Content

Salford City Council – Record of
Decision
 
I Councillor Youd, Lead Member
for Finance and Support Services and chairman of the Procurement
Board, in exercise of the powers contained within the
Council Constitution
do hereby:
 

approval to Award the
Purchase of software and hardware to enhance the cyber security
ecosystem, as detailed in the table below:

Detail
required

Answers

Title/Description of Contracted
Service/Supply/Project

Cyber Security
Ecosystem

Procurement Reference numbers (DN
and CR number supplied by Procurement)

S1767

Name of Successful
Contractor

The Network People (TNP)
Ltd

Supplier Registration
Number
(to be supplied by
Procurement

07667393

Proclass Classification
No.
(to be completed by
procurement)

271430

Type of
organisation
(to be supplied by
Procurement)

Private Limited
Company

Status of
Organisation
(to be supplied by
Procurement)

SME

Contract Value
(£)

£         
per annum

Total contract value £
(including extensions)

£995,671.70 total project
value

Contract
Duration

36 months

Contract Start
Date

02/06/2025

Contract End
Date

01/06/2028

Optional Extension Period
1

months

Optional Extension Period
2

months

Who will approve each Extension
Period?

Choose an item

Contact Officer (Name &
number)

Mark Williamson / Matt Wall

 

 

 

Lead Service
Group

Reform &
Transformation

How the
contract was procured?
(to be supplied by
procurement)

Direct Award/ Call
off

Framework Details (where
applicable)
(procurement body, framework
reference & title, start/ end date

Crown Commercial
Services
Network Services 3
RM6116

Funding
Source

Capital Programme

Ethical Contractor (EC):
Mayor’s Employment Charter

No
 

EC: Committed to sign The
Mayor’s Employment Charter

Yes
 
 

EC: Committed to the principles
outlined in the Mayor’s Employment
charter

N/A
 

EC: Accredited Living Wage
Employer

Yes
 

EC: Committed to becoming
Accredited Living wage Employer

N/A
?

 
The
Reasons are:
Salford City Council’s
digital transformation has not only advanced service delivery,
efficiency, and accessibility but also introduced new
vulnerabilities within an increasingly complex cyber threat
landscape. The integration of cloud-based services and AI-driven
technologies, while beneficial, has expanded the attack surface,
making the council a more attractive target for cybercriminals
employing sophisticated tactics.
Malicious actors now leverage
AI to automate and scale attacks, such as phishing campaigns that
mimic official communications, deepfake impersonations of council
officials, and AI-powered ransomware capable of identifying and
exploiting system vulnerabilities faster than traditional security
measures can respond. Additionally, the growing reliance on
third-party cloud services presents heightened risks, including
potential data breaches, unauthorised access, and supply chain
attacks that can compromise critical infrastructure and disrupt
essential public services.
 
To effectively counter these
evolving threats, Salford City Council must not only deploy
advanced AI-driven cyber-security tools capable of real-time threat
detection and response but also adopt a zero-trust architecture
that assumes no user or device is inherently trustworthy and
mandates continuous verification for system access.
 
Furthermore, comprehensive
incident response plans must be established to ensure rapid
containment and recovery from cyber incidents, minimising potential
operational, financial, and reputational damage.
 
Options considered and
rejected were:
None.
 
Assessment of Risk:
Failure to implement enhanced
cyber-security measures exposes Salford City Council to significant
and growing risks which will only increase the risk and likelihood
of an attack. Without AI-driven security tools, zero-trust
architecture, robust cloud protections, comprehensive employee
training, and a mature incident response plan, the Council remains
vulnerable to sophisticated AI-enhanced cyber-attacks. These
threats could lead to major service disruptions, data breaches
involving sensitive citizen information, severe financial losses,
and irreparable damage to public trust.
 
As cybercriminals, nation-state
actors, and hacktivists increasingly exploit AI to automate,
accelerate, and personalise attacks, Salford risks falling behind
the evolving threat landscape. Additionally, without strong cloud
security governance, the Council could suffer from unauthorised
access, vendor lock-in vulnerabilities, compliance failures, and
loss of control over critical data. Inaction would not only
jeopardise the continuity of vital public services but also expose
the Council to legal penalties under data protection and
cyber-security regulations, further amplifying the reputational and
financial impact of a successful cyber-attack.
 
Considering the potential risk
associated with offering services to other local authorities, it is
imperative to deploy the correct software and toolsets to
effectively deliver these services. Failure to do so could hamper
our capability, thereby reducing income and revenue
opportunities.
 
The source of funding
is: Capital Programme
- C00223.
 
Legal Advice
obtained:
Supplied by: The Shared Legal Service
When commissioning
contracts for the procurement of goods, services or the execution
of works, the Council must comply with the requirements of public
procurement legislation and its own Contractual Standing Orders
(CSO’s) failing which the decision may be subject to legal
challenge from an aggrieved provider. CSO’s stipulate that
where a suitable framework exists, this must be used unless there
is an auditable reason not to do so. The proposed award of the
contract is to be undertaken by way of a call off under the
relevant CCS framework, Crown Commercial Service framework, Network
Services 3, Lot 1a RM6116 for “Inter Site Connectivity (Wider
Area Network) / Data Access Services.
 
The Council will need
to have followed the procedure set out under the terms of the
framework agreement to ensure the direct award to The Network
People Ltd is compliant.
 
The report sets out in
some detail the risks involved should the Council fail to address
the increasingly sophisticated threat to cyber security and the
potential consequences of a failure to do so, such as disruption of
services, data breaches, financial consequences and regulatory
non-compliance.
 
Financial Advice
obtained:
submitted by: Grace Rogerson – Capital Finance
Manager – 01/05/2025
The report is seeking
approval to enter into a contract with The Network People Ltd to
purchase software and hardware to enhance the cyber security
ecosystem. The report provides a comprehensive analysis of the
risks the council faces if it fails to address the escalating cyber
threats. By entering into this contract, the council can
significantly enhance its cyber resilience, safeguard its digital
infrastructure and ensure the secure functioning of public services
in an increasingly digital environment. This contract will further
contribute to mitigating the financial risks associated with
potential cyber attacks, which can
exceed £10 million in certain scenarios.
 
As highlighted in the
report, cyber has been identified as the council’s highest
corporate risk, emphasising the critical need for a robust and
proactive approach to cyber resilience across all services and
systems.

There is approved unsupported
borrowing within the Digital, Data and Technology capital programme
for 25/26 to fund the contract value - £0.995m. The contract to be awarded is for a
three year period, upfront contractual payment will achieve
significant interest cost savings, which continues to promote value
for money.

Procurement Advice
obtained: Supplied by: Emma Heyes,
Category Manager
The
proposed route to market will be facilitated via a direct award
using the Crown Commercial Services RM6116 Network Services 3,
which was procured under Public Contract Regulations
2015.
 
Direct award is permissible on this framework, and contracting
authorities must satisfy themselves that the call-off procedure is
compliant with the framework rules and their own internal
governance.
 
The
CCS Buyer Guidance for RM6116 describes that buyers’ must
engage with all suppliers on the relevant Lot. In order to conduct
a direct award, buyers need to search and evaluate the available
service offers on the Digital eMarketplace.Buyers must compare the service offers
against its statement of requirements to identify service offers
that meet its needs.  There is always a
risk with direct award that value for money can’t always be
demonstrated.
 
Pre-market engagement with other suppliers on Lot 1a of this
framework has not been undertaken as required under the terms of
the framework, however the rationale for the direct award described
earlier in the report is for technical and operational reasons and
that TNP are the only supplier able to provide the services
described.
 
The
Council has assurances directly from Fortinet that TNP are their
highest accredited partner in Europe, bringing the highest level of
technical capability and expertise to Salford City Council's
programme.  Given the significant
investment in their capability with Fortinet's Security Fabric,
including advanced capabilities with Fortinet's SecOps offerings,
they are the only partner Fortinet believe are suitable for a
deployment of this kind due to the specific nature of the
programme.
 
Due
to the absence of pre-engagement with other providers, as required
under the terms of the framework, there remains a risk of challenge
from aggrieved providers if we haven’t correctly followed the
call-off process, and the risk increases in tandem with the value
and term of a contract, however this can be mitigated somewhat for
the reasons outlined above, and that other suppliers wouldn’t
attract the same discounts as TNP.
 
The
RM6116 Framework Schedule 6 and accompanying Framework and Joint
Schedules must be completed to form the contract between the
parties, which will require sealing by legal services.
 
HR Advice
obtained: N/A
 
Climate Change Implications
obtained: N/A
 
Contact Officer: Mark Williamson (Cyber Portfolio Lead) / Matt Wall
( Head of cyber and Technology)
Telephone number: mark.williamson@salford.gov.ukMatt.wall@salford.gov.uk
 
 

Signed:     Cllr J
Youd         Dated:     19 May
2025.
           
   Lead Member
 

FOR DEMOCRATIC SERVICES USE
ONLY:
 
*          
This decision was published on 20 May 2025
*          
This decision will come in force at 4.00 p.m. on 28 May 2025
unless it is called-in in
accordance with the Decision Making
Process Rules.