Home Office - OSCT (Office for Security and Counter Terrorism)

Home Office OSCT - Service Management & 1st Line Service Desk Provision copy

Incomplete applications
9 (6 SME, 3 large)

Completed applications
7 (0 SME, 7 large)

Important dates
Published Tuesday 12 September 2017
Deadline for asking questions Tuesday 19 September 2017 at 11:59pm GMT
Closing date for applications Tuesday 26 September 2017 at 11:59pm GMT

Overview

Summary of the work We require the provision of:

1. Integrated ITIL Service Management Services (Incident, Problem, Change, CSI)

2. 1st Line Service Desk (SaaS App and infrastructure support)

These services should be provided as one overall service. The service must be delivered at SC Clearance as a minimum from within the UK.
Latest start date Friday 16 March 2018
Expected contract length 2 Years
Location No specific location, eg they can work remotely
Organisation the work is for Home Office - OSCT (Office for Security and Counter Terrorism)
Budget range

About the work

Why the work is being done The Home Office – Office of Security and Counter-Terrorism (OSCT) is looking to appoint a supplier to undertake 1st line support and Service Management of our CDS (Communications Data Service) Platform.

CDS Support teams provide ongoing support and maintenance, and further develop communications data acquisition capabilities, for the purpose of law enforcement and national security.

The organisational and support model of the CDS is undergoing a significant change in structure aimed at becoming more user focused. In preparation for transition to this new service model we have specified new requirements to replace the existing support agreements and methodologies.
Problem to be solved The CDS Platform and suite of applications is provided nationally to a number of agencies and organisations. We therefore need to provide a 1st line Service Desk for users and contributors to access the CDS support organisation in the event of an issue or a request they may have.

We also require an ITIL Aligned assurance model which includes Change, Problem management and Incident Management to assure the service is managed according to best practice and with a user focussed mindset, ensuring the service is available and fit for purpose at all times.
Who the users are and what they need to do These services are consumed by Law Enforcement Agencies and Intelligence Agencies across the UK in accordance with the relevant legislation. The service being procured will also liaise with data providers such as telecoms companies' technical support teams.

The CDS Platform comprises a suite of capabilities / applications ranging from workflow and case management to data mediation and management.
Early market engagement
Any work that’s already been done The existing support teams have been operating for 4 years in their current form.

In order to let this contract the transition team has undertaken a full discovery of the service "as is" and the organisational and user high-level requirements.

The output of this work has been fed into this tender action and the accompanying design packs that the successful supplier will be provided with.
Existing team The existing service is delivered by two external bodies, one commercial and one HMG organisation. We are looking to combine these services into the single service described in this ITT.

The two existing services come to an end in 2018. The Service Management element in March and the Service Desk in May. This may mean a staggered transition.
Current phase Live

Work setup

Address where the work will take place The service is to be operated from the supplier's premises, which must be within the UK only. There will be occasional visits to Home Office Locations across the UK but mainly in London.
Working arrangements The service will be provided from the supplier's own location wholly within the UK.

The service will operate 24/7 as per the design documentation. (Out of hours requirement differs from in hours)

The supplier must provide account management/Service Delivery Management resources which will act as liaison between us and the supplier. The person(s) performing this role will attend Home Office locations across the UK (Mainly London) on a weekly basis.

The Service will be inclusive of any travel or accommodation expenses which are incurred in delivering the service.
Security clearance The service must be provided at SC Clearance levels as a minimum. There is a potential for DV level services to be added into the service during the contract but these elements will be small and classed as additional as and when required.

Additional information

Additional terms and conditions The supplier must provide an ITSM toolset which meets the OSCT security requirements

The supplier must have or provision access to the PSN to provide these services

The supplier must provide a minimum of 2x available desk spaces for use by OSCT staff who wish or need to work from their site

The supplier must provide the service with resources/staff who are ITIL foundation qualified as a minimum

The supplier must provide monthly service reviews which report on the KPIs and SLAs across the entire CDS support model (KPIs within design pack)

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • ITIL Service Management Experience (Incident, Problem, Change) in a SIAM type model
  • 1st Line Service Desk Experience
  • Access to or be able to provision access to the PSN by the go live date
  • Be able to provide an ITSM toolset which meets the "Official Sensitive" security requirements
  • Have application support experience (SaaS)
  • Demonstrable experience of running and managing CABs, including out of hours emergency CABs
  • Be able to operate the service entirely from the UK with SC Cleared resources
  • Demonstrable experience of managing Problem Review Boards
  • Provide a minimum of 2 always available desk spaces with internet connectivity for Home Office Resources to use as required
  • The SMP Provider must provide a dedicated Account Manager/Service Delivery Manager as the main relationship holder
  • The SMP Provider must maintain all relevant forms, templates and documentation in relation to the service (as approved by the CCD), making them available in the ITSMT - demonstrable experience
  • Producing comprehensive Weekly, Monthly, Quarterly and Annual service reports
  • Experience delivering Continual Service Improvement
  • Be able to provide a portable non geographic local rate phone number for users to call and an email address
  • The SMP supplier should be able to demonstrate previous experience of performing Request Fulfillment and Access Management
  • Demonstrable experience of transitioning similar services in a short timeframe.
  • Customer satisfaction and feedback survey capability (which meets security requirement)
  • Be able to stand up the two service elements by no later than 16/03/18
  • Demonstrable technical competency in Active Directory
  • The supplier will not seek to sub-contract any part of the service
Nice-to-have skills and experience
  • The Service Desk Provider is a member of the SDI (Service Desk Institute) or other industry body
  • Previous experience in national security or law enforcement end user support
  • ISO20001 Accreditation
  • Provide service continuity as part of the service (DR/BC of the desk and SM team)
  • Demonstrate how they would reduce incident and problem volumes
  • Use technology and automation to improve the end user experience
  • Deploy user satisfaction and feedback solutions as part of the service
  • Design a service that is easily scalable with transparent up and down pricing
  • The ability to integrate Service Management with Agile and DevOps 3rd line models

How suppliers will be evaluated

How many suppliers to evaluate 10
Proposal criteria
  • Approach and methodology
  • How the approach or solution meets our organisation’s policy and goal
  • Value for money
  • Technical solution
  • Estimated timeframes for the work
  • Support team structure
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Take responsibility for their work
  • Understand the real world benefit and impact of the service
  • Can work with clients with low technical expertise
  • Share knowledge and experience with other team members and support teams
Payment approach Fixed price
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting
  • Technical competence 50%
  • Cultural fit 10%
  • Price 40%

Questions asked by suppliers

Supplier question Buyer answer
1. Please could you advise what your budget is for this work? We are not disclosing the budget at this stage, we encourage bidders to provide us with a value for money solution that utilises current industry best practice and fully meets our requirements. We would also remind bidders of the evaluation criteria and the weighting that is put upon price.
2. In respect to your first essential skill ‘ITIL Service Management Experience (Incident, Problem, Change) in a SIAM type model’, does this question refer to where we operate Incident, Problem, Change in a SIAM environment where we are not the SIAM provider, or are you looking for examples of our experience where we are the SIAM provider? We are interested in both examples where it supports your proposal, however, where a bidder has been the SIAM, and owned the assurance processes, would be advantageous as it relates more closely to this requirement.
3. Two questions (‘Provide a minimum of 2 always available desk spaces with internet connectivity for HO Resources to use as required’, ‘Be able to stand up the two service elements by no later than 16/03/18’) appear to be requirements of the work you wish to commission, not our skills and experience. Please may you clarify how we should answer, given the DOS process at this stage asks responses detail ONE previous delivery example in a specified format? We are also concerned we do not have your detailed requirements at this stage to enable us to robustly commit to these questions. We are looking for positive confirmation you are able to meet these requirements. We appreciate experience of these two elements is not pertinent to these requirements.

In regards to detailed requirements, we are looking to implement a vanilla best practice driven service model, you should model your response appropriately. We will work with finalists and the successful respondent to ensure our detailed requirements can and will be met.
4. Can you clarify the position for the Terms & Conditions for this opportunity (presumably under the DOS2 framework) Yes, we can confirm that the Terms and Conditions appertaining to DOS2 Framework will apply to this opportunity.
5. Active Directory capability - can you clarify whether you require the capability to deploy, configure and integrate AD? Our requirement is for service desk resources to be adequately skilled to perform user administration tasks in Active Directory, such as password resets, account management, group assignments and such related tasks.
6. Can you clarify the balance of evidence required - do you require any detailed capabilities of individuals for any particular areas of expertise? We do not require individual resource evidence, we are looking for organisational experience in the relevant areas. Case studies or references are welcomed.
7. Can you clarify the difference in the capability requirement for "Customer satisfaction and feedback..." (as per Essential skills) and "user satisfaction and feedback solution.." (nice-to-have skills)? In the essential area we are looking for suppliers who have implemented processes to capture the responses from a service management tool's existing capability, for example, and create reports and create targeted initiatives to improve the user experience.

In the nice to have section we are interested in understanding any technological value add a respondent could bring to the table to enhance this activity.
8. Is the CDS platform to be supported based on Microsoft Platforms? Could you advise if there are any MS technologies to be supported? The CDS platform is a combination of technology sets, the service we are procuring is user focussed and should be technology, or solution, agnostic in regards to infrastructure and architecture.
9. Within your Overview section and Essential Skills and Experience section you describe the ability for the supplier to support SaaS applications, could you describe this / these applications in greater detail? The applications we require supporting are closed user community web based applications, which range in purpose from knowledge and article publication to workflow. Typical first line requests are user administration, access issues or application errors. The first line service desk will not have access to the live applications themselves but will have access to demo environments for the majority.
10. You require your Service Management and 1st line Service Desk supplier to provide the ITSM tooling, on this basis can we assume that there will be no existing tooling transferring to the new supplier and any such ITSM tool that is implemented will be a completely UK based operation / delivery. We currently use Remedy ITSM, this is provided by our incumbent supplier. It is anticipated that the new supplier will need to provide a new solution.
11. You describe under Skills and Experience that you require a supplier to work in a SIAM type model and you also describe a requirement to interface to DevOps and Agile teams at 3rd line. Can you elaborate on the service delivery model expected for this contract? The delivery model is currently being developed, and this high level summary is all that is available at this time. We are looking for flexible partners to assist us in changing our business and delivery model going forward.
12. In the sections Latest Start Date and Essential Skills and Experience the latest date for standing up the two elements required is no later than 16th March 2018. Whilst About the Work describes a staggered transition as the service desk is in place until May 2018 could you elaborate on how you envisage the implementation taking place, i.e. all at once or via staggered approach? The commencement date for the Service Management element is a hard date of 16th March 2018, the first line service desk would follow as soon as practicably possible after this date, but cannot transition prior to the end of May 2018.
13. Within your Overview section and Essential Skills and Experience section you describe the ability for the supplier to support SaaS applications, could you describe this / these applications in greater detail? The applications this requirement supports are closed user community web based applications which range in purpose from knowledge and article publication to workflow. Typical first line requests are user administration, access issues or application errors. The first line service desk will not have access to the live applications themselves but will have access to demo environments for the majority.
14. Can the Authority provide User base information? There is a high level summary of the user base within the requirement, we are unable to provide more details at this stage.
15. Can the Authority confirm the average call handle time? The average call handling time at present is 2 minutes 58 seconds.
16. Can the Authority confirm how is FCR measured for desk? Currently we measure First Call Resolution by assessing the number of Incidents that are opened, resolved, not assigned beyond first line and do not have a status change beyond this.
17. Can the Authority confirm service request fixed within SLA on the desk? Service Request Metrics:
Month    SR Logged  SR Closed
Aug-16   867        1360
Sep-16   761        847
Oct-16   880        873
Nov-16   1631       1262
Dec-16   1138       1332
Jan-17   1388       1079
Feb-17   1401       1872
Mar-17   1933       2492
Apr-17   1188       1184
May-17   1382       1352
Jun-17   1346       1420
Jul-17   1226       100
18. Can the Authority provide the data for Incident fixed within SLA on the desk? Incident performance metrics:
Month    Incidents Logged  Incidents Resolved
Aug-16   143               43
Sep-16   153               286
Oct-16   229               184
Nov-16   275               133
Dec-16   156               180
Jan-17   167               130
Feb-17   214               237
Mar-17   237               527
Apr-17   185               350
May-17   158               230
Jun-17   187               318
Jul-17   126               50
19. Can the Authority confirm service hours for service desk? The 1st line Service Desk operated 24/7, however there are two distinct periods:

In Hours – 08:00 – 18:00 Monday to Friday excluding bank holidays
Out of Hours – 18:00 – 08:00 all days.

Out of hours currently our service desk only processes high priority activities. We are looking to respondents to provide the best possible user experience and value for money solution.

The Service Management element is 24/7 also but only Major Incident and Change Management activities typically occur out of hours.
20. Can the Authority provide the current customer satisfaction %, breakdown by desk? This information is not currently captured and is therefore not available.
21. Can the Authority provide the type of incoming channels for the service desks (breakdown by each desk)? The service desk currently has two contact channels, Telephone and Email; please see the breakdown:
Month    Phone  Email
Aug-16   274    not recorded
Sep-16   391    not recorded
Oct-16   442    not recorded
Nov-16   1345   not recorded
Dec-16   591    not recorded
Jan-17   859    not recorded
Feb-17   938    not recorded
Mar-17   1146   not recorded
Apr-17   726    2231
May-17   687    1814
Jun-17   713    1644
Jul-17   590    1770

November 2016 and March 2017 increase was due to the release of new products.

Please note that telephone volumes are influenced by operational activity within our stakeholder community. We expect any respondents to ensure their resource model allows for this periodic demand increase.
22. Can the Authority provide the number of Major incidents / breakdown for 12 months? We are unable to provide a monthly breakdown for security reasons but the current run rate is less than 1 major incident per month, and 3 Priority 1’s.
23. Can the Authority provide the peaks and trough data for service desk, incoming calls to the ACD system by the hour? We are unable to provide an hourly breakdown but have summarised the in and out of hours splits:

Core Hours
Offered Calls 590

Week Day 18:00 - 08:00
Offered Calls 51
24. Can the Authority confirm the abandoned rate % for service desk (12 months’ breakdown)?
Month    Offered  Abandoned
Aug-16   274      11
Sep-16   391      10
Oct-16   442      5
Nov-16   1345     23
Dec-16   591      5
Jan-17   859      4
Feb-17   938      8
Mar-17   1146     11
Apr-17   726      5
May-17   687      4
Jun-17   713      1
Jul-17   590      5
25. Can the Authority confirm FCR (first contact resolution) of service desk (12 months’ breakdown)? Due to an interim process being in place we have not been formally measuring our service against this metric for the past 12 months, as a result the performance metrics in this area are not valid.

We can however advise that we target 80% of calls to the service desk as first call resolution at present.
26. Can the Authority confirm the number of agents on the current desk? At present the Service Desk is staffed by an average of 4 FTE in hours and 1 out of hours. However it is worth noting that at present these agents are backed up by a leveraged team who can be added into the resource pool to provide increased capability when required.
27. Can the Authority provide the location of the current service desk? The service is currently located at the incumbent supplier's premises within the United Kingdom.
28. Can the Authority provide the number of current FTE covering Incident/Problem/Change and CSIP? At present a team of 7 FTE provide these services.
29. It is a 2 year contract, but what is the likelihood of a long term contract or contract extension? The contract will comply with the DOS2 Framework terms and conditions. At present we are only offering a 2 year contract, however this will be an ongoing requirement.
30. Can the Authority confirm the existing IT Service desk provider(s)? The current provider(s) will remain anonymous until the contract is awarded. We are not able to provide this information at this stage
31. Can the Authority provide the list of services to be supported? Due to the nature of the services we are unable to divulge this information at this stage. We have provided a high level summary of these services below:
Circa 10 SaaS applications which range from Workflow tools to Data Mediation and Documentation Storage systems.
This service desk and service management team will also have responsibility for managing Incidents, problems and changes across the entire infrastructure platform and network.
32. Can the Authority provide the list of 3rd party suppliers? We are not able to provide a list of third party suppliers at this stage.
33. Can the Authority provide the list of KPIs, SLAs & OLAs currently in place across all disciplines? Our service design has utilised the majority of the standard ITIL V3 Process KPI’s for the relevant activities, please refer to these for KPI lists.

We are unable to share our existing SLA’s and OLA’s at this time, we can however share high level SLA’s as below:

Priority - Response
P1 - 15mins
P2 - 15mins
P3 - 60mins
P4 - 240mins

Response includes assignment to the correct support group.
34. Can the Authority confirm the current volume of contacts? Average monthly contacts at present sits at: 2373 (combined)
35. Can the Authority outline the biggest Major Problems outstanding? This level of detail is not available at this stage due to the nature of the services being provided. We can say that at present we have circa 30 open problems across our services and around 10% of those can be considered long term.
36. Can the Authority provide the volume of current open Problems? This level of detail is not available at this stage due to the nature of the services being provided. We can say that at present we have circa 30 open problems across our services and around 10% of those can be considered long term.
37. Can the Authority confirm whether changes completed to schedule? Currently the majority of changes are conducted within a weekly change window which is 3hrs long. We have not had any changes exceed this period (unless planned) within the last 6 months.
38. Can the Authority confirm number of current problems and major incidents related to changes? We currently have no major incidents or problems related directly to changes.
39. Can the Authority confirm whether change CSIP plan available to review? The CSIP plan will be made available to the successful applicant upon award. We can
40. Can the Authority confirm - do post implementation reviews of failed changes take place? We can confirm they do, and that this is a mandatory activity within change management for us both now and going forward.
41. Can the Authority provide CMM Assessment of current change process end to end? As we are changing the operating model and thus the processes within the organisation previous assessments are not relevant to this requirement. We can however confirm we will be conducting a CMMI review of the implemented processes that come out of this award.
42. Can the Authority provide a copy of current RFC form? As our RFC form is considered Operational documentation we are unable to provide this. However we can advise that our RFC form should be built into the ITSM tool
43. Can the Authority provide the details of third parties who can raise changes? At present a number of groups can raise changes; we have provided the most common below:

1. Support Teams
2. Project Teams
3. Security Teams

Product Owners and Technical Assurance
The current attendees of our CAB are as follows:

• Change Manager
• Product Owners / Service Owners
• Support Team Representatives
• Application Technical Assurance Leads
• Security Team Representatives
• Problem Manager
• Project Managers/Representatives
44. Can the Authority provide the details for current change approval process? The current change approval process will not be transitioned as is to the new supplier and is currently being migrated into a new tool. As previously stated we are seeking to implement ITIL Change Management best practice as standard and the standard process should be considered the target model.
45. Can the Authority provide details of current CAB set up, technical/management reviews? CABs are currently held via teleconference, technical impact assessment is done prior to the CAB and where required management or user engagement activities are also undertaken prior to the CAB meetings.
46. ISO20001 seems to be a subset of ISO20000, can the Authority confirm if ISO20000 meet the specified requirement? We can confirm ISO20000 is acceptable.
47. Can the Authority please confirm the best way to go about providing evidence to some of the questions? E.g. BCDR - do we attach our BCDR plan or confirm that we operate a BCDR policy. We are expecting to see either Policies, case studies or examples backed up by references as the evidence for these criteria.
48. The evaluation weighting refers to 40% on price. Can you clarify/confirm the assumption that this applies to a later stage in the procurement process. (if applicable at this point, please can you provide clarification of the volumetrics associated with the service.) The 40% does apply to this stage as it is one of our assessment criteria.
49. Can the Authority confirm current CAB Member details and positions? The current attendees of our CAB are as follows:

• Change Manager
• Product Owners / Service Owners
• Support Team Representatives
• Application Technical Assurance Leads
• Security Team Representatives
• Problem Manager
• Project Managers/Representatives
50. Can the Authority provide the number of Major incidents / breakdown for 12 months? We are unable to provide a monthly breakdown for security reasons but the current run rate is less than 1 major incident per month. And 3 Priority 1’s.
51. Can the Authority confirm the volume of standard, non-standard and emergency changes per month? We currently average the following volumes for changes per week:

Standard - 15
Non Standard - 18
Emergency - 1
Unauthorised - 0 (less than 1% of all changes)

We will be allowing successful respondents access to the change agenda and history as part of due diligence.
52. Can the Authority confirm the usage of Change Management Process and number of unauthorised changes? We do use a Change Management Process and are currently averaging the following volumes for changes per week:

Standard - 15
Non Standard - 18
Emergency - 1
Unauthorised - 0 (less than 1% of all changes)

We will be allowing successful respondents access to the change agenda and history as part of due diligence.
53. Can the Authority provide the data for calls logged in the SMT tool vs calls handled via the ACD system % (12 months’ breakdown)?
Month    Offered Calls  Emails Received  Incidents Raised
Aug-16   274            NA               143
Sep-16   391            NA               153
Oct-16   442            NA               229
Nov-16   1345           NA               275
Dec-16   591            NA               156
Jan-17   859            NA               167
Feb-17   938            NA               214
Mar-17   1146           NA               237
Apr-17   726            2231             185
May-17   687            1814             158
Jun-17   713            1644             187
Jul-17   590            1770             126

Please note that we only have email volume data for 4 months.
54. Can the Authority provide the number of failed / unsuccessful changes (12 months’ breakdown)? We are not prepared to provide a monthly breakdown but can advise that our failed change rate is less than 1% of all changes.
55. Can the Authority provide the volume of failed changes per month? This is not information that we are able to disclose but can advise that our failed change rate is less than 1% of all changes.
56. Can the Authority provide the number of non-standard changes completed (12 months’ breakdown)? We currently average the following volumes for changes per week:

Standard - 15
Non Standard - 18
Emergency - 1
Unauthorised - 0 (less than 1% of all changes)

We will be allowing successful respondents access to the change agenda and history as part of due diligence.
57. In your essential skill and requirement ‘Be able to provide an ITSM toolset which meets the "Official Sensitive" security requirements’, please could you send us a copy of the security requirements you refer to? The requirements for the classification can be found here: https://www.gov.uk/guidance/official-sensitive-data-and-it

Please note that this requirement is due to the secure nature of the systems being supported and under no circumstances will any operational data be stored on the tool.
58. Can the Authority provide some clarification on the OSCT security requirements for the ITSM toolset? The requirements for the classification can be found here:

https://www.gov.uk/guidance/official-sensitive-data-and-it

Please note that this requirement is due to the secure nature of the systems being supported and under no circumstances will any operational data be stored on the tool