1. The cyber security of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and public services. Against this background, the Scottish public sector wants to ensure its suppliers have appropriate cyber security in place. That’s because:
- We have a duty to prevent our public services from being disrupted by cyber attacks on suppliers; and
- We want to support our suppliers to improve their cyber security, because it’s good for the sustainability and resilience of our digital economy and society.
2. To help improve supply chain cyber security, the Scottish public sector is being encouraged to adopt a more consistent approach. This will involve them implementing:
- A Guidance Note, which has been produced for all public sector organisations, setting out best practice from the National Cyber Security Centre (the UK technical authority on cyber security).
- A beta version of a decision-making support tool called the Scottish Cyber Assessment Service (SCAS), which all suppliers bidding for public sector contracts may be asked to use.
3. This guidance is for suppliers to the public sector who wish, or who have been asked, to make use of the SCAS tool. It provides some basic information about how to use the tool, and what its benefits are expected to be.
- Completing a SCAS questionnaire can require time and effort, depending on (i) the risk profile of a contract and (ii) how well you understand your organisation’s cyber resilience arrangements.
- It is vital that you leave sufficient time for your organisation to complete the SCAS questionnaire ahead of any procurement deadlines.
4. The SCAS tool itself has been designed to be intuitive to use, and includes links to guidance and advice for suppliers. You can also access a presentation on SCAS here.
Future development of SCAS
5. A public sector working group has been established to oversee developments and improvements to the beta version of the SCAS tool. Following an initial operational period of 6 months, we expect an updated version of SCAS to be put in place.