ServiceNow Vulnerability Response, Development and Implementation 2025

Description

Which phase the project is in Live Existing team The primary team the supplier will be working with is the Digital Security Adaptive Cybersecurity Ecosystem (ACE) team, who’s primarily responsibility is providing services to DWP that utilise the ServiceNow SecOps and IRM modules. This includes multiple Business Analysts who work with the business users to understand requirements for the Security services, technical leads to design workable solutions, as well as delivery management to progress the work through the delivery pipeline and create plans in alignment with the product roadmap. The team is headed up by a Service Owner who engages with the wider Digital Security and Cyber Resilience Centre (CRC) teams to ensure the product and service works in alignment with all other workstreams as part of the Adaptive Security Programme. The supplier will be required to occasionally work with business stakeholders across the various security teams to help understand and refine requirements. They will also work closely with the DWP Place Platform team whose broad responsibility is to maintain the uptime and integrity of the wider ServiceNow platform; a capability that includes delivery management, governance mechanisms (including SDLC standards), architecture, system administration. Address where the work will be done It is anticipated that the majority of the work will be performed remotely. Where work is required to be completed on-site, this could be at the Corporate Hubs listed below. Blackpool - Peel Park, Brunel Way, Blackpool FY4 5ES Manchester - 2 St Peter's Square, Manchester M2 3AA Working arrangements The supplier can carry out their roles from whichever location allows them to do so the most effectively. This can be largely covered by home working, although occasional visits to DWP on-site Hubs will be required to participate in Discovery type activities. Provide more information about your security requirements: Security Check (SC) Latest start date 2025-04-01 Enter the expected contract length: 2 years Extension period: 1 year Are you prepared to show your budget details?: Yes Indicative maximum: £4,000,000 Provide further information: Optional 12 month extension at £2,000,000 Confirm if you require a contracted out service or supply of resource Contracted out service: the off-payroll rules do not apply Summary of work The Department’s Adaptive Security Programme focus is on improving security controls across Digital Services to reduce the residual risks associated with a Cyber-attack. Beginning in January 2022 we have been implementing ServiceNow’s Security Operations platform as a core set of controls. The successful ServiceNow partner will: - Provide demonstrable evidence of multiple successful VR, SIR and IRM implementations in large scale, complex organisations - Provide consultancy and hands-on-deployment for the design and configuration of new features, enhancements and fixes to the VR, SIR and IRM modules, including integration with existing security tools and resources including but not limited to Tenable, Wiz, Splunk, Sentinel, GitLab, XSOAR, Mandiant, MISP, Tanium, Ansible - Provide consultancy and hands-on-deployment for the design and configuration of additional workspaces such as SBOM, Security Posture Control, Threat Intelligence Security Centre. Including integration workflows between the various modules. - Propose, design, and build optimal methods to achieve reporting requirements. Including the use of ServiceNow Visualisations, Platform Analytics, Control Towers & Cyber Exec Dashboard - Provide consultancy and hands-on-development for advanced ServiceNow features including GenAI, Low-Code/No-Code & Automated Testing Framework (ATF) - Configure data and promote code into the Production instance, through the DWP ServiceNow SDLC in line with internal DWP Place platform governance - The successful partner will also supply architects and their own Project Management capability to ensure the most effective and efficient implementation delivers early value realisation over several outcome-based milestones - The successful partner will ensure that Knowledge Transfer, of design, development, or process, is delivered to required DWP teams. The successful partner will provide relevant training and training materials during the implementation. Where the supplied staff will work No specific location (for example they can work remotely) Who the organisation using the products or services is The Department for Work and Pensions Why the work is being done Following a phase of work to mature the security modules in-line with ServiceNow’s capability model, additional support is required to integrate SecOps more effectively into the wider ServiceNow platform as well as a number of new capabilities, including SPC & TISC. Currently the Vulnerability Management, Security Monitoring & Investigations, Security Risk Management, and Threat Intelligence processes are disconnected. Enhancements to each of the security modules and workspaces will enable more efficient and collaborative efforts to detect and respond to Cyber-Security events. Enhancements to the IRM module to enable continual compliance of multiple security frameworks (CIS, CAF) is a key objective. This requires the integration of multiple third-party data sources (Tanium, Wiz) via indicators that can automate the collection of data to measure control effectiveness. To demonstrate enterprise compliance of these security controls, development of dashboards and platform analytics is required. Further work is needed to integrate VR & IRM to enable processes such as policy exceptions, allowing us to utilise real-time threat data to enrich risks and controls, as well as identify mitigating controls when patch management isn’t possible. SPC should be utilised here also, to enrich vulnerability management policies with tooling gaps and identify ‘toxic combinations’ to focus our remediation efforts. Development of low code/no code functionality is needed to increase delivery efficiency and provide autonomy to our user teams. ServiceNow GenAI capabilities will enable our user teams to prioritise investigation and remediation activities as well as performing automated searches across various tables to suggest solutions to complex tasks. These features will enable DWP to respond and adapt to the Cyber-Security landscape, empowering Security professionals to quickly make risk-based decisions within a single platform. The business problem you need to solve Specialist ServiceNow security subject matter expertise is required to allow us to get the most simple, effective and automated VR, SIR & IRM solutions out of the licences previously purchased. The DWP Place Product team do not have the required knowledge or experience of the security modules. Securing the SME services will ensure that we get the implementation right first time and in the shortest timeframe. Integrated, automated vulnerability response is required to handle the ever-increasing cyber security threats to our Digital Estates in line with the reduction of residual risks associated with a Cyber-attack on DWP services. There is also a need to improve understanding, monitoring and capture of the Cloud Estate. The ServiceNow SIR, VR and IRM modules allows us to address these challenges. The risk of extending the capability of VR, SIR and IRM in SecurePlace relates to the manual nature of the activities and the probability that our staff cannot keep pace with volumes of activities and the increasingly sophisticated and diverse nature of threats. The manual processes are slower and therefore lend the possibility of exploits and attacks being successful. Enhancing each of the 3 modules in recognition of each of the other’s capabilities, as well as empowering each of the operational teams utilising them daily, enables the SecurePlace service to act as a hub for the wider Adaptive Cyber-Security Eco-System. This ensures we are in the best possible position to identify, respond and recover from any potential security risk, as opposed to disconnected security tools and functions. DWP Place Product team do not have the knowledge, experience, or resources to undertake the activities in house. First user type: Vulnerability Response First user type: Security Incident Response First user type: Integrated Risk Management