Use of cyber security scheme made mandatory for certain government contracts

The Government is to make the adoption of a scheme aimed at reducing levels of cyber security risk mandatory for all central government contracts of a certain type advertised from this week (1 October).

In a public procurement policy note, the Cabinet Office said its ‘Cyber Essentials’ scheme must be used for contracts with characteristics involving the handling of personal information or the provision of certain ICT products and services.

Cyber Essentials “defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threat coming from the internet”, the Cabinet Office said.

The policy note, which can be viewed here, added: “Cyber Essentials is for all organisations, of all sizes, and in all sectors. Government is widely encouraging its adoption.”

The note applies to all central government departments including non-ministerial departments, executive agencies and non-departmental public bodies.

“Other contracting authorities (e.g. in local government and the wider public sector) may choose to apply the measures set out in [this note],” the Cabinet Office said.

The scheme has two levels of certification – Cyber Essentials and Cyber Essentials Plus. The latter requires vulnerability tests to be performed as part of the certification.

The Cabinet Office said Cyber Essentials offered a sound foundation of basic hygiene measures that all types of organisations could implement and potentially build upon.

“Government believes that implementing these measures can significantly reduce an organisation's vulnerability,” it said. “However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy.”