CACI Synergy Costing Software [SW5]

Synergy is a costing software solution and PLICS. It enables users to load costs budget data in a general ledger format and reassign those costs across a user definable hierarchy using weighted allocations and/or specific allocations. This allows to better understand the costs of the services and/or products they provide.


  • Complete traceability of costs through all allocation stages
  • Exception analysis with full audit trail
  • Create and save on-screen enquiries
  • Patient Level Information Costing System (PLICS)
  • Fully supports the new costing transformation programme
  • Source data with no extra IT consultancy or SQL knowledge
  • Direct connectivity to SQL database for easier loading of data
  • Pre-built with all standard definitions and rules
  • Single model for local and national requirements
  • Embedded Data visualisation dashboards


  • Fast calculation times
  • Quantify the costs of the services being delivered
  • Quantify the costs of the products being delivered
  • Gain clear insight into what drives costs
  • Identify profit and loss making activities
  • Free up time by scheduling tasks to run overnight
  • Allows internal and external benchmarking of processes
  • Faster production of statutory submissions and returns


£24,000 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

8 9 7 0 2 8 2 1 4 9 7 3 3 1 8


CACI UK Ltd CACI Digital Marketplace Sales Team
Telephone: 0207 602 6000

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
Internet connection and internet browser access

User support

Email or online ticketing support
Email or online ticketing
Support response times
CACI’s standard Service Level Agreement (SLA) for 'Severity 1 - Critical issues' includes a response time of 1 hour. Resolution, if not achieved immediately when CACI responds, depends on the complexity and severity of the enquiry. Typically this is within 24-48 hours with CACI’s team working on a basis of 'continuous working (within service cover time) until fixed or a workaround delivered'.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
CACI operates a comprehensive managed service that provides customers with access to a dedicated team responsible for answering any queries or resolving any incidents encountered in relation to CACI supported software and solutions.

The managed service, which is included in the price quoted, provides:

- Access to Service Desk
- Defined SLA for Incident Response and Resolution
- Documented Scope of Service and Statement of Work
- Service Delivery Plan
- Service Reporting
Support available to third parties

Onboarding and offboarding

Getting started
For all implementations CACI take a collaborative approach with the customer and users to promote knowledge transfer at all stages. This ensure users are able to effectively utilise Synergy, maximising its value. Included in the services offered are:

- Onsite (or offsite) classroom based training courses including full training materials
- Software installation documents are with assistance available via the managed services desk
- Excel templates are provided in the formats required for loading into the software
- Onscreen help is available for users within Synergy
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
A package exists within Synergy which can be run to extract all data dimension table data as well as results table data for a selected model.

The package is run through the user interface and will extract the data in CSV format and save the extracted files to a location on the server which the user can then access.
End-of-contract process
At the end of a contract, either due to the customer not wishing to renew or cancellation, the date on which the termination will take effect will be agreed and confirmed with the customer. Data will then be extracted from Synergy on the cancellation date and is then securely provided.

Once confirmation is received from the customer that all the required data has been received (transferred or extracted) the system is then cleared and shut down. This is then communicated to the customer in writing with confirmation that CACI is no longer in possession of any customer data.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Service interface
Customisation available
Description of customisation
Users can customise the service by adding local requirements to the prepopulated areas of Synergy, including:

- Adding local datasets
- Adding local matching rules
- Adding local allocation methodologies
- Adding user enquiries/reports

All of the above tasks are covered in training and can be carried out via the user interface.

User roles and access can also be customised. The security module allows the creation of multiple roles. Each role created is assigned permissions to determine the actions allowed for the role at individual screen level. Access permissions for each screen can be deny access, read only, edit existing records, add new records etc.


Independence of resources
Every customer is allocated a dedicated resource in cloud environment to prevent any performance issues when using the solution.


Service usage metrics
Metrics types
Reports can be provided to customers on usage of Synergy with various user defined variables.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be exported from within each screen in CSV format. Packages can be setup or run to export data from multiple screens at one time in CSV format.
Data export formats
Data import formats
  • CSV
  • Other
Other data import formats
  • MSSQL Server
  • Postgres SQL
  • CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Data is protected in its own segregated environment with industry leading firewalls in CACI's UK data centre. Additionally 2 factor authentication security is in place.

Availability and resilience

Guaranteed availability
System availability is over 99%. 

Anticipated downtime for upgrades is agreed in advance with customers to avoid any impact during busy periods. This proactive approach enables communications to be sent to the user base prior to the release of upgrades or patches.
Approach to resilience
Synergy is hosted on an IL3 hosting environment within CACI's UK based data centre which has robust physical, technical and environmental controls to protect data.

All systems are backed up nightly on offsite encrypted media, patched regularly, protected by high-end firewall systems, intrusion detection and antivirus systems, dedicated to the secure environment.

The solution utilises the latest HP blade systems and HP 3PAR all flash SANs with redundant networks. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure.

Climate control is in place to maintain a constant operating temperature for servers and other hardware. The Data centre is conditioned to maintain atmospheric conditions at optimal levels.

Further information is available upon request.
Outage reporting
In the unlikely event of service outage an email alert would be sent to the user(s) from CACI Customer Care Team.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
CACI operates a layered, segregated and separated environment with role based multi-factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Not applicable.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Data Seal and Cyber Essentials certification
Information security policies and processes
CACI have implemented an Information Security Management System (ISMS) containing a set of policies and procedures for systematically managing sensitive data, systems and processes. The foundation of our ISMS is designed in accordance with the ISO27000 series of international standards, industry best practices and regulatory controls.

Overall responsibility for the design, coordination, implementation and verification of the programme is centralised within the organisation.

CACI's Information Security objectives are defined at board level and managed day to day by the Projects and Security team. KPIs are produced against our security objectives and reported back to the executive board. Each team has an Information Asset Owner (IAO) responsible for its assets. A number of suitable trained Security Officers provide guidance across the organisation.

Risk Assessments are conducted upon all services in accordance with our Risk Assessment Methodology document to identify and address all associated risks. CACI actively employs a policy of least provisioning, where employees are only granted the minimum system access to perform their assigned job.

CACI has implemented a comprehensive security awareness programme. Information security training is provided upon induction, on-going security training and updates are provided thought employment. All Information Security Policies are published on our intranet site.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All change management is covered by CACI's ISO 27001 ISMS. We have a continuous development programme across all CACI products and services including Synergy and the associated datasets. This is managed through Agile Project Management processes, any changes and enhancements are implemented as they are reviewed and approved by our software developers and product owners.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Systems and application are routinely updated and patched to the latest release levels to ensure best practices for security.

Deployment of service packs and updates is in accordance with CACI’s ISO 27001 Patching Policy. All operating system patches are deployed within 30 days to enable testing before full release. Critical patches are applied immediately.

Vulnerabilities scans are conducted on critical systems and applications by our network team utilising the Nessus vulnerability scanning product and vulnerabilities addressed accordingly. CACI’s system administrators subscribe to alerts and publications to ensure new are emerging threats are countered promptly and effectively.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
CACI uses Checkpoint firewalls with the Intrusion Prevention System (IPS) blades.

By default, any websites that are accessible directly over the Internet are protected by F5 Application Security Manager (ASM)/ Web Application Firewalls (WAF).

Protections include blocking anomalous behaviour, preventing the exploit of known vulnerabilities, enforcing geolocation-based blocking, protecting commonly used APIs and dynamic policy development (learning desirable traffic and usage).

CACI has robust and mature incident response plans and processes and business continuity management to minimise the impact of a cyber-security attack or incident. Security events are promptly reported to our security team, critical events are responded too immediacy.
Incident management type
Supplier-defined controls
Incident management approach
CCACI has Cyber Incident Response Plans and processes to help promptly detect a cyber-incident on CACI networks, systems or infrastructure. This enables consistent and effective approach in containing the attack, hasten the recovery times and provide plans for responding to a number of potential attack scenarios.

All employees are required to report any real, perceived or potential security incidents to the central Security Department. All Security Incidents are recorded and documented in-line with our Security Incident Policy and Response Procedure. A Security Incident Support call is raised and requires analysis, corrective action and preventative action to be recorded.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Health and Social Care Network (HSCN)


£24,000 a licence a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.