The Government has updated its policy on the cyber security controls that it requires suppliers of certain public contracts to have in place. Procurement Policy Note 09/23 updates and replaces PPN 09/14 and applies to all central government departments, their executive agencies, non-departmental public bodies and NHS bodies (In-Scope Organisations). It must be implemented in new procurements by In-Scope Organisations by the end of December 2023.

The PPN is also of wider interest to other public sector bodies who may wish to apply the guidance in the PPN to contracts which have a high cyber security risk.

Background

PPN 09/14 originally introduced a requirement for suppliers bidding for certain types of public contracts to hold Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials is a government-backed certification scheme which helps businesses to protect themselves against cyber attacks and demonstrate their commitment to cyber security (the Scheme).

Cyber Essentials assesses how an organisation has implemented technical controls in order to protect itself from cyber attacks. It is a self-assessment process where suppliers complete a questionnaire which is then verified by an independent certification body in order to obtain certification. Cyber Essentials Plus comprises remote and on-site vulnerability testing in addition to assessing the same technical controls as Cyber Essentials. The testing checks whether a supplier's security controls actually provide a defence against hacking and phishing attacks. Cyber Essentials Plus certification requires a more rigorous assessment so should only be used where there is a higher cyber security risk.

What are the updated requirements?

PPN 09/23 appears to move away from a one-size-fits-all approach of mandating that suppliers hold Cyber Essentials or Cyber Essentials Plus certification when delivering certain higher-risk contracts. Instead, In-Scope Organisations must first and foremost ensure that effective and proportionate cyber security controls are applied to such contracts in order to mitigate supply chain risks. There is no change to the types of contracts for which such cyber security controls need to be applied: these are described as contracts that have certain characteristics, such as:

  • Where personal information of citizens and/or government employees, ministers and special advisers is handled by a supplier;
  • Where ICT systems and services are supplied which are designed to store/process data at the OFFICIAL level; or
  • Where contracts deal with information related to the day-to-day business of government, service delivery and public finances.

PPN 09/23 states that for such contracts, the quickest and most effective means of mitigating cyber security risks is for the technical requirements to include either Cyber Essentials or Cyber Essentials Plus certification (or equivalent). Suppliers must review any Cyber Essentials certification annually for the duration of the contract, so In-Scope Organisations should monitor the supplier's certification on an annual basis.

PPN 09/23 also outlines some of the limitations of the Cyber Essentials Scheme for certain contracts, highlighting that In-Scope Organisations may now need to take a more considered and nuanced approach to the technical requirements used to mitigate cyber security risks. These limitations include:

  • The Scheme does not assure specific products or services being supplied. Where specific assurance of products or services is required, further standards should be applied;
  • The Cyber Essentials certification may not be enough to mitigate the risks if the contract is particularly high risk. In this case additional security controls should be put in place in order to mitigate the risk;
  • The Scheme is not designed to negate risk in respect of more advanced and targeted attacks. These types of risks will require more sophisticated measures;
  • The Scheme should not be applied as a blanket approach to all contracts; and
  • Security controls put in place must be relevant and proportionate to the contract being procured so as not to deter or overburden SMEs or VCSEs who may wish to bid for the contract.

In-Scope Organisations should note that where they are accessing cloud services through the Crown Commercial Service G-Cloud Commercial Agreements framework, suppliers on these Agreements are required to demonstrate that they comply with the Government's cloud security principles as opposed to Cyber Essentials, although suppliers are still encouraged to state their Cyber Essentials certification if they have it.

For further information, please see the full PPN.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.