Cyber Security incident response contracts: FOI release

Information requested

I'd like to make a request for information in relation to your cyber security contracts. In particular:

• When was the NCC Incident Response contract awarded?
• What is the scope of the contract?
• After what procurement or fair competition process was this contract awarded?
• What is the value and length of the contract?

And in your clarification you further asked:

if you're able to share details of all contracts held with NCC over the last 5 years that would be appreciated.

Response

There are two incident response retainers publicly listed as supplied by the NCC Group within the last five years, and as you have not specified which of these your query relates to, I have responded below in relation to both of them (bullets 1 and 2)

Further in your clarification you asked for details of all contracts held with NCC over the last 5 years, which has led to the identification of one further contract which I have listed as bullet 3 under your original headings (although not specifically an Incident response contract)

When was the NCC Incident Response contract awarded?

1. August 2023

2. September 2023

3. August 2025

What is the scope of the contract?

1. Incident response retained services

2. Incident response retained services

3. Lessons Learned Multi Factor Authentication Coverage Pilot

After what procurement or fair competition process was this contract awarded?

1. GCloud Purchase

2. GCloud Purchase

3. Digital technology and cyber services: dynamic purchasing system

What is the value and length of the contract?

The total value as published is:

1. £139,800

2. £120,000

3. £36,000

The length of the contract is:

1. We consider this information to be exempt from disclosure under section 30(c) of FOISA, further details below.

2. We consider this information to be exempt from disclosure under section 30(c) of FOISA, further details below.

3. 11/08/2026 – 10/01/2026

As outlined above, we consider that the information requested in some parts of your request is exempt under 30(c) of FOISA (prejudice to effective conduct of public affairs). In considering these exemptions we have taken account of the fact that disclosure of information under the FOISA is to “the world at large”, not just to an individual applicant. We are therefore required to consider the effect of releasing the information into the public domain.

We recognise that there is an inherent public interest in openness and transparency regarding the spending of public money and in demonstrating that funding is used effectively. However we have to balance this interest with the ability of those responding to incidents to operate safely and securely, as well as to protect our networks and information, all of which is required to enable the conduct of public affairs. To disclose the above may prejudice this by providing information about the maturity of our incident response provision, which may be used by hostile actors.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.