PCD 1813 C&C Windows Server 2012 Upgrade Implementation

Executive Summary:   

This Business Justification concerns the upgrade of the Microsoft Windows 2012 servers supporting the Command and Control system used by the Met.  It is necessary to reduce risk of extended unplanned outages posed by legacy technologies, ensure vendor support and reduce cyber risk by being able to security patch the servers. 

Recommendation: 

The Deputy Mayor for Policing and Crime, via the Investment Advisory and Monitoring meeting (IAM), is asked to: 

• Approve a project to implement the Microsoft Server upgrade for the Command and Control system using existing suppliers and at a capital cost totalling £767k across 2024/25, 2025/26 & 2026/27 from the MOPAC-approved Digital, Data and Technology (DDaT) Capital Plan. 

PART I - NON-CONFIDENTIAL FACTS AND ADVICE TO THE DMPC 

1. Introduction and background 

1. The suite of Mission Critical C&C applications forms an integral part of the service provided to the community of London and the Front-Line staff that respond to incidents and requests for help for which it is critical to have a dependable, stable, and supported C&C platform.  

2. Most of the Microsoft Windows servers in the C&C environment are running Microsoft Windows Server 2012R2 for which extended support ended on 10th October 2023. Microsoft Windows Server 2019 is proposed as the target version of Microsoft Windows Server which has mainstream support until 9th January 2024 and extended support until 9th January 2029. Where feasible, servers will be upgraded to Microsoft Windows Server 2022 to provide a longer lifetime. 

3. This work has no bearing on the future Command and Control replacement programme and relates to the existing Mission Critical service only. 

2. Issues for consideration 

1. Extended Security Updates for the Microsoft Windows Server 2012 platform can be bought until October 2026. After this there are no further support options available for the WS2012 platform. It is likely that several elements of the current C&C environment will need to remain available after October 2026. 

2. The current Mission Critical C&C service is contracted until October 2029, with current forecasts for the replacement C&C solution to be delivered in 2027. 

3. The business case continues the programme of work which started under an earlier project, which covered the assessment and design phase of the upgrade of the C&C Windows Server 2012R2 estate. 

4. Contributes to the New Met for London (NMfL) Plan and / or MOPAC Police & Crime Plan 2022-25 

5. The Command & Control (C&C) system is a Mission Critical service supporting the MPS in keeping Londoners safe by providing call handling, management and retrieval of emergency calls and subsequent resource deployment to all emergency events. It plays an integral part in the New Met for London plan by helping to enable focus on the community and the frontline. It is essential to have a stable, reliable and supported C&C system in order to maintain this focus. 

3. Financial Comments  

1. Commercially sensitive finance, commercial and legal detail has been redacted. This information is contained in the restricted section of the report. This is to ensure a compliant procurement process. 

2. The Windows Server 2012 Upgrade Implementation project, if approved, will be completed for a capital cost of £767k fully funded from the MOPAC approved DDaT Capital Plan. 

3. Commercial Services have approved the request to use the existing Unisys Command and Control contract. It has been confirmed that the requirement is not within the scope of the core service charges of the Unisys Command and Control agreement and is not available as a catalogue service offering. The services required to deliver the upgrade will be procured via a Contract Change Notice. 

4. The Command and Control Contract commenced in October 2024, and so represent the most cost-efficient rates for services are used. Furthermore, value for money on this project has been assured because the services being procured are on a fixed cost basis and have been reviewed by the project team.  

5. This is a one-off project requirement and there is no requirement to amend the existing contracts via change control because of this project. 

4. Legal Comments 

1. The Mayor’s Office for Policing and Crime (“MOPAC”) is a contracting authority as defined in the Public Contracts Regulations 2015 (“the Regulations”). All awards of public contracts for goods and/or services valued at £214,904 or above shall be procured in accordance with the Regulations. This report confirms the value of the proposed contract exceeds this threshold. 

2. The detailed routes to market are compliant with the Regulations as follows. The proposed services are within the financial and technical scopes for the MOPAC’s current (i) Infrastructure, (ii) Command and Control, (iii) Applications Management, and (iv) Value Added Reseller contracts. It is also confirmed that the H.T.E Framework was procured compliantly in accordance with the Regulations and the proposed direct award is a compliant within accordance with the framework agreement’s terms. 

5. Commercial Issues  

1. The project will issue Project Work Orders under existing contracts with BT, Capgemini and Unisys. These contracts are respectively: the Call Routing Agreement 2 (CRA2), the Pegasus Infrastructure Tower and the Call Handling System (CHS).  

6. GDPR and Data Privacy 

1. The MPS is subject to the requirements and conditions placed on it as a 'State' body to comply with the European Convention of Human Rights and the Data Protection Act (DPA) 2018. Both legislative requirements place an obligation on the MPS to process personal data fairly and lawfully in order to safeguard the rights and freedoms of individuals.  

2. Under Article 35 of the General Data Protection Regulation (GDPR) and Section 57 of the DPA 2018, Data Protection Impact Assessments (DPIA) become mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects.  

3. The Information Assurance and Information Rights units within MPS will be consulted at all stages to ensure the project meets its compliance requirements.  

4. The project does not use personally identifiable data of members of the public, so there are no GDPR issues to be considered. 

7. Equality Comments   

1. MOPAC is required to comply with the public sector equality duty set out in section 149(1) of the Equality Act 2010. This requires MOPAC to have due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations by reference to people with protected characteristics. The protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. 

2. As this is a one-off project to be completed by the incumbent supplier as part of an existing service this work does not change any aspects relating to equality or diversity. 

8. Background/supporting papers 

None.