remote working is acceptable in line with the current government guidance surrounding COVID-19.
Working arrangements
Supplier is expected to supply resources working within a team made up of staff with Splunk specialist skills. The supplier must be flexible to our needs and able to work with a mixed team across the Leeds sites.

All Supplier resource assigned to Milestone 1 must be SC clearable or Security Cleared. Any personnel working on Milestone 2 must be security cleared. Supplier resource shall be required to abide by the current service operating hours of 8am – 6pm, Monday – Friday, excluding Bank Holidays. Working patterns will be agreed with the authority’s representatives.
Day rates inclusive of travel and subsistence.
Security clearance
Individuals in the supplier’s team assigned to Milestone 1 should be SC clearable or Security Cleared. All personnel working on Milestone 2 must be security cleared.

Additional information

Additional terms and conditions
The initial Statement of Work (SOW) and Draft Order Form/Call-off Terms and Conditions are available at the following link:

Bravo reference: prj_4859

To view the above you must be registered on NHS Digital's e-tendering portal. Suppliers who are not registered should register using the link above.

The Buyer reserves the right to award future SOWs under this Call-off Contract against all charging methods in the framework.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Evidence of expertise in the use of Splunk and Splunk Enterprise Security at an administrative level to support the development and build of the Protective Monitoring platform.
  • Evidence of Splunk and Playbook engineers with experience of carrying out Discovery work to onboard services security feeds
  • Evidence of proficiency with implementation and maturity of data onboarding model and the onboarding of key data sources
  • Experience of delivery in highly complex, high volume secure data systems
  • Experience of producing a knowledge transfer framework - including end to end document library of documentation covering discovery, including system design and build and ensuring smooth handover into live service
  • Evidence of recent development and onboarding to the Common Information Model, the creation of correlation searches / saved searches and outputs as alerts, reports and dashboards
Nice-to-have skills and experience
  • Strong understanding of the Amazon AWS platform and experience with Microsoft Azure and/or Google Cloud
  • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments
  • Sound understanding of the NHS infrastructure and programmes or equivalent complex environments
  • Experience of customer and end user engagement across varied health care or equivalent complex environments

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Approach and methodology
  • How the approach or solution meets user needs
  • Team structure
  • Cultural Fit
Cultural fit criteria
  • Approach to functioning effectively and collaboratively in a complex multi-supplier environment.
  • Approach to proactive issue management, problem resolution and improving ways of working
  • Approach to leading by example to keep data secure.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme
  • Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team.
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is there an incumbent organisation looking after this capability?
NHSD are currently working with a supplier to onboard security feeds into the CSOC; however, this requirement is directed under a new work stream/project and will remain separate to the current work being undertaken as its own distinct work package.
2. In the documentation you refer to playbooks, can you confirm what format of playbook is required? Would they be Splunk Phantom Playbooks; a written procedures document called a playbook; or something bespoke to NHSD?
Please consider a playbook / runbook being the procedure for a tier 1 / tier 2 SOC analyst to follow upon an alert/detection of rule, which in turn is part of a security Use Case. Some ‘use cases’ may have multiple runs, but also only one or many playbooks. Documented within Confluence, but also maybe a SOAR playbook where the response can be automated.
3. The service states a 12-month engagement. Across those 12 months are there any major milestones that have presently been planned for? Can you highlight what your key goals are for the first 3 months of the partnership?
Within the first 3 months it is expected that all the service owners will have been contacted and initial feasibility meetings held to determine which 45 services will be onboarded within the 12 month period, with the expectation of a non-linear onboarding of 45 services over the 12 months.
4. What is the total headcount of the central NHS Digital SOC and how many people will require some form of education around the new Splunk solution?
We do not wish to disclose the current headcount for the SOC and there is no requirement for education for analysts but there is the requirement to perform ‘knowledge transfer’ to the resident engineering team who will be required to maintain the onboarding activity once the supplier has completed this assignment.
5. How many Trusts will need to be interacted with as part of this service?
None - this is entirely for work internal to NHS Digital.
6. How many security feeds have been on-boarded as part of the current-state solution?
We do not wish to disclose the current coverage, but there are already hundreds of feeds enabled within the current SOC solutions. Whilst we expect many source types to be reusable, there is the requirement for the supplier to identify optimisation and change between feeds.
The deadline for asking questions about this opportunity was Monday 19 October 2020.