Decision Maker:

Outcome:

Is Key Decision?: Yes

Is Callable In?: Yes

Date of Decision: May 19, 2025

Purpose:

Content: Salford City Council – Record of Decision   I Councillor Youd, Lead Member for Finance and Support Services and chairman of the Procurement Board, in exercise of the powers contained within the Council Constitution do hereby:   approval to Award the Purchase of software and hardware to enhance the cyber security ecosystem, as detailed in the table below: Detail required Answers Title/Description of Contracted Service/Supply/Project Cyber Security Ecosystem Procurement Reference numbers (DN and CR number supplied by Procurement) S1767 Name of Successful Contractor The Network People (TNP) Ltd Supplier Registration Number (to be supplied by Procurement 07667393 Proclass Classification No. (to be completed by procurement) 271430 Type of organisation (to be supplied by Procurement) Private Limited Company Status of Organisation (to be supplied by Procurement) SME Contract Value (£) £          per annum Total contract value £ (including extensions) £995,671.70 total project value Contract Duration 36 months Contract Start Date 02/06/2025 Contract End Date 01/06/2028 Optional Extension Period 1 months Optional Extension Period 2 months Who will approve each Extension Period? Choose an item Contact Officer (Name & number) Mark Williamson / Matt Wall       Lead Service Group Reform & Transformation How the contract was procured? (to be supplied by procurement) Direct Award/ Call off Framework Details (where applicable) (procurement body, framework reference & title, start/ end date Crown Commercial Services Network Services 3 RM6116 Funding Source Capital Programme Ethical Contractor (EC): Mayor’s Employment Charter No   EC: Committed to sign The Mayor’s Employment Charter Yes     EC: Committed to the principles outlined in the Mayor’s Employment charter N/A   EC: Accredited Living Wage Employer Yes   EC: Committed to becoming Accredited Living wage Employer N/A ?   The Reasons are: Salford City Council’s digital transformation has not only advanced service delivery, efficiency, and accessibility but also introduced new vulnerabilities within an increasingly complex cyber threat landscape. The integration of cloud-based services and AI-driven technologies, while beneficial, has expanded the attack surface, making the council a more attractive target for cybercriminals employing sophisticated tactics. Malicious actors now leverage AI to automate and scale attacks, such as phishing campaigns that mimic official communications, deepfake impersonations of council officials, and AI-powered ransomware capable of identifying and exploiting system vulnerabilities faster than traditional security measures can respond. Additionally, the growing reliance on third-party cloud services presents heightened risks, including potential data breaches, unauthorised access, and supply chain attacks that can compromise critical infrastructure and disrupt essential public services.   To effectively counter these evolving threats, Salford City Council must not only deploy advanced AI-driven cyber-security tools capable of real-time threat detection and response but also adopt a zero-trust architecture that assumes no user or device is inherently trustworthy and mandates continuous verification for system access.   Furthermore, comprehensive incident response plans must be established to ensure rapid containment and recovery from cyber incidents, minimising potential operational, financial, and reputational damage.   Options considered and rejected were: None.   Assessment of Risk: Failure to implement enhanced cyber-security measures exposes Salford City Council to significant and growing risks which will only increase the risk and likelihood of an attack. Without AI-driven security tools, zero-trust architecture, robust cloud protections, comprehensive employee training, and a mature incident response plan, the Council remains vulnerable to sophisticated AI-enhanced cyber-attacks. These threats could lead to major service disruptions, data breaches involving sensitive citizen information, severe financial losses, and irreparable damage to public trust.   As cybercriminals, nation-state actors, and hacktivists increasingly exploit AI to automate, accelerate, and personalise attacks, Salford risks falling behind the evolving threat landscape. Additionally, without strong cloud security governance, the Council could suffer from unauthorised access, vendor lock-in vulnerabilities, compliance failures, and loss of control over critical data. Inaction would not only jeopardise the continuity of vital public services but also expose the Council to legal penalties under data protection and cyber-security regulations, further amplifying the reputational and financial impact of a successful cyber-attack.   Considering the potential risk associated with offering services to other local authorities, it is imperative to deploy the correct software and toolsets to effectively deliver these services. Failure to do so could hamper our capability, thereby reducing income and revenue opportunities.   The source of funding is: Capital Programme - C00223.   Legal Advice obtained: Supplied by: The Shared Legal Service When commissioning contracts for the procurement of goods, services or the execution of works, the Council must comply with the requirements of public procurement legislation and its own Contractual Standing Orders (CSO’s) failing which the decision may be subject to legal challenge from an aggrieved provider. CSO’s stipulate that where a suitable framework exists, this must be used unless there is an auditable reason not to do so. The proposed award of the contract is to be undertaken by way of a call off under the relevant CCS framework, Crown Commercial Service framework, Network Services 3, Lot 1a RM6116 for “Inter Site Connectivity (Wider Area Network) / Data Access Services.   The Council will need to have followed the procedure set out under the terms of the framework agreement to ensure the direct award to The Network People Ltd is compliant.   The report sets out in some detail the risks involved should the Council fail to address the increasingly sophisticated threat to cyber security and the potential consequences of a failure to do so, such as disruption of services, data breaches, financial consequences and regulatory non-compliance.   Financial Advice obtained: submitted by: Grace Rogerson – Capital Finance Manager – 01/05/2025 The report is seeking approval to enter into a contract with The Network People Ltd to purchase software and hardware to enhance the cyber security ecosystem. The report provides a comprehensive analysis of the risks the council faces if it fails to address the escalating cyber threats. By entering into this contract, the council can significantly enhance its cyber resilience, safeguard its digital infrastructure and ensure the secure functioning of public services in an increasingly digital environment. This contract will further contribute to mitigating the financial risks associated with potential cyber attacks, which can exceed £10 million in certain scenarios.   As highlighted in the report, cyber has been identified as the council’s highest corporate risk, emphasising the critical need for a robust and proactive approach to cyber resilience across all services and systems. There is approved unsupported borrowing within the Digital, Data and Technology capital programme for 25/26 to fund the contract value - £0.995m. The contract to be awarded is for a three year period, upfront contractual payment will achieve significant interest cost savings, which continues to promote value for money. Procurement Advice obtained: Supplied by: Emma Heyes, Category Manager The proposed route to market will be facilitated via a direct award using the Crown Commercial Services RM6116 Network Services 3, which was procured under Public Contract Regulations 2015.   Direct award is permissible on this framework, and contracting authorities must satisfy themselves that the call-off procedure is compliant with the framework rules and their own internal governance.   The CCS Buyer Guidance for RM6116 describes that buyers’ must engage with all suppliers on the relevant Lot. In order to conduct a direct award, buyers need to search and evaluate the available service offers on the Digital eMarketplace.Buyers must compare the service offers against its statement of requirements to identify service offers that meet its needs.  There is always a risk with direct award that value for money can’t always be demonstrated.   Pre-market engagement with other suppliers on Lot 1a of this framework has not been undertaken as required under the terms of the framework, however the rationale for the direct award described earlier in the report is for technical and operational reasons and that TNP are the only supplier able to provide the services described.   The Council has assurances directly from Fortinet that TNP are their highest accredited partner in Europe, bringing the highest level of technical capability and expertise to Salford City Council's programme.  Given the significant investment in their capability with Fortinet's Security Fabric, including advanced capabilities with Fortinet's SecOps offerings, they are the only partner Fortinet believe are suitable for a deployment of this kind due to the specific nature of the programme.   Due to the absence of pre-engagement with other providers, as required under the terms of the framework, there remains a risk of challenge from aggrieved providers if we haven’t correctly followed the call-off process, and the risk increases in tandem with the value and term of a contract, however this can be mitigated somewhat for the reasons outlined above, and that other suppliers wouldn’t attract the same discounts as TNP.   The RM6116 Framework Schedule 6 and accompanying Framework and Joint Schedules must be completed to form the contract between the parties, which will require sealing by legal services.   HR Advice obtained: N/A   Climate Change Implications obtained: N/A   Contact Officer: Mark Williamson (Cyber Portfolio Lead) / Matt Wall ( Head of cyber and Technology) Telephone number: mark.williamson@salford.gov.ukMatt.wall@salford.gov.uk     Signed:     Cllr J Youd         Dated:     19 May 2025.                Lead Member   FOR DEMOCRATIC SERVICES USE ONLY:   *           This decision was published on 20 May 2025 *           This decision will come in force at 4.00 p.m. on 28 May 2025 unless it is called-in in accordance with the Decision Making Process Rules.