NHS Digital

Cyber Deployment Partner Cyber Design Authority - as a Service

Incomplete application

1
1 SME, 0 large

Completed applications

14
4 SME, 10 large
Important dates
Published Friday 21 September 2018
Deadline for asking questions Friday 28 September 2018 at 11:59pm GMT
Closing date for applications Friday 5 October 2018 at 11:59pm GMT

Overview

Summary of the work Provide Cyber Design Authority Team to support the expanded Data Security Centre responsibilities
Latest start date Monday 7 January 2019
Expected contract length Initial 6 Month SOW, with a view to extend to 12 months
Location Yorkshire and the Humber
Organisation the work is for NHS Digital
Budget range The budget for this work is in the region of £700,000 to £850,000

About the work

Why the work is being done In February 2018, NHS Digital and NHS England were asked to provide improved and enhanced cyber security services to health and care. To ensure funding is utilised in the most effective way to address security threats, vulnerabilities and risks most prevalent across the sector, a systemic risk analysis has been undertaken to inform the strategy and approach. The outcome of the risk analysis reconfirmed the working assumption within NHS Digital, NHS England and other Arm’s Length Bodies that cyber risks are systemic across the sector: systemic vulnerabilities exist across a range of security domains and consistently across different organisation types.
Problem to be solved The Data Security Centre needs to build a Cyber Design Authority (CDA): this element of the CDP will provide enterprise security architectural patterns, design reviews, and guidance to ensure consistency of quality, architectural robustness, and alignment to overarching architectural, platform, and technology strategies
Who the users are and what they need to do The team will deliver support to the NHS D Data Security Centre which in turn supports the wider NHS with the Cyber & Data Security Requirements. The team will ultimately report into the Data Security Centre Director.
Early market engagement
Any work that’s already been done Development of an initial CDP Operating Model and Options
Existing team You will be working with a full team made up of a Programme director, Programme manager, various work stream leads and commercial leads - additionally you will be working with our Strategic Partner - IBM
Current phase Alpha

Work setup

Address where the work will take place Leeds - Vantage House & London - Skipton House
Working arrangements The supplier is expected to supply a resource working within a team made up of the specialist skills. We expect the supplier to be flexible to our needs and able to work with a mixed team across multiple sites.

Off site and remote working can be accommodated by exception, however due to security considerations this would need to be discussed.

Day rates to be inclusive of travel and subsistence
Security clearance Individuals in the supplier’s team will require SC clearance, or be willing to undergo SC clearance checks.

Additional information

Additional terms and conditions There will be a requirement to add a formal condition in relation to the ability of the supplier to transition services into BAU and the commercial agreement regarding this milestone.
Invoicing against deliverables / billing will be subject to a 20% retention linked to the BAU transition timelines

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Designing and delivering Cyber Design Authority within cyber security programmes in the last 3 years
  • Implementing Cyber Design Authority function methodologies, tools and resources
  • Implementing a suite of Cyber Design Authority policies and standards within cyber security programmes in the last 3 years
  • Setting up a BAU team including supporting recruitment, training newly appointed staff and knowledge transfer to the enduring team
  • Mobilising an experienced Operating model implementation and transformation team within the timescales and managing its performance over the entire contract duration
  • Collaborating and working alongside external delivery partners to enable the delivery of the wider Cyber Security Programme
Nice-to-have skills and experience
  • Outline experience of collaboration and functioning within complex ecosystems of suppliers and internal stakeholders, and ensuring that the end customer needs are represented and met
  • Proven thought leadership in implementing Cyber Design Authority methodologies in complex governmental organisations.
  • Relevant professional qualifications, memberships and contributions to cyber security knowledge, corporately or by proposed team members

How suppliers will be evaluated

How many suppliers to evaluate 3
Proposal criteria
  • Approach and methodology in planning and managing the delivery of the various work packages.
  • Solution design methodology and governance
  • Proposed team structure including CVs and relevant experience of named team members
  • Mobilisation plan, including capacity to be flexible with requirements and ability to quickly draw on/source other skills sets as required.
  • Supplier Exit Strategy, including knowledge transfer to DSC BAU teams.
  • Risks identified with approach suggested and the solution to manage those risks.
  • Ensuring consistency of staff within the implementation team
  • Value added activities which further improve delivery confidence
Cultural fit criteria
  • Approach to functioning effectively and collaboratively in a complex multi-supplier environment.
  • Approach to proactive issue management, problem resolution and improving ways of working
  • Approach to leading by example to keep data secure.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme
  • Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the wider DSC team.
Payment approach Capped time and materials
Assessment methods
  • Written proposal
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

  • Technical competence: 70%
  • Cultural fit: 10%
  • Price: 20%

Questions asked by suppliers

Supplier question Buyer answer
1. Has the Development of an initial CDP Operating Model and Options been completed? The Op Model with detailed design will be completed by December 2018.
2. Can you share the report of the CDP Operating Model and Options so that bidders of the current opportunity are able to understand recommendations from the CDP? This is not something that will be shared at this stage. Initial outputs of the Op Model will be shared with suppliers who are selected to present at the next stage of this procurement.
3. Will the supplier be based in London with occasional visit to other locations? It will be Leeds based, with some travel to London.
4. Is the CDP bidding for this opportunity? CDP is the name given to the project, it is not a supplier.
5. Why January 2019 instead of having the supplier started in October? The Op Model with detailed design will be completed by December 2018, therefore expectation is Delivery will start in January.
6. Are private sector and public sector examples accorded equal weight in the evaluation? NHS Digital will be looking at the scale and suitability of experience therefore will be treating public and private sector the same.
7. In client confidential examples, are we permitted to anonymise the client name, referencing the sector instead? Yes this will be okay.
8. Are global i.e. non UK examples accorded equal weight? NHS Digital will be looking at the suitability of the experience therefore appropriate global examples will be scored appropriately.
9. Does the reference to standards need to be industry/global standards e.g. ISO or can they relate to organisation-specific standards? NHS Digital corporate standards must be adhered to, as well as any specific industry and government standards.
10. In respect to mobilising an experienced ‘Operating Model team’ – can our examples include both in-house and external resources? Yes, this would be acceptable.
11. Is the £700k-850K for the initial 6 months, or 24 months? The £700-850k budget is for a 12 month period.
12. The requirement states that the CDA will ensure alignment to overarching architectural, platform and technology strategies. Please can you confirm whether there are any form of accreditation/assurance requirements or processes within that, and whether the CDA will be expected to support such a process or whether this will be completed by other parties. Yes, the CDA will also act as an assurance function; it will therefore be expected to support processes aligned to this.