Cyber security in government contracts

October 9, 2023
Tim Heywood



Most public bodies (that’s to say government departments, agencies, NDPBs and the NHS) have been obliged, since 2014, to utilise established cyber security standards as a key means of improving cyber security (and with that, data protection measures) in their supply chains.

The Cyber Essentials Scheme is central to this.

Cyber Essentials is a Government-backed scheme to help businesses of any size protect themselves against a range of the most common cyber attacks and to demonstrate their commitment to cyber security.

It’s described in the latest Procurement Policy Note as “the quickest and most effective means of mitigating risks associated with [sensitive] contracts…”.

For that reason the PPN mandates the use of CE for the more data-sensitive public contracts, especially those where government information protectively marked at “Official” might be used, or those which involve the processing of large amounts of personal data.

It makes plain, however, that CE does not guarantee security (it is intended to help SMEs and larger organisations get the basics of cyber security right), nor is it the only cyber security standard, and if a bidder for a public contract can demonstrate that it has an equivalent set of security measures or an international standard in place then that will be just as acceptable.

In any event, the affected public bodies “…must ensure that effective and proportionate cyber security controls are applied to contracts to mitigate supply chain risks.”

As the PPN states:

“There are key characteristics associated with contracts considered to be at a higher risk of cyber security threats. In-scope organisations must ensure that all suppliers demonstrate that they meet certain technical requirements for contracts or services that include the following characteristics:

  • where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier;
  • where personal information of Government employees, Ministers and Special Advisors is handled by a supplier (such as payroll, travel booking or expenses information);
  • where ICT systems and services are supplied which are designed to store, or process data at the OFFICIAL level of the Government Security Classifications Policy; and/or
  • where contracts deal with information related to the day-to-day business of Government, service delivery and public finances.”

Although the PPN says that not all contracts will be affected, given the presence of personal data in so many different types of contracts for goods and/or services, the requirement might well turn out to be almost universally applicable. That will be for the public bodies to work out.

But for suppliers, having a CE Certificate (or equivalent) gives them a real commercial advantage in the bidding process, helps streamline their bidding process input (because the certificate is shorthand for what can be extensive technical details that would otherwise have to be submitted afresh each time) and helps build trust with customers.

Whilst the basic CE Certificate will be fine for most businesses, especially SMEs bidding for routine contracts, for the more complex businesses or high-risk contracts, Cyber Essentials Plus will be the better bet. CE Plus applies the same technical standards and controls (which include effective boundary firewalls; internet gateways; secure configuration; access control; malware protection and security update management) but comes with the additional assurance of having been independently tested remotely and through on-site vulnerability testing.

CE is not just relevant to organisations awarding or bidding for government contracts, of course. It is proving to be a key tool for suppliers in all sectors (including lawyers and other professions), helping them cover the basics of cyber security to protect their commercial information. Crucially, it is also very useful for demonstrating a commitment to personal data security. The ICO likes it, therefore so should we.

Tim Heywood FRSA is a partner in Gunnercooke llp specialising in data protection, cyber and procurement. Tim is a member of the Law Society’s Technology & Law Committee. He is the former Legal Adviser at what is now the National Cyber Security Centre (NCSC) (part of GCHQ). Tim advises IASME, which is the Government’s delivery partner for Cyber Essentials.

This blog is for guidance purposes only and is not legal advice. You should obtain specific legal advice on your particular circumstances.