Awarded to KPMG LLP

Start date: Monday 14 June 2021
Value: £4,000,000
Company size: large
NHS Digital

Cyber Innovation Factory Partner (CSIF)

17 Incomplete applications

14 SME, 3 large

13 Completed applications

7 SME, 6 large

Important dates

Monday 29 March 2021
Deadline for asking questions
Monday 5 April 2021 at 11:59pm GMT
Closing date for applications
Monday 12 April 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Summary of the work
NHS Digital require a supplier to become an Innovation Partner to lead and deliver against defined objectives and deliverables. The supplier must bring innovative ideas through innovation and into a ‘delivery ready’ state with all the appropriate deliverables
Latest start date
Monday 31 May 2021
Expected contract length
1 year, with optional 1 year extension
No specific location, for example they can work remotely
Organisation the work is for
NHS Digital
Budget range
£1m - £2m

About the work

Why the work is being done
The DSC requires a strategic and fully independent innovation partner that can help drive this disruptive innovation as it shifts to a more sustainable and innovative operating model. The challenges for the DSC in achieving this aim are:
• Upskilling and in-housing an innovation function with constrained resource capacity and capability
• Access to proven and experiences subject matter experts in security operations, data intelligence and innovation with the Health and Care Sector
• Elaborating and designing on potential solutions to conceptual problems in a repeatable and standardised manner, to ensure future projects deliver intended outcomes.
Problem to be solved
The DSC need to effectively and efficient capture the innovative ideas from across the sector and prioritise these against the overall strategic priorities. Stakeholders within organisations (National and Local) need to align resources, budgets, technology initiatives with overall business strategy. This requires consistent and disruptive innovation. In addition, the DSC requires continued improvement and business change to support its own maturity and expansion, in order to ensure they are to successfully serve the health and care estate in alignment with the DSC’s ambition to become an MSSP for the sector.
Who the users are and what they need to do
CSIF has local, regional, and national users. The function manages a wide set of personas including technical and non-technical users. Two current personas include a CIO and NHSX Programme Manager.
Early market engagement
Any work that’s already been done
The DSC’s CSIF capability was formally established and embedded from 2019-2020. The CSIF provides a standardised way of testing solutions to user-defined problems in a controlled manner, therefore de-risking future delivery of projects designed to improve security to healthcare customers and/or the internal DSC. The CSIF uses a standard operating model.

The CSIF has already successfully supported delivery of a number of improvements and services and the DSC are now seeking a partner to support strategic priorities for FY21/22.
Existing team
• Product Owner (for each initiative)
• Project Manager to oversee all of innovation
• + any additional SME required by the CSIF as and when needed
Current phase

Work setup

Address where the work will take place
The preferred working location is Leeds, however remote working with visits to Leeds depending on need

Minimum travel, for selected team members, may be required to other regions in England.

Although the preference is for collaborative work in the same location, remote-working is acceptable in line with the current government COVID-19 guidance
Working arrangements
The DSC will provide the Project Managers, , Product Managers, Business Analysts, and Security SMEs.. This can be achieved by working onsite at the NHS Leeds Office

All development activities will take place on NHS Digital’s dedicated development IT and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, Jira and SharePoint).
Security clearance
All individuals must have BPSS as a minimum

Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • The supplier must provide evidence they have delivered innovation functions in a health and cyber security environment
  • Proficiency in working with a SOC, analysing threats, and providing innovative ideas to mitigate these threats
  • Evidence in having the ability to deliver flexible and disruptive innovation during the current national crisis
  • The supplier must demonstrate proficiency and experience in agile development projects that include business analysis, data consulting, data strategy, user experience research and design for a similar scale product.
  • Experience in engaging senior business and user stakeholders (up to board level), feeding back into requirements and ensuring that the product delivers user expectations and requirements.
  • The supplier must demonstrate experience of Interpreting research findings to formulate actionable insights that drive the development of service design in a Health and Care setting.
  • Have a broad depth of SME’s in Security and Health which can be called upon to support innovation activities
  • Proven experience using JIRA, Confluence and Sharepoint
  • Proven ability to hand over a Beta product to a live service team where any potential new added Intellectual Property during the programme will reside solely with the customer
Nice-to-have skills and experience
  • Experience in providing consultancy support and quality assurance in becoming a Managed Security Services Provider (MSSP) for the health and care system
  • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments
  • Sound understanding of the NHS infrastructure and programmes
  • Experience of customer and end user engagement across varied health care Programmes

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Capability to deliver a Cyber Security Innovation Factory with a range of suppliers
  • Capability to deliver innovation initiatives through Ideate and Incubate phases over the life of the contract
  • Capability to deliver a roadmap plan for maturing and in-housing the 'Run' aspects of the CSIF to the DSC- including analysis of risks, dependencies, opportunities and other considerations
  • Capability to develop a strategy for enabling the DSC to promote how the CSIF capability operating within the DSC could be embedded within other NHS Digital functional areas (non-cyber specific).
  • Capability to leverage threats and vulnerabilities identified by the DSC's external customer base
  • Capability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
  • [Social Value] Deliver additional environmental benefits in the performance of the contract including working towards net zero greenhouse gas emissions
Cultural fit criteria
  • Approach to innovation with a succeed-quickly and fail-fast mentality. Raising issues early and learning lessons from past work. Collaboration with the DSC team working as part of a single team.
  • Approach to user-centric design methodology (putting the user at the core of the design activities), data driven analysis and experience in using data to challenge existing mindset.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
  • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the DSC team.
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. At the proposal stage, in order to compare suppliers like for like, how will price be evaluated: will you be evaluating by the total price, rate card or both? How do you ensure that you are completing a genuine value for money comparison rather than just a rate card comparison?
At the proposal stage, we will be evaluating total price to solve the defined problem
2. Is there a day rate cap?
There is no day rate cap, as the work is primarily outcome based. However we would expect to see market leading rates used in the innovation submission.
3. What roles are you expecting suppliers to provide? In addition, are you expecting all roles to have the ability to be full time for the duration of the project?
NHSD expect the supplier to solve the stated problems by leading the CSIF. This means the supplier should define the team needed and the resource blend. E.g. there may be a need to call upon a SME for a 4hr workshop once
4. Will the scores from the evidencing round be taken through to final evaluation? Or will they only be used for the purposes of shortlisting suppliers?
Once the 5 suppliers have been down selected. The 5 selected suppliers will be assessed on their new proposal, Any sections on the initial shortlisting that are required will be duplicated into the full requirements when issued.
5. Has the work been fully defined, bounded and prioritised?
6. Will you be able to organise access to users and other stakeholders throughout the project?
Yes, access to users will be organised, assuming NHSD are given enough time to obtain the users and stakeholders
7. For the first evaluation round (evidence), what would you expect to see from an answer for it to be deemed ‘exceeding’ and score 3 marks?
• Evidence or example clearly answers the question and provides additional supporting information that demonstrates similarity with our project.
• Evidence or example demonstrates use of best practice, and adoption of latest techniques and approaches, novel approaches, evidence they can adapt standard practice, methods or deliverables to different situations.
• Evidence or example clearly demonstrates the experience and/or skills requested.
• Evidence or number of examples requested has been given (where appropriate).
8. Are you able to recruit and provide access to users for the purpose of user research?
Yes, access to users will be organised, assuming NHSD are given enough time to obtain the users and stakeholders
9. Do you have any preference between public sector or private sector examples? Or will both be treated equally as long as they are relevant to the question?
NHSD would expect to see relevant examples as per the guidance
10. Is it permissible to provide more than one example where required to fully address the question?
Multiple examples are fine, however it should be recognised these need to be relevant
11. Please can you share a procurement timetable outlining steps from receipt of initial submissions by midnight 12th Apr to work commencement on 31st May (typically including evidence response evaluation, shortlisting/informing suppliers, preparation of supplier proposals, evaluation of supplier proposals, announcement of successful supplier, contract completion, contract signatures, commence work)?
Note the below timeline is indicative and subject to change

12th April 21 Stage 1 submission deadline
15th April 21 The Buyer evaluates Stage 1 responses and notifies bidders of the outcome with feedback.
16th April 21 SHORTLISTED SUPPLIERS ONLY invited to submit a tender response
23rd April 21 Deadline for receipt of clarification questions.
26th April 21 Deadline for response to supplier questions raised.
04th May 21 Deadline for submission of Stage 2 responses.
13th May 21 The Buyer evaluates Stage 2 responses.
21st May 21 Internal Approvals.
21st May 21 Preferred supplier Notification.
31st May 21 Contract Commencement.
12. Which roles will be represented on the evaluation panel?
A cross section of the team that the supplier will be working with on a day to day basis will form the evaluation panel
13. What are the key technologies underpinning DSC’s service delivery today? Which of these are strategic choices and therefore fixed for the duration of the contract?
The DSC use a range of technologies, depending on the specific need. Operationally, our CSOC is underpinned by security, analysis & ingestion tooling, such as Splunk and Microsoft technologies. Our product delivery and innovation areas are underpinning by business and specific project tooling such as Confluence & Jira. This is underpinned by Service Management tooling (Cherwell, soon to be ServiceNow) to ensure the management and integration and delivery of our portfolio