CSOC Engineering, Content and Discovery Team
7 Incomplete applications
2 SME, 5 large
8 Completed applications
7 SME, 1 large
- Wednesday 7 July 2021
- Deadline for asking questions
- Wednesday 14 July 2021 at 11:59pm GMT
- Closing date for applications
- Wednesday 21 July 2021 at 11:59pm GMT
- Off-payroll (IR35) determination
- Contracted out service: the off-payroll rules do not apply
- Summary of the work
- NHS Digital’s CSOC requires a supplier to support discovery, engineering and content activities associated with onboarding and BAU lifecycle management of systems/services/customers in scope of its protective monitoring service.
- Latest start date
- Wednesday 1 September 2021
- Expected contract length
- 6 months, with option to extend for a further 6 months
- No specific location, for example they can work remotely
- Organisation the work is for
- NHS Digital
- Budget range
- £1m - £2m
About the work
- Why the work is being done
- The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NHS systems/services (also referred to as customers) including NHS National Services (critical services which underpin the NHS system) and the TTCE Programme. The CSOC is responsible for ensuring the confidentiality, integrity and availability of these assets by monitoring for malicious activity and identifying and managing incidents. Our mission is ultimately to become the MSSP for the NHS System, to facilitate better health and care outcomes for patients.
- Problem to be solved
To successfully provide protective monitoring services to its customers the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities:
1) Discovery – Engagement with, and technical assessment of, systems in scope
2) Engineering Life-Cycle Management – Technical SIEM platform onboarding (i.e. Log ingest) and life cycle management of both customers and SIEM (Splunk)
3) Content Life-Cycle Management – Development, implementation and life cycle management of content (e.g. usecases and SIEM rules)
- Who the users are and what they need to do
- The CSOC services a wide range of customers including NHS National Services, the TTCE Programme, the Primary/Secondary care estate and some critical 3rd party suppliers.
- Early market engagement
- Any work that’s already been done
- The CSOC has been operational since 2017 and is currently undergoing an ambitious transformation programme to position itself as the MSSP for the NHS System. As part of its maturity, c.100 National Services and 40 TTCE systems have been onboarded to the SIEM.
- Existing team
The CSOC has a range of functions including:
1) Threat Intelligence
2) Threat Hunting
5) Protective Monitoring
6) Incident Management
The supplier will be required to complement the existing content, engineering and discovery teams.
- Current phase
- Address where the work will take place
The preferred working location is Leeds; however, remote working with visits to Leeds as needed is acceptable.
Although the preference is for collaborative work in the same location, remote working is acceptable in line with the current government COVID-19 guidance.
- Working arrangements
The Data Security Centre will provide the necessary leadership and project management support (along with other support).
All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc.).
- Security clearance
- Individuals in the supplier’s team who have access to the Authority’s data must be SC cleared or clearable.
- Additional terms and conditions
The initial Statement of Work (SOW) can be found here: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Ti/La4zcSZKZSlG8vzUTZAJuRSTXpdXcFkW6JhlQ3Zeqco
The Order Form can be found here: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9VA/jnE47gEEal3mLfCmMreiiuMMzppXzueZfZyQ.mVuDNQ
Instructions to bidders can be found here: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Tn/sYbxsearrLFFC2agHKhZEu6kGmOQFw6l4P10F.PvPjM
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
- Essential skills and experience
- The supplier must provide evidence of delivering similar capabilities to other SOCs
- The supplier should have proficiency working with national healthcare and/or government agencies.
- The supplier must provide evidence of working with Splunk products.
- The supplier must evidence ability to scale delivery capacity.
- The supplier must demonstrate proficiency in agile (sprint based) delivery
- The supplier must evidence SME knowledge/experience in cyber security
- The supplier must evidence SME knowledge/experience with various cloud and on-prem systems to help develop security use cases
- The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint
- Nice-to-have skills and experience
- Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management
- Providing consultancy support and quality assurance in becoming a Centre of Excellence
- Demonstrable mentoring capabilities for permanent staff during the transition to path-to-live and live environments.
- Sound understanding of the NHS infrastructure and programmes.
How suppliers will be evaluated
All suppliers will be asked to provide a written proposal.
- How many suppliers to evaluate
- Proposal criteria
- Ability to deliver a system/Service/customer discovery capability
- Ability to deliver a SIEM Engineering & life-cycle management capability
- Ability to deliver a Content life-cycle management capability
- Ability to deliver a team with demonstrable Splunk experience
- Ability to deliver a team with demonstrable cloud experience
- Ability to deliver a team with demonstrable SOC experience
- Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
- Social Value - Create new business, new jobs and new skills throughout the life of the contract
- Cultural fit criteria
- Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team.
- Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
- Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence.
- Payment approach
- Fixed price
- Additional assessment methods
- Case study
- Work history
- Evaluation weighting
Questions asked by suppliers
- 1. Is there an existing supplier for this service?
- A number of suppliers support NHSD with this and other services within the Data Security Centre.
- 2. Is Cyber Essentials Plus a mandatory requirement?
- 3. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?
Log ingest and maintenance will fall under the responsibility of the Engineering team. (RACI below)

| Activity | TTCE PM Service | National Services PM Service |
|---|---|---|
| Edge layer management | Engineering (Full) | Engineering (Partial – some activities carried out by NHS Digital PILS) |
| Log Ingest & lifecycle management, SIEM pre-prod management, SIEM prod management | Engineering | Engineering |
| SIEM Configuration | Engineering (requestor) / Splunk (executor) | Engineering (requestor) / Splunk (executor) |
More to follow...
- 4. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?

| Activity | TTCE PM Service | National Services PM Service |
|---|---|---|
| SOC technology integrations with SIEM | Engineering | Engineering |
| AWS Infrastructure Management | NHSD PILS/ICT | NHSD PILS/ICT |
| Other SOC Technology Management | NHSD PILS/ICT/CSOC Local | NHSD PILS/ICT/CSOC Local |
- 5. Could we please know who supports the Dev, path-to-live and production systems? Does the Engineering scope include management and maintenance of AWS infrastructure?
- In all cases the maintenance of the Edge layer will be the responsibility of the Engineering team.
- The maintenance of Splunk will be the responsibility of the Engineering team. However, some configuration activities will be carried out by Splunk Support.
- The AWS infrastructure is maintained by the NHSD Platforms and Infrastructure team.
- 6. Could we know where the forwarding tier for the production SaaS environment is? Are the forwarding tiers for all 3 environments the same?
The Splunk setup differs for the TTCE Service and National Services (options to homogenise these environments are being discussed).
Currently, there are two forwarding tiers, aligned to the two Splunk SaaS instances. Each tier is the same for all of its SaaS environments and is based on an AWS instance.