CSOC Engineering, Content and Tooling Support

Description

Summary of the work NHS Digital’s CSOC requires a supplier to support engineering and content activities associated with onboarding and BAU lifecycle management of systems/services/customers in-scope of its protective monitoring service. Expected Contract Length 2 years + 6 month (Optional Extension) Latest start date Monday 12 September 2022 Budget Range Circa £4 to £5m excl VAT for the full two year term. It is expected that the value of the first year will be lower with a possible uplift in year 2 of the contract if the volume of onboarding increases. We will ask for the optional 6 month extension value to be included as part of the response in Stage 2. Why the Work is Being Done The NHS Digital Cyber Security Operations Centre (CSOC) is responsible for providing protective monitoring services across the NHS System. As part of its mandate the CSOC monitors a diverse set of NHS system/services, including NHS National Services (critical services which underpin the NHS). The CSOC is responsible for ensuring the confidentiality, integrity, and availability of these assets by monitoring malicious activities, identifying, and managing incidents. Problem to Be Solved To successfully provide protective monitoring services to the NHS the CSOC follows a structured onboarding process. The CSOC requires supplier support to carry out the following onboarding and life-cycle management activities: 1) Engineering Life-Cycle Management – Technical Security Information and Event Management (SIEM) platform onboarding (i.e. Log ingest) and life cycle management of log sources within the SIEM tools (Splunk and Sentinel). 2) Content Life-Cycle Management – Development, implementation and life cycle management of content (e.g. usecases and SIEM rules) 3) Support of interfaces between SIEM tools and other CSOC tooling. Who Are the Users The CSOC service a wide range of customers including NHS National Services provided by NHSD and 3rd party partners, Primary/Secondary organisations across the NHS estate. The onboarding of log sources and development of use cases under this contract will allow NHS Digital and the Trusts they provide security monitoring for to receive early warning of indicators o of compromise within their systems. Early detection allows rapid containment, the mitigation of cyber attacks and helps to prevent the loss of patient and other sensitive data and the loss of IT infrastructure which would negatively impact the delivery of patient care. Early Market Engagement There has been no relevant early market engagement. Work Already Done A wide range of log sources from over 100 systems have been onboarded onto the current SIEM and around 100 use cases are currently active monitoring for security threats. Existing Team The CSOC has a range of functions including: 1) Threat Intelligence 2) Threat Hunting 3) Dev Ops Content 4) Dev Ops Engineering 5) Protective Monitoring 6) Incident Management 7) Service Management The supplier will be required to complement the existing content, engineering and discovery teams. Current Phase Live Skills & Experience • The supplier must provide evidence of delivering similar capabilities to other SOCs • The supplier should have proficiency working with national healthcare and/or government agencies. • The supplier must provide evidence of working with Splunk and Sentinel products. • The supplier must evidence ability to scale delivery capacity (up as well as down). • The supplier must demonstrate proficiency in agile (sprint based) delivery. • The supplier must evidence SME knowledge & experience in cyber security. • The supplier must evidence SME knowledge & experience with various cloud and on-prem systems to help develop security use cases. • The supplier must evidence knowledge of tools such as Service Now, JIRA/Confluence and SharePoint Nice to Haves • Experience in process optimisation and implementing best practice related to SIEM Engineering and Content life-cycle management. • Providing consultancy support and quality assurance in becoming a Centre of Excellence. • Demonstrable mentoring capabilities for permanent staff during the transition to path to live and live environments. • Sound understanding of the NHS infrastructure and programmes. Work Location The preferred working location is Leeds, however remote working with visits to Leeds depending on need. Although the preference is for collaborative work in the same location, remote-working is acceptable in line with government COVID-19 guidance. Working Arrangments The Data Security Centre (DSC) will provide the necessary leadership and project management support (along with other support). All development activities will take place on NHS Digital’s dedicated development devices (unless otherwise agreed) and all information will be stored on NHS Digital’s information and knowledge management platforms (Confluence, JIRA, SharePoint etc) Security Clearance Individuals in the supplier’s team that have access to Authority’s data must be SC cleared or clearable. Additional T&Cs Instruction to Bidders, the initial Statement of Work (SOW), Draft Order Form and Call-off Terms and Conditions are available at the following links via Atamis: Instruction to Bidders: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/8d000000IfcI/2JorBB4NYDrm71vwzQudeUqkvZoft4efoVUBeWNwy7Y Draft DOS 5 Order Form: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/8d000000IfX8/VhgAeq8wtzhFivqz0i.oAgBUZwTjHlMYQrXHQcmfaUo Draft SOW 01: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/8d000000IfWu/Tkfk_sV6RkDqRtDrkBekIr9UmnglB.eH09EmRNTdr2Y Draft DOS 5 Call-Off Schedules: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/8d000000IfWQ/YscxRpCsXBjLh2r.d9UdTgm8mBC6qeOFZXfH9Ug1z8Q DOS 5 Joint Schedules: https://atamis-1928.cloudforce.com/sfc/p/0O000000rwim/a/8d000000IfXX/fvtijFva5mozVSh9ZCyZRg2tvONcJ6VgoW.t42kf4Lg Atamis reference: C80289 To view the above you must be registered on NHS Digital's e-tendering portal. Suppliers not registered please register using the link above. The Buyer reserves the right to award future SOWs under this Call-off Contract against all charging methods in the framework. No. of Suppliers to Evaluate 5 Proposal Criteria • Ability to deliver a SIEM Engineering & life-cycle management capability. • Ability to deliver a Content life-cycle management capability. • Ability to deliver a team with demonstrable Splunk and Sentinel experience. • Ability to deliver a team with demonstrable cloud experience. • Ability to deliver a team with demonstrable SOC experience. • Ability to deliver using Agile delivery methodology to Government Standards (including: Government Digital Service Standards) • Ability to mobilise a team to start of the contract term. • Social Value - Deliver additional environmental benefits in the performance of the contract including working towards net zero greenhouse gas emissions. Cultural Fit Criteria • Raising issues early and learning lessons from past work. Collaboration with the CSOC team working as part of a single team. • Approach to leveraging existing supplier knowledge and experience to the benefit of the wider programme. Also, approach to proactive issue management, problem resolution and improving ways of working • Value for money. Strategy for leaving a sustainable legacy by providing learning opportunities / knowledge transfer events for the CSOC team. Supporting the setup of a Centre of Excellence. Payment Approach Fixed price Assessment Method • Case study • Work history • Reference Evaluation Weighting Technical competence 65% Cultural fit 5% Price 30% Questions from Suppliers 1. How large is the current security engineering team? 4 permanent staff and 9 outsourced supplier staff 2. Is the intent to replace the current team with an outsourced service, or augment the current team with a supplier’s capabilities/specialists? The intent is to augment the current permanent staff with the supplier's team of specialists. 3. Is the intent to replace one SIEM for the other e.g. replace Splunk with Sentinel (or vice versa) or to integrate the two? The SIEM strategy will be reviewed during the contract period - there are no predetermined intentions. The current SIEM is Splunk and we are in the early stages of exploring the opportunities presented by Sentinel. 4. What level of onsite working is expected vs remote e.g. 1 day/week, 2 days/ month etc.? No onsite working is expected, although some onsite working may be requested once or twice per quarter. Please note that all remote working must be within the UK, in line with NHS Digital policy. 5. Is there an incumbent? Yes, the current incumbent is Hippo Digital Ltd. 6. Does a Sentinel Workspace currently exist and if so, what state is it in? There are a few possible Sentinel workspaces, most don't exist and those that do are fairly basic. 7. Are there opportunities to provide technical solutions, such as automation software and custom tooling as well as personnel as part of this tender? Yes, expertise in automation and optimisation would be welcome to make the service more efficient as well as providing staff to undertake and oversee this work. Licensing for software and tooling would need to be independently evaluated and purchased. 8. In regards to log ingestion, what format are the logs in (e.g. flat files, json etc) and will they be real time ingestions or regular batches? The ingested logs are in a variety of formats, depending upon the capabilities of the source systems. Nearly all feeds are real-time and a few are in batches. 9. In regards to SIEM tools and other CSOC tooling; Could you give a run down of those tools? What form the interfaces take in to the tools? where they are hosted currently? The primary SIEM tool is Splunk and we are in the early stages of exploring the opportunities presented by Sentinel. Splunk Cloud Enterprise Security is used with APIs to other cloud tooling and source system environments (mostly cloud) as required. There is an AWS-based log feeding control environment and GitLab (cloud) code control. 10. Do you have technical details of where the SIEM platform is currently hosted and the tools/tech stacks? It is a Splunk Cloud Enterprise Security solution, with an AWS-based log feeding control environment and GitLab (cloud) code control. 11. Do you have any of examples of existing use cases to aid understanding? A few examples: Excessive password failures, attempts to login without multi-factor authentication, attempts to login from unapproved locations, attempts to send traffic over unauthorised ports, excessive failed traffic message responses. 12. In regards to the existing teams we will compliment; are you able to provide information on the size of these teams and the type of roles you have in them? There are four permanent staff who perform similar roles to those outlined in this tender. See also published answer to clarification question 1 13. Is BPSS clearance acceptable to start the project while individuals are going through the clearance? Yes, provided that the individuals are eligible for SC Clearance and expect their application to be successful. 14. Can you confirm that a Protective Monitoring service is not required during the transformation period (SIEM integration)? There is currently no planned transformation period. If there was then a full Protective Monitoring service would be required throughout. 15. Can the you advise if a Protective Monitoring service will be required post transformation? There is currently no planned transformation period. If there was then a full Protective Monitoring service would be required during and afterwards. 16. Is there a SOAR/Automation platform currently in use by the SOC team? Yes - XSOAR is being used as a Proof of Concept phase. 17. Does NHSD require us to support the log sources as well as the SIEM ? The supplier should provide detailed technical advice and guidance about the log sources but is not responsible for supporting them outside of the SIEM. 18. How many log sources / new rules do NHSD expect us to onboard / create in year 1 and in each subsequent year ? This should be detailed in the Statement of Work available via the Atamis link. Onboarding year 1 is 60 systems with multiple log sources each, year two likely to be similar depending upon complexity. Rules year 1 is 48 new rules and 120 rule improvements, year two likely to be similar 19. Will we be responsible for testing log source integration or will NHSD be involved with any service owners ? The supplier should provide detailed technical advice and guidance about log source integration and is responsible for testing the integration within the SIEM. 20. Where are the log sources expected to be onboarded ? Are they NHSD managed locations or at remote locations (e.g. Trusts) ? The majority of log sources are NHSD managed locations but some will be other NHS locations and third parties contracted to NHSD. 21. What is the current SIEM ingestion rate (x GB) for both Splunk and Sentinel ? Current SIEM ingestion is about 6 TB of data per day. 22. Will NHSD support all licensing and log storage requirements or do we need to provide pricing for these elements? NHSD will provide all licensing, tooling and and log storage capability - this is not part of the pricing. 23. How many use cases per month need to be created for each platform ? Will it be x each or x in total depending on the specific application or priority areas. This should be detailed in the Statement of Work available via the Atamis link in the requirements. The total is approximately 4 new rules and 10 rule improvements per month. 24. Can the team work remotely from UK-based delivery centre after the first 90 days? Yes - some onsite working may be requested once or twice per quarter. All remote working must be within the UK, in line with NHS Digital policy. 25. Is NHSD using Splunk Cloud or Splunk Enterprise (self-managed)? Splunk Cloud 26. How many use cases / month beyond the first 90 days? Maintain the same cadence - approximately 4 new rules and 10 rule improvements per month. 27. How many use cases are currently deployed? Approximately 100 use cases 28. What is the size of the Splunk and Sentinel environment (GB/day)? Current SIEM ingestion is about 6 TB of data per day.