This opportunity is closed for applications

The deadline was Wednesday 21 July 2021
NHS Digital

CSOC Engineering, Content and Discovery Team

7 Incomplete applications

2 SME, 5 large

8 Completed applications

7 SME, 1 large

Important dates

Published
Wednesday 7 July 2021
Deadline for asking questions
Wednesday 14 July 2021 at 11:59pm GMT
Closing date for applications
Wednesday 21 July 2021 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
NHS Digital’s CSOC requires a supplier to support the discovery, engineering and content activities associated with onboarding and BAU lifecycle management of the systems/services/customers in scope of its protective monitoring service.
Latest start date
Wednesday 1 September 2021
Expected contract length
6 months, with option to extend for a further 6 months
Location
No specific location, for example they can work remotely
Organisation the work is for
NHS Digital
Budget range
£1m - £2m

About the work

Why the work is being done
The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NHS systems/services (also referred to as customers), including NHS National Services (critical services which underpin the NHS system) and the TTCE Programme. The CSOC is responsible for ensuring the confidentiality, integrity and availability of these assets by monitoring for malicious activity and by identifying and managing incidents. Our mission is ultimately to become the MSSP for the NHS System, to facilitate better health and care outcomes for patients.
Problem to be solved
To successfully provide protective monitoring services to its customers the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities:

1) Discovery – Engaging and technical assessment of systems in scope
2) Engineering Life-Cycle Management – Technical SIEM platform onboarding (i.e. Log ingest) and life cycle management of both customers and SIEM (Splunk)
3) Content Life-Cycle Management – Development, implementation and life cycle management of content (e.g. usecases and SIEM rules)
Who the users are and what they need to do
The CSOC services a wide range of customers, including NHS National Services, the TTCE Programme, the Primary/Secondary care estate and some critical 3rd party suppliers.
Early market engagement
Any work that’s already been done
The CSOC has been operational since 2017 and is currently undergoing an ambitious transformation programme to position itself as the MSSP for the NHS System. As part of its maturity, c.100 National Services and 40 TTCE systems have been onboarded to the SIEM.
Existing team
The CSOC has a range of functions including:

1) Threat Intelligence
2) Threat Hunting
3) Content
4) Engineering
5) Protective Monitoring
6) Incident Management

The supplier will be required to complement the existing content, engineering and discovery teams.
Current phase
Beta

Work setup

Address where the work will take place
The preferred working location is Leeds; however, remote working with visits to Leeds as needed is possible.
Although the preference is for collaborative work in the same location, remote working is acceptable in line with the current government COVID-19 guidance.
Working arrangements
The Data Security Centre will provide the necessary leadership and project management support (along with other support)
All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc)
Security clearance
Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable.

Additional information

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • The supplier must provide evidence of delivering similar capabilities to other SOCs
  • The supplier should have proficiency working with national healthcare and/or government agencies.
  • The supplier must provide evidence of working with Splunk products.
  • The supplier must evidence ability to scale delivery capacity.
  • The supplier must demonstrate proficiency in agile (sprint based) delivery
  • The supplier must evidence SME knowledge/experience in cyber security
  • The supplier must evidence SME knowledge/experience with various cloud and on-prem systems to help develop security usecases
  • The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint
Nice-to-have skills and experience
  • Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management
  • Providing consultancy support and quality assurance in becoming a Centre of Excellence
  • Demonstrable mentoring capabilities for permanent staff during the transition to path-to-live and live environments.
  • Sound understanding of the NHS infrastructure and programmes.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Ability to deliver a system/Service/customer discovery capability
  • Ability to deliver a SIEM Engineering & life-cycle management capability
  • Ability to deliver a Content life-cycle management capability
  • Ability to deliver a team with demonstrable Splunk experience
  • Ability to deliver a team with demonstrable cloud experience
  • Ability to deliver a team with demonstrable SOC experience
  • Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
  • Social Value - Create new business, new jobs and new skills throughout the life of the contract
Cultural fit criteria
  • Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
  • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence.
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

60%

Cultural fit

5%

Price

35%

Questions asked by suppliers

1. Is there an existing supplier for this service
A number of suppliers support NHSD with this and other services within the Data Security Centre
2. Is Cyber Essentials Plus a mandatory requirement?
Yes
3. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?
Log ingest and maintenance will fall under the responsibility of the Engineering team. (RACI below)

Activity: Edge layer management
  TTCE PM Service: Engineering (Full)
  National Services PM Service: Engineering (Partial – some activities carried out by NHS Digital PILS)

Activity: Log Ingest & lifecycle management, SIEM pre-prod management, SIEM prod management
  TTCE PM Service: Engineering
  National Services PM Service: Engineering

Activity: SIEM Configuration
  TTCE PM Service: Engineering (requestor) / Splunk (executor)
  National Services PM Service: Engineering (requestor) / Splunk (executor)

More to follow...
4. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?
...Follow on

Activity: SOC technology integrations with SIEM
  TTCE PM Service: Engineering
  National Services PM Service: Engineering

Activity: AWS Infrastructure Management
  TTCE PM Service: NHSD PILS/ICT
  National Services PM Service: NHSD PILS/ICT

Activity: Other SOC Technology Management
  TTCE PM Service: NHSD PILS/ICT/CSOC Local
  National Services PM Service: NHSD PILS/ICT/CSOC Local
5. Could we please know who supports the Dev, path-to-live and production systems? Does the Engineering scope include management and maintenance of AWS infrastructure?
• In all cases the maintenance of the Edge layer will be the responsibility of the engineering team.
• The maintenance of Splunk will be the responsibility of the engineering team. However, some configuration activities will be carried out by Splunk Support.
• The AWS infrastructure is maintained by NHSD Platforms and infrastructure team.
6. Could we know where the forwarding tier for the production SaaS environment is? Are the forwarding tiers for all 3 environments the same?
The Splunk setup differs for the TTCE Service and National Services (options to homogenise these environments are being discussed).
Currently, there are two forwarding tiers aligned to the two Splunk SaaS instances. Each tier is the same for all its SaaS environments and is based in an AWS instance.