Awarded to Hippo Digital Limited

Start date: Friday 1 October 2021
Value: £1,400,000
Company size: SME

NHS Digital

CSOC Engineering, Content and Discovery Team

7 Incomplete applications

2 SME, 5 large

8 Completed applications

7 SME, 1 large

• Published: Wednesday 7 July 2021
• Deadline for asking questions: Wednesday 14 July 2021 at 11:59pm GMT
• Closing date for applications: Wednesday 21 July 2021 at 11:59pm GMT

Overview

• Off-payroll (IR35) determination: Contracted out service: the off-payroll rules do not apply
• Summary of the work: NHS Digital’s CSOC requires a supplier to support discovery, engineering and content activities associated with onboarding and BAU lifecycle management of systems/services/customers in-scope of it’s protective monitoring service.
• Latest start date: Wednesday 1 September 2021
• Expected contract length: 6 months, with option to extend for a further 6 months
• Location: No specific location, for example they can work remotely
• Organisation the work is for: NHS Digital
• Budget range: £1m - £2m

About the work

• Why the work is being done: The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NSH system/services (also referred to as customers) including NHS National Services (critical services which underpin the NHS system) and the TTCE Programme. The CSOC is responsible for ensuring the confidentiality, integrity, and availability of these assets by monitoring malicious activities, identifying, and managing incidents. Our mission is to ultimately become the MSSP for the NHS System to facilitate better health and care outcomes to patients.
• Problem to be solved: To successfully provide protective monitoring services to its customers the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities: ; ; 1) Discovery – Engaging and technical assessment of systems in scope ; 2) Engineering Life-Cycle Management – Technical SIEM platform onboarding (i.e. Log ingest) and life cycle management of both customers and SIEM (Splunk); 3) Content Life-Cycle Management – Development, implementation and life cycle management of content (e.g. usecases and SIEM rules)
• Who the users are and what they need to do: The CSOC service a wide range of customers including NHS National Services, TTCE Programme, Primary/Secondary care estate and some critical 3rd party suppliers.
• Any work that’s already been done: The CSOC has been operational since 2017 and is currently undergoing an ambitious transformation programme to position itself as the MSSP for the NHS System. As part of it’s maturity c.100 National Services and 40 TTCE systems have been onboarded to the SIEM.
• Existing team: The CSOC has a range of functions including: ; ; 1) Threat Intelligence ; 2) Threat Hunting ; 3) Content; 4) Engineering ; 5) Protective Monitoring ; 6) Incident Management ; ; The supplier will be required to complement the existing content, engineering and discovery teams.
• Current phase: Beta

Work setup

• Address where the work will take place: The preferred working location is Leeds, however remote working with visits to Leeds depending on need; Although the preference is for collaborative work in the same location, remote-working is acceptable in line with the current government COVID-19 guidance
• Working arrangements: The Data Security Centre will provide the necessary leadership and project management support (along with other support); All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc)
• Security clearance: Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable.

Additional information

• Additional terms and conditions: the initial Statement of Work (SOW) can be found: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Ti/La4zcSZKZSlG8vzUTZAJuRSTXpdXcFkW6JhlQ3Zeqco; ; Order Form can be found here: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9VA/jnE47gEEal3mLfCmMreiiuMMzppXzueZfZyQ.mVuDNQ; ; Instructions to bidders can be found: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Tn/sYbxsearrLFFC2agHKhZEu6kGmOQFw6l4P10F.PvPjM

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

• Essential skills and experience:
  • The supplier must provide evidence of delivering similar capabilities to other SOCs
  • The supplier should have proficiency working with national healthcare and/or government agencies.
  • The supplier must provide evidence of working with Splunk products.
  • The supplier must evidence ability to scale delivery capacity.
  • The supplier must demonstrate proficiency in agile (sprint based) delivery
  • The supplier must evidence SME knowledge/experience in cyber security
  • The supplier must evidence SME knowledge/experience with various cloud and on-prem systems to help develop security usecases
  • The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint
• Nice-to-have skills and experience:
  • Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management
  • Providing consultancy support and quality assurance in becoming a Centre of Excellence
  • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments.
  • Sound understanding of the NHS infrastructure and programmes.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

• How many suppliers to evaluate: 5
• Proposal criteria:
  • Ability to deliver a system/Service/customer discovery capability
  • Ability to deliver a SIEM Engineering & life-cycle management capability
  • Ability to deliver a Content life-cycle management capability
  • Ability to deliver a team with demonstrable Splunk experience
  • Ability to deliver a team with demonstrable cloud experience
  • Ability to deliver a team with demonstrable SOC experience
  • Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
  • Social Value - Create new business, new jobs and new skills throughout the life of the contract
• Cultural fit criteria:
  • Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
  • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence.
• Payment approach: Fixed price
• Additional assessment methods:
  • Case study
  • Work history
  • Reference
  • Presentation
• Evaluation weighting:

  Technical competence

  60%

  Cultural fit

  5%

  Price

  35%

Questions asked by suppliers

• 1. Is there an existing supplier for this service: A number of suppliers support NHSD with this and other services within the Data Security Centre
• 2. Is Cyber Essentials Plus a mandatory requirement?: Yes
• 3. Is there a RACI matrix for the integrated environment. For example, who manages the centralised log aggregation of multiple AWS accounts. Would this fall under the scope of CSOC Engineering: Log ingest and maintenance will fall under the responsibility of the Engineering team. (RACI below); ; Activity - Edge layer management ; Responsibility TTCE PM Service - Engineering (Full) ; National Services PM Service - Engineering (Partial – some activities carried out by NHS Digital PILS); ; Activity - Log Ingest & lifecycle management, SIEM pre-prod management, SIEM prod management ; Responsibility TTCE PM Service - Engineering ; National Services PM Service - Engineering; ; Activity - SIEM Configuration ; Responsibility TTCE PM Service - Engineering (requestor)/Splunk (executor) ; National Services PM Service - Engineering (requestor)/Splunk (executor) ; ; More to follow...
• 4. Is there a RACI matrix for the integrated environment. For example, who manages the centralised log aggregation of multiple AWS accounts. Would this fall under the scope of CSOC Engineering: ...Follow on; ; Activity - SOC technology integrations with SIEM; Responsibility TTCE PM Service - Engineering ; National Services PM Service - Engineering; ; Activity - AWS Infrastructure Management ; Responsibility TTCE PM Service - NHSD PILS/ICT ; National Services PM Service - NHSD PILS/ICT; ; Activity - Other SOC Technology Management ; Responsibility TTCE PM Service - NSHD PILS/ICT/CSOC Local ; National Services PM Service - NSHD PILS/ICT/CSOC Local
• 5. Could we please know who supports the Dev, path-to-live and production systems. Does the Engineering scope include management and maintain of AWS infrastructure.: • In all cases the maintenance of the Edge layer will be the responsibility of the engineering team.; • The maintenance of splunk will be the responsibility of the engineering team. However, some configuration activities will be carried out by Splunk Support. ; • The AWS infrastructure is maintained by NHSD Platforms and infrastructure team.
• 6. Could we know how where is the forwarding tier for production SaaS environment? Are all the 3 environment forwarding tier the same?: The Splunk setup differs for the TTCE Service and National services (options to homogenise these environments are being discussed). ; Currently, There are two forwarding tiers aligned to the two Splunk SaaS instances. Each tier is the same for all its SaaS environments and is based in an AWS instance