SPISN/0290 Enterprise Data Analytics Development & Support

Description

Summary of work Suppliers who intend to work as a consortium are encouraged to respond to stage 1 collaboratively. There will be an additional CQ period (1 week) for the questions released at Stage 2 for the down-selected suppliers. As part of the Stage 1 bid return, suppliers must sign and return a copy of the attached Security Aspects Letter (SAL). Build & Migrate OFFICIAL SENSITIVE Azure Tenancy: The current contracted OFFICIAL SENSITIVE (OS) platform is hosted and managed within a supplier owned Azure Tenancy, where prescribed change limitations are placed upon users preforming day to day tasks. The Authority and users must be empowered to deliver in an Agile, DevSecOps manner and technically enabled to carry out change on the platform in line with evolving user requirements, without restrictions being placed by a supplier. The design and build of an OS Cloud Solution utilising where appropriate existing build guides is required within an Authority owned tenancy offering. The existing platform is currently a combination of infrastructure as code and manual build; however, the user requires a platform that is as far as practical all infrastructure as code. There will also be a need to migrate appropriate infrastructure as code and existing workloads from the current OS tenancy to the Authority owned Azure tenancy. Working in unison with the Authority and collaboration with suppliers that currently support the existing OS Cloud and SECRET platforms is a prerequisite. Support to OFFICIAL SENSITIVE Azure Cloud: To provide platform infrastructure, security management, support, and continuous development of an OFFICIAL SENSITIVE Cloud Azure tenancy within an Authority owned environment. The platform use case is for the development, hosting & exploitation of deployed data analytical products and tools. Suppliers will be required to work in unison with other suppliers as directed by the Authority, to enable the successful outcomes of the product delivery life-cycle. Additionally, enable the integration of other components within the Enterprise Data Analytics solution. Support to SECRET ASH: To provide platform infrastructure support and continued development of a geographically separated on-premises SECRET platform. The Data Analytics Platform is currently hosted on Azure Stack Hubs, with associated management infrastructure. The platform use case is for the development and hosting & exploitation of deployed data analytical products and tools. Suppliers will be required to work in unison with other suppliers as directed by the Authority, to enable the successful outcomes of the product delivery life-cycle. Additionally, enable the integration of other components within the Enterprise Data Analytics solution. Service management functions aligned to ITIL (Information Technology Infrastructure Library) 4, encompassed within an agile framework. The Authority requires a route to market to enable the swift procurement of hardware to meet User requirements throughout the project life-cycle. The hardware will be necessary to support an existing cross-classification Data Analytics Platform (OFFICIAL SENSITIVE Cloud & SECRET on-prem), with a Cross-Domain Gateway. Option under Support to SECRET: Support to Cross Domain Gateway (CDG) as a Service: The Authority will require ongoing support to a CDG solution delivered in Q2 2024. The delivered CDG v1.0 capability will be hosted on the higher classification HMI in the interim, with a future requirement to host v2.0 on separate hardware. As a result, the Authority may require the procurement, management, and support for hardware to host v2.0 of the gateway. Suppliers will be required to work in unison with other industry partners & customer engineering teams as directed by the Authority, to enable the successful build of an iterative CDG solution. Where the supplied staff will work West Midlands Who the organisation using the products or services is Ministry of Defence Why the work is being done Current supplier contracts are coming to expiry. Requirements have evolved through lessons identified and greater refined use cases, this now requires a new approach to development and support. The OFFICIAL SENSITIVE tenancy requires migration to allow the Authority to have more control over how the tenancy is managed and how change is initiated. The business problem The existing in-service Data Analytics Platform requires continuation of through-life support management. The existing support and delivery contract is due to expire March 24 and MOD must now compete this requirement to ensure that the operational capability does not go unsupported. The current OFFICIAL tenancy is constrained by admin rights that constricts the user experience too much, therefore MOD will move this tenancy to a MOD owned environment Q1 2024. The Authority requires engagement between a new supplier and existing tenancy owner to facilitate any migration activities between current OFFICIAL platform and MOD owned enabling the efficient and successful close down of the legacy platform. The Authority requires the new supplier to integrate closely with the new tenancy build team to facilitate a phased handover for the continuation of the new tenancy build, then support and continually evolve. There will be the requirement to work closely with the existing supplier to efficiently and effectively handover the extant on-premise SECRET platform support contract, with no interruption to the in-service capability. As part of the ongoing support requirement, the Authority expects the supplier, as directed, to deliver continual improvements and evolution to the SECRET platform utilising Infrastructure as Code. While the Authority will guide, there is also the expectation that the new support supplier will maintain knowledge of technology trends through horizon scanning, making recommendations for approval where appropriate. To lead change and encourage a culture of collaboration & compliance in a demanding environment, while informing and supporting governance and control. The people who will use the product or service User type: Data Analytics Centre (DAC) Definition: As an Internal DAC team, made up of Product and Service functions, Architects, DevSecOps Engineers & Trainers I need to Create/Approve/Implement changes, monitor resource, proactively maintain system uptime, train other users and resolve incidents and problems in an agile manner. User type: Developers Definition: As a developer to the wider organisation I need to Develop products to enhance the data platform, and provide data insights so that I support the user community through their data analysis requirements. User type: Standard User Definition: As a Standard User I need to consume the Data, Tooling and Products established on the platform to enable a quicker decision making process. Any pre-market engagement done Information Note released via the Defence Sourcing Portal (DSP) 20/12/23. Defence conferences & Expos (e.g. DSEI 2023, SDSC UK 2023). Work done so far Designed, built, integrated and delivered into service an on premise SECRET platform using DELL Azure Stack Hubs and HMI, and other technologies including but not limited to; DELL networking equipment, F5 - load balancers, Garrison and Veritas - back up devices. Designed, built and delivered into service an OFFICIAL SENSITIVE Azure Cloud tenancy, hosting data analytics and DevSecOps capabilities. The Authority has begun building a new ESLZ in a MOD owned tenancy ready to further develop and scale out to the full capability. Development of a limited Cross Domain Gateway capability. Which phase the project is in Live Existing team The core team in the Data Analytics Centre (DAC) compromises of a mixed team of Military, Civil Service and contractors. The contract roles are broken down into Delivery Head, Product Head, Service Head, a Data Architect. There are several permanent military and civilian contractual staff developers, and it is expected that the Enterprise Partner will work to the DAC and with other suppliers. Address where the work will be done Hereford Working arrangements Ordinarily business operating hours are Monday to Friday for 8hrs per day, usually 0900 – 1700 across both the Cloud and on Premises platforms. The business requires a call off option of 16hrs additional per month to draw upon for out of hours activity (The additional 16hrs will be enacted through a 3 day notice period and split between both platforms). The 0900 – 1700 working hours may change in the future to include additional out of hours support. The Cloud platform will allow remote working, but weekly and ad-hoc on site presence will be required to attend face-to-face meetings. Personnel will require SC clearance. The on Premises platform requires permanent onsite support staff due to the nature of the platform in line with the hours annotated above. Personnel will require DV clearance or SC with a view to acquiring DV. Individuals and Teams will need to rotate between platforms to gain the wider understanding of the organisation, its requirements, context and aid the building of working relationships. Continuous on site presence is the Authority's preferred approach. Bidders to confirm within their proposal about their proposed approach to working arrangements. Security and vetting requirements Security Check (SC) Security and vetting requirements Developed Vetting (DV) More information about the Security requirements: OFFICIAL: Minimum SC clearance required. SECRET: SC as minimum and DV for any admin roles. Experience with implementing NIST 800-53 Security Controls Latest start date 31 May 2024 Expected contract length Contract length: 2 years 0 months 0 days Optional extension: 1 years 0 months 0 days Special terms and conditions special term or condition: Special Terms & Conditions will be released during stage two of the down-selection. Budget Indicative maximum: The contract value is not specified by the buyer Indicative minimum: The contract value is not specified by the buyer Contracted out service or supply of resource? Supply of resource: the off-payroll rules may apply Questions and Clarifications 1. Regarding the OFFICIAL – SENSITIVE (OS) documents classification. The Supplier IT network holds no accreditation, as the owners of this asset could you please confirm that this is the correct GSC, and if so please confirm if you are content for us to process this on our IT network. Please we aware that we do hold Cyber Essentials Plus and have a valid ISO 27001 certificate associated with our IT network. If you are not content for us to process this asset on our IT network, please be aware that we do have an IT network that has been accredited by MoD CyDR and an email ress can be provided for that accredited network. The Authority would direct you to the ISNs included in the SAL that allows for sharing of OS documents with partners at OS where the are part of the Need to know. The Authority would expect suppliers corporate network to be secure and CE+ is a minimum to allow for this. The Authority would to ask if the Corporate network supports TLS v1.2 or above. This is a min baseline that could allow for working at OS. Last Updated : <strong>07/02/2024</strong> 2. Can you please advise on the budget for this opportunity? £4-6M over a 2 year period. This is for support only, any development work may have an itional budget. Last Updated : <strong>07/02/2024</strong> 3. 7. Are there any known issues with the current system, is there an assessment of techncial debt that could be shared at the appropriate stage 8. ASH @ S (or any other current in scope equipment), is this all contained and intended for use within the UK geography, or are there overseas deployable itterations that would require successful bidder support? 9. Are all licences, software and hardware maintenance agreements held by the MOD Authority (not held by the incumbent support provider)? 10. Are there any ITAR (or equivalent) related factors to be considered? 11. What is the accreditation status of the systems to be migrated supported (and are there any significant JSP604 Network joining rules that need to be ressed to achieve full ATO)? 12. The design and current build support for the target MODCloud OS Tennent - can you please advise who is the Technical Lead Authority for this? (is it all inhouse, or are there external 3rd parties involved?) The Authority are not in a position to release this level of detail at Stage 1 - The successful bidders will be provided with itional technical information at Stage 2, with the opportunity to ask further questions. Last Updated : <strong>08/02/2024</strong> 4. Please could the Authority confirm if they foresee any TUPE requirements if the incumbent is unsuccessful in this tender? The Authority can confirm that there are no TUPE requirements. Last Updated : <strong>07/02/2024</strong> 5. A non-essential experience question has not been asked at Stage 1. Would it be permissible to submit a response to our non-essential experience within the 750 acters permitted for that question (which would be in ition to the 750 acters for the essential skills question), or would the Authority disqualify the response on the basis of it being too long? The Authority understands the desire to share itional information surrounding non-essential experience, however this would not be scored and not improve supplier chances to be successful in Stage 1. Therefore, at this stage the Authority can confirm we will only be marking against outlined criteria. If suppliers are successful in shortlisting, then the Authority would welcome additional information at Stage 2. Last Updated : <strong>07/02/2024</strong> 6. We understand there is an existing environment, will any of the capability and functionalities be required to be supported under this contract and if so what information will be provided prior to bid submission? Please could the Authority advise if there has been any customisations by the existing provider during dev and delivery of the existing solution? The Authority can confirm that the existing capabilities and functionalities of the in-service platform will require support as part of this contract. Additional information outlining the current environment will be provided to successful bidders in Stage 2. All technical information provided at Stage 2 will be up to date with the current configurations on the platform. Last Updated : <strong>07/02/2024</strong> 7. Would you consider breaking this tender out into two lots? Azure Tenancy migration and support and then ASH Support? Is there a TUPE requirement for the existing staffincumbent that currently supports the platform? The Authority internally considered multiple approaches to this tender and have settled on the advertised method - this will not be changed at this date. As stated in the tender, the Authority encourages collaboration. Last Updated : <strong>07/02/2024</strong> 8. Who is the incumbent? - Are there mechanisms in place to ensure the incumbent doesnt have any advantage over bidders to ensure fair competition practices? - Does TUPE apply to this procurement? If so, will there be an opportunity for potential bidders to conduct TUPE due diligence to assess potential liabilities and risks associated with the transfer? - Please can you give an indication of budget as it helps to develop a realistic solution within the clients constraints? The Authority has an exemption against DSPCR, but as a team we follow the relevant principles closely. All questions and subsequent answers have been designed to be impartial and will be submitted to the marking team anonymously, which will not allow the current incumbent to have any competitive advantage. In line with this, all technical information provided at Stage 2 will be up to date with the current configurations on the platform to ensure the opportunity is fair, open and transparent. The current incumbent supplier is CGI and the budget is £4-6M over a 2 year period.The Authority can confirm that there are no TUPE requirements. Last Updated : <strong>07/02/2024</strong> 9. 1. Please confirm if we can reference the work we are doing for the authority in our bid response? 2.Please, could you clarify whether a dual national can access and support the bid? They hold SC but no caveats. 3. If we wish to partnersubcontract on the bid and collaborate on the response do you need to pre-authorise this? 1. The Authority gently discourages references to other work. All questions and subsequent answers have been designed to be impartial and will be submitted to the marking team anonymously, which will not allow the current incumbent to have any competitive advantage. 2. As the tendering information will all be OFFICIAL SENSITIVE there should be no issue with a dual national that holds SC supporting the bid response. However, a dual national would need to be vetted on a by basis should they be included as part of the support team due to the classifications of the wider platform. 3. The Authority does not need to pre-authorise any partnershipscollaborations, however does encourage those bidding as part of a consortium to detail this in their bid. Last Updated : <strong>08/02/2024</strong> 10. 1) Can the Authority advise how many staff members are required? 2) The current support contract ends 0324 and the new contract starts 0524. Can the Authority outline how engagement with the incumbent will be managed? 3) Can the Authority confirm the split of work between OS and S? 4) Is there a Security Operations Centre? And if so, does the Authority intend that the successful bidder will monitor this? The Authority encourages suppliers to present suggested personnel requirements as part of their Stage 2 proposal should they be successful in shortlisting - we have provided a breakdown of the existing team to help scope this. The Authority can confirm that there will be a contracted transition period with the incumbent. There is a Security Operations Centre, and currently the Authority monitors the OFFICIAL platform through a separate contract. Due to technical limitations, the S platform is currently monitored by the existing supplier. Last Updated : <strong>08/02/2024</strong> 11. Noting the Authoritys comment that the current contract with the incumbent supplier completes in March 2024, can the Authority advise if there will be a gap of service or does the Authority require potential providers to commence handover and transition before 31st March 2024? The Authority can confirm that the new support contract will start May 2024, and there will be a contracted transition period between a new supplier and incumbent. The Authority requires support to continue throughout as the capability is now in-service. Last Updated : <strong>08/02/2024</strong> 12. In attachment 3 there is a single box to provide our responses to all 11 questions and it states that the acter count is 750. Can you please confirm that you require stand alone responses to each question (each of 750 acters) and that we can provide our responses to each question directly under each question. As per the CCS Guidance: Suppliers are requested to provide an individual response against each of the questions. Each response should not exceed 750 acters in length (the equivalent of about 150 words). Last Updated : <strong>08/02/2024</strong> 13. Can you confirm if the word count for Essential Skills and experience is 750 acters in total, or 750 acters for each of the 11 questions within this section? As per the CCS Guidance: Suppliers are requested to provide an individual response against each of the questions. Each response should not exceed 750 acters in length (the equivalent of about 150 words). Last Updated : <strong>08/02/2024</strong> 14. Is the equipment stack limited to Dell, F5, Garrison and Veritas, or can other suitable hardwaresoftware services be proposed which meet the requirements? Current accredited stack is limited to Dell, F5, Garrison and Veritas, but we are open to other solutions as part of Stage 2 proposal, should suppliers be successful in Stage 1 shortlisting. Last Updated : <strong>07/02/2024</strong> 15. Who is the current incumbent? What is the budget? How many roles are expected to require DV clearance, and will the MOD hold them? The current incumbent supplier is CGI and the budget is £4-6M over a 2 year period. This is for support only, any development work may have an itional budget. The Authority is not explicit in how many roles we would expect to hold DV at this stage and would welcome suggestions as part of the Stage 2 proposal, however all admin roles on the platform must hold DV clearance. The Authority will not hold DV for a supplier, only individual contractors we employ directly. Last Updated : <strong>07/02/2024</strong> 16. 1. Existing platform is mix of IaC and manual build, with aspiration to be 100 IaC. What of existing platform is manual build? (i.e. is it possible to quantify how much needs to be assesseded if possible to IaC) 2. Can you please provide details of existing workloads which will need to be moved to the new tenant 3. Attachment1 states supplier to integrate closely with the new tenancy build team to facilitate a phased handover for the continuation of the new tenancy build. Can you please state what has been completed so far by the new tenancy build team and how much work remains to be completed before live workloads can be migrated? 4. Can you provide details of the toolschain , tools and services that the devsecops services will require to fully support the service ? (are these all commercial, open source or are the proprietry elements ?) 5. The cross domain gateway support option, is this already designed accredited and will the design and documentation be owned by the Authority customer for passing onto any incoming successful bidder? 6. Are the services supported by full, up to date documentation? The Authority are not in a position to release this level of detail at Stage 1 - The successful bidders will be provided with itional technical information at Stage 2, with the opportunity to ask further questions. Last Updated : <strong>08/02/2024</strong>