
Overview

ArcKit integrates with the UK Digital Marketplace for public sector procurement under two frameworks:
  • G-Cloud - Off-the-shelf cloud services (IaaS, PaaS, SaaS)
  • DOS (Digital Outcomes and Specialists) - Custom development and specialists
Both frameworks provide:
  • Live marketplace search with actual services
  • Requirements-driven procurement
  • Audit-ready documentation
  • Full traceability to requirements

G-Cloud Procurement

When to Use G-Cloud

Use G-Cloud for:
  • ✅ Cloud hosting and infrastructure (IaaS/PaaS)
  • ✅ Off-the-shelf SaaS platforms
  • ✅ Managed cloud services
  • ✅ No custom development needed
Do NOT use G-Cloud for:
  • ❌ Custom software development
  • ❌ Building new systems
  • ❌ Hiring developers/specialists
Wrong framework? If you need custom development, use DOS Procurement instead.

G-Cloud Search Command

/arckit.gcloud-search <search query>

Examples

# Search by service category
/arckit.gcloud-search cloud hosting kubernetes

# Search by specific need
/arckit.gcloud-search monitoring prometheus grafana

# Search by project
/arckit.gcloud-search Find G-Cloud services for project 001

Prerequisites

Mandatory:
  • Requirements (ARC-{PROJECT_ID}-REQ-v1.0.md) - Defines service needs
  • Architecture Principles (ARC-000-PRIN-v1.0.md) - Cloud strategy, compliance
The command performs a live Digital Marketplace search:
  1. Analyzes requirements to identify cloud service needs
  2. Builds search queries from MUST requirements
  3. Searches Digital Marketplace using WebSearch
  4. Extracts service details from the public listing text:
    • Service names
    • Supplier names
    • Key features
    • Pricing (if mentioned)
    • Direct links to service pages
  5. Compares services against requirements
  6. Recommends top matches
Everything extracted at step 4 is supplier self-declared listing text: compliance claims, SLA figures and prices are inputs to the gap analysis, not verified facts, until the supplier confirms them in writing.

Example Search Query

site:digitalmarketplace.service.gov.uk g-cloud cloud hosting kubernetes docker

G-Cloud Output Document

Creates projects/{project}/procurement/ARC-{PROJECT_ID}-GCLD-v1.0.md:
# UK Digital Marketplace: G-Cloud Service Procurement

**Framework**: G-Cloud
**Service Category**: Cloud Hosting
**Project**: NHS Appointment Booking (001)

## 1. Service Overview

### What We Need
Managed Kubernetes service for containerized microservices with:
- Auto-scaling
- High availability (99.95% SLA)
- UK data residency
- NHS Digital integration

## 2. Must-Have Requirements

### Functional Requirements
- **Kubernetes v1.28+**: Container orchestration
- **Auto-scaling**: Horizontal pod autoscaling
- **Load balancing**: Layer 7 ingress

### Performance Requirements  
- **Uptime SLA**: > 99.95%
- **API response**: < 100ms (p95)

### Security Requirements
- **ISO 27001**: Current certification
- **Cyber Essentials Plus**: Current certification  
- **Data residency**: UK data centers only
- **NHS Digital compliance**: DCB0129, DCB0160

### Compliance Requirements
- **UK GDPR**: Full compliance
- **NHS Data Security and Protection Toolkit**: Standards met

## 3. Digital Marketplace Search Results

**Search Performed**: 2026-03-04 14:30 GMT
**Search Query**: `site:digitalmarketplace.service.gov.uk g-cloud kubernetes managed uk`

### Top Matching Services

#### 1. AWS Elastic Kubernetes Service (EKS)
- **Supplier**: Amazon Web Services
- **Service ID**: 1234567890123456
- **Link**: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/1234567890123456
- **Key Features**:
  - Managed Kubernetes 1.28+
  - Auto-scaling (cluster autoscaler, HPA)
  - UK regions (London)
  - 99.95% uptime SLA
- **Pricing**: From £0.10/hour per cluster
- **Must-Have Match**: 9/10 requirements mentioned
- **Compliance**: ISO 27001, SOC 2, Cyber Essentials Plus, UK GDPR

#### 2. Azure Kubernetes Service (AKS)  
- **Supplier**: Microsoft
- **Service ID**: 2345678901234567
- **Link**: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/2345678901234567
- **Key Features**:
  - Managed Kubernetes 1.29
  - Autoscaling (cluster/pod/node)
  - UK South region
  - 99.95% SLA (financially backed)
- **Pricing**: Free control plane + node costs
- **Must-Have Match**: 10/10 requirements mentioned
- **Compliance**: ISO 27001, SOC 2, Cyber Essentials Plus

#### 3. Google Kubernetes Engine (GKE)
- **Supplier**: Google Cloud
- **Service ID**: 3456789012345678
- **Link**: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/3456789012345678
- **Key Features**:
  - Managed Kubernetes 1.28
  - Autopilot mode (fully managed)
  - London region
  - 99.95% SLA
- **Pricing**: From £0.10/hour (standard) or £0.20/hour (autopilot)
- **Must-Have Match**: 8/10 requirements mentioned
- **Compliance**: ISO 27001, SOC 2

## 4. Service Comparison Table

| Service | Supplier | Must-Have | Desirable | Compliance | Est. Cost (monthly) | Link |
|---------|----------|-----------|-----------|------------|---------------------|------|
| AKS | Microsoft | 10/10 | 5/7 | ISO 27001, SOC 2, CE+ | £200-500 | [link] |
| EKS | AWS | 9/10 | 6/7 | ISO 27001, SOC 2, CE+ | £220-480 | [link] |
| GKE | Google | 8/10 | 4/7 | ISO 27001, SOC 2 | £240-520 | [link] |

## 5. Recommendation

### Recommended Service

**Azure Kubernetes Service (AKS)** by Microsoft

**Rationale**:
- ✅ Meets 10/10 MUST requirements
- ✅ Strongest compliance (ISO 27001, Cyber Essentials Plus)
- ✅ Best value (free control plane)
- ✅ UK data residency (UK South)
- ✅ NHS Digital integration experience

**Next Steps**:
1. Visit service page: [link]
2. Contact Microsoft for NHS-specific requirements
3. Validate DCB0129/DCB0160 compliance
4. Request pricing quote for expected load
5. Schedule technical demo

### Alternative Option

**AWS EKS** - If Azure integration not preferred or AWS existing relationship

Service Validation (Gap Analysis)

After finding services, validate fit:
/arckit.gcloud-clarify <service name>

Gap Analysis Process

  1. Systematic requirement check:
    • ✅ CONFIRMED - Service explicitly mentions capability with specifics
    • ⚠️ AMBIGUOUS - Service mentions related capability vaguely (needs clarification)
    • ❌ NOT MENTIONED - Service doesn’t mention requirement at all
  2. Ambiguous claims detection:
    • “Industry-standard” → Which specific standards?
    • “High availability” → What specific SLA percentage?
    • “Scalable” → To what capacity? Limits?
    • “Secure” → Which security certifications?
  3. Prioritized questions:
    • 🔴 CRITICAL - MUST requirement not confirmed (blocking)
    • 🟠 HIGH - MUST requirement ambiguous (affects scoring)
    • 🔵 MEDIUM - SHOULD requirement missing (due diligence)
    • 🟢 LOW - Nice to have (future roadmap)

Example Clarification Output

# G-Cloud Service Clarification Questions

**Service**: Azure Kubernetes Service (AKS)
**Supplier**: Microsoft

## Gap Summary

- ✅ **8** MUST requirements confirmed with evidence
- ⚠️ **2** MUST requirements mentioned ambiguously
- ❌ **0** MUST requirements NOT mentioned
- 🔵 **2** SHOULD requirements missing

**Overall Risk**: 🟠 HIGH (clarify first)

## Critical Questions

#### Q1: NHS Digital Compliance Evidence
**Requirement**: NFR-C-003 (MUST) - DCB0129 and DCB0160 compliance

**Gap**: Service mentions "healthcare compliance" but doesn't explicitly confirm DCB0129/DCB0160.

**Question**:
> How does Azure AKS support the NHS clinical risk management standards?
> - Confirm DCB0129 (Clinical Risk Management: manufacture of health IT systems) coverage for the service, with the clinical safety case report and hazard log
> - Confirm what evidence Microsoft supplies to support the Trust's own DCB0160 (Clinical Risk Management: deployment and use) assessment, which remains the deploying organisation's responsibility
> - Name the Clinical Safety Officer who signed off the safety case
> - Document clinical safety case template

**Evidence Needed**:
- DCB0129 clinical safety case report and hazard log (DCB standards are evidenced by a safety case signed by a Clinical Safety Officer, not by certificate numbers or expiry dates)
- Supplier input to the Trust's DCB0160 safety case
- Clinical risk management documentation
- NHS Digital attestation letter

**Priority**: 🔴 CRITICAL

## High Priority Questions

#### Q2: Uptime SLA Financial Backing
**Requirement**: NFR-P-001 (MUST) - 99.95% uptime SLA

**Gap**: "99.95% SLA" mentioned but financial backing terms unclear.

**Question**:
> What are the SLA credit terms if uptime falls below 99.95%?
> - Credit percentage at 99.9%, 99.5%, 99.0% thresholds
> - How to claim SLA credits
> - Maximum credit available
> - Planned maintenance exclusions

**Evidence Needed**:
- SLA agreement document
- Credit calculation methodology
- Historical uptime statistics (12 months)

**Priority**: 🟠 HIGH

## Email Template for Supplier

Subject: Technical Clarification Required - Azure AKS (Service ID: 2345678901234567)

Dear Microsoft Team,

We are evaluating Azure Kubernetes Service for NHS appointment booking 
system procurement via G-Cloud Digital Marketplace.

Before proceeding, we need clarification on:

**Critical Requirements (Blocking)**:
- Q1: NHS Digital compliance (DCB0129, DCB0160)

**High Priority Requirements**:
- Q2: SLA financial backing and credits

Could you please provide:
- Written responses to Q1-Q2
- Supporting documentation (compliance certificates, SLA terms)
- Access to demo environment for NHS integration testing

We aim to make procurement decision by 2026-03-18. Please respond by 2026-03-11.

Thank you,
[Your name]
NHS Trust

Risk Assessment Matrix

| Service | Critical Gaps | High Gaps | Overall Risk | Action |
|---------|---------------|-----------|--------------|--------|
| Azure AKS | 0 | 2 | 🟠 HIGH | Clarify first |
| AWS EKS | 1 | 1 | 🔴 CRITICAL | Do not proceed |
| Google GKE | 2 | 3 | 🔴 CRITICAL | Do not proceed |
Risk Levels:
  • 🔴 CRITICAL: 1+ MUST requirements not confirmed → DO NOT PROCEED
  • 🟠 HIGH: 2+ MUST requirements ambiguous → CLARIFY FIRST
  • 🔵 MEDIUM: 1 MUST ambiguous OR 3+ SHOULD missing → PROCEED WITH CAUTION
  • 🟢 LOW: All MUST confirmed, few SHOULD missing → PROCEED TO DEMO

DOS Procurement

When to Use DOS

Use Digital Outcomes and Specialists for:
  • ✅ Custom software development
  • ✅ Building new digital services
  • ✅ Hiring developers, architects, designers, specialists
  • ✅ Specific digital project outcomes
Do NOT use DOS for:
  • ❌ Off-the-shelf cloud services (use G-Cloud)
  • ❌ Commodity procurement

DOS Command

/arckit.dos <project ID or title>

Examples

# Generate DOS for existing project
/arckit.dos 001

# Generate DOS by description  
/arckit.dos Data Engineering Specialist for NHS project

# Create DOS for new project
/arckit.dos Cloud native development team

Prerequisites

Mandatory:
  • Requirements (ARC-{PROJECT_ID}-REQ-v1.0.md) - Defines project needs
  • Architecture Principles (ARC-000-PRIN-v1.0.md) - Governance standards
Recommended:
  • Stakeholder Analysis (ARC-{PROJECT_ID}-STKE-v1.0.md) - Business drivers
  • Technology Research (ARC-{PROJECT_ID}-RSCH-v1.0.md) - Technology decisions

DOS Output Document

Creates projects/{project}/procurement/ARC-{PROJECT_ID}-DOS-v1.0.md:
# UK Digital Marketplace: Digital Outcomes and Specialists

**Framework**: Digital Outcomes and Specialists (DOS)
**Procurement Type**: Digital Outcome + Specialists
**Project**: Payment Gateway Modernization (001)

## 1. Executive Summary

### Procurement Overview
Modernize legacy payment gateway to support real-time payments (Faster Payments), 
Open Banking (PSD2 XS2A), and Strong Customer Authentication. Outcome: PCI-DSS 
compliant cloud-native payment platform with 99.99% uptime.

### Strategic Alignment

**Architecture Principles**:
- PRIN-001: Cloud-first (AWS preferred)
- PRIN-005: API-first design (RESTful, OpenAPI 3.0)
- PRIN-008: Security by design (PCI-DSS Level 1)
- PRIN-012: Open source preference (where appropriate)

## 2. Digital Outcome Description

Vendor must deliver a production-ready payment gateway supporting:
- Real-time payment processing (Faster Payments, CHAPS)
- Open Banking API integration (OBIE v3.1 compliance)
- Strong Customer Authentication (PSD2 SCA)
- Fraud detection (rule engine + ML)
- Payment reconciliation automation

**Success Criteria**:
- Payment processing < 3 seconds (p95)
- 99.99% uptime SLA
- PCI-DSS Level 1 certification
- Zero critical security vulnerabilities
- OBIE conformance test suite pass

## 3. Essential Skills and Experience

### 3.1 Technical Capabilities (MUST Have)

From Functional Requirements:
- **Payment Systems**: Faster Payments, CHAPS, OBIE APIs (FR-001 to FR-007)
- **API Development**: RESTful APIs, OpenAPI 3.0, OAuth 2.0 (FR-008 to FR-012)
- **Fraud Detection**: Rule engines, ML models, anomaly detection (FR-013 to FR-015)

### 3.2 Non-Functional Expertise (MUST Have)

From Non-Functional Requirements:
- **Security**: PCI-DSS Level 1, encryption (AES-256), PKI (NFR-S-001 to NFR-S-008)
- **Performance**: High-throughput systems (>1000 TPS), caching strategies (NFR-P-001 to NFR-P-004)
- **Compliance**: PSD2, Open Banking, UK GDPR (NFR-C-001 to NFR-C-005)
- **Integration**: Message queues, event-driven architecture, API gateways (INT-001 to INT-006)

### 3.3 Architecture Governance (MUST Have)

- **Cloud-native**: AWS (ECS/EKS, Lambda, RDS, DynamoDB) following PRIN-001
- **Design Reviews**: Experience with HLD/DLD review processes
- **Documentation**: Architecture diagrams (Mermaid, C4), API specs (OpenAPI)
- **Traceability**: Requirements traceability throughout delivery

## 4. Desirable Skills and Experience

From SHOULD requirements:
- Machine learning (fraud detection models)
- Payment analytics dashboards
- Chaos engineering experience
- FinOps (cloud cost optimization)

## 5. Requirements Summary

### 5.1 Business Requirements (5 total)

| ID | Requirement | Priority | Acceptance Criteria |
|----|-------------|----------|---------------------|
| BR-001 | Support Faster Payments | MUST | Process payment in < 10 seconds |
| BR-002 | PCI-DSS Level 1 compliance | MUST | Valid AOC (Attestation of Compliance) |
| BR-003 | Open Banking integration | MUST | Pass OBIE conformance suite |
| BR-004 | Real-time fraud detection | SHOULD | Flag suspicious transactions in < 1 second |
| BR-005 | Payment analytics | SHOULD | Dashboard with 15+ metrics |

### 5.2 Functional Requirements (15 total)

**Payment Processing**:
- **FR-001** (MUST): Initiate Faster Payments via API - Accept payment request, return confirmation in < 10s
- **FR-002** (MUST): Process CHAPS payments - High-value same-day clearing
- **FR-003** (MUST): Open Banking PISP flow - PSD2 XS2A Payment Initiation (account information access is the separate AISP role)

**Strong Customer Authentication**:
- **FR-004** (MUST): SCA for payments >£30 - Dynamic linking, challenge-response flow
- **FR-005** (MUST): SCA exemptions - Low-value, trusted beneficiaries per PSD2 RTS

**Fraud Detection**:
- **FR-006** (MUST): Rule-based fraud checks - Velocity, geo-location, amount thresholds
- **FR-007** (SHOULD): ML-based anomaly detection - Behavioral models, risk scoring

### 5.3 Non-Functional Requirements (12 total)

**Performance**:
- **NFR-P-001** (MUST): 99.99% uptime SLA
- **NFR-P-002** (MUST): Payment processing < 3 seconds (p95)
- **NFR-P-003** (MUST): Support 1000 TPS peak load
- **NFR-P-004** (MUST): API response < 200ms (p99)

**Security**:
- **NFR-S-001** (MUST): PCI-DSS Level 1 certification (annual QSA audit)
- **NFR-S-002** (MUST): Data encryption at rest (AES-256)
- **NFR-S-003** (MUST): TLS 1.3 for data in transit
- **NFR-S-004** (MUST): Secrets management (AWS Secrets Manager / HashiCorp Vault)

**Compliance**:
- **NFR-C-001** (MUST): PSD2 RTS compliance (SCA, dynamic linking)
- **NFR-C-002** (MUST): Open Banking OBIE v3.1+ conformance
- **NFR-C-003** (MUST): UK GDPR / DPA 2018 compliance

### 5.4 Integration Requirements (6 total)

**Upstream Systems**:
- **INT-001** (MUST): Core banking system (ISO 20022 messages)
- **INT-002** (MUST): Faster Payments scheme connectivity (operated by Pay.UK; CHAPS is the Bank of England RTGS service)
- **INT-003** (MUST): Open Banking TPP API (OAuth 2.0, FAPI)

**Downstream Systems**:
- **INT-004** (MUST): Fraud platform (real-time event stream)
- **INT-005** (MUST): Analytics warehouse (batch ETL)
- **INT-006** (MUST): Notification service (email, SMS, push)

## 6. Evaluation Criteria

### 6.1 Technical Capability (40%)

**Essential Criteria** (Pass/Fail):
- ✅ Meets ALL MUST requirements (BR/FR/NFR/INT)
- ✅ Delivered a system that passed a QSA Report on Compliance, or 5+ years PCI-DSS Level 1 experience
- ✅ 2+ UK financial services payment projects
- ✅ Cloud-native architecture experience (AWS preferred)

**Scoring Criteria**:
- **Technical Approach** (20%): Solution design, PCI-DSS architecture, PSD2 approach
- **Evidence of Delivery** (10%): Similar payment projects, references, case studies
- **Understanding** (10%): Risk identification, compliance grasp, integration complexity

### 6.2 Team Experience and Composition (30%)

- **Team Skills Match** (15%): Coverage of essential + desirable skills
- **Track Record** (10%): Payment system references, PCI-DSS projects, Open Banking
- **Team Structure** (5%): Roles (architects, senior devs, PCI-DSS specialist; the QSA is an independent assessor, not a team member), availability

### 6.3 Quality Assurance (20%)

- **Testing Approach** (10%): PCI penetration testing, load testing, OBIE conformance
- **Compliance & Security** (5%): QSA audit plan, PCI quarterly scans, SCA testing
- **Documentation** (5%): HLD/DLD quality, runbooks, PCI documentation

### 6.4 Value for Money (10%)

- **Cost Breakdown** (5%): Transparency, milestone pricing, no hidden costs
- **Risk Mitigation** (5%): PCI-DSS risk approach, SCA fallback, fraud tuning

## 7. Deliverables

### 7.1 Architecture & Design

- **High-Level Design (HLD)** - PCI segmentation, AWS architecture, data flows
- **Detailed Design (DLD)** - Component specs, state machines, error handling
- **Data Model** - Entity schemas, PII classification, encryption mapping
- **API Contracts** - OpenAPI 3.0 specs for all APIs
- **Security Design** - PCI controls scoped for the QSA Report on Compliance (Level 1 requires a ROC, not an SAQ D self-assessment), TLS config, secret management
- **Integration Design** - Sequence diagrams for Faster Payments, OBIE, fraud

### 7.2 Implementation

- **Source Code** - Go/Java, cloud-native (ECS/Lambda), following AWS Well-Architected
- **Infrastructure as Code** - Terraform/CloudFormation for repeatable deployments
- **Configuration** - Environment-specific config (dev/staging/prod)
- **Database Migrations** - Flyway/Liquibase versioned migrations

### 7.3 Testing & Quality

- **Test Plans** - Unit, integration, E2E, PCI penetration, load tests
- **Test Results** - >80% coverage, PCI pen test report, QSA pre-audit
- **Performance Validation** - Load test evidence (1000 TPS sustained)
- **Security Validation** - OWASP Top 10 scan clean, PCI quarterly scan clean
- **Compliance Evidence** - OBIE conformance report, PCI AOC

### 7.4 Documentation

- **User Docs** - API documentation (Swagger UI), integration guides
- **Admin Docs** - Runbooks, incident response, PCI procedures
- **Handover Pack** - Architecture decision records (ADR), known issues, roadmap
- **Traceability Matrix** - Requirements → Design → Tests → Code mapping

### 7.5 Support & Warranty

- ✅ 90-day warranty (defect fixes)
- ✅ Knowledge transfer (2-week handover)
- ✅ Hypercare support (30 days post-launch, 24/7)
- ✅ PCI annual re-certification support (1 year)

## 8. Project Governance

### 8.1 Architecture Review Gates

**Mandatory Reviews**:
- **HLD Review** - PCI segmentation, AWS architecture, data flows validated
- **DLD Review** - Component design, API contracts, security controls approved
- **Code Review** - Ongoing (PR reviews), OWASP compliance
- **Security Review** - Pre-launch PCI assessment, penetration test review
- **QSA Audit** - External PCI-DSS Level 1 audit before go-live

Reference: `/arckit.hld-review` and `/arckit.dld-review` for formal review processes

### 8.2 Requirements Traceability

Vendor must maintain:
- Requirements → HLD (architecture patterns per requirement)
- Requirements → DLD (components addressing requirements)
- Requirements → Test Cases (acceptance criteria validation)
- Requirements → Code (feature branches linked to requirement IDs)

Reference: `/arckit.traceability` for validation framework
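The traceability the vendor must maintain is only useful if someone checks it at each review gate. The following is an added example written for this page, not ArcKit's `/arckit.traceability` command: it scans artifact text for requirement IDs in the page's own `BR-`/`FR-`/`NFR-`/`INT-` format, reports every MUST requirement that no HLD, test or commit references, and catches IDs that are cited but not in the register. The `REQUIREMENTS` register and the three `ARTIFACTS` strings are constructed stand-ins for file contents and `git log` output.

```python
"""Added example (not ArcKit code): requirements traceability check across
design, test and code artifacts, using the page's requirement ID format."""
import re

# Matches BR-001, FR-003, NFR-S-001, NFR-P-004, NFR-C-002, INT-006 (page's ID scheme).
REQ_ID = re.compile(r"\b(?:BR|FR|INT|NFR-[PSC])-\d{3}\b")

# Constructed requirement register: IDs and priorities taken from the DOS example above.
REQUIREMENTS = {
    "FR-001": "MUST", "FR-004": "MUST", "FR-007": "SHOULD",
    "NFR-S-001": "MUST", "NFR-S-003": "MUST", "INT-002": "MUST",
}

# Constructed artifacts; in practice these are file contents and commit subjects.
ARTIFACTS = {
    "HLD": "Section 4.2 covers FR-001 and INT-002. PCI scope per NFR-S-001; "
           "TLS 1.3 per NFR-S-003. SCA flow per FR-004.",
    "Tests": "test_fps_initiate covers FR-001; test_sca_challenge covers FR-004; "
             "test_tls13_only covers NFR-S-003; test_ml_scoring covers FR-007",
    "Code": "feat(FR-001): Faster Payments initiation endpoint\n"
            "feat(FR-004): SCA challenge-response flow\n"
            "fix(FR-099): reconciliation timeout\n"
            "chore: bump dependencies",
}


def references(artifacts: dict) -> dict:
    """Map stage name -> set of requirement IDs mentioned in that artifact."""
    return {stage: set(REQ_ID.findall(text)) for stage, text in artifacts.items()}


def untraced(requirements: dict, artifacts: dict, priority: str = "MUST") -> dict:
    """Per stage, the sorted IDs of `priority` requirements with no reference there."""
    wanted = {rid for rid, prio in requirements.items() if prio == priority}
    return {stage: sorted(wanted - ids) for stage, ids in references(artifacts).items()}


def unknown_ids(requirements: dict, artifacts: dict) -> list:
    """IDs cited in artifacts but absent from the register (typos or stale requirements)."""
    cited = set().union(*references(artifacts).values())
    return sorted(cited - set(requirements))


def gate_passes(requirements: dict, artifacts: dict) -> bool:
    """Review-gate rule: every MUST requirement traced in every stage, no unknown IDs."""
    gaps = untraced(requirements, artifacts)
    return not any(gaps.values()) and not unknown_ids(requirements, artifacts)


if __name__ == "__main__":
    for stage, missing in untraced(REQUIREMENTS, ARTIFACTS).items():
        print(f"{stage}: untraced MUST requirements {missing or 'none'}")
    print("unknown IDs:", unknown_ids(REQUIREMENTS, ARTIFACTS))
    print("gate passes:", gate_passes(REQUIREMENTS, ARTIFACTS))
```

Run against the constructed data the gate fails: the HLD traces everything, but the test plan never touches NFR-S-001 or INT-002, the commit history covers only two of five MUST requirements, and FR-099 is cited nowhere in the register. Those are the findings an HLD or DLD review would raise before the vendor's traceability matrix is accepted.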

## 9. Next Steps

### For Procurement Team

1. **Review & Refine**: Validate with stakeholders and PCI QSA
2. **Budget Approval**: Obtain sign-off (estimated £400k-£600k for 6-month project)
3. **Publish on Digital Marketplace**:
   - https://www.digitalmarketplace.service.gov.uk/
   - Select "Digital Outcomes and Specialists"
   - Set closing date (typically 2 weeks)
4. **Answer Supplier Questions**: Via marketplace (public Q&A)
5. **Evaluate Proposals**: Use criteria in Section 6
6. **Technical Assessments**: Interview + code challenge for shortlist
7. **Award Contract**: Highest scoring supplier
8. **Publish Award**: Contracts Finder (legal requirement)

### For Architecture Team

1. **Prepare Review Frameworks**:
   - `/arckit.hld-review` - Set up HLD review checklist (PCI focus)
   - `/arckit.dld-review` - Set up DLD review process
2. **Establish Governance**:
   - Architecture Review Board (monthly)
   - PCI engagement (ASV quarterly external scans, QSA pre-audit and final audit)
3. **Traceability Setup**:
   - `/arckit.traceability` - Requirements tracking framework

## 10. Resources

- **Digital Marketplace**: https://www.digitalmarketplace.service.gov.uk/
- **DOS Buyers Guide**: https://www.gov.uk/guidance/digital-outcomes-and-specialists-buyers-guide
- **Sourcing Playbook**: https://www.gov.uk/government/publications/the-sourcing-and-consultancy-playbooks
- **Contracts Finder**: https://www.gov.uk/contracts-finder

Workflow Comparison

| Step | G-Cloud | DOS |
|------|---------|-----|
| 1. Requirements | /arckit.requirements | /arckit.requirements |
| 2. Search/Generate | /arckit.gcloud-search (live search) | /arckit.dos (generate doc) |
| 3. Validation | /arckit.gcloud-clarify (gap analysis) | Manual review |
| 4. Evaluation | /arckit.evaluate (score services) | /arckit.evaluate (score suppliers) |
| 5. Award | Call-off via Digital Marketplace | Award via Digital Marketplace |
