Managed Cloud Support and Migration Services for HMPPS Digital Prisons

Description

Summary of the work A Supplier team is required to provide managed service support, testing and training development services for In-Cell Technology programme and other programmes, business-as-usual cloud maintenance services for HMPPS Digital Prisons, to deliver of continuous improvement and managed cloud support for MOJ’s Digital Prison Unilink Environments hosted on the Azure platform. Expected Contract Length 24 Months Latest start date Monday 10 January 2022 Budget Range The maximum budget for this contract is £740,000. Evaluators will welcome bids below this maximum budget value. Why the Work is Being Done HMPPS is committed to improving infrastructure and technology in prisons in order to deliver cost-effective ways of working and unlock innovative approaches to rehabilitation. It also recognises that technology offers the potential to develop smarter, innovative ways to address the needs of those in custody. The In-Cell device programme is a new high-profile service which will allow service users (residents) residing in specific youth custody and general prison institutions to access a number of digital services and applications via a laptop device that will provide both residents and the HMPPS with a number of key benefits. Benefits include access to site specific and educational content, and a number of software applications such as providing residents with the capability of ordering of meals directly from the canteen for pre-set mealtimes rather than using paper-based systems. These Transactional Services give prisoners more control of aspects of prison life. Problem to Be Solved The Microsoft Azure Cloud Infrastructure is crucial to the deployment of transactional services on laptops and kiosks. Without this infrastructure, we are unable to deploy and support these services. HMPPS Digital Prisons require a Supplier managed services team to continue providing the Microsoft Azure Cloud Infrastructure and support. The Supplier’s services shall include the delivery of smaller workstreams to deliver this overall outcome, which are the following: 1. Create test and training environment to test updates before deployment. 2. Create the infrastructure to enable the Unilink solution to be deployed to new prisons as required by the In-Cell Technology Programme 3. Support and maintain the current Unilink technical back-end infrastructure including active management and alerting on these environments, which should be aligned with MOJ standards. 4. Apply updates and patches as per the business requirement, working closely with Unilink and MOJ. 5. Provide security & vulnerability management of infrastructure. 6. Maintain and share security risk assessments with MOJ 7. Maintain Infrastructure design and Security Documentation and share with MOJ Who Are the Users As a security professional, I would expect the servers and services maintained by the Supplier to be up to date with the MOJ security standards: 1. NCSC - Cloud Security Principals – including Data in Transit, Asset Protection and resilience: https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles 2. NCSC – End User Device Security guidance: https://www.ncsc.gov.uk/collection/end-user-device-security 3. NCSC – PDNS - Protective DNS: https://www.ncsc.gov.uk/information/pdns 4. MOJ - Security Guidance – Data Security and Privacy: https://ministryofjustice.github.io/security-guidance/#moj-security--guidance 5. MOJ - Technical guidance – Development, Naming, storing source code and https://ministryofjustice.github.io/technical-guidance/#moj-technical-guidance GOV - Service Manual – Provides further information regarding running services within government: https://www.gov.uk/service-manual Early Market Engagement Not undertaken Work Already Done Not applicable Existing Team The MOJ Technology Operations team includes senior infrastructure engineers and the Head of Technology Operations. The In-Cell Technology programme includes the Technology Workstream Lead and the Service Owner. The team also includes the MOJ Architecture team. Current Phase Live Skills & Experience • Evidence of in-depth understanding and experience of presenting clear, compelling, evidence-based recommendations for change based on primary and secondary research. • Experience in the development of services to comply with Government Digital Standards and Technology Code of Conduct. • Experience of migrating away from legacy applications to digital services and assisting with remediation where necessary. • Experience using modern standards to deploy robust cloud-based solutions that can scale to meet the demand of user needs • Proven track record of building products in Terraform and Logic apps • Experience of building secure systems and adhering to modern security best practice and standards, including providing vulnerability management services • Experience of providing services with a test-driven development, continuous integration and delivery approach • Experience of delivering services to meet API Technical and Data Integration Standards. • Proven experience of providing maintenance and support for cloud data stores, include monitoring, alerting and security patch management. • Proven track record of Azure Virtual Desktop, remote desktop services, SQL Servers, SQL MI, Azure Web Apps, Client server application deployment Nice to Haves • Demonstrable experience of setting up platform as a service environments and active management of a cloud infrastructure • Experience working within a large government program of work, with multiple teams, dependencies and stakeholders Work Location Predominantly virtually, with the possibility of London based physical working, if required. Occasional travel to other locations in England and Wales may also be required during testing and implementation phases. Working Arrangments Standard working hours will be required is 8:00am – 6:00pm. Any planned downtime, configuration or deployments or patches will need to be performed out of hours. Security Clearance A minimum of Baseline Personnel Security Standard (BPSS) standard is required. Where access to live HMPPS data is necessary, Security Clearance (SC) will also be required for Supplier Staff. All Supplier staff delivering these services must hold these clearances prior to the Contract Start Date. No. of Suppliers to Evaluate 3 Proposal Criteria • Explain your overall approach, including your delivery methodology, and how you will draw on your experience (including lessons learned) from a similar project to successfully execute this project • Explain how you will measure and manage a quality service including speed of delivery and ensuring continuous improvements throughout the contract period. • Explain how you will provide a service which will be secure and your experience of providing a secure cloud service • Provide an example team structure including each individual’s skills, experience, responsibilities and relevance of individuals, and explain how you will ensure the team deliver their responsibilities throughout this approach. • Provide examples of how you have identified and taken ownership of risks, issues, and dependencies and how you have managed their mitigation and resolution • Demonstrate how you will deliver value for money throughout this project. • Demonstrate how you would document your work to ensure effective knowledge transfer to the business throughout the contract, and hand-over at contract end Cultural Fit Criteria • Share knowledge and experience with team members and the wider service • Work as a team with our organisation and other suppliers in a diverse environment • Be transparent and collaborative when making decisions • Have a no-blame culture and encourage people to learn from their mistakes • Take responsibility for their work Payment Approach Capped time and materials Assessment Method Presentation Evaluation Weighting Technical competence 65% Cultural fit 10% Price 25% Questions from Suppliers 1. Who from your team will be scoring applications for this opportunity and what positions do they hold? There will be a cross section of technical stakeholders who will be evaluating. 2. Who is the incumbent and how long they have been the incumbent? There is an incumbent in place, but the MOJ is unable to disclose any further information about the incumbent. 3. Can you please provide an anticipated timeline for this procurement that includes dates for:• Shortlisting Notification for Stage 2• Submission Deadline for Stage 2• Presentation• Evaluation period• Award Notification Inviting Suppliers to Round 2: Tuesday 23rd November 2021,Submission for Phase 2: Wednesday 1st December 2021, Presentations: Monday 6th December 2021, Evaluation completion: Wednesday 8th December 2021, Award Notification Release: Wednesday 15th December 2021 4. Can you confirm if shortlisted suppliers will have the opportunity to present? Successful suppliers after Round 1 evaluation will have the opportunity to present. 5. Please, can the Authority supply a download of all the questions within the application form, in order to assist potential suppliers to evaluate the opportunity and best mange their response? Alternatively, are suppliers able to insert draft responses to the 100 word questions (in order to advance and see the questions on the following pages) and come back to rework them at a later time in the process, prior to submission deadline? The assessment questions are already published on the digital market place for both rounds of this procurement. 6. Do suppliers need in-depth knowledge of Unilink for this opportunity? No, If it is not mentioned in essential requirements/evaluation criteria. Experience of dealing with 3rd parties who provide software in secure environments such as prisons would be beneficial. 7. Can you please expand on “assisting with remediation where necessary.” and what you’d like the supplier to demonstrate? The supplier will be expected to assist with troubleshooting, incident management and producing solutions when issues occur. The supplier should demonstrate their ability to work in a team with developers and to review and recommend fixes and improvements. 8. Can you please confirm what Data Integration Standards you currently work to? The below links will provide all of of our standards - https://security-guidance.service.justice.gov.uk/#cyber-and-technical-security-guidance. Suggest that supplier follows NCSC Guidance. 9. A Supplier team is required to provide managed service support” in the summary of work – When does your existing contract end with the incumbent supplier and will the incumbent supplier be available for knowledge transfer support during the transition period? Current contract end date is 25 January 2022. And, yes, the current incumbent are contractually obliged to provide exit/transition during the transition period. 10. Create test and training environment to test updates before deployment” in the Problem to be solved section. – Do you expect a fixed monthly fee for the managed services with additional fees for design, build, migration and development services? Yes 11. Support and maintain the current Unilink technical back-end infrastructure including active management and alerting on these environments, which should be aligned with MOJ standards” in the problem to be solved section. – Can you provide details on this backend infrastructure and where this is currently hosted The backend infrastructure is hosted in Azure and it consists of Windows VMs, SQL DB Servers, IIS web Servers, load balancers and domain services. 12. The “In-Cell Technology programme includes the Technology Workstream Lead and the Service Owner. The team also includes the MOJ Architecture team” in the Existing team section. – Can you describe the expected working relationship between these parties and the supplier? The In-Cell technology programme (via a single point of contact - a Project Manager) will coordinate effort required from both the programme team, architecture team and the supplier. There will be shared project plans and RAID logs as part of wider project & programme governance. 13. The “In-Cell device programme is a new high-profile service which will allow service users (residents) residing in specific youth custody and general prison institutions to access a number of digital services and applications via a laptop” in the Why the work is being done section – Is local device configuration in scope and if so what are the requirements? No, Local device configuration is not in the scope. 14. What is the current size of the in-scope Azure estate in terms of the number of virtual machines, databases and serverless workloads and what is the current monthly consumption spend? Roughly 80 virtual machines, around 5 database servers. No cost passed to supplier 15. Do you have existing preferred cloud tooling in place and can the supplier bring their own tooling and cloud management platform The infrastructure is built and managed with terraform and is provisioned using tools like ansible. Rearding own tooling I would say no as MoJ will need to continue and carry this on after the contract has finished. 16. Which API Technical and Data integration standards are you referring to? This is in relation to “Experience of delivering services to meet API Technical and Data Integration Standards.” https://security-guidance.service.justice.gov.uk/management-access/#management-access / https://security-guidance.service.justice.gov.uk/managing-user-access-guide/#managing-user-access-guide. NCSC Guidance should be followed 17. One of the questions asks for: Experience in the development of services to comply with Government Digital Standards and Technology Code of Conduct. Is ‘Technology Code of Conduct’ correct, or should it read ‘Technology Code of Practice’? The technology code of practice - GOV.UK - https://www.gov.uk/guidance/the-technology-code-of-practice 18. What is meant by “migrating” and therefore the context for “remediation”? Does this mean migrating from a legacy application to a new digital service / application – in which case remediation should not be necessary, as it is a new service? Or, does it mean moving an application to a new hosting platform (but not replacing the application)? This includes being able to migrate existing services to newer platforms. E.g moving from SaaS to Paas. supplier not expected to remediate the application 19. Will the scores from the evidencing round be taken through to final evaluation or simply used for the purposes of down-selecting suppliers? If scores are carried forward into the proposal stage, then how will this weighting work? Phase 1 scores are only used for shortlisting 20. Please can you detail further by your definition of remediation within the context of “Experience of migrating away from legacy applications to digital services and assisting with remediation where necessary.”? This includes being able to migrate existing services to newer platforms. E.g moving from SaaS to Paas. supplier not expected to remediate the application