The Cabinet Office has outlined a new policy which will require suppliers to central government departments to comply with, and be accredited under, the 'Cyber Essentials' scheme in many instances. The new procurement policy has effect from 1 October.
Under the policy, suppliers that would be involved with processing or storing personal data or those supplying IT systems or services to departments handling 'official' government data would, subject to limited exceptions, be obliged to comply with the standards set out under the Cyber Essentials scheme (12-page / 267KB PDF).
"It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain," Cabinet Office minister Francis Maude said. "Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business’s clear stance on cyber security."
"Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so," Maude said.
The Cyber Essentials scheme was introduced earlier this summer as an initiative designed to help businesses win recognition for the cyber security measures they put in place. Businesses can apply for either a 'cyber essentials' certificate or a 'cyber essentials plus' certificate under the scheme. Compliance with either scheme is assessed with reference to guidelines (17-page / 513KB PDF) the government published that set out "basic controls" organisations can implement to protect against hacking attacks and other cyber security breaches.
The guidelines address cyber security aspects that range from deploying firewalls, secure configuration of devices and networks, laying down restrictions on access to systems and data, tackling the threat of malicious software and managing software and security updates appropriately.
A 'cyber essentials' certificate is issued if a business self-assesses their own compliance with the guidelines and their assessment is independently verified. A 'plus' certificate is only available if a business allows the cyber security measures it has in place to be independently tested for compliance with the 'cyber essentials' guidance.
In its new procurement policy note, the Cabinet Office explained that suppliers may be able to win some central government contracts without being accredited under the Cyber Essentials scheme. However, it outlined certain types of contracts which only accredited suppliers would be eligible to perform.
If suppliers would be involved in handling personal data of the public or government employees, or if they are providing IT systems and services that are "designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme" then those suppliers would, generally, be required to "demonstrate that they meet the technical requirements prescribed by Cyber Essentials", the Cabinet Office said.
The Cabinet Office said that government departments are able to require suppliers to be Cyber Essentials accredited in other cases, subject to conditions. Requiring suppliers to adhere to the cyber security standards under the scheme is an option open to government departments where a "cyber security risk is identified which would not be managed by any of the existing security requirements and where the use of Cyber Essentials is a relevant and proportionate way to manage this", according to the new policy.
Procurements through the G-Cloud or some other existing IT contract frameworks, including the digital services framework and ID assurance framework, would be exempt from the new policy. Contracts tendered by the Ministry of Defence are also exempt.
The policy also explains that businesses that adhere to the ISO27001 standard could also be held as meeting equivalent standards of cyber security as businesses accredited under the Cyber Essentials scheme and therefore not have to win accreditation for their approach to cyber security under that scheme to win government contracts.
If forcing suppliers to comply with the Cyber Essentials scheme would be "clearly disproportionate", government departments may also contract with providers that do not achieve the standards set out under that scheme, according to the policy.