Information

Cyber Security Procurement Support Tool: guidance for suppliers

Guidance for suppliers on how to embed use of the Cyber Security Procurement Support Tool into the procurement process.


Introduction

1. The cyber security of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and public services. Against this background, the Scottish public sector wants to ensure its suppliers have appropriate cyber security in place. That’s because:

  • We have a duty to prevent our public services from being disrupted by cyber attacks on suppliers; and
  • We want to support our suppliers to improve their cyber security, because it’s good for the sustainability and resilience of our digital economy and society.

2. To help improve supply chain cyber security, the Scottish public sector is being encouraged to adopt a more consistent approach. This will involve them implementing:

  • A Guidance Note, which has been produced for all public sector organisations, setting out best practice from the National Cyber Security Centre (the UK technical authority on cyber security).
  • A decision-making support tool called the Cyber Security Procurement Support Tool (CSPST), which all suppliers bidding for public sector contracts may be asked to use.

3. This guidance is for suppliers to the public sector who wish, or who have been asked, to make use of the CSPST tool. It provides some basic information about how to use the tool, and what its benefits are expected to be.

Important

  • Completing a CSPST questionnaire can require time and effort, depending on (i) the risk profile of a contract and (ii) how well you understand your organisation’s cyber resilience arrangements.
  • It is vital that you leave sufficient time for your organisation to complete the CSPST questionnaire ahead of any procurement deadlines.

4. The CSPST tool itself has been designed to be intuitive to use, and includes links to guidance and advice for suppliers. You can also access a presentation on CSPST here.

Future development of CSPST

5. A public sector working group will oversee developments and improvements of the CSPST tool.

6. The Scottish Government would welcome feedback from suppliers on the CSPST tool. Please send all feedback to cyberfeedback@gov.scot.

Contact

Email: CyberResilience@gov.scot

Back to top