DMFD141 Network Security Licensing and Support Renewal

Key information

Decision type: Deputy Mayor for Fire

Reference code: DMFD141

Date signed:

Date published:

Decision by: Fiona Twycross, Deputy Mayor, Fire and Resilience

Executive summary

This report recommends that the Deputy Mayor for Fire and Resilience gives approval for the London Fire Commissioner (LFC) to commit revenue expenditure for the amount set out in Part 2 of the decision, to procure a new support contract for Cisco network security and licensing for up to five years from February 2022.

Over the past seven years, in response to ever-increasing cybersecurity and viral threats including ransomware, the Cisco network security infrastructure has grown significantly to include a number of specialist products to detect and prevent malicious activity. The London Fire Brigade (LFB) network security environment now includes a variety of Cisco components designed to secure and protect the LFB network. These products, combined, protect the various solutions LFB rely on, including LFB infrastructure, wired and wireless networks, hosted voice solutions, internet connectivity, and the mobilising environment.

The contract to support these devices has recently been extended for the final time and will need to be re-tendered for support to continue after February 2022. The scope of the contract will include not only hardware and software support for the relevant network security equipment, but also the required licences to ensure the security products are up to date and effective.

The London Fire Commissioner Governance Direction 2018 sets out a requirement for the LFC to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”.

Decision

The London Fire Commissioner agrees to commit revenue expenditure for the amount set out in part 2 of the decision to procure a new support contract for network security and licensing for up to five years from February 2022.

Part 1: Non-confidential facts and advice

1.1 Report LFC-0581 to the London Fire Commissioner (LFC) sets out the background for the request to commit revenue expenditure for the amount set out in part 2 of the decision to procure a new support contract for Cisco network security and licensing for up to five years from February 2022.

1.2 The London Fire Brigade (LFB) network infrastructure incorporates a security environment which has grown significantly over the last seven years. Initially it was introduced to separate the wireless and wired networks. This Cisco infrastructure has been developed and refined to meet the increasing digital threat and to comply with the ever-changing government security requirements designed to keep organisations safe from malicious threats.

1.3 The present security environment incorporates the Cisco identity services engine (ISE), the Cisco firewall management centre (FMC) and a variety of Cisco adaptive security appliance (ASA) firewalls, which are next-generation firewalls incorporating anti-malware protection.

1.4 A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organisation’s security policies. At its simplest, a firewall is the security barrier that sits between a private internal network and the outside world. A firewall’s main purposes are to allow non-threatening traffic in, and to keep dangerous or malicious traffic out.

1.5 The current setup was introduced in 2017. It is an ongoing solution that changes with the developments in technology and threats. The original tender involved the purchase, licensing and support of the equipment. This contract has been extended for the final time (three plus two years) and a new contract is required for February 2022 to ensure support and licensing can continue uninterrupted.

2.1 The environment consists of Cisco firewalls which require a new contract to ensure support and licensing can continue uninterrupted. No new products or hardware are being purchased.

2.2 These firewalls and security solutions are used for the following purposes:

  • control and mobilising system firewalls – Capita environment segregation and security
  • wireless local area network firewalls – wireless/wired network segregation
  • ISE
  • internet service provider (ISP) firewalls (internet connection (demilitarised zone)/ISP sites)
  • FMC – intrusion prevention system (IPS), and traffic management/analysis
  • predetermined attendance firewall – control personal computer segregation, virtual private network
  • voice firewalls – hosted voice solution.

2.3 The LFB network has over time become increasingly complex and critical to the operational effectiveness of the LFB. The essential purpose of retendering for support is to ensure all security items within the Cisco environment are kept up to date. Specifically, this includes software versions, patches, licensing and virus updates; and ensuring that the policies on the firewalls are fit for purpose. Below is a more in-depth explanation of the suite of Cisco products used to protect the LFB network.

2.4 Cisco ISE is a solution that provides context-aware identity management, and determines whether users are accessing the network on an authorised, policy-compliant device. It can establish the user’s identity, location and access history, which can be used for compliance and reporting. It can also assign services based on the assigned user role, group and associated policy (job role, location, device type and so on), and grant authenticated users access to specific parts of the network or applications.

2.5 Cisco ISE is currently being developed to ensure that only LFB laptop builds and devices can join the network, and that it will protect the network points at LFB premises. This protection of network points will only allow LFB devices to plug into the network. Any external device that is not recognised as an LFB device will not be able to access any network resources. This software protection of the network ports is essential if fire stations are to be opened to members of the public. Please note this is not a physical security method, but a software solution.

2.6 The Cisco ASA firewalls LFB use are industry-leading and are not only used to protect LFB from the outside world, but also used to segregate the LFB network from the mobilising network. This segregation between Capita and LFB is designed to protect both environments whilst allowing essential communications between the two networks.

2.7 Firewalls are also used to connect LFB to the external world via the ISP. These firewalls ensure activities such as remote access, web browsing, email, Microsoft 365 and other critical activities are safe and secure. They are also an integral part of the wireless network and, as LFB staff return to Union Street and other office-based locations, will become essential to enabling modern, flexible working.

2.8 An IPS is network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application, or potentially access the rights and permissions available to the compromised application.

2.9 The FMC is the administrative centre for Cisco security products, running on a number of different platforms. It provides complete and unified management of firewalls, application control, intrusion prevention, website filtering, and advanced malware protection. The Cisco FMC provides extensive intelligence about the users, applications, devices, threats and vulnerabilities that exist in the network. It also uses this information to analyse the network's vulnerabilities. It provides recommendations on what security policies to put in place and what security events you should investigate.

Costs

2.10 The exact cost may vary due to several factors, including general market conditions and exchange rates. Estimates based on current market costs of the equipment are set out in part 2 of this decision.

2.11 As part of the current ICT environment, the required sums are included in the current approved revenue budgets. The approval sought includes a contingency sum over the life of the contract, to allow for fluctuations in exchange rates and potential changes to the security architecture arising from organisational change. This sum can also be met from existing revenue budgets.

3.1 The LFC and the Deputy Mayor for Fire and Resilience are required to have due regard to the Public Sector Equality Duty (section 149 of the Equality Act 2010) when taking decisions. This in broad terms involves understanding the potential impact of policy and decisions on different people, taking this into account and then evidencing how decisions were reached.

3.2 It is important to note that consideration of the Public Sector Equality Duty is not a one-off task. The duty must be fulfilled before taking a decision, at the time of taking a decision, and after the decision has been taken.

3.3 The protected characteristics are: age, disability, gender reassignment, pregnancy and maternity, marriage and civil partnership (but only in respect of the requirements to have due regard to the need to eliminate discrimination), race (ethnic or national origins, colour or nationality), religion or belief (including lack of belief), sex, and sexual orientation.

3.4 The Public Sector Equality Duty requires decision-takers, in the exercise of all their functions, to have due regard to the need to:

  • eliminate discrimination, harassment and victimisation and other prohibited conduct
  • advance equality of opportunity between people who share a relevant protected characteristic and persons who do not share it
  • foster good relations between people who share a relevant protected characteristic and persons who do not share it.

3.5 Having due regard to the need to advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:

  • remove or minimise disadvantages suffered by persons who share a relevant protected characteristic where those disadvantages are connected to that characteristic
  • take steps to meet the needs of persons who share a relevant protected characteristic that are different from the needs of persons who do not share it
  • encourage persons who share a relevant protected characteristic to participate in public life or in any other activity in which participation by such persons is disproportionately low.

3.6 The steps involved in meeting the needs of disabled persons that are different from the needs of persons who are not disabled include, in particular, steps to take account of disabled persons’ disabilities.

3.7 Having due regard to the need to foster good relations between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:

  • tackle prejudice
  • promote understanding.

3.8 An Equality Impact Assessment has not been completed for this report as there will be no impact on any groups with protected characteristics. The outcome of the procurement will be a replacement of network and security products and licences and will therefore be transparent to users.

Workforce comments

4.1 There is no foreseeable impact on the workforce from continuing to have a supported network security environment. There would, however, be an impact on workforce resources and skillsets if the support agreement cannot be renewed, and if LFB ICT staff need to provide security without the relevant systems and manufacturer support that would be required.

Procurement

4.2 Use of the TfL ICT Resellers Framework was considered as a potential route to market. Contact has also been made with the GLA Collaborative Procurement team to seek interest from other functional bodies who may have a similar requirement. To date no expressions of interest have been received. This framework has now been discounted as there are others that offer more favourable commercials.

4.3 Other potential collaborative procurement routes that have been identified to date are the use of the Crown Commercial Service (CCS) Technology Services 3 Framework; and the NHS London Procurement Partnership (LPP) Information Management and Technology (IM&T) Framework.

4.4 Technology Services 3 offers public-sector buyers a flexible and compliant way to source all their technology product needs. Of the 253 suppliers on this framework, 64 per cent are SMEs. The UK public sector and their associated bodies and agencies, including the voluntary sector and charities, can use this framework.

4.5 LPP has established the IM&T Framework which consists of suitably experienced, capable, qualified and resourced suppliers available for use by NHS trusts, clinical commissioning groups, GP services, and other health and social care providers within the United Kingdom, as well as local authorities and third-sector organisations. The purpose of the framework is to provide a compliant route to market for each of the initiatives.

4.6 When tendering for this service on previous occasions, the CCS frameworks were used. However, they often resulted in limited tender responses. The LPP framework offers some additional suppliers that have not previously been invited to tender. In order to encourage maximum market engagement, it is likely that this framework will be the preferred route to market. A firm decision cannot be made at this point in time, as all of the documents for the CCS framework are not currently available, meaning that a full analysis cannot be carried out. From previous experience the LPP framework also offered more favourable commercials, which again will need to be assessed to ensure that best value is achieved.

4.7 Any new procurement activity will need to be undertaken in line with the GLA Group Responsible Procurement policy. At present no specific sustainability implications have been identified in relation to this procurement.

Conflicts of interest

4.8 There are no conflicts of interest to declare from those involved in the drafting or clearance of this decision.

5.1 The report recommends that revenue expenditure for the amount set out in part 2 of the decision is agreed to procure a new support contract for network security and licensing for up to five years from February 2022. The cost of this will be met from within existing ICT department budgets.

6.1 Under section 9 of the Policing and Crime Act 2017, the LFC is established as a corporation sole with the Mayor appointing the occupant of that office. Under section 327D of the GLA Act 1999, as amended by the Policing and Crime Act 2017, the Mayor may issue to the LFC specific or general directions as to the manner in which the holder of that office is to exercise his or her functions.

6.2 By direction dated 1 April 2018, the Mayor set out those matters for which the LFC would require the prior approval of either the Mayor or the Deputy Mayor for Fire and Resilience (the Deputy Mayor).

6.3 Paragraph (b) of Part 2 of that direction requires the LFC to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”.

6.4 The Deputy Mayor's approval is accordingly required for the LFC to commit to expenditure the sums set out in this report.

6.5 The statutory basis for the actions proposed in this report is provided by section 5A of the Fire and Rescue Services Act 2004, under which the LFC, being a ‘relevant authority’, may do ‘anything it considers appropriate for the purposes of the carrying out of any of its functions’.

6.6 The LFB’s General Counsel also notes that the proposed procurement route for this service is in compliance with the Public Contracts Regulations 2015 undertaken in line with the Commissioner’s policies and the GLA group Responsible Procurement policy.

  • Part 2 form - confidential

Signed decision document

Supporting documents

DMFD141 Part 2 - Network Security Licensing

DMFD141 Part 2 Appendix 1 - LFC-0581y
