Cyber Security Procurement Support Tool: guidance for buyers

Footnotes

1. Scottish public sector organisations is defined broadly to include all those implementing the Public Sector Action Plan on Cyber Resilience: central government, NDPBs, Non Ministerial departments, health boards, local authorities and universities and colleges. The tool is NOT available to third sector or charity buyers.

2. At https://cyberassessment.gov.scot/

3. CSPST is not suitable for procurement processes to establish complex multi-supplier framework agreements, where the range of cyber risks could be very wide. Further information on this can be found at page 10 of this note.

4. Buyers can place a requirement on bidders who do not currently meet the minimum requirements to complete a Cyber Implementation Plan, which sets out how the supplier will work towards meeting minimum requirements over a certain timeframe. These plans will form part of binding contractual commitments.

5. As CSPST is a contract-specific tool, it is considered more appropriate to use CSPST at call-off stage, as noted above.

6. As noted in paragraph 8, above, the simple pass/fail approach that CSPST supports can be used in combination with a more sophisticated scored approach.