Closed

Managed Storage Service including Data Lifecycle Management for a Forensic Computing Provision

Published

Description

Summary of the work

To work in partnership with the Insolvency Service to deliver a Data Lifecycle Management Service and to develop, run and support a cloud-based platform for Insolvency investigators and digital forensic technicians.

Expected Contract Length

12 months with optional extension of 12 months

Latest start date

Saturday 1 October 2022

Budget Range

The Agency is reviewing budget requirements and cannot provide further details at this stage.

Why the Work is Being Done

The Insolvency Service operates a digital forensics unit that collects and analyses data from insolvent companies. Data volumes continue to grow across all companies and levels of insolvency activity are hard to predict. To manage unpredictable volumes the Agency is modernising and migrating its forensic operations to use cloud-based infrastructure and services. The Insolvency Service is aiming to modernise the existing in-house Forensic Computing Provision (FCP). Part of this is to work with an external provider who can provide a managed service for data life-cycle management which meets accreditation standards and can continue to be modernised to meet the needs of a changing digital landscape.

Problem to Be Solved

The current FCU provision will not meet the relevant accreditation standards legislation will soon require. The Agency requires appropriate cloud-based infrastructure to be created and maintained to provide a cost-efficient virtual forensic laboratory, including large data storage capacity and remotely-accessible secure workstations. Moreover, as the data is highly sensitive, a provider must deliver accredited data management practices ensuring the confidentiality, integrity and accessibility of the data. Further, they must provide accredited data lifecycle management processes that prevent data tampering, and ensure the lowest operational costs possible.

It is anticipated that the supply of this service will require a number of service lines which, at high level, are expected to be:

1. Initial work necessary to create and build the environment in which our users will work.
2. Technical support to operate the infrastructure side of the environment, including software deployments, patching and version upgrades etc.
3. Data management support to ensure that data is appropriately segregated, its lifecycle and security managed appropriately, and that storage costs are optimised.
4. Governance support to ensure that the prior elements are being properly managed, and are seen to be so.

Who Are the Users

There will be approximately 300 users of the system. The major use cases are as follows:

• I require to upload data into the platform and know that it is held securely and in accordance with forensic policies.
• I require to use tools to forensically analyse uploaded data and extract files of relevance to the investigation.
• I require to create derived data, manually or with applications, from the data and maintain an evidence chain of how the derivative work was generated and could be reproduced.
• I require to securely share data from the platform with selected external partners.
• I require that data is retained until it is no longer needed.
• I require that data is destroyed and destruction evidenced in compliance with Agency obligations.
• I require that all activities are logged within a case-management system in support of potential prosecutions.
• I require that data can only be accessed by relevant persons as granted from time to time.

Early Market Engagement

No early market engagement was undertaken.

Work Already Done

An internal project team has completed a Discovery phase and an Alpha phase is ongoing. The intention is for suppliers to be on-boarded from Beta onwards. The project has pulled together its requirement of what the infrastructure may look like, which can be seen in the accompanying document.

Existing Team

The Insolvency Service has a project team established and is progressing the Alpha Phase. The team will continue during the Beta Phase. The team currently consists of: 1 FTE Senior Project Manager, 1 FTE Project Manager, 1 FTE Solution Architect, 1 FTE Business Analyst, 0.25 FTE Commercial Lead. There are also other suppliers which there will be some interface with so there is a potential need to work with these suppliers.

Current Phase

Alpha

Skills & Experience

• Have experience of building and designing Cloud Environments
• Have extensive experience with Azure technologies
• Have experience in facilitating secure data movement between internal and external bodies
• Have experience in running requirements workshops, collating requirements catalogues and defining user stories
• Have experience of data ingestion and data migration
• Have experience of deployment including go-live, early life support, training, user guides, service calls
• Have experience of delivering and developing training for end users and train-the-trainer
• Have experience of quality assurance through system testing, user acceptance testing, automated end-to-end testing, code quality checks etc
• Have experience of delivering performance testing, scalability testing, operational acceptance testing and wider non-functional requirement testing
• Have experience and technical support to operate the infrastructure side of the environment, including software deployments, patching and version upgrades
• Have experience in Data management support to ensure that data is appropriately segregated, its lifecycle and security managed appropriately, and that storage costs are optimised
• Have experience in Governance support to ensure that the prior elements are being properly managed, and are seen to be so
• Have experience of supporting the system handover to a suite of service providers under a SIAM model including knowledge transfer

Nice to Haves

• Have experience of delivering project adhering to government IT security standards and patterns
• Have experience of supporting assurance activities through Architectural Review Boards and OGC Gateway Reviews
• Have experience of participating and chairing stakeholder engagement events across internal and external users
• Have experience of creation of delivery plans and roadmaps
• Have experience in Forensic Computing
• Understand Insolvency legislation
• Experience of working with criminal enforcement agencies

Work Location

All work will be completed remotely and the supplier will be responsible for the location of their staff. There will be a regular requirement for key supplier personnel to attend the Insolvency Service offices in London (Stratford) and Birmingham as required. The supplier will periodically be invited to attend and present at key stakeholder meetings, both remotely and at the Insolvency Service offices.

Working Arrangements

The suppliers will be expected to work to Insolvency core hours, 9-4 daily Monday-Friday. Some resource may need to be available to participate in extended hours FCU support. Minimum of quarterly review meetings (can be held remotely), at least one within a 12-month period to be face-to-face.

Security Clearance

Minimum BPSS, limited engagements may need SC. Supplier must be willing and able to undergo SC clearance and provide suitably cleared personnel, if or when required under this contract.

Additional T&Cs

None expected presently but reserve the right to review and agree during contract finalisation prior to award.

No. of Suppliers to Evaluate

5

Proposal Criteria

• Your approach to designing and delivering the FCP solution meeting all government digital standards
• Your proposal for how you will use Cloud Environments to deliver the solution
• Your proposal for designing and delivering the payment distribution solution
• Your approach to quality assuring the solution against functional and non-functional requirements
• Your approach to designing and delivering the SDRP solution while following the appropriate NCSC Cyber Security Guidance as closely as possible
• Your approach to collecting requirements and engaging stakeholders, managing Agile backlogs, sprint planning, estimation and prioritisation
• Your proposed delivery plan and roadmap and how you will report ongoing progress and status
• Your proposed resource profile for project delivery and how you will structure the project team
• Your approach for training of operational staff, handover to technical support and transition for ongoing support
• Describe your experience in the Forensic Computing environment

Cultural Fit Criteria

• Work as a team with our organisation and other suppliers
• Have a no-blame culture and encourage people to learn from their mistakes
• Take responsibility for their work
• Share knowledge and experience with other team members
• Be able to work with clients with low technical expertise
• Define an approach to optimising the user journey to minimise the environmental footprint, for example: optimising download and export formatting for efficient printing, minimising click-throughs to reduce system engagement time
• Provide the organisation’s approach to demonstrating a commitment to Carbon reduction (in line with PPN06/2021)
• Provide the organisation’s approach to working in partnership with customers and stakeholders
• Define an approach to tackling workplace inequality through training, employment, skills and the reduction of pay inequality

Payment Approach

Capped time and materials

Assessment Method

• Case study
• Reference
• Presentation

Evaluation Weighting

• Technical competence: 60%
• Cultural fit: 20%
• Price: 20%

Questions from Suppliers

1. Please confirm or provide details of the proposed question and answer session for this opportunity.
   The session will be held via Microsoft Teams on Tuesday July 19 2022 from 10:00 - 11:00. The link to join the session is: shorturl.at/FGHWZ or you can use the following details: Meeting ID: 319 410 041 29 Passcode: gNQAs7

2. Please could you confirm what the acronyms FCU and SDRP stand for?
   FCU: Forensic Computing Unit. SDPR: Statutory Debt Recovery Programme.

3. In the proposal criteria at bullet point 5 an "SDRP solution" is referred to. Please clarify what this is and the expectation for it.
   To clarify, this has been entered by mistake in lieu of the term FCP. Please disregard the reference to SDRP and consider only the FCP solution.

4. Please provide details of the incumbent supplier which ran the discovery phase.
   Discovery was undertaken in-house by the Agency. There is no "incumbent" supplier for this requirement.

5. In the context of the requirement, please explain what is meant by ‘forensic computing’.
   The Agency's Forensic Computing Unit is a part of its Investigation and Enforcement Services (IES) directorate. It maintains the integrity and custody chain of digital data for evidential purposes, which is a business-critical function. The team performs various functions but generally this consists of retrieving physical devices to undertake forensic extraction, storage and analysis of potential evidence to support the Agency's criminal and civil proceedings in delivery of its function as the Insolvency Service.

6. Please clarify what legislation is being referred to in the statement “relevant accreditation standards legislation will soon require”?
   For clarification, the accreditation does not impact the “managed storage service” or legislation. However the accreditation would be ISO/IEC 17025 - the competence of testing and calibration laboratories is the main ISO standard used by testing and calibration laboratories & ISO/IEC 17020 - specifies requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities.

7. Please confirm that all user based physical hardware, tools, software and licenses are to be managed by SSRO?
   Yes, this will be managed by the Insolvency Service.

8. Please clarify whether the intent is to use Azure Virtualisation technology for “remotely-accessible secure workstations”?
   It is likely, but the Insolvency Service is also open to options and Suppliers are able to offer alternatives provided it meets the requirements.

9. Please clarify how many user based tools will be required to be installed and configured on the “remotely-accessible secure workstations”?
   Discovery work ongoing, however expect this to be in the range of between 5 - 20.

10. Please clarify what the payment distribution system is (“Your proposal for designing and delivering the payment distribution solution”) and what the high level expectations and requirements are?
   To clarify, this has been entered by mistake in lieu of the term FCP. Please disregard the reference to payment solution and consider only the FCP solution.

11. Please confirm if all user based physical hardware, tools, software and licenses are to be managed by The Insolvency Service.
   Confirmed this will be managed by the Insolvency Service.

12. The notice states: "Have experience of supporting assurance activities through Architectural Review Boards and OGC Gateway Reviews”. Does this refer to delivery teams passing through these gateways with embedded architectural support, or evidence for actually chairing or hosting these gateways to assess solutions?
   The expectation is that a Supplier will support the Insolvency Service in these activities.

13. Please clarify what is meant by Forensic Computing.
   See Question 5 and response.

14. Please clarify what is meant by OGC Gateway Review (since the Office for Government Commerce seems to no longer exist)?
   Please ignore reference to OGC.

15. What is the payment distribution solution mentioned within the proposal criteria?
   To clarify, this has been entered by mistake in place of the term FCP. Please disregard the reference to payment solution and consider only the FCP solution.

16. Please list the accreditation standards that the solution will have to meet.
   The accreditation would be ISO/IEC 17025 - the competence of testing and calibration laboratories is the main ISO standard used by testing and calibration laboratories; ISO/IEC 17020 specifies requirements for the competence of bodies performing inspection and for the impartiality and consistency of its inspection activities.

17. Will any data be deemed to be Official – (Sensitive) classification?
   Yes, it is expected that some data extracted will be considered as such. There will also be data classed as "Sensitive Personal Data" as defined in the Data Protection Act 2018.

18. Please clarify what software will provide data management capabilities in the new system? For example front end interaction and auditing?
   The expectation is that this is to form part of the proposal.

19. Please clarify details of the providers of the application support and development for both the front and back end of the data management software?
   The expectation is that this is to form part of the proposal.

20. Please clarify which organisation is responsible for end user services support for user based tools?
   The Agency would expect the provider to integrate with the Agency SIAM model and first line support is provided by Advanced365. The expectation is that the provider will provide second and third line support for installs and updates. The software provider would supply third line support for its own product.

21. Please articulate the final deliverables of the Alpha phase.
   The Agency will provide the requirements and knowledge from the Alpha Phase for Stage 2. This will include basic Architecture and Design.

22. Is it possible to expand on the data lifecycle and storage requirements, highlighting key compliance requirements and frameworks?
   Key points:
   • Data may be retained for a long time between Hot-Cold-Archive
   • The data must be immutable even to Agency personnel therefore versioning is required
   • Data must be segregated by case and by department and by subsequent department

23. Within the individual 100-word responses should the response consist of one, more detailed example or multiple examples with less detail?
   This is for the supplier to decide, the Agency does not want to be prescriptive or influence supplier responses.

24. Are there any specific themes or examples which should be included within suppliers’ responses?
   This is for the supplier to decide, the Agency does not want to be prescriptive or influence supplier responses.

25. Is it possible to provide a procurement schedule for this opportunity (including anticipated proposal or pitch timeframes)?
   The need-by date is included in the post, currently targeting October. This may change as requirements are developed and the Agency reserves the right to change the date. As requirements are still being finalised it is not possible to provide a breakdown of timelines presently. These will be communicated to successful suppliers as part of Stage 2.

26. Within the cultural fit section the Agency is asking for suppliers to demonstrate commitment to carbon reduction in line with PPN06/2021 which is only applicable for contracts £5m and over. Therefore can it be assumed this is the budget figure and if not, is it possible to define the budget figure?
   Whilst the PPN sets out the expectations in terms of application of this rule to individual contracts, through its adoption of a social value model and commitment to sustainability and carbon reduction, the Insolvency Service is seeking to understand how suppliers are working to reduce carbon emissions as a "culture". In terms of a response, this should be at an organisational level and give details of the organisation's commitments. The Agency is not able to share a budget figure for this requirement at this stage.

27. On average, how many new matters does the Agency take on each month?
   800 forensic requests per year, each of these may contain multiple devices.

28. What are the potential data volumes (GB) needed for storage?
   Currently hold 270TB but could be 1.25 PB at steady state.

29. Does the Agency want Digital Forensics as a service?
   No, this platform is designed for internal and other parties to work with.

30. Will the Agency consider Software as a Service model?
   The Agency are expecting the provider to build and operate the platform. Any software deployed is varied and will change in the future. The expectation is the provider will be flexible for which the Agency would choose. The Agency is not expecting provider to provide forensic software and therefore this question does not arise.

31. What accreditations is the Agency expecting (e.g. ISO27001, ISO17025)?
   See response 16.

32. What systems or tools do the Agency currently utilise on engagements (e.g. Nuix, Relativity, Reveal, etc)?
   Many and varied and likely to change so the Agency has chosen to not share this information as part of Stage 1.

33. What happens to case data at the end of an engagement and how long is it retained for?
   Data is placed in deep archive storage, capable of being rehydrated and retained from 2 - 25 years. Each case differs.

34. With regards to “secure data movement between internal and external bodies”, does this refer to the provision of data from third parties, such as forensic images to allow the Agency to undertake investigation work?
   Yes.

35. With regards to “data ingestion and migration”, does this refer to data ingestion using tools such as Encase and Nuix, then migrating the data into other platforms like Relativity for review?
   Yes.

36. What types of data are in scope for migration, for example, will the data mainly consist of unstructured data or will there be any structured data required for migration?
   This will vary on a case by case basis and will include both structured and unstructured data.

37. Does the Agency want to store exhibits electronically, e.g. via an ePodding solution?
   Yes, that is the purpose of the desired platform.

38. After the contract has ended (including optional additional year), will the data lifecycle system and process be managed in-house?
   The expectation is the platform will be long-lived and the contract will be repeatedly retendered.

39. With regards to “experience of supporting the system handover to a suite of service providers”, please provide examples of types of service providers.
   This should read hand-offs not handover. The types of service providers will include front-line support such as first line support provider and may also include other providers responsible for virtualised desktop infrastructure.

40. Will the Agency utilise a current Case Management System or consider a new platform?
   The Agency has an existing case management system which will not be replaced.

41. Is there an opportunity to upload additional documents in addition to answering the 100 word limit questions?
   No, not for Stage 1. Please only answer questions as directed. The team will disregard additional documentation if submitted and there will be the opportunity to provide additional documentation where requested in Stage 2.

42. Must the solution be hosted in Azure or will the Agency enable suppliers to host in other clouds?
   No, as this is a managed service so can be hosted where the supplier prefers. It is worth noting that the Agency is Microsoft centric so this might be preferable but requirement is cost-driven so cost of hosting is of greater importance than where it's hosted.

43. Please expand on what accreditations the old system doesn't meet and that the new system would be expected to meet.
   The accreditation relates to the forensic laboratory only and not delivery so no major impact but needs to be considered as part of the development as there is a need to ensure the Solution can support this accreditation.

44. Is ISO27001 required for the solution?
   The Solution must support the lab accreditation of ISO27001 but the Solution will not be required to be accredited as such.

45. Must the data be hosted in UK only Cloud, i.e. remain sovereign?
   With regard to the Agency's specific evidential, litigation and security requirements the data must be hosted in the UK (onshore) only.

46. With regard to the hosting, ownership thereof and billing requirements how does the Agency envisage this being set up?
   The Solution must be in a tenancy which is owned by the Agency but managed by the Supplier. Hosting will be billed directly to the Agency but the supplier will be responsible for provisioning and management thereof.

47. Does the Solution need to be a police assured secure facility?
   The expectation is that this is not the case.

48. Does the Agency expect this service will be stood up and working "right now" as in an off the shelf product or Solution or to be developed as part of the contract?
   The Agency doesn’t believe this service or Solution exists as needed currently and so if there was a product available it is expected that the price for this would be reflected in the proposal as there would be no costs associated with build effort.

49. How much existing data does the Agency currently hold in its Forensic Computing Unit?
   90TB to be migrated and expect this to continue to grow and there is an expectation that there could be up to 1.25PB.

50. Can the Suppliers have access to documents which detail outcomes from Discovery and Alpha phases?
   These will be provided at Stage 2, many of the outputs are related to understanding level of compute power but this will require but anything the Agency has will be shared as part of the second stage.

51. Can the Agency please provide more clarity with regard to security clearance and access and permissions for users?
   Heavy segmentation, limited number of cases and assigned to investigators. Role based access requirements.

52. Can more detail be provided with regard to how case assignment is managed through the Solution?
   The expectation is that this is active directory subscriptions but not 100% clear on how cases are assigned or allocated. The Agency is open to suggestions subject to internal security review and approval. The Agency operates a "SIAM" model so there is a need for the Supplier to interact with other suppliers within this ecosystem, act as a service desk, provide third line support, support with movers or leavers, etc.

53. Does the Solution need to interface with the current forensic case management software or does the Solution need to provide case management as part of provision of the services?
   Current thinking is that Skylab is a separate environment but can generate links which can be pushed into other case management software however data will always remain hosted in Skylab. There is a case management software that the forensic team use and can be deployed so it isn't expected that a case management element will be part of the Solution.

54. For the "to be" service, is there a requirement for private cloud, or will the Agency accept public cloud so long as it meets PASF specification?
   There is no requirement for a private cloud. Mainstream providers have sufficient security needs and the Agency are looking for solutions which do not lock us into particular providers.

Timeline

Publish date

2 years ago

Close date

2 years ago
