Awarded to BJSS Limited

Start date: Friday 16 July 2021
Value: £9,600,000
Company size: large
NHS Test & Trace (T&T)

NHS Test & Trace Halo Platform Support Service

12 Incomplete applications

5 SME, 7 large

10 Completed applications

2 SME, 8 large

Important dates

Friday 30 April 2021
Deadline for asking questions
Friday 7 May 2021 at 11:59pm GMT
Closing date for applications
Friday 14 May 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Summary of the work
Test & Trace seeks a partner to assume accountability and responsibility for delivering all activities for the operational running and maintenance of the Halo platform. This includes pre-defined build activity and further evolution to support the UKHSA organisation. The provider is expected to establish how the solution evolves to meet emerging demands.
Latest start date
Monday 2 August 2021
Expected contract length
24 months Maximum
Organisation the work is for
NHS Test & Trace (T&T)
Budget range
NHS Test & Trace anticipates the total cost for Halo support of up to £13m for initial 12 months based on current run rate.
The successful Supplier will be expected to scale resources up and down in accordance with the demand of the tenants using the Halo Platform based on benchmarked costs around agreed technical resources at capped SFIA levels.

About the work

Why the work is being done
Halo is a cloud-based IT platform which offers a secure, scalable, cost-controlled environment for services provided by NHS Test and Trace. It provides hosting for current and incoming applications on either AWS or Microsoft Azure alongside associated enabling services. It also provides end user facing capabilities including desktop environments, collaborative tooling, and day to day business applications. To date there are circa 40 tenants and ten thousand users on the platform. Tenants and Users can ramp up and down quickly depending on demand.
Problem to be solved
The Halo platform has undergone significant development since the start of the pandemic. This has taken place under the pressures of a national crisis and the platform continues to evolve, improve, and operate to support the wider T&T organisation.

Having delivered a capability which can support the critical operations of T&T the Halo team are looking to adjust their mode of operating. This incorporates:
• Continued support of critical Halo Platform services on the platform and wider T&T operations.
• Continuous Improvements of Halo Services, refactoring, and consolidation against existing activities to ensure this can be done in an efficient and risk-free way.
• Further evolution of the Halo Platform services to ensure it is secure and fit for purpose in the next phase of pandemic response, and to support the UK HSA organisation.
• Continued onboarding of new services and support for new demand from existing tenants.
• Managing standards, procedures and documentation in support of the Halo Platform capabilities and services.

This exercise will seek to identify the appropriate partner organisation to own and deliver this activity.
Who the users are and what they need to do
The Halo platform serves a vast number of different user types. Broadly these can be described as:

Indirect end users who make use of the applications which are enabled by Halo such as analysis tools to help establish the 'R' number, and Test and Trace applications used by the public. These users need a stable and performant platform to ensure that any and all use cases can be facilitated by Halo.

Direct end users, who make use of tools which are owned and managed by the Halo team such as collaboration tool sets. These users need a complete suite of IT tools which allow them to perform their roles in responding to the pandemic.

Application teams (tenants), including those developing and deploying tools, and those supporting end users of these applications. These users need to be able to understand how their services are operating and respond at pace to complex user demand.
Early market engagement
Any work that’s already been done
The Halo platform is a standing service, initiated to support the pandemic response and evolved to meet changing needs. The platform currently supports circa 40 applications and 10,000 users, and a further 10 applications and 25,000 users are expected to be onboarded by July.

Development and evolution is ongoing during the procurement period and a roadmap for delivery is in place which will be shared with shortlisted suppliers to give a sense of scale of delivery. This roadmap is a living product and will continue to grow through to transition. The successful supplier will be responsible for owning and developing this when onboarded.
Existing team
The existing team is sized based on a substantial level of build activity to put the platform in place and onboard tenants. The future team is expected to move to sustainable resourcing levels to allow for both operation and evolution of the platform as the balance moves away from a significant build focus. Internal forecasts show the team size reducing by 50% by the time the successful supplier is onboarded. The current teams, made up of different suppliers, are provided for context only: Leadership team (~10); Management team (~25); five Product teams (~90); Service team (~25).
Current phase

Work setup

Address where the work will take place
Test and Trace are based in London. Whilst some activity will be required at this location work may take place from supplier offices or remotely.
Working arrangements
The supplier should assume a level of on-site (in our London Offices) working for all individuals; however, this will not be full time 5 days per week. Once restrictions are lifted, the supplier may be required to work collaboratively on-site to allow sufficient stakeholder engagement and support to be provided. Supplier costs must be inclusive of all expenses.
The supplier is required to use an approved online tool to provide time sheet information to Finance & Operations on a monthly basis.
Security clearance
Provider personnel (and sub-contractors) must comply with HMG Baseline Personnel Security Standard (BPSS) as a minimum. CTC clearance will be required in some instances. There may also be a requirement for some post holders to undergo SC clearance, if not already held and, in limited circumstances, DV clearance.

Additional information

Additional terms and conditions
Test & Trace will use the standard DOS 5 contract.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrable evidence of capability to rapidly stand up a large (~60-80 FTE within 6-8 weeks) programme team, and scale team sizes up and down at short notice.
  • Demonstrable evidence of 3+ years recent experience of designing, building and operating enterprise scale, cloud-based IT platforms and accelerators on AWS and Azure
  • Demonstrate recent experience deploying agile DevOps / SRE practices at scale to manage & evolve live services in a highly dynamic environment.
  • Demonstrable evidence of recent experience leading, creating and maintaining platform vision and translating this to delivery roadmaps in line with changing organisational demand.
  • Demonstrable evidence of an extremely high competency in deploying infrastructure as code and automation of cloud services using pipelines.
  • Demonstrable expertise in designing and implementing cloud networking services and security infrastructure.
  • Demonstrable experience in building, configuring, securing and operating large-scale Microsoft 365 estates including end user devices, both physical and virtual
  • Demonstrable evidence of highly experienced capability in Identity Management and securing cloud platforms using best practice and cyber security standards such as CIS, NIST, OWASP etc.
  • Demonstrable expertise in the Atlassian suite of tools, Splunk and Dynatrace tooling
  • Experience in operational support of cloud tooling platform, including but not limited to: incident management; change management; problem management; application and infrastructure management; security management; running operational procedures; collaborative tooling support.
Nice-to-have skills and experience
  • Provide AWS and Azure Partner Status (please state level held only).
  • Demonstrate experience of Security Operations Centre capabilities.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Onboarding & Transition
  • Overall platform management approach
  • Build & Run approach & Methodology
  • Technical Competence and Fit
  • Organisation, proposed team and ability to rapidly flex
  • Value for Money
Cultural fit criteria
  • Ability to function effectively and collaborate in a multi-supplier environment.
  • Working successfully in complex public sector organisations.
  • Approach to proactive issue management, problem resolution and improving ways of working.
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Could the Authority share the procurement timeline for shortlist, evaluation, presentation and award?
The Indicative Tender Timetable is as below;
Publish Requirement in DOS: 30/04/2021
Clarification period: 30/4/2021 – 07/05/2021
Bidder Response Close: Friday 14 May 2021 at 11:59pm
Issue RFP to shortlisted bidders: 25/05/2021
RFP Close: 11/06/2021
Award Decision: 28/06/2021
Governance & Approvals: 09/07/2021
Award Notification: 10/07/2021
Contract execution: 23/07/2021
Onboarding / Transition: 26/07/2021
2. Could this service be performed remotely from overseas whilst retaining a small management/engagement team in London? If so, would India or China be acceptable locations...?
Whilst offshoring may be an option that is explored during the life of the contract, Halo cannot currently be supported from outside of the UK. Most of the technical resources will require SC clearance, so will be required to be UK based. Responses from organisations who do not have the capability to fulfil all requirements from within the UK will therefore not be considered.
3. Which technologies were used in building the Halo platform?
The Halo technology stack is engineered around a large range of Azure, M365 and AWS native cloud services and DevOps tooling with AAD used as the primary Identity Provider. Major tech components used in addition to Cloud PaaS include:
Ansible, Packer, Vault, Atlassian JIRA DC / Confluence DC / Bitbucket DC / Crowd DC / JSD DC / OpsGenie SaaS, Palo Alto Firewalls, Github SaaS, Miro SaaS, Slack SaaS, Splunk SaaS and Dynatrace SaaS. Workspaces and Windows Virtual Desktops are also heavily used for Desktop engineering.
4. Can you please specify the skill sets needed for support?
Skills required include, Platform Engineering, SecDevOps, SRE, Terraform, CloudFormation, ARM, Python, Bash, Relational and Non-Relational Databases. Deep expertise in cloud products, infrastructure and networking, particularly around Landing Zones and Account / Subscription vending. SME (SFIA 6) level skills required for Microsoft AAD and configuring and security hardening the full suite of Microsoft 365 E5 (Office, Windows and Security products)

24/7 Support required for L2 monitoring - SysOps and DevOps capabilities. L3 support from reach back into the Halo product teams with callout mechanisms. L4 support- 3rd party PaaS/SaaS services AWS / Azure / Splunk / Dynatrace / Trello / Miro.
5. What are the current ticket volumes for support?
Ticketing volumes are circa 500 per week supporting circa 10,000 platform users. Expected volumes to aid in supplier estimations are in the region of 1500 per week as users expand to 35,000 users. Self-service will soon be rolled out to automate and reduce support tickets.
6. How many platform enhancements are in the pipeline? Can you share the feature list?
The roadmap is under continuous evolution and will be so for the contract duration. Currently the teams are delivering against a plan of ~100 committed epics for platform enhancement by end of July. A further ~50 epics exist on the roadmap for delivery under/post transition, details to be provided at RFP stage. This figure should be seen as a starting point for supplier plans; this will increase in volume and clarity over the coming months. In addition, part of the supplier’s responsibilities under platform evolution will be to establish the correct items to deliver against as the platform is further matured.
7. Are the 40 applications built on Halo included in the Scope of Support?
If yes, what are the technologies used in developing these 40 applications?
‘Application’ support for Halo tenants is not in scope for support of the Halo service. This will fall to application teams whilst the Halo team manages the enabling platform. L2/L3/L4 support for the Halo tenants (application teams) is in scope for any Halo Service they consume e.g. An ingress or egress firewall or JIRA etc.
8. Where is the Halo platform currently hosted?
The Halo platform is hosted on Azure and AWS Regions within the UK as well as the various SaaS capabilities.
9. Please can you confirm who your existing partners are in delivering this service?
There is no current organisation fulfilling the entirety of the ask described in this exercise. The current suppliers fulfilling various functions brought together within this procurement are a mix of large and small organisations. The large organisations involved are BJSS and Mastek.
10. Can you please clarify if a supplier can partner with another supplier and bid for this opportunity?
The Authority’s preference is to select a single service provider who may subcontract if they so wish under the agreed terms & conditions.
11. Can some of the roles be delivered using a global delivery model subjected to appropriate security constraints?
Whilst offshoring may be an option that is explored during the life of the contract, Halo cannot currently be supported from outside of the UK. Most of the technical resources will require SC clearance, so will be required to be UK based. Responses from organisations who do not have the capability to fulfil all requirements from within the UK will therefore not be considered.
12. Can you kindly share the full technology stack that is used?
See response 3 for an overview of technology used. A full list of all AWS and Azure services will be shared at the next stage.
13. Will you allow Vendor to bring in their relevant accelerators?
All technology choices will be considered at the Authority TDA and where there is a need, we would welcome the use of accelerators. These will be subject to security and commercial review before they are accepted for implementation.
14. If vendor gets shortlisted to second round, how important is experience of Security Operations Centre capabilities?
SOC capabilities are not essential but are considered a nice to have.
15. Are you looking to replace all the existing vendor resources with 60-80 resources of new vendor? Can you provide how many resources from current team of 150 are from vendor and what are their skills, roles?
Yes, the current team size will be replaced with the requirements outlined in this procurement as we move from a foundation build stage into a continuous evolution run stage. Further details of team composition will be provided at the next stage, but the skills required are listed in the Essential skills and experience section of this procurement.
16. Can you share who is the incumbent vendor?
See response to Question 9
17. Please can you provide more detail on the ‘benchmarked costs around agreed technical resources at capped SFIA levels’ so that we can check that these are in line with our pricing.
All SFIA levels must match the skills and experience required for a role, and suppliers should be confident that the individuals put forward are in line with these levels. A blend of resource is expected however these should not include any roles above SFIA 7.
18. Is TUPE in scope for this opportunity?
We do not anticipate TUPE to apply in this instance.
19. Would it be acceptable for Suppliers to use more than one example in each answer?
20. Q10: Can we answer with examples of supporting cloud services/solutions?
All answers will be accepted, and examples should show ownership across the full set of service capabilities given.
21. In response to clarification question 11, you have responded by stating that offshoring may be an option. Please can you clarify if partial offshoring or near-shoring (with BPSS clearances and with adequate security constraints including data encryptions) is an option, with a gradual ramp up through the project lifecycle?
Whilst offshoring may be considered in future (as per the previous response), making use of mitigations such as those given in the supplier’s question, it is not being considered at this time. Suppliers should show a capability which can meet the requirements using resource based in the UK.
22. Can more information be given on the functionality of Splunk, is it used for security monitoring?
There are multiple Splunk SaaS instances. The CDOC (Cyber Defence Operations Centre) focuses on security monitoring. The Halo Splunk ingests logs and provides operational monitoring, dashboards and alerting whilst the Telemetry Splunk instance provides business insight, reporting and analysis.
23. You have provided some detail already on the skills required. Can you provide a more detailed breakdown of the resource skills and deliverables expected at this stage (appreciate that more information on this will follow at the next stage).
More information will be provided on capabilities and the current team structure at the next stage however suppliers will still be expected to recommend a structure and resourcing profile based on their own experience and understanding of the requirement. Nothing further will be shared prior to shortlisting.
24. Can you provide more background detail on the work undertaken to date and the delivery scope and timeline moving forward?
Delivery to date covers items already provided, the Halo platform is a live operational service with all stated tools in place and configured. Onboarding for ~40 tenants has taken place. The platform team have a plan for delivery of further enhancements and migrations through to end of July 2021, and a roadmap is being continuously evolved for future work. Given the nature of the environment Halo operates in this is fluid and subject to change based on priority initiatives. No further information can therefore be shared prior to shortlisting, and suppliers should expect change throughout the submission period.
25. The provider is expected to establish how the solution evolves to meet emerging demands – can you provide more detail on the emerging demands?
Halo exists in a fluid environment due to the nature of the pandemic. It is a key enabler for measures put in place across Test & Trace, and therefore the team and technologies are required to flex to meet demand at short notice. Ongoing demand is expected to be driven by measures put in place to contain and manage the pandemic.
Halo will support the creation of UKHSA, which will require the solution to evolve.
This is in addition to the usual pressures of delivering similar IT platforms which should evolve and change in line with general conditions and technological change.
26. You mention a complete suite of IT tools – can you provide a list of the suite of IT tools and whether some or all of the IT tools will be commissioned through the supplier or you just require operational support of existing tools?
See the response to Q3. The supplier may need to support T&T in selecting and commissioning new tools and will need to ensure an optimal suite of tools is maintained for users of the platform during their guardianship of the platform. No tools are required as part of this exercise.
27. Can you provide more details on the suppliers involved and what aspect of service delivery / resourcing they are responsible for post this supplier appointment as well as what UKHSA will retain responsibility for?
The current suppliers’ responsibilities are part of this exercise and they will not therefore hold responsibilities alongside the chosen supplier. UKHSA will maintain overall accountability for the Halo platform and will therefore retain responsibility for overall decision making, oversight and governance of the team and solution, and other client-side functions.
28. The opportunity states that both some activity will be required at the authority’s London location and bidders should assume a level of on-site working for all supplier individuals. Can the authority please clarify this requirement, does the authority have an expectation that all supplier individuals will regularly attend site or will attendance requirements be driven by role and current activity?
Attendance requirements will be driven by roles, activities, and overall context of a given situation. In general suppliers should expect some on site presence for all roles, however this will vary from full time working through to ad-hoc visits as required (assume as low as once per month on average for roles with the lowest on site requirement).
29. Can the authority please confirm if Service Integration for Halo (to take accountability for the delivery of end-user services delivered through the combined efforts of Halo and the tenants) is in-scope for this opportunity?
Halo will engage with workloads, stakeholders and clients to provide services and must take accountability for the Halo part of an end to end solution.
However the Service Integration role which typically owns responsibility for providing an end to end solution across multiple suppliers is not in scope.
30. As the HALO platform services provider, will this supplier be excluded from bidding for applications that would be hosted on HALO?
No, this is not expected to limit suppliers' ability to pursue other opportunities with applications enabled by Halo.
31. Q7: Is this asking about managing O365 on end user devices or about any kind of management of end user devices in general?
We operate M365 licenses on Halo issued EUDs, WVDs and also BYOD devices including mobiles. Management of the devices is via GPO policy and Endpoint Manager (Intune, MAM, MDM). We also deploy EUD using Microsoft Managed Devices (MMD).
There is also a requirement for the support team to provide L2/L3 remote support for two VMWare physical servers hosted in one of our Labs, which may involve resolving issues on site in situations where remote support is not sufficient.
32. What will the supplier be responsible for: delivery of resources or delivery of service levels?
The supplier will be responsible for providing service to meet prioritised outcomes in order to meet Authority's highly dynamic demand.
The service levels required are sets of KPIs/OLAs which will form part of the RFP stage, as summarised:
L2 Support - 24/7/365
L3/L4 Support – 24/7/365 (on-call)
L1/L2/L3/L4 8am-8pm Mon-Fri

Minimum availability of 99.99% all services
RTO of 2 hours
RPO of zero data loss

Sev 1 incidents - response time <15 minutes
Sev 1 incidents - resolution time <2 Hours
Requirement to support weekend and out of hours releases as required.
Support shall cover system and security monitoring of all services.
33. Will the platform operational delivery responsibility rest with the client or the supplier? If the former, what contractual basis and metrics will be used?
The accountability for operational delivery of Halo services will be with the supplier to meet the agreed KPI/OLAs as detailed in Question 19.
34. Can more information be given on the E5 security modules enabled on Azure?
The full suite of AADP2, Threat Protection, Information Protection, Security Management and Advanced Compliance are enabled and within scope of the services.
35. Can the authority please confirm if Level 1 support for Halo is in-scope for this opportunity?
Level 1 support is required internally to the Halo Platform and is in scope of the services in this procurement to ensure the operational and security status of the Halo services. This would need to dock into a central T&T service desk. L1 support is expected to be in place from 8am-8pm, Mon-Fri excluding public holidays.