NHS Digital

Cyber Deployment Partner PMO and Security Demand & Supply Management - as a Service

Incomplete applications: 5 (2 SME, 3 large)

Completed applications: 12 (3 SME, 9 large)

Important dates

Published: Friday 21 September 2018
Deadline for asking questions: Friday 28 September 2018 at 11:59pm GMT
Closing date for applications: Friday 5 October 2018 at 11:59pm GMT

Overview

Summary of the work: Provide PMO and Security Demand & Supply Management Team to support the expanded Data Security Centre responsibilities.
Latest start date: Monday 7 January 2019
Expected contract length: Initial 6 Month SOW, with a view to extend to 9 months for PMO & 18 months for SDSM
Location: Yorkshire and the Humber
Organisation the work is for: NHS Digital
Budget range: The budget for this work is in the region £1,500,000 to £1,650,000 for PMO and SDSM.

About the work

Why the work is being done: In February 2018, NHS Digital and NHS England were asked to provide improved and enhanced cyber security services to health and care. To ensure funding is utilised in the most effective way to address security threats, vulnerabilities and risks most prevalent across the sector, a systemic risk analysis has been undertaken to inform the strategy and approach. The outcome of the risk analysis reconfirmed the working assumption within NHS Digital, NHS England and other Arm’s Length Bodies that cyber risks are systemic across the sector: systemic vulnerabilities exist across a range of security domains and consistently across different organisation types.
Problem to be solved: The Data Security Centre needs to build out an Augmented PMO to manage the overall Cyber Portfolio. This will build on the current Data Security Office within the DSC. It will provide delivery and project management oversight, and enhanced communication and engagement activities across the programme as well as with stakeholders across Health and Social Care.
Security Demand and Supply Management (SDSM): this component of the CDP will provide, govern, and manage the commercial and procurement approaches to the delivery of the Cyber programme. This will cover the procurement lifecycle from requirements generation through to market engagement and the procurement itself.
Who the users are and what they need to do: The team will deliver support to the NHS D Data Security Centre, which in turn supports the wider NHS with the Cyber & Data Security Requirements. The team will ultimately report into the Data Security Centre Director.
Early market engagement
Any work that’s already been done: Development of an initial CDP Operating Model and Options.
Existing team: You will be working with a full team made up of a Programme director, Programme manager, various work stream leads and commercial leads. Additionally, you will be working with our Strategic Partner, IBM.
Current phase: Alpha

Work setup

Address where the work will take place: Leeds - Vantage House & London - Skipton House
Working arrangements: The supplier is expected to supply a resource working within a team made up of the specialist skills. We expect the supplier to be flexible to our needs and able to work with a mixed team across multiple sites.

Off site and remote working can be accommodated by exception; however, due to security considerations this would need to be discussed.

Day rates to be inclusive of travel and subsistence.
Security clearance: Individuals in the supplier’s team will require SC clearance, or be willing to undergo SC clearance checks.

Additional information

Additional terms and conditions: There will be a requirement to add a formal condition in relation to the ability of the supplier to transition services into BAU and the commercial agreement regarding this milestone.
Invoicing against deliverables / billing will be subject to a 20% retention linked to the BAU transition timelines.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Designing and delivering Governance Risk, Compliance and supply & demand management function within cyber security programmes in the last 3 years
  • Implementing Governance Risk, Compliance and supply & demand function methodologies, tools and resources
  • Implementing a suite of Governance Risk, Compliance and supply & demand management policies and standards within cyber security programmes in the last 3 years
  • Setting up a BAU team including supporting recruitment, training newly appointed staff and knowledge transfer to the enduring team
  • Mobilising an experienced Operating model implementation and transformation team within the timescales and managing its performance over the entire contract duration
  • Collaborating and working alongside external delivery partners to enable the delivery of the wider Cyber Security Programme
Nice-to-have skills and experience
  • Outline experience of collaboration and functioning within complex ecosystems of suppliers and internal stakeholders, and ensuring that the end customer needs are represented and met
  • Proven thought leadership in implementing PMO and Supply & Demand Management methodologies in complex governmental organisations.
  • Relevant professional qualifications, memberships and contributions to cyber security knowledge, corporately or by proposed team members

How suppliers will be evaluated

How many suppliers to evaluate: 6
Proposal criteria
  • Approach and methodology in planning and managing the delivery of the various work packages.
  • Solution design methodology and governance
  • Proposed team structure including CVs and relevant experience of named team members
  • Mobilisation plan, including capacity to be flexible with requirements and ability to quickly draw on/source other skill sets as required.
  • Supplier Exit Strategy, including knowledge transfer to DSC BAU teams.
  • Risks identified with approach suggested and the solution to manage those risks.
  • Ensuring consistency of staff within the implementation team
  • Value added activities which further improve delivery confidence
Cultural fit criteria
  • Approach to functioning effectively and collaboratively in a complex multi-supplier environment.
  • Approach to proactive issue management, problem resolution and improving ways of working
  • Approach to leading by example to keep data secure.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme
  • Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the wider DSC team.
Payment approach: Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting
  • Technical competence: 70%
  • Cultural fit: 10%
  • Price: 20%

Questions asked by suppliers

1. Supplier question: You have stated up to £1,000 per day for this position. We have a ceiling on the rates we can submit for the application. Will you consider higher rates from us once we get to the next stages for the opportunity?
   Buyer answer: NHS Digital has set out its budget for this requirement which is a Digital outcome. This is a top level budget due to affordability so there will be no consideration of higher rates. To be clear this is not one position.
2. Supplier question: Are private sector and public sector examples accorded equal weight in the evaluation?
   Buyer answer: NHS Digital will be looking at the scale and suitability of experience therefore will be treating public and private sector the same.
3. Supplier question: In client confidential examples, are we permitted to anonymise the client name, referencing the sector instead?
   Buyer answer: Yes this will be okay.
4. Supplier question: Are global i.e. non UK examples accorded equal weight?
   Buyer answer: NHS Digital will be looking at the suitability of the experience therefore appropriate global examples will be scored appropriately.
5. Supplier question: Does the reference to standards need to be industry/global standards e.g. ISO or can they relate to organisation-specific standards?
   Buyer answer: NHS Digital corporate standards must be adhered to, as well as any specific industry and government standards.
6. Supplier question: In respect to mobilising an experienced ‘Operating Model team’ – can our examples include both in-house and external resources?
   Buyer answer: Yes, this would be acceptable.
7. Supplier question: In respect to Governance, Risk and Compliance examples, do these need to relate to information security specifically, or can they relate to other risk categories providing that the capability is relevant and applicable to NHSD’s requirement?
   Buyer answer: Yes as long as it is applicable to the requirement.