The Cabinet Office has recently published PPN 09/23 relating to the Cyber Essentials scheme. This is a government backed scheme to improve cyber resilience within the public sector and which prospective suppliers for certain types of public sector contracts are required to hold (or demonstrate equivalent controls are in place). The Note replaces the previous PPN regarding Cyber Essentials (PPN 09/14) and requires all in scope organisations (central government departments, executive agencies and NDPBs, and all NHS bodies) to implement the requirements of PPN 09/23. Whilst not mandatory for other public bodies, they are advised to consider applying the approach set out in the PPN.
The Note sets out the technical requirements and minimum standards suppliers to all in-scope organisations are required to meet in order to be able to deliver contracts or services that include a number of attributes relating to personal data of either citizens or government workers, day to day government business, or systems designed to process data at Official level or above. Annex A of the Note provides a helpful list of examples of the types of contracts where compliance with the Cyber Essentials scheme would be required and also where the Scheme would not be relevant to other types of contracts. Evidence of holding a Cyber Essentials certificate (or evidence of an equivalent standard for cyber security) is considered essential at the point when data is to be passed to the supplier.
The Note highlights that Cyber Essentials may not be appropriate for certain requirements, and where the relevant organisation deems that there is a higher risk of being subject to cyber-attack, it may be necessary to apply more sophisticated strategic measures to deal with such threats. Conversely, the Note also advises that in-scope organisations should not over-burden suppliers or deter SMEs or other third sector enterprises from bidding from public contracts. Organisations will need to be able to record their decision-making around the use of the Scheme in any procurement exercise in case of challenge. However, given the Scheme’s requirements include some relatively basic cyber hygiene measures, it may be more pertinent for organisations to be able to demonstrate their reasons for not applying the Scheme, depending on the nature of the procurement being run and contract being offered. Equally organisations will need to consider whether to apply the basic Cyber Essentials Scheme in their Contract Notice, or whether the more stringent requirements of the Cyber Essentials Plus scheme should be specified. The Note confirms in its FAQs at Annex C, that any applicable Scheme requirements should be discussed with potential suppliers in the pre-procurement stage and specified in the Contract Notice.
Bevan Brittan can help with reviewing your cyber security requirements as part of your ongoing business resilience and your procurement needs. We are able to offer specialist cyber security advice from experts in our Information Law and Privacy team, together with dedicated commercial support from our Commercial and Infrastructure teams.