Cyber Security Procurement Support Tool: guidance for buyers

Guidance for buyers on embedding use of the Cyber Security Procurement Support Tool (CSPST) in the procurement process.


Section B: Embedding use of the CSPST tool in procurement processes

Section B (i) Embedding the CSPST decision-making support tool in procurement processes

1. The recommended approach to embedding use of the CSPST decision-making support tool in procurement processes is set out in this section, which comprises the following sub-sections:

  • Overview
  • Procurement Journey - Strategy Development
  • Procurement Journey - Tender
  • Procurement Journey - Contract

Overview

2. The diagram below summarises the overall approach:

Diagram - Using CSPST in Procurement Processes

Procurement Journey - Strategy Development

3. The Procurement Journey sets out guidance on the Strategy Development phase of the procurement process for contracts under Routes 1 (unregulated, under £50k, low risk, repetitive nature procurements), 2 (regulated procurements between £50k and the OJEU threshold) and 3 (regulated procurements of OJEU threshold and above).

4. CSPST should be used at the Strategy Development phase when a contracting authority is developing contract award requirements. Embedding an option in your organisational processes to make use of CSPST whenever a procurement is being undertaken can help ensure an appropriate audit trail for decision-making around cyber security. The Procurement Journey and Supplier Journey have both been updated to signpost to CSPST in circumstances where the tool is being used.

The following key steps should be followed when using CSPST at the strategy development phase of your procurement.

Step 1: Consider whether CSPST is suitable for your contract, framework or assessment.

Step 2: Register and use CSPST to complete an initial Risk Profile Assessment as part of your strategy development, during which you and your advisers can:

  • Generate a cyber risk profile for the contract – this will consist of:
    • A set of cyber security controls that the successful supplier will be expected to have in place, proportionate to the risk profile of the contract;
    • Any certification requirements you wish to place on suppliers for assurance purposes; and
    • Any supporting evidence requirements in support of suppliers’ completed Supplier Assurance Questionnaires.

Together, these will constitute the minimum cyber security requirements under the award criteria for the contract. You can also develop additional “scored” cyber security requirements to complement these minimum criteria if you wish, although CSPST cannot be used for these purposes.

Step 3: Identify the approach you will take to non-compliant bidding suppliers – you can opt to adopt a strict pass/fail approach or accept Cyber Implementation Plans that set out binding commitments about what a successful supplier will do to meet the minimum requirements by a date/contract phase of your choosing.

Step 4: Ensure all relevant areas of your organisation with an interest have had an opportunity to agree the completed CSPST risk profile before “publishing” the risk profile and generating a final Risk Assessment Reference and Risk Profile Assessment report.

Step 5: Develop your documentation incorporating the outputs of CSPST.

Further information on these steps is set out below.

Step 1: Procurement Journey – Strategy Development – Decide whether CSPST is suitable for your Contract, Framework or Assessment

5. CSPST is likely to be suitable for assessing the cyber risks involved in “standalone” contracts, single supplier framework agreements, or contracts “called off” under a single or multi-supplier framework agreement. NB: CSPST is unlikely to be suitable for assessing risks when putting in place multi-supplier framework agreements, due to the wide range of potential scenarios under such agreements.

6. If you are using CSPST to assess a contract that you are “calling off” under an existing framework contract, you should ensure that the overarching framework contract has appropriate requirements that can provide a justification under procurement law for assessing suppliers’ cyber security using the CSPST tool. If in doubt, please seek legal advice.

7. CSPST can be used to support the identification and implementation of minimum contract award “pass/fail” requirements, which will usually form part of an individual contract’s Statement of Requirements. CSPST should not be used for generating ESPD “selection” criteria, as opposed to contract award criteria. This is because CSPST is intended to assess the cyber risks specific to individual contracts, and support public sector organisations to work with suppliers (via Cyber Implementation Plans[4]) to manage risks on a proportionate basis when they do not currently meet cyber security requirements.

8. CSPST cannot be used to generate more sophisticated “scored” criteria, where a public body wishes to apply considered judgements to the proposed approach that different bidding suppliers will take to an aspect of cyber security that is of key importance to a contract, and award a variable “score” on the basis of the maturity or appropriateness of a bidder’s approach. However, the simple pass/fail approach that CSPST supports can be used in combination with a more sophisticated scored approach.

9. The table below summarises when CSPST is likely to be suitable for use.

Scenario | Is CSPST suitable?
Class of contract or framework: “Standalone” contracts | Yes
Class of contract or framework: Putting in place single supplier framework agreements | Yes
Class of contract or framework: Contracts “called off” under multi- or single supplier framework agreements | Yes
Class of contract or framework: Putting in place multi-supplier agreements/dynamic purchasing systems[5] | No (X)
Type of criteria: Identifying and assessing against ESPD selection criteria | No (X)
Type of criteria: Identifying and assessing against minimum pass/fail contract award criteria | Yes
Type of criteria: Identifying and assessing against more sophisticated scored cyber security contract award criteria[6] | No (X)

Step 2: Procurement Journey – Strategy Development – Register and use CSPST to complete a risk profile assessment.

Step 2.1: Register with CSPST

10. You should register with CSPST using the relevant links in the tool. Note that, to ensure the security of your information, CSPST uses two-factor authentication. You will therefore need to provide a mobile phone number to be able to access CSPST.

Step 2.2: Use the CSPST risk profile assessment function to generate an initial cyber risk profile

11. The Risk Profile Assessment (RPA) module of CSPST is intended for completion by either the lead procurement official, the lead project official or your organisation’s cyber security experts. It is intended to support identification of minimum cyber security requirements as part of the award criteria for a procurement.

12. The CSPST tool allows the “lead” official to invite other key officials to collaborate on completing key sections of the RPA.

It is particularly important to ensure that your organisation’s cyber security experts are involved in decision-making around cyber security, and the CSPST tool includes prompts at appropriate points to help achieve this. Inviting your cyber security experts to collaborate on completion of the RPA can be a useful way of promoting such involvement.

13. The RPA asks a contracting authority to answer a pre-determined set of questions to help identify:

(a) whether a cyber risk is likely to be present in the contract; and

(b) if so, how significant those risks are likely to be.

14. Your answers to these questions will generate an initial cyber risk profile for the contract, which will correspond to a series of cyber security controls of increasing sophistication that suppliers can be required to have in place (see “Preparing Tender Documentation Incorporating the Outputs of CSPST” below).

15. CSPST allows you to adjust the initial cyber risk profile, by either raising the initial risk profile to a higher level or adding specific questions from a “master list” to help manage specific risks.

Step 2.3: Use CSPST to support identification of certification requirements for assurance purposes

16. At the RPA stage, you can also identify whether you wish to indicate to suppliers that they should hold certain certifications for assurance purposes.

17. Public sector organisations are encouraged to adopt the proportionate approach to certification set out in the Guidance Note. Certification can be helpful in that it provides a limited form of independent verification that a supplier has appropriate cyber security controls in place. However, requiring suppliers to hold certification can increase burdens and could potentially exclude suppliers that are capable of delivering a contract appropriately.

18. In line with the Guidance Note, CSPST allows public sector organisations to indicate whether they wish suppliers to hold either Cyber Essentials/Plus, IASME Gold or ISO27001 certification “or equivalent”. It interprets this to mean “or equivalent controls”.

Contracting authorities could, for example, permit suppliers not holding certification to complete a CSPST SAQ (see below) and provide other supporting evidence that offers assurance that SAQ answers are accurate (see “Use CSPST to support identification of requirements for supporting evidence”, below). Such supporting evidence may, for example, include copies of policy documents or penetration testing reports. CSPST also makes clear that SAQ answers can be subject to audit under contractual terms and conditions.

Step 2.4: Use CSPST to support identification of requirements for supporting evidence

19. At the RPA stage, you can identify whether you wish suppliers to provide any evidence in support of their SAQ answers. This functionality is intended to allow you to seek assurance (via means other than certification or post-contractual audit) that SAQ answers are accurate.

20. The supporting evidence functionality in CSPST offers a free text box that contracting authorities can complete, and which will be presented to suppliers unchanged. For that reason, contracting authorities should ensure that any requirements for supporting evidence are clearly communicated, and that instructions on how to submit such evidence are included. In general, supporting evidence should be submitted in the same way as other tender documentation, to help preserve the integrity of the procurement process.

21. If contracting authorities are requesting that suppliers hold specific certifications “or equivalent” for assurance purposes, they may wish to include consideration of alternative supporting evidence that they would be willing to accept in place of certification, and communicate this clearly using the supporting evidence functionality. The involvement of expert cyber security colleagues in such an approach will be important.

Step 3: Procurement Journey – Strategy Development – Use CSPST to support identification of your organisation’s approach to non-compliant suppliers

22. CSPST asks you to consider the approach you will take to bidding suppliers that do not currently meet the minimum cyber security requirements for the contract. It supports two approaches:

  • adopting a strict approach, under which non-compliant suppliers will be excluded if their responses to SAQ questions do not meet the minimum requirements; or
  • adopting an approach under which non-compliant suppliers will be prompted to complete a Cyber Implementation Plan (CIP) that sets out how they will address any areas of non-compliance to agreed timescales. Completed CIPs must be clear and credible, and will form part of the contractual requirements placed on the successful supplier.

23. Adopting the CIP approach is recommended as being more in line with the principle of working collaboratively with suppliers to improve cyber resilience.

If you intend to accept CIPs, please ensure you have considered Section B (ii) of this guidance, which sets out further information on the CIP process.

Step 4: Procurement Journey – Strategy Development – Agree and “publish” the completed risk profile assessment (risk assessment reference and RPA reports)

24. CSPST has been designed to support your organisation to make informed decisions about the final cyber risk profile for the contract throughout the risk assessment process. Key features supporting this are:

  • The “collaborate” function, which allows lead officials to invite others within the same organisation (e.g. expert cyber security advisers) to complete specific sections of the RPA; and
  • The ability to download a Risk Profile Assessment report at key stages of the process, to share with others for comment or advice.

25. Once all key people are content with the final risk profile for the contract, you should select the option within CSPST to “publish” the RPA. You will then be provided with:

  • A Risk Assessment Reference number, which you will need to include in the documentation provided to suppliers (see Step 5 below); and
  • A downloadable final Risk Profile Assessment report, which sets out:
    • The answers your organisation has provided in the Risk Profile Assessment part of the CSPST process;
    • The cyber risk profile for the contract (including any adjustments when these have been made, and any certification and supporting evidence requirements);
    • The approach you have opted to take to risk management (strict vs CIP); and
    • All of the SAQ questions that will be presented to bidding suppliers on this basis, and the minimum acceptable answers – these should be included in the documentation provided to suppliers (see Step 5 below).

Step 5: Procurement Journey – Strategy Development – Prepare documentation incorporating the outputs of CSPST (minimum pass/fail cyber security requirements)

26. When preparing tender documentation, contracting authorities should ensure appropriate communication of minimum cyber security requirements to suppliers by:

  • ensuring that the contract notice, when issued, makes clear to potential bidders that there are minimum requirements concerning cyber security relevant to the procurement to which a pass/fail attaches, and that tenderers will be required to complete an online Supplier Assurance Questionnaire using the Cyber Security Procurement Support Tool;
  • embedding the unique Risk Assessment Reference number (RAR) in the relevant tender documentation issued to potential bidders, along with clear information on the cyber security requirements that align with the risk profile. One way of communicating detailed information about minimum cyber security requirements generated using CSPST is to append the annex from the RPA report. This has been designed to be easily extracted without the need to adjust text, and includes a list of all questions that will be asked of suppliers under the contract’s cyber risk profile, as well as minimum acceptable answers.

It is important that all bidding suppliers can access and understand the minimum requirements for the contract. The most obvious place to include the unique RAR and other information about the minimum cyber security requirements is likely to be the Statement of Requirements.

  • including clear instructions on how suppliers can access the Supplier Assurance Questionnaire (SAQ) in the CSPST tool using the RAR, and how they should submit the SAQ reports that the tool generates based on their answers; and
  • if your organisation intends to accept Cyber Implementation Plans (CIPs), including a CIP template for suppliers to complete if they do not currently meet the minimum requirements under the cyber risk profile, along with clear instructions on how to submit completed CIPs and the date by which any cyber security improvements must be achieved. More information on the CIP process is at Section B (ii). A CIP template is available here.

Some example wording to support contract notice and tender document preparation is available here. The standard contractual terms and conditions developed for use by the Scottish public sector have also been updated to include optional clauses for use when CSPST is being used.

27. If you are issuing the proposed contractual terms and conditions alongside other tender documentation, you should ensure that these make clear that the minimum cyber security requirements and the outputs of the supplier’s completed CSPST Supplier Assurance Questionnaire (and any Cyber Implementation Plan, where applicable) will form part of these terms and conditions. Section B of the Example Tender and Contract Wording (available here) provides example wording to facilitate this. See also the “Procurement Journey – Contract” section below.

28. NB: A contracting authority may opt to communicate additional cyber security requirements, beyond the minimum pass/fail cyber security requirements that CSPST is used to generate, with a view to including evaluation of these as a separate scored quality criterion. This may be the case if, for example, specific aspects of cyber security are of particular importance to a contract. Contracting authorities may opt to assess suppliers’ proposals for meeting those additional requirements on a “scored” basis, in the same way as other aspects of supplier proposals are assessed.

In these circumstances, contracting authorities can communicate those additional requirements alongside other scored requirements in the Statement of Requirements, and ask that supplier proposals for meeting them be submitted as part of their wider proposals to deliver the contract. CSPST cannot be used to communicate and assess such additional requirements. However, CSPST can be used in tandem with this approach to identify and assess minimum cyber security requirements on a pass/fail basis.

Some example wording to support this approach is set out at Section A of the Example Tender and Contract Wording (available here).

Procurement Journey - Tender

29. The Procurement Journey sets out guidance on the Tender phase of the procurement process for contracts under Routes 1 (unregulated, under £50k, low risk, repetitive nature procurements), 2 (regulated procurements between £50k and the OJEU threshold) and 3 (regulated procurements of OJEU threshold and above).

When CSPST is being used, these key steps should be followed at the Tender phase of your procurement:

Step 1: Issue your Invitation to Tender (ITT), incorporating the outputs of CSPST.

Step 2: Bidding suppliers use CSPST to complete the Supplier Assurance Questionnaire relevant to the contract, download a final SAQ Report and submit it (and any completed Cyber Implementation Plan and Supporting Evidence where applicable) alongside all other tender documentation.

Step 3: The contracting authority opens and evaluates the final SAQ reports (and any completed Cyber Implementation Plan and Supporting Evidence where applicable) alongside all other tender documentation.

Further information on these steps is set out below.

Step 1: Procurement Journey – Tender – Issue your invitation to tender

30. Issue your Invitation to Tender, with the outputs of CSPST incorporated as per Step 5 of the “Strategy Development” phase above, in line with the guidance in the Procurement Journey.

31. You may wish to emphasise that completing a CSPST questionnaire can require time and effort, depending on (i) the risk profile of a contract and (ii) how well suppliers understand their organisation’s cyber resilience arrangements. It is vital that suppliers leave sufficient time to complete the CSPST questionnaire ahead of the submission deadline. Example text for inclusion in ITTs is included in Section A of the Example Tender and Contract Wording (available here).

Step 2: Procurement Journey – Tender – Suppliers use CSPST to complete a supplier assurance questionnaire and submit it with any other relevant information

32. Bidding suppliers will be able to locate the unique RAR and information about the contract’s minimum cyber security requirements in the tender documentation.

33. Bidding suppliers should then register for and/or log on to the CSPST tool, input the unique risk assessment reference number for the contract, and submit answers to the questions about the cyber security arrangements they have in place for the contract. The tool allows them to download a “pre-submission” SAQ report that presents them with an overview of the answers they have provided and how they compare to the minimum acceptable answers for the contract. When they are satisfied with their answers, they should click “submit” in the CSPST tool.

34. Based on their answers, the tool will then provide a final SAQ report that gives formal confirmation of whether the bidding supplier’s answers meet the minimum requirements for the contract. The tool will prompt them to take the following action:

  • If the bidding supplier meets the minimum requirements, the CSPST tool will prompt them to download a copy of the SAQ report and submit it (and any supporting evidence where applicable) along with all other tender documentation via the contracting authority’s preferred route (e.g. PCS or PCS-t).
  • If the SAQ report indicates that the bidding supplier does not meet the minimum requirements, the CSPST tool will advise suppliers to follow one of two main courses of action, dependent on the risk management approach the contracting authority has opted to adopt:
    • If the contracting authority is adopting a strict pass/fail approach, the supplier will be prompted to submit their SAQ report, so that the contracting authority can use it to consider whether to reject the supplier at its discretion in line with procurement regulations.

In these circumstances, CSPST will prompt suppliers that disagree with the outcome of the SAQ report, or that have made any errors in their submission, to provide information to the contracting authority alongside the report and their tender documentation detailing the reasons why.

    • If the contracting authority is accepting Cyber Implementation Plans (CIPs), the supplier will be prompted to complete a CIP and submit it alongside the SAQ report (and any supporting evidence where applicable) and other tender documentation. See Section B (ii) of this guidance for further information on the CIP process.

Step 3: Procurement Journey – Tender – Evaluate tenders prepared using CSPST

35. Contracting authorities should expect to receive SAQ reports and, where relevant, Cyber Implementation Plans and any required supporting evidence alongside all other tender documentation submitted by bidding suppliers.

36. When assessing these aspects of the bid, contracting authorities should consider the following:

  • Does the supplier’s SAQ report indicate that all minimum cyber security requirements for the contract are met?
    • If so, and in the absence of any contradictory supporting evidence (see below), contracting authorities should award a pass for this aspect of the bid.
    • If not, and the contracting authority is adopting a strict pass/fail approach, they may decide to reject the supplier, making clear the basis on which they are doing so in line with procurement regulations.
    • If not, and the contracting authority is accepting CIPs, they should assess the SAQ report alongside the submitted CIP (see below).
  • Does any Cyber Implementation Plan submitted by a bidding supplier credibly and satisfactorily address all of the shortfalls identified in the SAQ report? The ability to undertake the actions committed to within the timelines stipulated by the contracting authority may be a factor in assessing credibility.
    • If so, and in the absence of any contradictory supporting evidence (see below), contracting authorities should award a pass for this aspect of the bid, and proceed to assess all other (non-cyber security) aspects of the bid. The completed CIP will form part of the contractual requirements for the procurement.
    • If not, the contracting authority may decide to reject the supplier, making clear the basis on which they are doing so in line with procurement regulations.
  • Does any submitted certification or supporting evidence contradict a supplier’s SAQ report or CIP? For example, a supplier may claim to hold certification covering the entire scope of the contract, when in fact it is limited to only one part of the networks or systems used to deliver the contract. Or a supplier may claim to have well developed information security policies in place, but provide a copy of a substandard policy document.
    • If so, contracting authorities may wish to seek further information via appropriate clarification processes, in line with procurement regulations. This could include, for example, requiring a supplier to complete a supplementary CIP addressing shortfalls.
    • Alternatively, if it is clear from contradictory evidence that the supplier does not in fact meet the minimum requirements, and the contracting authority is adopting a strict pass/fail approach, they may decide to reject the supplier, making clear the basis on which they are doing so in line with procurement regulations.

37. The outcome of the tender assessment process should be communicated to suppliers in the usual way.

Procurement Journey – Contract

38. The Procurement Journey sets out guidance on the Contract phase of the procurement process for contracts under Routes 1 (unregulated, under £50k, low risk, repetitive nature procurements), 2 (regulated procurements between £50k and the OJEU threshold) and 3 (regulated procurements of OJEU threshold and above).

When CSPST is being used, these key steps should be followed at the Contract phase of your procurement:

Step 1: Embed CSPST outputs (and any completed CIP, where applicable) in contractual terms and conditions; and

Step 2: Return to the CSPST tool to select the successful supplier, in order to support your organisation to manage overall cyber risks to supply chains.

Further information on these steps is set out below.

Step 1: Procurement Journey – Contract – Embed CSPST outputs and CIPs in contractual terms and conditions

39. Contracting authorities should ensure they embed the commitments made by the successful supplier via the CSPST Supplier Assurance Questionnaire and any CIP in the terms and conditions for the contract.

40. The Example Tender and Contract Wording guidance (available here) provides example wording to facilitate this. It includes links to Scottish Government model terms and conditions that are made available to the wider public sector, which have been adjusted to facilitate use of CSPST and reflect best practice in respect of cyber security generally.

41. Where the contracting authority is using the Scottish Government’s Model ICT Services Contract, it should note that Schedule 13 (Security Management) of that contract contains existing general security requirements which may overlap and interact with the contracting authority’s specific cyber security requirements (to be set out in the Annex to Schedule 13). This is because the Model ICT Services Contract is intended for use with higher value or complex ICT contracts. The contracting authority should, therefore, ensure there are no conflicts between the specific cyber security requirements in the Annex and the rest of Schedule 13. In its tender documentation the contracting authority should draw to the attention of potential bidders that its requirements encompass Schedule 13 in its entirety.

42. The contract should then be managed in line with the best practice guidance in the Procurement Journey and the Guidance Note on Supplier Cyber Security.

Step 2: Procurement Journey – Contract – Use CSPST to manage overall cyber security risks to organisational supply chains

43. Contracting authorities should ensure that they return to the CSPST tool after contract award, and select the successful supplier in the CSPST tool.

This is to support their procurement and/or cyber security experts to gain an understanding of which contracts with which types of cyber risks have been let to which suppliers. Having such an understanding can help support decision-making around key issues such as cyber security audits of suppliers (e.g. focusing audit efforts on high risk individual contracts, or on suppliers delivering multiple contracts with moderate-to-high cyber security risks).

Section B (ii) Use of cyber implementation plans

1. When using CSPST, contracting authorities are prompted to decide whether they wish to adopt a strict pass/fail approach to suppliers who do not currently meet the minimum cyber security requirements for a contract, or whether they are willing to accept Cyber Implementation Plans (CIPs) that commit the successful supplier to working to address shortfalls to agreed timelines. This decision is entirely one for the contracting authority.

2. Contracting Authorities are encouraged to consider accepting CIPs from bidding suppliers whenever it is proportionate and appropriate to do so. The CIP approach aligns closely with Principle 11 of the NCSC guidance, which requires contracting authorities to work closely with suppliers to encourage them to continue improving their security arrangements.

When CIPs are being used, these key steps should be followed:

Step 1 (Strategy Development): Consider carefully the date or contract phase by which you will require a supplier to have implemented their CIP.

Step 2 (Strategy Development): Ensure that you clearly communicate your specific requirements relevant to the CIP process to suppliers, by incorporating the relevant outputs from CSPST into your tender documentation;

Step 3 (Tender): Suppliers use CSPST outputs to support their completion of a CIP where applicable;

Step 4 (Tender): Evaluate CIPs alongside SAQ reports (and, where applicable, supporting evidence) as part of tender evaluation;

Step 5 (Contract): Incorporate CIPs into contractual terms and conditions; and

Step 6 (Contract): Monitor implementation of CIPs.

Further information on these steps is set out below.

Step 1 (CIPs): Procurement Journey – Strategy Development – Consider the date or contract phase by which you will require CIP implementation

3. As part of their strategy development, contracting authorities should consider carefully the date by which they will require bidding suppliers to achieve compliance with minimum cyber security requirements. Issues to consider include:

  • The overall risks involved in the contract – e.g. lower risk contracts may justify greater latitude in the amount of time you give suppliers to achieve full compliance, whereas higher risk contracts may require compliance from the contract commencement date.
  • The date or contract phase from which the supplier is likely to have access to information that the public sector “owns” or is responsible for, and how sensitive that information is.
  • The contracting authority’s risk appetite in respect of a successful cyber attack on the supplier.

4. Where available, contracting authorities should involve their cyber security and data protection experts in these decisions.

Step 2 (CIPs): Procurement Journey – Strategy Development – Document preparation - communicate your CIP requirements clearly to suppliers

5. The “compliance appetite” stage of the CSPST tool allows contracting authorities to indicate whether they are willing to accept CIPs for a specific contract. If so, the CSPST tool will prompt the contracting authority to enter details of:

i. the date or contract phase by which suppliers will be required to achieve compliance with minimum requirements; and

ii. how suppliers should submit their Cyber Implementation Plan. This will usually be alongside the SAQ report and all other submitted tender documentation, via the contracting authority’s preferred portal (e.g. PCS-t or PCS) or other method, to help preserve the integrity of the procurement process.

6. This information will be presented to suppliers via the CSPST tool when they log on to answer the Supplier Assurance Questionnaire.

Contracting authorities should also include information about these issues in their tender documentation (e.g. in Instructions to Tenderers or the Statement of Requirements), to ensure transparency for bidding suppliers. The Example Tender and Contract Wording (available here) provides example wording to support this.

7. Contracting authorities should ensure they issue a template CIP with tender documentation, so that non-compliant suppliers can complete and return the CIP in the correct format. A template CIP, and an example of a completed CIP, can be found here.

Step 3 (CIPs): Procurement Journey – Tender – Suppliers use CSPST outputs to support completion of a CIP

8. Upon completion of an SAQ, CSPST will provide bidding suppliers with a report that sets out the extent to which they currently meet the minimum cyber security requirements for the contract.

9. The report will also inform non-compliant suppliers of the following:

  • Whether the contracting authority is willing to accept CIPs from suppliers who do not currently meet minimum requirements;
  • If so, what they should include in their CIP; and
  • How the CIP should be submitted.

10. Where a contracting authority is willing to accept CIPs, the SAQ report identifies the areas where a supplier does not meet the minimum requirements for the contract. Suppliers must then complete a CIP and submit it alongside all other tender documentation. The CSPST tool and the CIP template make clear that the CIP must set out clear, credible information on:

  • the supplier's proposed actions to achieve the requirements it currently does not meet – this may include proposed alternative mitigations or controls to manage relevant cyber risks; and/or
  • the supplier's reasoning as to why compliance with specific minimum requirements is not necessary for the contract; and
  • in line with any requirements specified by the contracting authority in CSPST and Instructions to Tenderers, the date or contract phase by which the supplier intends to achieve the requirements or have in place alternative mitigations or controls.

Step 4 (CIPs): Procurement Journey – Tender – Evaluate CIPs

11. The contracting authority will usually receive a bidding supplier’s completed CIP along with their SAQ report and all other tender documentation.

12. The contracting authority can then assess the extent to which the supplier’s CSPST SAQ report and CIP (when implemented) will together meet the minimum cyber security requirements for the contract.

13. Contracting authorities should ensure the way in which they assess CIPs is open and transparent, ensures equitable treatment between bidding suppliers, and is in conformity with procurement regulations. Options include the following:

  • Where the contracting authority agrees that proposed remediation measures set out in the CIP would, when implemented, result in the supplier meeting the minimum cyber security requirements for the contract, they may agree the CIP. When a CIP is agreed for a successful supplier it will form part of the final contractual terms and conditions, and the supplier may be treated on a par with suppliers achieving full compliance in their SAQ report.
  • Where the contracting authority judges that any alternative controls or mitigations that are proposed by the supplier will effectively mitigate the risks that the minimum cyber security requirements for the contract are designed to address, they may agree the CIP. When a CIP is agreed for a successful supplier it will form part of the final contractual terms and conditions, and the supplier may be treated on a par with suppliers achieving full compliance in their SAQ report.
  • Where the contracting authority does not agree that the proposed measures set out in the CIP are credible or appropriate and/or they believe they would result in unacceptable risk, they may exercise their discretion to reject a supplier in line with procurement regulations.

14. Public sector organisations should ensure that their internal processes require officials with appropriate seniority and expertise to sign off on CIPs, with due regard to the risk profile of the contract.

Step 5 (CIPs): Procurement Journey – Contract – Incorporate CIPs into contractual terms and conditions

15. An agreed CIP must, along with the final SAQ report, form part of the final contract award (or contractual amendment following review).

The Example Tender and Contract Wording (available here) provides example wording to facilitate this. It includes links to standard Scottish Government terms and conditions that are made available to the wider public sector, which have been adjusted to facilitate use of CSPST and reflect best practice in respect of cyber security generally.

Step 6 (CIPs): Procurement Journey – Contract – Monitor implementation of CIPs

16. The contracting authority should request regular updates from the supplier to ensure progress is being made on implementing the CIP within the agreed timeframe.

This advice note has been produced by the Scottish Government Cyber Resilience Unit to support implementation of the Scottish Public Sector Cyber Resilience Framework and the Supplier Cyber Security Guidance Note.

Please send all comments, questions or additions to cyberresilience@gov.scot

Contact

Email: CyberResilience@gov.scot
