PCD 1530 ExtraHop Deployment to Condor

PCD 1530 ExtraHop Deployment to Condor

This paper seeks the approval to proceed with the procurement and implementation of a network intrusion and prevention solution based upon the ExtraHop Reveal(x) technology. ExtraHop is currently deployed within the MPS datacenters.  This paper is seeking funds to deploy the solution into a new datacenter and renewal of licenses of the existing datacenter.  

This is in support of the MPS Cyber Security Strategy.  

Recommendation: 

The Deputy Mayor for Policing and Crime is recommended to: 

1. Approve Capital costs inclusive of hardware, technical services and project management resources at a value of £845.5k fully funded within the MOPAC approved DDaT Capital Plan. 

2. Approve Project revenue costs of £40k for ITHC awarded to Capgemini fully funded within the MOPAC approved DDaT revenue budget. 

3. Approve the direct award of a contract for a Network Intrusion and Prevention solution to Kedron via a value-added reseller with a total contract value of £1.3m and a term of three years. This is fully funded within the DDaT MOPAC approved revenue budget. 

PART I - NON-CONFIDENTIAL FACTS AND ADVICE TO THE DMPC 

1. Introduction and background  

1. The MPS published the Cyber Security Strategy externally in late 2019, which focused on a number of key themes revolving around protecting data, reinforcing identities, inspecting network traffic and training preparedness.  These are borne out from the need to protect the organisation from external threats and from those emanating from within. The Strategy focuses on providing approaches and outcomes in meeting the perceived and actuated threats. 

2. Traditionally Policing operated from closed environments within its own boundary with only essential egress of services to other Police / Criminal Justice partners. The boundary controls robust as they are generally kept external threats at bay. Over time and more so today through mobility and accessing external services (e.g. Cloud, Collaboration etc.) these closed environments have opened up and data is now accessible on the move. While the landscape is changing the threat exposure is greater, organisations evolve and so do threats. 

3. One of the core pillars of the strategy is Transparency of Traffic, where harmful content must be excluded where possible, detected where not and contained where it exists.  Understanding and monitoring data movement throughout systems is critical. 

4. The proposed solution from ExtraHop Reveal(x) uses the network and the transactions that flow across it as the most comprehensive source of data, which provides insight into what is happening in the environment.  Reveal(x) is central to the Met’s ability to provide visibility across these discrete areas.  Reveal(x) can also aid in the identification of where sensitive data is accessed and moved unexpectedly and in the aftermath of a breach, can pinpoint exactly what data was accessed, from where and by whom to determine the breadth and severity of a breach and identify compromised records. 

2. Issues for consideration 

1. This information is contained in the restricted section of the report. 

2. Contributes to the MOPAC Police & Crime Plan 2022-25 

3. ExtraHop Reveal(X) provides a Network Detection and Response capability that will protect the digital infrastructure of the MPS by making best use of technology in readiness for Cyber emergencies. 

3. Financial Comments  

1. Capital costs inclusive of hardware, technical services and project management resources at a value of £845.5k fully funded within the MOPAC approved DDaT Capital Plan. 

2. Project revenue costs of £40k for ITHC awarded to Capgemini fully funded within the MOPAC approved DDaT revenue budget. 

3. The remainder of this information is contained in the restricted section of the report. 

4. Legal Comments 

1. The Mayor’s Office for Policing and Crime (“MOPAC”) is a contracting authority as defined in the Public Contracts Regulations 2015 (“the Regulations”).  All awards of public contracts for goods and/or services valued at £189,330 or above shall be procured in compliance with the Regulations and MOPAC governance.  This report confirms the value of the proposed contract exceeds the above threshold.  Accordingly, the Regulations shall be engaged. 

2. The route to market shall be the MOPAC’s reseller contract with CDW.  The report also confirms the proposed contract falls within the technical and financial scope of the CDW contract and that the CDW contract was procured compliantly.  The procurement of ExtraHop Reveal(x) via CDW is a compliant route to market. 

3. Paragraph 4.8 of the MOPAC Scheme of Delegation and Consent provides that the Deputy Mayor for Policing and Crime (DMPC) has delegated authority to approve business cases for revenue or capital expenditure of £500,000 or above. 

4. Under paragraph 4.13 of the MOPAC Scheme of Delegation and Consent the Deputy Mayor for Policing and Crime (“DMPC”) has delegated authority to approve all requests to go out to tender for contracts of £500,000 or above. Further, the DMPC has delegated authority under the same paragraph to approve the procurement strategy for all revenue and capital contracts of a total value of £500,000 or above, such determination to include decisions on the criteria and methodology to be adopted in the tendering process, any exemptions from procurement requirements, and any necessary contract extensions.  

5. Under paragraph 4.15 of the MOPAC Scheme of Delegation and Consent the DMPC has authority to award contracts with a total value of £500,000 or above. 

5. Commercial Issues  

1. The direct award of a contract for a Network Intrusion and Prevention solution to Kedron via a value-added reseller with a total contract value of £1.3m and a term of three years. This is fully funded within the DDaT MOPAC approved revenue budget. 

2. This will be procured the Value added reseller (VAR) contract with CDW, which was awarded via the Tech products Crown Commercial Services Framework Agreement. 

6. GDPR and Data Privacy  

1. The MPS is subject to the requirements and conditions placed on it as a 'State' body to comply with the European Convention of Human Rights and the Data Protection Act (DPA) 2018. Both legislative requirements place an obligation on the MPS to process personal data fairly and lawfully in order to safeguard the rights and freedoms of individuals. 

2. Under Article 35 of the General Data Protection Regulation (GDPR) and Section 57 of the DPA 2018, Data Protection Impact Assessments (DPIA) become mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects. 

3. The Information Assurance and Information Rights units within MPS will be consulted at all stages to ensure the project meets its compliance requirements. 

4. The project does not use currently personally identifiable data of members of the public, so there are no current GDPR issues to be considered. If the project uses personally identifiable data of members of the public at a later date DPIAs will be completed as needed. 

7. Equality Comments   

1. MOPAC is required to comply with the public sector equality duty set out in section 149(1) of the Equality Act 2010. This requires MOPAC to have due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations by reference to people with protected characteristics. The protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. 

2. There are no equality or diversity issues arising from this request. 

8. Background/supporting papers 

1. Appendix 1 MPS Part 1 Paper – ExtraHop Deployment to Condor 

Part 2 – This section refers to the details of the Part 2 business case which is NOT SUITABLE for MOPAC Publication.   

 The Government Security Classification marking for Part 2 is:  

OFFICIAL-SENSITIVE [COMMERCIAL]  

 Part 2 of ExtraHop Deployment to Condor BJP is exempt from publication for the following reasons:  

•  Exempt under Article 2(2)(a) of the Elected Local Policing Bodies (Specified Information) Order 2011 (Data Protection Section 43 – Commercial Interests).    

The paper will cease to be exempt upon completion of the contract. This is because the information is commercially sensitive and could compromise future procurement activity.