Cyber Security Procurement Support Tool: guidance for buyers

Guidance for buyers on embedding use of Cyber Security Procurement Support Tool into the procurement process.


Section A: Background

A (i): Cyber Security Procurement Support Tool (CSPST) Decision Making Support Tool – Overview

1. CSPST is a secure online cyber risk assessment and supplier assurance questionnaire tool. It is available to all Scottish public sector organisations[1]. It can be accessed here[2] and is signposted within PCS-t, PCS and in the Scottish Procurement Journey and Supplier Journey. It provides the following functionality:

  • Scottish public sector buyers can make use of the tool to answer a pre-determined set of risk profile assessment questions at the information/cyber risk assurance stage of a procurement process[3].
  • CSPST will then generate a risk profile for the contract in question. CSPST allows public sector organisations to adjust risk profiles to cater for their individual risk appetites and the risks involved in specific contracts, where they have the expertise to do so.
  • The risk profiles in CSPST correspond with a set of recommended minimum security requirements that suppliers can be asked/required to meet. (NB: Where no cyber risk is present, this will be identified and no requirements will be generated.)

These minimum security requirements correspond broadly with those set out at Principle 5 of the NCSC Principles and associated use cases, thus promoting consistency with NCSC guidance as per Key Point 2 of the Guidance Note.

  • On the basis of those minimum security requirements, a tailored Supplier Assurance Questionnaire (SAQ) is generated within CSPST. When going out to tender, buyers can include in their Invitation To Tender document a requirement for potential bidders to log onto CSPST and complete the SAQ in order to understand and demonstrate the extent to which they comply with the minimum cyber security requirements for that contract. Bidding suppliers can then be required to download an SAQ report and submit this along with their other tender documents for assessment by the contracting authority.
  • To ensure proportionality, a compliance appetite stage in the CSPST tool allows buyers to opt not to exclude bidders that do not currently meet the minimum cyber security requirements. Instead, buyers can place a requirement on bidders who do not currently meet the minimum requirements to complete a Cyber Implementation Plan (CIP), which sets out how the supplier will work towards meeting minimum requirements over a certain timeframe. The recommended approach is for completed CIPs to be submitted alongside SAQ reports and all other tender documents.
  • CSPST allows suppliers to save their answers against specific risk profiles, so that they can reuse information provided previously when bidding for any other public sector contracts with the same broad risk profiles. This can help minimise additional burdens on suppliers.
  • CSPST allows buyers to build up an overview of cyber risks in their suppliers over time.
  • CSPST has been designed to help “translate” the requirements of 3 key standards widely used in public and private sector procurement (Cyber Essentials, IASME Gold and ISO27001) into answers against the tool’s questions. This helps to minimise burdens on suppliers by reducing the total number of questions that bidding suppliers must answer.

2. For public sector organisations that do not wish to make use of CSPST as part of their procurement processes, the CSPST Question Set mirrors the online tool and is available here. Public sector organisations can adapt and incorporate this Question Set into existing processes if they wish to do so, to help drive greater consistency of practice across the Scottish public sector.

3. CSPST has been incorporated into Scottish Government procurement processes where appropriate. The standard terms and conditions for Scottish Government contracts, which can be adapted and used by all other public sector organisations, have been updated to facilitate use of the CSPST tool, and ensure best practice in respect of supplier cyber resilience. Some example wording for tendering and contractual processes is available in the Example Tender and Contract Wording document here.

Future development of CSPST

4. A public sector working group will oversee developments and improvements to the CSPST tool.

5. The Scottish Government would welcome feedback from contracting authorities and suppliers on the CSPST tool. Please send all feedback to cyberfeedback@gov.scot.

A (ii) Alignment of CSPST decision-making support tool with NCSC Principle 5

1. Use of CSPST can support effective implementation of a number of the NCSC Supply Chain Principles – see the Guidance Note, Key point 1, for further consideration of this.

2. CSPST is specifically designed to support implementation of NCSC Principle 5 (Set and Communicate Minimum Security Requirements for your Suppliers) in the following way:

Each supplier scenario below is paired with the recommended approach.

Use Case A: Protecting information shared with suppliers – see also overview diagram later in this guidance.

Supplier scenario: Suppliers of services/goods where no cyber risk has been identified.
Recommended approach:
  • In view of the importance of cyber resilience to the wider sustainability and resilience of Scotland’s digital economy, CSPST encourages and supports Scottish public sector organisations to signpost all suppliers to NCSC best practice guidance in respect of cyber resilience, even where a specific cyber risk to a contract has not been identified.

Supplier scenario: Supplier arrangements involving the processing of personal data.
Recommended approach: CSPST supports decision-making in this scenario in two key ways:
  • its algorithm aims to ensure that any contract involving digital processing of anything other than the least sensitive personal data will generate a “moderate” risk profile as a minimum. CSPST’s moderate risk profile is intended to embed all of the key requirements set out in the NCSC/ICO GDPR guidance on security outcomes.
  • its algorithm helps to ensure that, in all circumstances involving the electronic processing of personal data, suppliers are additionally asked to confirm generally that their cyber security arrangements are in conformity with the NCSC/ICO guidance on a proportionate basis.

Supplier scenario: Presence of a “Very Low” risk to delivery of services or goods by a supplier has been confirmed.
Recommended approach:
  • CSPST supports decision-making in this scenario by helping to ensure that all bidding suppliers are asked only to attest to having considered and implemented the most basic measures recommended by the NCSC for protecting against cyber risks. For small businesses and charities, these can be found in the NCSC Small Business Guide and the NCSC Small Charity Guide - a series of simple, quick and effective steps that any small business or 3rd sector organisation can work through to improve their resilience.

Supplier scenario: Presence of a “Low” risk to delivery of services or goods by a supplier has been confirmed.
Recommended approach:
  • CSPST supports decision-making in this scenario by helping to ensure that all bidding suppliers are asked a series of questions about the cyber security arrangements for the contract which align with basic NCSC advice (embodied in the NCSC Small Business Guide for small businesses) and the controls set out in the NCSC Cyber Essentials certification scheme.
  • Contracting authorities can opt to ask that suppliers hold Cyber Essentials, Cyber Essentials Plus, IASME Gold, ISO27001 or equivalent as a form of independent assurance regarding compliance. Suppliers can rely on any such certification held to auto-complete answers in CSPST. This helps to minimise burdens on bidding suppliers by reducing the total number of questions they must answer.

Supplier scenario: Presence of a “Moderate” risk to delivery of services or goods by a supplier has been confirmed.
Recommended approach:
  • CSPST supports decision-making in this scenario by helping to ensure that all bidding suppliers are asked a series of questions about the cyber security arrangements for the contract which align with basic NCSC advice (embodied in the NCSC Small Business Guide for small businesses), the controls set out in the NCSC Cyber Essentials certification scheme, the 10 Steps to Cyber Security and the NCSC/ICO GDPR guidance on security outcomes.
  • Contracting authorities can opt to ask that suppliers hold Cyber Essentials, Cyber Essentials Plus, IASME Gold, ISO27001 or equivalent as a form of independent assurance regarding compliance. Suppliers can rely on any such certification held to auto-complete answers in CSPST, thus reducing burdens.

Supplier scenario: Presence of a “High” risk to delivery of services or goods by a supplier has been confirmed.
Recommended approach:
  • CSPST supports decision-making in this scenario by helping to ensure that all bidding suppliers are asked a series of questions about the cyber security arrangements for the contract which align with basic NCSC advice (embodied in the NCSC Small Business Guide for small businesses), the controls set out in the NCSC Cyber Essentials certification scheme, the 10 Steps to Cyber Security, the NCSC/ICO GDPR guidance on security outcomes and the NIS Cyber Assessment Framework. It also aims to ensure broad alignment at this level with the controls set out in the ISO27001 standard.
  • Contracting authorities can opt to ask that suppliers hold Cyber Essentials, Cyber Essentials Plus, IASME Gold, ISO27001 or equivalent as a form of independent assurance regarding compliance. Suppliers can rely on any such certification held to auto-complete answers in CSPST, thus reducing burdens.
  • Some Operators of Essential Services (e.g. in the energy, communications, health and water sectors) are required to operate to the most sophisticated NCSC-endorsed requirements, in the form of the Security of Network and Information Systems principles. Compliance with these principles should be regulated by Competent Authorities.

Supplier scenario: To help protect against fraud, theft, and insider threats, where these are identified as potentially present.
Recommended approach:
  • CSPST presents specific questions to suppliers from the Low risk profile level upwards, asking whether appropriate personnel, physical and procedural controls are in place for the contract. These include questions aimed at ensuring that all staff working on a contract are screened, following the principles outlined by the Cabinet Office Baseline Personnel Security Standard (BPSS).

Supplier scenario: Suppliers are delivering or making use of cloud-based systems.
Recommended approach:
  • CSPST supports decision-making in this scenario by helping to ensure that key aspects of the NCSC’s Cloud Security Principles are embedded within the questions asked at different risk profiles. Its algorithm also helps ensure that, in all circumstances where suppliers are delivering or relying on cloud-based systems, they are asked to confirm generally that these comply with the NCSC’s Cloud Security Principles.

Supplier scenario: Information is to be held in a common data environment.
Recommended approach:
  • CSPST embeds some of the NCSC Cloud Security Principles that are relevant to common data environments, including data separation/segregation. Public sector organisations should also review arrangements using the “Common Data Environments” guidance available on the CPNI website at https://www.cpni.gov.uk/digital-built-assets-and-environments, outside the CSPST tool.

Use Case B: Specifying security requirements to a supplier who is delivering something to you

Supplier scenario: Where, e.g., new software tools or components are being manufactured and supplied to a public sector organisation.
Recommended approach:
  • CSPST includes questions aimed at providing some assurance as to whether products or solutions have been developed with security in mind to an appropriate degree. However, additional controls may be required to provide assurance about the product/service to be delivered. It is important that these are specified to suppliers as clearly as possible in advance.

    NCSC guidance makes clear that you need absolute clarity about your security and functional needs. These must be described clearly and unambiguously to the supplier. If the supplier is delivering an IT system then it must meet the security requirements that have been specified.

  • It may also be important in such circumstances to ask about the product/solution supplier’s organisational cyber security arrangements, to provide assurance that hostile actors cannot easily access a supplier’s systems to meddle with products and solutions that will be used by the public sector. CSPST supports you to ask such questions appropriately when products or solutions are being supplied.
  • The NCSC Marketplace sets out how the NCSC provides oversight of some products and service testing, to give confidence that appropriate levels of security are in place for threat environments. Note that these currently tend to be for more high-end, sophisticated products.

Supplier scenario: Where project or asset/facilities management is being delivered using collaborative digital engineering systems.

Use Case C: Connecting a supplier’s systems to yours

Supplier scenario: Network connections/data sharing with suppliers.
Recommended approach:
  • CSPST includes questions that help seek appropriate assurance in these situations. However, public sector organisations should also have regard to the following key points from NCSC guidance, and satisfy themselves whether the questions being asked of suppliers via CSPST are appropriate and/or sufficient:
    • Ensure that any network connections or data-sharing with suppliers do not introduce unmanaged vulnerabilities that have the potential to affect the security of business systems. This is a critical consideration for all contracts that include connections to a supplier's system.
    • Decide such key questions as: will the supplier work at the public sector organisation’s premises or theirs? How much access and connectivity will they need to carry this out?
  • Where consideration is being given to connecting a supplier's systems to a public sector organisation’s, the public sector organisation may adopt the following approach:
    • Ensure that the access provided to systems, services, information and premises is limited, controlled and monitored. This is true for both the supplier's people and their systems. These accesses should be reviewed periodically, and removed when no longer required.
    • If it is intended that the supplier will perform the contracted work on the public sector organisation’s systems and premises, the public sector organisation should ensure these are appropriately segregated from the rest of the network, in line with NCSC guidance at 10 Steps to Cyber Security, Network Security.
    • Access to contract-related information, contracted products or services should be limited on a 'least privilege' basis.
    • There should be a secure means to exchange hard and soft copy information with the supplier. The public sector organisation may wish to follow guidance on hard copy exchanges available via the Cabinet Office, Government Classification Scheme, and guidance on data in transit/exchanges available at 10 Steps to Cyber Security, Home and Mobile Working.
    • Where organisations use operational technology as part of a system or to deliver services, like other technology it should be treated as 'untrusted', and managed accordingly.

Use Case D: National security case – where targeting by, e.g. a hostile state is likely

Supplier scenario: National security risk identified.
Recommended approach:
  • If the Contracting Authority identifies that SECRET or TOP SECRET information will be processed digitally by a supplier, CSPST asks users to exit the tool and seek advice from their cyber security experts, and/or NCSC and CPNI.
  • Matters for consideration will likely include:
    • Adoption of bespoke approaches to security.
    • Use of high assurance products, with improved personnel and physical security arrangements.
    • Vulnerabilities that might arise in manufacturing or build processes.
    • Additional measures to protect the privacy and identity of contracting partners and their procurement activities.

Diagram providing visual representation of the way in which CSPST supports implementation of NCSC Principle 5

Contact

Email: CyberResilience@gov.scot