Awarded

CSOC Engineering, Content and Discovery Team

Published

Supplier(s)

Hippo Digital Ltd

Value

1,400,000 GBP

Description

Summary of the work

NHS Digital’s CSOC requires a supplier to support discovery, engineering and content activities associated with onboarding and BAU lifecycle management of systems/services/customers in-scope of its protective monitoring service.

Expected Contract Length

6 months, with option to extend for a further 6 months

Latest start date

Wednesday 1 September 2021

Budget Range

£1m - £2m

Why the Work is Being Done

The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NHS systems/services (also referred to as customers) including NHS National Services (critical services which underpin the NHS system) and the TTCE Programme. The CSOC is responsible for ensuring the confidentiality, integrity, and availability of these assets by monitoring malicious activities, identifying, and managing incidents. Our mission is to ultimately become the MSSP for the NHS System to facilitate better health and care outcomes to patients.

Problem to Be Solved

To successfully provide protective monitoring services to its customers the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities:

1) Discovery – Engaging and technical assessment of systems in scope
2) Engineering Life-Cycle Management – Technical SIEM platform onboarding (i.e. log ingest) and life-cycle management of both customers and SIEM (Splunk)
3) Content Life-Cycle Management – Development, implementation and life-cycle management of content (e.g. use cases and SIEM rules)

Who Are the Users

The CSOC services a wide range of customers including NHS National Services, TTCE Programme, Primary/Secondary care estate and some critical 3rd party suppliers.

Work Already Done

The CSOC has been operational since 2017 and is currently undergoing an ambitious transformation programme to position itself as the MSSP for the NHS System. As part of its maturity c.100 National Services and 40 TTCE systems have been onboarded to the SIEM.

Existing Team

The CSOC has a range of functions including:

1) Threat Intelligence
2) Threat Hunting
3) Content
4) Engineering
5) Protective Monitoring
6) Incident Management

The supplier will be required to complement the existing content, engineering and discovery teams.

Current Phase

Beta

Skills & Experience

  • The supplier must provide evidence of delivering similar capabilities to other SOCs
  • The supplier should have proficiency working with national healthcare and/or government agencies.
  • The supplier must provide evidence of working with Splunk products.
  • The supplier must evidence ability to scale delivery capacity.
  • The supplier must demonstrate proficiency in agile (sprint based) delivery
  • The supplier must evidence SME knowledge/experience in cyber security
  • The supplier must evidence SME knowledge/experience with various cloud and on-prem systems to help develop security use cases
  • The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint

Nice to Haves

  • Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management
  • Providing consultancy support and quality assurance in becoming a Centre of Excellence
  • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments.
  • Sound understanding of the NHS infrastructure and programmes.

Work Location

The preferred working location is Leeds, however remote working with visits to Leeds depending on need. Although the preference is for collaborative work in the same location, remote-working is acceptable in line with the current government COVID-19 guidance.

Working Arrangements

The Data Security Centre will provide the necessary leadership and project management support (along with other support). All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc).

Security Clearance

Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable.

Additional T&Cs

The initial Statement of Work (SOW) can be found: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Ti/La4zcSZKZSlG8vzUTZAJuRSTXpdXcFkW6JhlQ3Zeqco

Order Form can be found here: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9VA/jnE47gEEal3mLfCmMreiiuMMzppXzueZfZyQ.mVuDNQ

Instructions to bidders can be found: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/4J000000Q9Tn/sYbxsearrLFFC2agHKhZEu6kGmOQFw6l4P10F.PvPjM

No. of Suppliers to Evaluate

5

Proposal Criteria

  • Ability to deliver a system/Service/customer discovery capability
  • Ability to deliver a SIEM Engineering & life-cycle management capability
  • Ability to deliver a Content life-cycle management capability
  • Ability to deliver a team with demonstrable Splunk experience
  • Ability to deliver a team with demonstrable cloud experience
  • Ability to deliver a team with demonstrable SOC experience
  • Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards)
  • Social Value - Create new business, new jobs and new skills throughout the life of the contract

Cultural Fit Criteria

  • Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team.
  • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working
  • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence.

Payment Approach

Fixed price

Assessment Method

  • Case study
  • Work history
  • Reference
  • Presentation

Evaluation Weighting

  • Technical competence 60%
  • Cultural fit 5%
  • Price 35%

Questions from Suppliers

1. Is there an existing supplier for this service?

A number of suppliers support NHSD with this and other services within the Data Security Centre

2. Is Cyber Essentials Plus a mandatory requirement?

Yes

3. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?

Log ingest and maintenance will fall under the responsibility of the Engineering team.

(RACI below)

  • Activity - Edge layer management
    Responsibility, TTCE PM Service - Engineering (Full)
    Responsibility, National Services PM Service - Engineering (Partial – some activities carried out by NHS Digital PILS)

  • Activity - Log Ingest & lifecycle management, SIEM pre-prod management, SIEM prod management
    Responsibility, TTCE PM Service - Engineering
    Responsibility, National Services PM Service - Engineering

  • Activity - SIEM Configuration
    Responsibility, TTCE PM Service - Engineering (requestor)/Splunk (executor)
    Responsibility, National Services PM Service - Engineering (requestor)/Splunk (executor)

More to follow...

4. Is there a RACI matrix for the integrated environment? For example, who manages the centralised log aggregation of multiple AWS accounts? Would this fall under the scope of CSOC Engineering?

...Follow on

  • Activity - SOC technology integrations with SIEM
    Responsibility, TTCE PM Service - Engineering
    Responsibility, National Services PM Service - Engineering

  • Activity - AWS Infrastructure Management
    Responsibility, TTCE PM Service - NHSD PILS/ICT
    Responsibility, National Services PM Service - NHSD PILS/ICT

  • Activity - Other SOC Technology Management
    Responsibility, TTCE PM Service - NHSD PILS/ICT/CSOC Local
    Responsibility, National Services PM Service - NHSD PILS/ICT/CSOC Local

5. Could we please know who supports the Dev, path-to-live and production systems? Does the Engineering scope include management and maintenance of AWS infrastructure?

  • In all cases the maintenance of the Edge layer will be the responsibility of the engineering team.
  • The maintenance of Splunk will be the responsibility of the engineering team. However, some configuration activities will be carried out by Splunk Support.
  • The AWS infrastructure is maintained by NHSD Platforms and infrastructure team.

6. Could we know where the forwarding tier for the production SaaS environment is? Are all the 3 environment forwarding tiers the same?

The Splunk setup differs for the TTCE Service and National services (options to homogenise these environments are being discussed). Currently, there are two forwarding tiers aligned to the two Splunk SaaS instances. Each tier is the same for all its SaaS environments and is based in an AWS instance

Timeline

Publish date

3 years ago

Award date

3 years ago
