Invitation to Tender

28 February 2023
Vacancy - supplier

Westminster Foundation for Democracy (“WFD”) is looking to contract an outsourced Security Operations Centre (“SOC”) to improve its resilience to cyber security threats.

Please scroll to the bottom for supplier Q&A. This will be regularly updated whilst the tender is live.


WFD is the UK public body dedicated to supporting democracy around the world. Operating internationally, WFD works with parliaments, political parties, and civil society groups as well as on elections to help make political systems fairer, more inclusive and more accountable. Our vision is of a world in which freedom and democracy thrive.

We are a problem-solving, practitioner-led organisation that offers:

  • Specialist analysis, research, and advice to inform policy makers on a range of democratic governance issues, including through our HMG Centre of Expertise;
  • High quality and impactful programmes that directly support the full spectrum of institutions in political systems to develop inclusive political processes, more accountable political systems, protection of rights and freedoms, and more pluralistic societies; and 
  • International elections observation on behalf of the UK.

Aim of this Invitation to Tender

WFD is issuing this Invitation to Tender (“ITT”) to a range of potential suppliers of services and would welcome a bid from your organisation.

As part of WFD’s continued efforts to improve resilience to cyber security threats, there is a need to improve the current way in which WFD identifies, detects, responds to, contains and remediates cyber security incidents, and to continuously improve our cyber security defences. The time is now right for WFD to establish an outsourced managed SOC capability, to improve the efficiency and effectiveness of our security operations functions and capabilities, and proactively reduce the potential impact of cyber security events.

 WFD wishes to implement a SOC solution in order to:

  • understand where the organisation needs to focus its resources to maximise its cybersecurity posture;
  • detect and respond to threats, 24/7/365, keeping the information held on systems and networks secure;
  • increase resilience by learning about the changing threat landscape (both malicious and non-malicious, internal and external);
  • identify and address negligent or criminal behaviours; and
  • derive business intelligence about user behaviours to shape and prioritise the development of technologies.

Bid submission

All bids should be submitted by 23.59 on Sunday 26 March 2023 in writing, must comply with the requirements of this ITT, and must include the information requested in the Bid Requirements below.

The bid should be sent electronically and addressed to: SOC Procurement Team at

The same email address should be used for any questions related to this ITT.

WFD’s standard terms and conditions for tendering and key policies (including our Code of Conduct) are found at Policies | Westminster Foundation for Democracy (

Detailed Specification


The nature of WFD’s work to support democracy around the world on behalf of the UK exposes WFD to an outsized range of cyber security threats. WFD requires the services of an outsourced Security Operations Centre to reinforce its resilience to the cyber threats we face.

Scope of work

It is envisaged that the Services to be delivered will encompass three broad stages:

  • Requirements gathering stage: research, investigation and evaluation of WFD’s current technical operations.
  • Onboarding stage: once the supplier has understood the scope of the technical operations, they will deploy log agents to end-user devices.
  • Ongoing services: continuous provision of investigation, triage, and remediation of cyber security threats to WFD.

Deliverables and milestones

Milestone/deliverable, with timeframe/delivery date:

  • Kick off/Initiation and development of target operating model for SOC. Contract commences with an opportunity to reconfirm scope and deliverables. To gain additional information and context regarding WFD and to further clarify the scope. Develop and document a target operating model for the SOC in accordance with the NCSC guidance[1] for WFD approval, including incident response protocols. Timeframe/delivery date: By end-May 2023.
  • Threat modelling and Onboarding of Systems and Log Sources. Conduct threat modelling exercise, define detection approach and document findings. Onboarding of devices/applications and log sources by deploying the logging agent scope. Deliver report confirming successful onboarding. Timeframe/delivery date: By mid-June 2023.
  • Progress Meeting/Technical Testing. Testing of detection approach and use cases and conduct red/purple team exercise, including collaboration with WFD and other HMG stakeholders. Produce a report outlining all findings, remediation steps for each, and an evaluation of WFD’s vulnerabilities. Refinement of incident response procedures. Timeframe/delivery date: By mid-July 2023.
  • Ongoing SOC operations feedback, and continuous improvement. Daily operations of the SOC such as triaging and investigating alerts report. Timeframe/delivery date: Ongoing of the final deliverable.
  • Monthly Reporting. Reports are created and delivered monthly to inform WFD of the threats remediated, whilst providing insight into the security operations affecting WFD. Timeframe/delivery date: Monthly reports.

Working arrangements

The Supplier will be expected to primarily work remotely, liaising regularly with WFD, and coordinating closely with WFD’s IT managed service provider.

Minimum experience and expertise

The Supplier and its staff assigned to the Contract shall:

  • have an excellent understanding of the cyber threat landscape. The consultant should hold relevant compliance, technical or commercial roles;
  • be fully conversant with industry-standard threat investigation methods; and
  • be registered with NCSC Cyber Security Information Sharing Partnership (CISP).

The supplier may provide their proposed project team, including a skills profile and any knowledge-based specialities of relevant team members, to evidence their inclusion in the project.

Bid process


Below is the proposed timescale for the tendering process. Please note the dates are indicative and subject to change. 


Issue ITT 28 February 2023
Final date for supplier questions 22 March 2023
Closing date for receipt of completed tender proposals 26 March 2023
Shortlisting of bids w/c 27 March 2023
Supplier interviews/ presentations to tender committee (if applicable). w/c 03 April 2023
WFD announces preferred supplier w/c 17 April 2023
Standstill period 10 calendar days
Contract finalised and signed 30 April 2023


Bid requirements

In general, the bid should include the following:

  1. Organisational profile
  2. Proposed solution and how it meets the specification
  3. Financial proposal
  4. References
  5. Confirmation of compliance with General Terms and Conditions of Tendering

Organisational profile:

  • Company profile, including brief history and financial overview
  • Confirmation of Cyber Essentials Plus and ISO 27001, and other relevant certification status
  • Case studies/credentials demonstrating relevant experience and skills profile
  • Names and brief biographies of key staff

WFD is particularly keen to receive bids from organisations which are – or are working towards becoming – living wage employers and that have a broadly representative and balanced Board from gender and ethnicity perspectives. 

Proposed solution:

  • Clear explanation as to the proposed approach to meeting the specification set out in this ITT, including the approach the supplier will take to developing and delivering a target operating model for the SOC in accordance with NCSC guidance[2]
  • Detailed project plan, including timelines, assumptions and dependencies, resourcing and risks.

Financial proposal:

  • Full breakdown costings for the proposed solution in sterling
  • Separate accounting of VAT and/or any other applicable tax, duty, or charge.
  • Detailing of any discount applied in view of WFD’s not-for-profit status.


References:

  • The bid should include details of two references relating to similar goods/services provided in the last three years. Please note – referees will only be contacted once Preferred Bidder status is assigned.

Confirmation of acceptance of General Terms and Conditions of Tendering:

  • All bids should include a signed copy of the Confirmation of Compliance form as annexed to this ITT.

All bidders should also note the following:

  • all bids should be submitted in English;
  • all bids should be submitted in electronic form only;
  • this ITT and the response may be incorporated in whole or in part into the final contract;
  • only information provided in response to questions set out in this documentation will be taken into consideration for the purposes of evaluating the ITT;
  • bids which are poorly organised or poorly written, such that evaluation and comparison with other submissions is notably difficult, may exclude the bidder from further consideration; and
  • any bids which do not fully comply with the requirements of this ITT may be disregarded at the absolute discretion of WFD.

Evaluation criteria

WFD intends to shortlist providers based on their response to the RFP and will use the following scoring criteria.



Quality of bid document 10%
Service offer and fit to specification 25%
Value for money 40%
Professional profile, track record, relevant experience, and references 25%
Total weighting  100%


WFD will score each criterion using the following table:


  • Not Answered: The proposal submitted omits and fundamentally fails to meet WFD’s scope and specifications. Insufficient evidence to support the proposal to allow WFD to evaluate.
  • Poor: The information submitted has a severe lack of evidence to demonstrate that WFD’s scope and specifications can be met. Significant omissions, serious and/or many concerns.
  • Satisfactory: The information submitted has some minor omissions in respect of WFD's scope and specifications. The tender satisfies the basic requirements in some respects but is unsatisfactory in other respects and raises some concerns.
  • Good: The information submitted provides some good evidence to meet the WFD’s scope and specifications and is satisfactory in most respects and there are few concerns.
  • Very Good: The information submitted provides good evidence that all of WFD's scope and specification can be met. Full and robust response, any concerns are addressed so that the proposal gives confidence.
  • Outstanding: The information submitted provides strong evidence that all of WFD's scope and specification can be met and the proposal exceeds expectation i.e. exemplary in the industry. Provides full confidence and no concerns.


Tender Queries 

Any questions related to this tender should be addressed to the SOC Procurement Team at

Equal Information

Should any supplier raise a question that is of general interest, WFD reserves the right to circulate both question and answer to other respondents, either via WFD’s website or by email. In this event, anonymity will be maintained.

Annual reports

Please provide a link or copy of your company’s latest audited annual accounts with the bid.

Other information

If the potential supplier believes that there is additional information that has not been requested in the ITT but is relevant to your bid, please include that information as a separate attachment and explain its relevance to this ITT.

Expected duration of the contract

We expect to award a contract to the successful supplier for a three-year period, subject to an annual review.


Q: Is NCSC Cyber Security Information Sharing Partnership (CISP) mandatory?

A: Membership of the NCSC Cyber Security Information Sharing Partnership (CISP) is mandatory for the bid to be considered.  All bidders should be currently a member of CISP or committed to becoming a member before contracting.

Q: Is there a formal process to “Express an Interest”? And then get a tender pack or will it all be completed based on the information and instructions from the website?

A: There is no process to express an interest, bids should be submitted based on information contained on our website. 

Q: Firewalls, end-user devices, etc.: how many log sources?

A: There are approximately 175-200 end-user devices. There are approximately 5 log sources in scope. We cannot disclose the number of firewalls.

Q: Will it all be cloud-based, on-premise, or hybrid (both)?

A: These are a mixture of on-prem and cloud.

Q: Can you please confirm whether the £50,000 budget covers the full three year contract length or is based on an annual budget?

A: £50,000 is a minimum figure, not based on an annual budget. This is a required field on Find a Tender and Contracts Finder.

Q: Can you please confirm that you have an active Microsoft Azure tenant?

A: Yes, we have one active Microsoft Azure tenant.

Q: Are you expecting the supplier to also resolve all security alerts, or to pass the alerts onto the WFD IT Service Desk for remediation? If you are expecting the supplier to resolve all alerts, can you please give an indication of the volume of tickets likely to be worked on in any given month?

A: We are unable to provide this information at this stage, as this information will be gathered as part of the delivery of the contract. 

Q: Can you please confirm who the IT Managed Service provider is?

A: In line with public procurement guidance, WFD publishes details of awarded contracts on the Find a Tender and/or Contracts Finder service, as appropriate/applicable.

Q: On premise server infrastructure used (if applicable), number of servers, server roles and associated operating systems?

A: We use Microsoft Server OS, however we are unable to divulge further information on our server architecture. 

Q: Networking equipment (number of firewalls, network security appliances and routers/switches)?

A: For security reasons, we are unable to divulge this information.

Q: Details of any existing endpoint security technologies such as anti-virus or EDR/XDR solutions?

A: WFD do have endpoint protection in place, but we are unable to disclose further information about the software. 

Q: Is the project available for subcontracting and can it be subcontracted to an Indian company?

A: We are looking to build a partnership with a supplier that demonstrates good value for money, and it would need to be clear how any subcontracted elements of the proposal would meet this. For reasons of data protection compliance and security, we would need to ensure that any consultant(s) working on the WFD account are located in – and processing data within – the UK. 

Q: In your tender, are there any template tender documents with the criteria on for us to complete as I have been unable to locate any so far?

A: There are no template documents. The tender should be structured as set out in the ‘Bid Requirements’ section.

Q: A solution that we could put forward can ingest telemetry from various 3rd party security vendors, for example Firewalls. Is this something you would like us to additionally quote? If so, what is the make and model?

A: If possible, we would like to see this as an option, costed separately. We are unable to provide firewall makes or models.

Q: Have you been advised on including an NDR solution integrated with the service? (Additional Cost).

A: If an NDR solution is being proposed, the financial proposal should clearly separate such cost (and make clear as to whether this is optional). 

Q: Is there a specific budget limit aligned to this procurement?

A: We do not publish budget limits, to encourage competitive bids. 

Q: Is there a technical specification required to be completed?

A: No.

Q: Are we only allowed a single submission or are we allowed to put 2 options forward?

A: We would consider one submission per supplier, but this could contain more than one option. 

Q: Has the WFD ever used a Managed Security Service Provider in the past?

A: No, WFD has not used an outsourced Security Operations Centre previously.

Q: Does the WFD have any security capabilities in-house that we need to work with?

A: WFD does not have any dedicated security staff in-house.

Q: Do WFD have an assessed data volume ingest (GB/day)?

A: Data volume ingest will be obtained as part of the deliverables.

Q: Do WFD have a preferred technology?

A: No.

Q: Would you like a proposal that features the requirements gathering?

A: WFD would expect there to be an element of requirements gathering as part of the deliverables.

Q: Can you please confirm the type of M365 licence that you have deployed for your users, i.e. E3/E5?

A: For security reasons, we cannot confirm the Microsoft licenses that are in use.

Q: Do you utilise Azure AD?

A: Yes.

Q: Can you confirm if you protect your servers utilising the Microsoft product suite, i.e. Defender for Cloud/Endpoint?

A: We can confirm that we protect our servers, but for security reasons, we cannot confirm the product we use.

Q: You have mentioned 5 log sources, can you provide further information?

A: Whilst we cannot provide details of each log source, we can confirm that these are a mixture of Microsoft and non-Microsoft.

Q: You have asked for a managed SOC partner, can you elaborate on the expected services you would wish to make up this service?

A: WFD is looking for a SOC to detect and respond to any potential cyber security threats, ensuring the information held on systems and networks is secure. We anticipate that a SOC will strengthen WFD's security posture by:

  • reducing time to respond
  • minimising breach impact
  • increasing security visibility
  • staying a step ahead of any attackers
  • keeping the organisation informed of risks

We are looking for continuous (24/7/365) monitoring of WFD's corporate estate for suspected attacks to help detect, triage and respond to cybersecurity threats as soon as possible. This will enable WFD to secure increased centralised visibility over its network alongside complete visibility into the network infrastructure and potential attack vectors. WFD have an EDR solution in place, managed by our managed service provider, which can be reviewed as part of this engagement.

Q: As you have indicated that much of the information will be obtained as part of the deliverables, is it anticipated that at this stage there may need to be discussions had on the commercials to reflect any changes that may come to light as part of a true up or down of service?

A: The pricing model should be clear as part of the proposal. We will review commercials after each stage of the process, if necessary.

Q: Do you have any specific compliance requirements?

A: There are no specific compliance requirements.

Q: Regarding hot storage of operational log data, do you have any specific preference for storage: 30, 60, or 90 days? PCI DSS compliance mandates 90 days, for example.

A: WFD has no specific compliance requirements in this regard, but would welcome a choice of different storage options/costings to be set out in the bid document.

Q: How many physical locations are in scope?

A: WFD operates in over 25 countries around the world. We would expect coverage to extend to all devices globally. 

Q: Do you have a specific technology platform of choice?

A: We have no technology platform preference.