On 25 September 2014 the government published a procurement policy note stating that from 1 October 2014 suppliers must comply with the new Cyber Essentials security requirements when bidding for central government contracts that involve handling sensitive and personal information and providing certain technical products and services.
Who will be affected?
Suppliers bidding for central government contracts advertised after 1 October 2014 which involve:
- handling personal information of citizens or government employees such as addresses and bank details or payroll and expenses information; and/or
- supplying ICT systems and services designed to store or process data at the OFFICIAL level of the Government Protective Marking scheme.
There are some exemptions, for example, where suppliers already operate under certain other cyber security schemes.
What is 'Cyber Essentials'?
Cyber Essentials is a scheme consisting of a set of basic controls which are designed to protect against the most prevalent internet threats. The scheme is aimed at all organisations regardless of size or sector but will be mandatory for certain central government contracts from 1 October 2014. There are two levels of certification within the scheme: Cyber Essentials and Cyber Essentials Plus. Organisations which are able to meet the requirements receive certification and can display a badge on their marketing material. The scheme was launched by the Department for Business, Innovation & Skills and focuses on five main controls:
- Boundary firewalls and internet gateways.
- Secure configuration.
- Access control.
- Malware protection.
- Patch management.
It is free to download but there are charges for the certification. For more information on Cyber Essentials please read our article, Bare essentials for internet security: government advice for businesses.
What will be required?
Suppliers will be required to demonstrate that they meet the technical requirements set out in the Cyber Essentials scheme. The contracting authority will decide whether suppliers have to comply with Cyber Essentials or Cyber Essentials Plus depending on the level of security required. Further security requirements may still be specified in high risk procurements. In practice, this is likely to mean that suppliers will have to obtain certification and renew it as appropriate.
More information and a list of FAQs can be found in the policy note itself: Use of Cyber Essentials Scheme certification.
For more information please contact Andrew Dunlop in our Data Protection team.