This opportunity is closed for applications

The deadline was Monday 11 July 2022
NHS Digital (Health and Social Care Information Centre)

CSOC Engineering, Content and Tooling Support

5 Incomplete applications

2 SME, 3 large

11 Completed applications

7 SME, 4 large

Important dates

Monday 27 June 2022
Deadline for asking questions
Monday 4 July 2022 at 11:59pm GMT
Closing date for applications
Monday 11 July 2022 at 11:59pm GMT


Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
NHS Digital’s CSOC requires a supplier to support engineering and content activities associated with onboarding and BAU lifecycle management of systems/services/customers in-scope of its protective monitoring service.
Latest start date
Monday 12 September 2022
Expected contract length
2 years + 6 month (Optional Extension)
Yorkshire and the Humber
Organisation the work is for
NHS Digital (Health and Social Care Information Centre)
Budget range
Circa £4 to £5m excl VAT for the full two year term. It is expected that the value of the first year will be lower with a possible uplift in year 2 of the contract if the volume of onboarding increases. We will ask for the optional 6 month extension value to be included as part of the response in Stage 2.

About the work

Why the work is being done
The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NHS system/services, including NHS National Services (critical services which underpin the NHS). The CSOC is responsible for ensuring the confidentiality, integrity, and availability of these assets by monitoring malicious activities, identifying, and managing incidents.
Problem to be solved
To successfully provide protective monitoring services to the NHS the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities:
1) Engineering Life-Cycle Management – Technical Security Information and Event Management (SIEM) platform onboarding (i.e. Log ingest) and life cycle management of log sources within the SIEM tools (Splunk and Sentinel).
2) Content Life-Cycle Management – Development, implementation and life cycle management of content (e.g. usecases and SIEM rules)
3) Support of interfaces between SIEM tools and other CSOC tooling.
Who the users are and what they need to do
The CSOC service a wide range of customers including NHS National Services provided by NHSD and 3rd party partners, Primary/Secondary organisations across the NHS estate. The onboarding of log sources and development of use cases under this contract will allow NHS Digital and the Trusts they provide security monitoring for to receive early warning of indicators o
of compromise within their systems. Early detection allows rapid containment, the mitigation of cyber attacks and helps to prevent the loss of patient and other sensitive data and the loss of IT infrastructure which would negatively impact the delivery of patient care.
Early market engagement
There has been no relevant early market engagement.
Any work that’s already been done
A wide range of log sources from over 100 systems have been onboarded onto the current SIEM and around 100 use cases are currently active monitoring for security threats.
Existing team
The CSOC has a range of functions including:

1) Threat Intelligence
2) Threat Hunting
3) Dev Ops Content
4) Dev Ops Engineering
5) Protective Monitoring
6) Incident Management
7) Service Management

The supplier will be required to complement the existing content, engineering and discovery teams.
Current phase

Work setup

Address where the work will take place
The preferred working location is Leeds, however remote working with visits to Leeds depending on need. Although the preference is for collaborative work in the same location, remote-working is acceptable in line with government COVID-19 guidance.
Working arrangements
The Data Security Centre (DSC) will provide the necessary leadership and project management support (along with other support).
All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc)
Security clearance
Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable.

Additional information

Additional terms and conditions
Instruction to Bidders, the initial Statement of Work (SOW), Draft Order Form and Call-off Terms and Conditions are available at the following links via Atamis:

Instruction to Bidders:

Draft DOS 5 Order Form:

Draft SOW 01:

Draft DOS 5 Call-Off Schedules:

DOS 5 Joint Schedules:

Atamis reference: C80289
To view the above you must be registered on NHS Digital's e-tendering portal. Suppliers not registered please register using the link above.

The Buyer reserves the right to award future SOWs under this Call-off Contract against all charging methods in the framework.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • The supplier must provide evidence of delivering similar capabilities to other SOCs
  • The supplier should have proficiency working with national healthcare and/or government agencies.
  • The supplier must provide evidence of working with Splunk and Sentinel products.
  • The supplier must evidence ability to scale delivery capacity (up as well as down).
  • The supplier must demonstrate proficiency in agile (sprint based) delivery.
  • The supplier must evidence SME knowledge & experience in cyber security.
  • The supplier must evidence SME knowledge & experience with various cloud and on-prem systems to help develop security use cases.
  • The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint
Nice-to-have skills and experience
  • Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management.
  • Providing consultancy support and quality assurance in becoming a Centre of Excellence.
  • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments.
  • Sound understanding of the NHS infrastructure and programmes.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Ability to deliver a SIEM Engineering & life-cycle management capability.
  • Ability to deliver a Content life-cycle management capability.
  • Ability to deliver a team with demonstrable Splunk and Sentinel experience.
  • Ability to deliver a team with demonstrable cloud experience.
  • Ability to deliver a team with demonstrable SOC experience.
  • Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
  • Ability to mobilise a team to start of the contract term.
  • Social Value - Deliver additional environmental benefits in the performance of the contract including working towards net zero greenhouse gas emissions.
Cultural fit criteria
  • Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
  • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence.
Payment approach
Fixed price
Additional assessment methods
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. How large is the current security engineering team?
4 permanent staff and 9 outsourced supplier staff
2. Is the intent to replace the current team with an outsourced service, or augment the current team with a supplier’s capabilities/specialists?
The intent is to augment the current permanent staff with the supplier's team of specialists.
3. Is the intent to replace one SIEM for the other e.g. replace Splunk with Sentinel (or vice versa) or to integrate the two?
The SIEM strategy will be reviewed during the contract period - there are no predetermined intentions. The current SIEM is Splunk and we are in the early stages of exploring the opportunities presented by Sentinel.
4. What level of onsite working is expected vs remote e.g. 1 day/week, 2 days/ month etc.?
No onsite working is expected, although some onsite working may be requested once or twice per quarter. Please note that all remote working must be within the UK, in line with NHS Digital policy.
5. Is there an incumbent?
Yes, the current incumbent is Hippo Digital Ltd.
6. Does a Sentinel Workspace currently exist and if so, what state is it in?
There are a few possible Sentinel workspaces, most don't exist and those that do are fairly basic.
7. Are there opportunities to provide technical solutions, such as automation software and custom tooling as well as personnel as part of this tender?
Yes, expertise in automation and optimisation would be welcome to make the service more efficient as well as providing staff to undertake and oversee this work. Licensing for software and tooling would need to be independently evaluated and purchased.
8. In regards to log ingestion, what format are the logs in (e.g. flat files, json etc) and will they be real time ingestions or regular batches?
The ingested logs are in a variety of formats, depending upon the capabilities of the source systems. Nearly all feeds are real-time and a few are in batches.
9. In regards to SIEM tools and other CSOC tooling; Could you give a run down of those tools? What form the interfaces take in to the tools? where they are hosted currently?
The primary SIEM tool is Splunk and we are in the early stages of exploring the opportunities presented by Sentinel. Splunk Cloud Enterprise Security is used with APIs to other cloud tooling and source system environments (mostly cloud) as required. There is an AWS-based log feeding control environment and GitLab (cloud) code control.
10. Do you have technical details of where the SIEM platform is currently hosted and the tools/tech stacks?
It is a Splunk Cloud Enterprise Security solution, with an AWS-based log feeding control environment and GitLab (cloud) code control.
11. Do you have any of examples of existing use cases to aid understanding?
A few examples: Excessive password failures, attempts to login without multi-factor authentication, attempts to login from unapproved locations, attempts to send traffic over unauthorised ports, excessive failed traffic message responses.
12. In regards to the existing teams we will compliment; are you able to provide information on the size of these teams and the type of roles you have in them?
There are four permanent staff who perform similar roles to those outlined in this tender. See also published answer to clarification question 1
13. Is BPSS clearance acceptable to start the project while individuals are going through the clearance?
Yes, provided that the individuals are eligible for SC Clearance and expect their application to be successful.
14. Can you confirm that a Protective Monitoring service is not required during the transformation period (SIEM integration)?
There is currently no planned transformation period. If there was then a full Protective Monitoring service would be required throughout.
15. Can the you advise if a Protective Monitoring service will be required post transformation?
There is currently no planned transformation period. If there was then a full Protective Monitoring service would be required during and afterwards.
16. Is there a SOAR/Automation platform currently in use by the SOC team?
Yes - XSOAR is being used as a Proof of Concept phase.
17. Does NHSD require us to support the log sources as well as the SIEM ?
The supplier should provide detailed technical advice and guidance about the log sources but is not responsible for supporting them outside of the SIEM.
18. How many log sources / new rules do NHSD expect us to onboard / create in year 1 and in each subsequent year ?
This should be detailed in the Statement of Work available via the Atamis link. Onboarding year 1 is 60 systems with multiple log sources each, year two likely to be similar depending upon complexity. Rules year 1 is 48 new rules and 120 rule improvements, year two likely to be similar
19. Will we be responsible for testing log source integration or will NHSD be involved with any service owners ?
The supplier should provide detailed technical advice and guidance about log source integration and is responsible for testing the integration within the SIEM.
20. Where are the log sources expected to be onboarded ? Are they NHSD managed locations or at remote locations (e.g. Trusts) ?
The majority of log sources are NHSD managed locations but some will be other NHS locations and third parties contracted to NHSD.
21. What is the current SIEM ingestion rate (x GB) for both Splunk and Sentinel ?
Current SIEM ingestion is about 6 TB of data per day.
22. Will NHSD support all licensing and log storage requirements or do we need to provide pricing for these elements?
NHSD will provide all licensing, tooling and and log storage capability - this is not part of the pricing.
23. How many use cases per month need to be created for each platform ? Will it be x each or x in total depending on the specific application or priority areas.
This should be detailed in the Statement of Work available via the Atamis link in the requirements. The total is approximately 4 new rules and 10 rule improvements per month.
24. Can the team work remotely from UK-based delivery centre after the first 90 days?
Yes - some onsite working may be requested once or twice per quarter. All remote working must be within the UK, in line with NHS Digital policy.
25. Is NHSD using Splunk Cloud or Splunk Enterprise (self-managed)?
Splunk Cloud
26. How many use cases / month beyond the first 90 days?
Maintain the same cadence - approximately 4 new rules and 10 rule improvements per month.
27. How many use cases are currently deployed?
Approximately 100 use cases
28. What is the size of the Splunk and Sentinel environment (GB/day)?
Current SIEM ingestion is about 6 TB of data per day.