1. To assist all Scottish public sector organisations to implement the Supplier Cyber Security Guidance Note (“the Guidance Note”) in a consistent way, the Scottish Government Cyber Resilience Unit has worked with Procurement Centres of Expertise and key public sector partners to develop a beta version of a decision-making support tool – the Scottish Cyber Assessment Service (SCAS) – for optional use.
2. SCAS supports public sector organisations to (i) undertake information/cyber assurance assessments, (ii) identify appropriate, proportionate cyber security requirements, and (iii) seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.
3. This advice note covers the following key issues:
i. An overview of the key features of the SCAS tool.
ii. Information on how the SCAS tool supports consistent implementation of NCSC Principle 5.
iii. Advice on how organisations can work to embed the use of SCAS in procurement processes.
iv. Advice on the Cyber Implementation Plan (CIP) process that forms a key part of the SCAS tool’s “fit” with procurement processes.
4. The following supporting documentation is available:
(i) Example Tender and Contract Wording:
- Section A sets out some example wording that can be used in contract notices and invitations to tender.
- Section B sets out some example wording that can be used in contractual terms and conditions. It includes links to Scottish Government standard terms and conditions that are made available to the wider public sector, which have been adjusted to facilitate use of SCAS and reflect best practice in respect of cyber security generally.
(ii) Cyber Implementation Plan – Template and Example, which provides a Cyber Implementation Plan template for use in the CIP process.
It is important to understand that SCAS is intended as a decision-making support tool. It is not intended to replace a contracting authority’s obligation to fully consider and manage all relevant cyber risks to a contract.
If in doubt, please ensure that you consult a cyber security expert.