31 Jan 2020
1. The purpose of this SPPN is to make public bodies aware of the publication of a Scottish public sector supplier cyber security guidance note on Wednesday 15 January 2020.
- Framework agreements and contracts have the potential to be susceptible to cyber risks. This new guidance is encouraged for use by public bodies to help them to assess their procurements for cyber risks at all stages of the procurement process.
- The guidance encourages public bodies to follow the key steps and principles in it wherever possible to help ensure a consistent approach to cyber security across the Scottish public sector.
- The guidance also highlights that a decision-making support tool is available for optional use by public bodies. The tool is being tested as an open beta. This means it is available for general use in a live environment to allow for the gathering of feedback to improve performance. Information about the guidance and the support tool is available on the Scottish Government website. Public bodies are encouraged to familiarise themselves with the guidance first before making use of the tool.
- More generally, to help with implementation of this guidance, we have put in place a Digital Technology Services dynamic purchasing system. It is a one-stop shop for purchasing bodies looking to buy cyber security services and resources, which can be obtained under Lot 3 Cyber Security Services.
2. The Scottish Government published a Public Sector Cyber Resilience Action Plan on 8 November 2017. This included a commitment to ‘develop a proportionate, risk-based policy in respect of supply chain cyber security, which should then be applied by public bodies in all relevant procurement processes’. This new guidance meets that commitment and is intended to help public bodies to determine the levels of cyber risk associated with any given contract.
Contracts and framework agreements that the guidance can apply to
3. The guidance applies mainly to new contracts and framework agreements. For existing procurements, a decision can be taken to complete an assessment retrospectively to help determine whether there is a cyber security risk and/or a data security risk relating to the processing of personal data. The guidance includes detailed advice about the steps that can be taken to conduct such a review.
4. The new guidance encourages a proportionate and flexible approach to setting minimum security requirements for suppliers. Public bodies should continue to make their own decisions and take their own legal advice about what levels of cyber security are appropriate and practical for suppliers to deliver on a case-by-case basis. This includes making use of cyber security certifications and accreditations, or equivalent, only where appropriate and proportionate to the level of cyber risk assessed to be present in specific contracts.
5. Please bring this SPPN to the attention of all relevant staff, including those in agencies, non-departmental public bodies and other sponsored public bodies within your area of responsibility.
The Scottish Government
5 Atlantic Quay