This opportunity is closed for applications

The deadline was Friday 12 February 2021
The Crown Prosecution Service (CPS)

Design and Implement a Centrally Managed Cloud based MS Windows Deployment Service

27 Incomplete applications

22 SME, 5 large

26 Completed applications

17 SME, 9 large

Important dates

Published
Friday 29 January 2021
Deadline for asking questions
Friday 5 February 2021 at 11:59pm GMT
Closing date for applications
Friday 12 February 2021 at 11:59pm GMT

Overview

Summary of the work
Outcome based managed service to:

1) Design, implement and test a secure cloud managed "evergreen" Windows 10 solution connecting to all CPS digital services.

2) Design of a Target Operational Model (TOM) detailing management, support and reporting processes.

3) Provision of training and assistance to operational resources.
Latest start date
Monday 26 April 2021
Expected contract length
12 months with an option to extend for up to the maximum of 6 months
Location
Yorkshire and the Humber
Organisation the work is for
The Crown Prosecution Service (CPS)
Budget range

About the work

Why the work is being done
The CPS has started the journey to Windows 10 and has completed a migration to Office 365. With this, newer version updates are released in shorter cycles with an obligation to keep up to date. As well as the need for an evergreen operating model, the CPS is seeking to move towards a zero-trust approach to security and to make full use of the Microsoft services already procured under its M365 E5 licensing agreement.

With several business-critical legacy services running in the data center and upcoming networking changes across the estate, the environment is complex and requires a structured and phased approach to reaching the desired end state.

Ultimately, the requirement is to provide users with devices which are modern and deliver an experience superior to that which they get from personally owned IT and ‘just work’!
Problem to be solved
Implementation of modern device management and migration from Windows 8.1 managed via GPO/SCCM under multiple suppliers to a secure cloud managed Windows 10 solution.

The solution needs to simplify the underpinning architecture, moving to a "cloud-based security for internet access" and access to ‘on premises’ applications. Processes relating to deployment and management should be simplified to include zero trust and the ability to remotely manage, reset and redeploy devices without the need to collect, rebuild and reissue devices.

CPS has already commenced rollout of MS Surface laptops with a Windows 10 gold image and this is managed by existing suppliers through SCCM. These will also need to be planned and transitioned to the new solution. There is limited scope for co-management.

The solution needs to integrate the process to enable ongoing management, updating of software, incident/problem/change management with other services and other providers.

The supplier will be expected to design a Target Operating Model ("TOM"); to advise on resourcing requirements and to define the potential division of responsibilities between internal CPS teams and potential third-party service suppliers to allow efficient ongoing operational support of this service.

Further information is available from: jack.mellish@cps.gov.uk
Please use reference: PR137 2020
Who the users are and what they need to do
The CPS supplies some IT services to HMCPSI and the Attorney General’s Office. This requirement covers the entire estate including users across all three departments, contractors and suppliers where devices and accounts are provided. Currently this equates to approximately 7000 users at various locations in England.

The solution will need to enable these users to continue to access a range of applications from those installed on the device to legacy apps running in the data center to public cloud SaaS applications.

Users must be able to use their managed devices from any location to access all of their applications. This will be achieved by connecting to the public internet (via a cloud security broker) or plugged into the CPS office network. Users, devices and services will then be managed and supported with minimal physical intervention by the centralised operational team.
Early market engagement
Any work that’s already been done
The CPS has completed a migration to Office 365 which includes Exchange Online, SharePoint Online and Teams (including PSTN services).

A current state assessment has also been undertaken in respect of End User Computing services and a "cloud based" only proof of concept (ALPHA "POC") has been completed using Autopilot and Endpoint Manager. No other non-cloud 3rd party services have been integrated with this POC.

Android smartphones have been deployed to approximately 700 users which are being managed via Endpoint Manager and there is work underway to deploy MS Teams Meeting Room systems.
Existing team
The CPS has a programme manager and project managers in place reporting up to a steering group. There is a supporting architecture function that will approve solution designs, and relevant third-party suppliers are engaged to provide integration support as necessary.
Current phase
Alpha

Work setup

Address where the work will take place
The CPS has sites all over England and Wales and may require work at any of these sites as necessary; however, work will primarily be based at:
- 4 South Parade, Wakefield, WF1 1LR
- 102 Petty France, London SW1H 9EA
Obviously, due to Covid-19 restrictions, remote working is supported and may be accepted ongoing for the term of the engagement.
Working arrangements
Working hours are expected to be: Mon-Fri 9am-5pm.
Due to Covid-19 restrictions, work will primarily be conducted remotely; however, some onsite working may be required at key stages throughout the project - please see above.

It is expected the supplier will manage the team provided and this may comprise a mix of technical, service and project management resource to deliver the outcomes as proposed.

Agile project principles and iterative deliverables as per CCS service manual should be followed by the supplier.
Security clearance
DBS level clearance will be required for all personnel before commencement of the contract and the CPS reserves the right to require SC level depending on the nature of the work during the term of the engagement.

Additional information

Additional terms and conditions
Any additional terms will be identified and published as part of the assessment stage of this process.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • have the necessary skills and experience in building Windows 10 cloud managed devices
  • have the necessary skills and experience of cloud security platforms such as Zscaler
  • have the necessary skills and experience in zero trust security model using NCSC guidelines
  • have the necessary skills and experience in implementing and optimising Microsoft 365 technologies including but not limited to Intune
  • have the necessary skills and experience in integrating to supporting technologies such as Active Directory
  • have the necessary skills and experience in integrating with on-premise services
  • have the necessary skills and experience in delivering complex application deployment
  • have the necessary skills and experience in agile project delivery methodology
  • have the necessary skills and experience in working for similar size and complex public sector customers
  • have the necessary skills and experience in working in a multi-vendor environment
  • have the necessary skills and experience in network architecture security
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • technical solution
  • approach and methodology
  • estimated timeframes for the work
  • how they've identified risks and dependencies and offered approaches to manage them
  • team structure
  • value for money
Cultural fit criteria
  • work as a team with our organisation and other suppliers
  • be transparent and collaborative when making decisions
  • take responsibility for their work
  • share knowledge and experience with other team members
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

65%

Cultural fit

15%

Price

20%

Questions asked by suppliers

1. What is the budget of this project?
Thank you for your question. CPS do not have a final budget for this work at this stage. We expect this procurement exercise and therefore the supplier proposals to clarify budget requirements.
2. Will the CPS consider bids for individual component parts of their requirement – specifically, separate bids for the Cloud managed ever green solution, the Target Operating Model design and the provision of training and assistance to operational resources?
Thank you for your question. Unfortunately not. We are looking for a single supplier contract to deliver the end-to-end solution.
3. Can we please know the budget range of this work?
Thank you for your question. CPS do not have a final budget for this work at this stage. We expect this procurement exercise and therefore the supplier proposals to clarify budget requirements.
4. Would you accept a proposal from a consortium?
Thank you for your question. Unfortunately not. We are looking for a single supplier contract to deliver the end-to-end solution.
5. Do you have an agreed budget for this piece of work?
Thank you for your question. CPS do not have a final budget for this work at this stage. We expect this procurement exercise and therefore the supplier proposals to clarify budget requirements.
6. What is the budget range for this work?
Thank you for your question. CPS do not have a final budget for this work at this stage. We expect this procurement exercise and therefore the supplier proposals to clarify budget requirements.
7. Could you clarify the procurement process? The “Proposal Criteria” includes several elements that don’t seem to map to the “Essential Skills and Experience” sections where bidders are permitted to enter a response. Is the “Proposal Criteria” only for the 3 shortlisted bidders following this initial stage?
Thank you for your question. Yes, that is correct. This is a two stage process as set out in the framework. A shortlist is made from the essential skills and experience. The second stage is the 'assessment stage' which is where a proposal will be required and this will be evaluated based on the proposal criteria. Further instruction on the format of the proposal and the evaluation will be provided to the shortlisted suppliers.
8. What are the total numbers of end-users, endpoint devices, locations, and users per location?
Will the already-implemented Windows 10 devices be included in this, and will the existing Windows 10 Gold Image be maintained in parallel?
What is the network architecture already in place, and can this be adapted to optimise performance for this solution? Is on-premises access wired or via Wi-Fi, and is this open to change?
Who will be responsible for repackaging of applications?
Will the Android phones mentioned need to be managed under the same regimen as the Windows 10 devices?
There are approx. 7000 users across approx. 70 locations throughout England & Wales. Users per location varies. Already implemented Windows 10 devices will need to be recalled, reset and reissued. The existing gold build will be maintained in parallel. Network architecture is hub and spoke with all sites using wired connections. The network architecture will be adapted and open to change however the Windows 10 solution may need to accommodate the existing architecture in the interim.

We will be looking to the supplier for application packaging and the Android devices are already being managed internally through Intune.
9. Please could the CPS confirm the types of licensing you are currently using right now? Eg. E3 or E5 licenses.
Thank you for your question. All users have M365 E5 licenses
10. Please could the CPS confirm what tier your Active Directory currently sits in?
Thank you for your question. Active Directory is in the data centre and synced using AD Connect.
11. Please can you expand on the delivery of complex application deployments?
Thank you for your question.
There are many different applications which need to be deployed to devices across differing groups of users, some of which require specific configurations using transforms, command line and dependencies. Many applications are Windows 8.1 versions and need re-packaging with Windows 10 versions for deployment via Intune.
12. Is there a desire to move the “several business-critical legacy services running in the data centre” to SaaS systems or IaaS (Azure/AWS) environments?
Thank you for your question. Whilst there is a desire to move data centre services to SaaS / IaaS, this is not yet on the roadmap and it is not expected to happen through the life of the programme.
13. Which applications are CPS intending to deploy? Do they intend to use containerised deployment of applications?
Thank you for your question. There is a vast list of applications currently deployed across the estate. Part of the project will include identifying those which are still required and repackaging Windows 10 versions for deployment via Intune.
14. Are CPS able to sponsor SC clearances for our staff if required?
Thank you for your question. Yes, as required
15. Are you looking to explore the security and compliance benefits of E5 against devices and endpoints?
Thank you for your question. Yes, security & compliance plays a part in ensuring endpoints are appropriately secure.
16. Where you ask for modern device management, are our hands tied to Active Directory and SCCM or can we explore Endpoint Manager for device as well as phone?
Thank you for your question. We are expecting this project to move us from SCCM to Endpoint Manager. Active Directory will remain for authentication and we currently use PTA through AD Connect. There may be a requirement to hybrid join but if possible, we would like to avoid this.
17. With Zero Trust, are we limited or can we use the whole E5 suite of tools?
Thank you for your question. The whole of E5 is available for use and we are looking to take advantage of as many features as needed. We are also working with Zscaler as part of our Zero Trust strategy.
18. Is the expectation that the supplier awarded this work will deliver the implementation, or is the expectation the supplier will deliver a design and manage / work with other suppliers or internal IT functions against a plan for implementation?
Thank you for your question. It is expected that the supplier will complete the implementation but will be required to work with incumbents where changes to existing services are required plus the internal team and any other supporting suppliers as necessary.
19. Is the expectation that the supplier will be responsible for the full replacement of existing end user devices including logistics and decommissioning?
Thank you for your question. The supplier will not be responsible for logistics or decommissioning of existing devices.
20. Can the CPS clarify what type of ‘on-premise’ applications and services are being referenced in the essential skills and experience section?
Thank you for your question. The CPS has several applications and services running in its data centres. These are largely backend services such as SCCM & VPN as well as our main case management system and some legacy applications which are accessed using RDP.
21. Is there requirement to provide end user support as part of the implementation?
Thank you for your question. Yes. We are expecting the supplier to provide 2nd/3rd line support before handing over into final operating model which is likely to be an internal team.
22. How many applications will need packaged for Windows 10? How many on premise applications are there?
Thank you for your question. There are 5 or 6 key business applications on-premises which are accessed from the network (either on site or over VPN). Currently there are over 1000 Windows apps however this includes many which are no longer in use and multiple versions of the same apps. It is expected the final list will be in the region of 300-500.
23. Is there an expectation of user data migration for users moving between Windows environments?
Thank you for your question. All user data is synced to the cloud so little requirement for data migration.
24. Is there a clear understanding of user to on-premises applications mapping?
Thank you for your question. Yes
25. Can you please clarify the statement “there is limited scope for co-management” within the ‘Problems to be solved’ section?
Thank you for your question. SCCM and device management is currently managed across 2 incumbent suppliers. The process of making changes is long and cumbersome. Our preference is to have a clean start with devices managed through Endpoint Manager.
26. Have all the tools and platforms outlined in the ‘essential skills and experience’ been approved and accredited for use by CPS? What is the pathway for solution accreditation and approval before go live?
Thank you for your question. Yes. The full M365 stack is available for use in this solution. The CPS already makes use of much of Office365 and manages mobile devices via Endpoint manager. The new solution will be subject to sign off from internal architecture and security teams and will be subject to ITHC.
27. Has a Data Protection Impact assessment been completed for this programme if needed?
Thank you for your question. DPIAs have been completed previously but may need to be revisited/updated.
28. How many packaged applications there are, and how many are expected to be repackaged for the new environment?
Thank you for your question. There are over 1000 applications running across devices on the estate. This includes many different versions of the same application and a large number of redundant apps. Some of these apps are local installs and so have not been packaged. We expect the final list of apps to be in the region of 300-500 with all apps being required installs or made available through company portal/store for business.
29. As part of Zero trust strategy, has CPS identified any tools such as Next gen firewall, NAC, Segmentation, Identity, Application security and Data Security?
Thank you for your question. The CPS currently manages identity and access via AzureAD, Conditional Access, SSO. We are expecting to build on this to bring in device related signals, MFA, PIM. All of our SaaS applications are configured for SSO and we are exploring the use of Azure App Proxy/Zscaler for accessing on prem apps. We are looking at using Zscaler for securing internet traffic. The CPS has a separate project running looking at data strategy, but it is expected that MIP will play a role.
30. Does CPS have ZTNA controls available?
Thank you for your question. Not at the moment. Currently looking at Azure App Proxy and/or Zscaler ZPA.
31. Are you planning to modernize identity security controls like cloud based Identity, PAM, UEBA etc...?
Thank you for your question. We already have cloud-based identities with some controls in place. This project will look to build on this making full use of the features offered through our existing licensing including privileged access management. Integration with SIEM will be a requirement although within the scope of this project, we are not expecting SOAR capabilities.
32. Is Zscaler private access considered to replace your traditional VPN?
Thank you for your question. This is something we are considering as well as Azure App Proxy. We are unsure as to how achievable this would be within the timescales of this project.
33. Are you considering Zscaler internet access, Zscaler Edgewise and CSPA?
Thank you for your question. Zscaler ZIA is in scope. We are considering other features such as ZPA / Azure App Proxy to reduce/remove reliance on VPN.
34. Do you have a flat or quasi flat network, with needs segmentation?
Thank you for your question. There is no segregation between sites but VNETs are used in Azure. For reasons of security, details of the existing network can’t be shared until the successful supplier commences the contract.
35. What would be the plan for the devices which are unable to migrate to Windows 10?
Thank you for your question. We are replacing all end user devices with new Surface Laptops.
36. How does Azure AD factor in authentication for end user authentication?
Thank you for your question. Azure AD is right at the centre of end user authentication.
37. How does CPS see Software Asset Mgmt and Hardware Asset Mgmt evolving Modern Mgmt including asset tracking?
Thank you for your question. We are looking to the supplier to assist with this as part of the Target Operating Model however we will be looking for a highly automated system with feeds from Endpoint manager into ServiceNow which is used by HW/SW asset management.
38. How does CPS foresee the TOM for delivering the End User computing services?
Thank you for your question. Logistics, decommissioning, break fix will likely be outsourced. First line will continue as is and the CPS will build an internal team for 2nd/3rd line support. Further support contracts may be needed through third parties and/or Premier. It is expected that the bulk of the activities required to deliver EUC services will be undertaken by the CPS team. We are looking to the supplier to advise as part of this programme and handover to the internal team as necessary.