In September 2023, the Cabinet Office issued Procurement Policy Note (PPN) 09/23, updating its guidance to public sector bodies on procuring contracts that carry a higher risk of cyber security threats.
This is a timely publication, coinciding with Cybersecurity Awareness Month, which falls in October each year. In this article, we take a look at the key features of PPN 09/23.
What is the Cyber Essentials Scheme?
The Cyber Essentials Scheme (the "Scheme") is a government backed scheme to help all businesses protect themselves against a range of the most common cyber attacks and to demonstrate their commitment to cyber security.
To ensure appropriate cyber security controls are in place and to reduce cyber security risks in supply chains, the government requires suppliers bidding for certain types of public contract to hold certification under the Scheme (or to demonstrate that equivalent controls are in place). References to "controls" mean the Scheme's five technical controls, which protect against the most common cyber attacks: boundary firewalls, secure configuration, user access control, malware protection and security update management (patching). These are baseline controls; they do not replace any contract-specific security requirements an In-Scope Organisation may need to impose.
There are two levels of certification under the Scheme, both of which implement the same technical standard, with different degrees of assurance:
- Cyber Essentials - a verified self-assessment questionnaire, certified by an approved certification body.
- Cyber Essentials Plus - as above, but also includes a hands-on technical audit of the controls by a licensed assessor.
Certificates at either level are valid for 12 months, so where certification is required it should be held, and renewed, for the duration of the contract rather than only at the point of bidding.
PPN 09/23 replaces the previous Cyber Essentials Scheme guidance in PPN 09/14.
Who is affected by PPN 09/23?
PPN 09/23 applies to all Central Government Departments, their Executive Agencies and Non-Departmental Public Bodies, and NHS bodies (the "In-Scope Organisations"). In-Scope Organisations are required to update their processes (as discussed below) in light of PPN 09/23 by 19 December 2023.
How does the Scheme fit into the procurement process?
The Scheme should not be applied to all contracts as a matter of course. The intention of the Scheme is not to over-burden suppliers or deter Small and Medium-Sized Enterprises (SMEs) and Voluntary, Community and Social Enterprises (VCSEs) from bidding for public contracts. Instead, the intention is to ensure that proportionate and relevant security measures are in place for the goods or services being procured.
In-Scope Organisations must have regard to cyber security when contracting in situations where there is a higher risk of cyber security threats. There is no single test that can be applied, but the Cabinet Office does give some example contracts for which cyber security considerations will be particularly relevant:
- where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier;
- where personal information of Government employees, Ministers and Special Advisors is handled by a supplier (such as payroll, travel booking or expenses information); and
- where ICT systems and services are supplied which are designed to store or process data at the OFFICIAL level of the Government Security Classifications Policy.
The task for In-Scope Organisations carrying out procurements therefore involves an assessment of all of the characteristics of a particular contract and whether those characteristics create a higher risk of cyber security threats, thereby meriting the inclusion of Cyber Essentials requirements.
Annex A to PPN 09/23 contains further examples of contracts which the Cabinet Office suggests meet the characteristics for the inclusion of Cyber Essentials requirements.
What steps must In-Scope Organisations take?
Having regard to PPN 09/23, In-Scope Organisations carrying out procurements should:
- Establish steps to routinely evaluate whether a contemplated procurement is at a higher risk of cyber security threats, considering the characteristics highlighted by the Cabinet Office.
- Where there is a higher risk of cyber security threats, either:
  - include within the technical requirements a need for the supplier to hold either Cyber Essentials or Cyber Essentials Plus certification, depending on the level of risk; or
  - include within the technical requirements a need for the supplier to demonstrate, through other means, that equivalent cyber protection controls are in place where Cyber Essentials certification is not held.
- Ensure that the steps required by PPN 09/23 are implemented within the deadline of 19 December 2023.
The Cabinet Office suggests that any Cyber Essentials requirements should be communicated to potential suppliers in the pre-procurement stage. Where it is decided that Cyber Essentials requirements apply, this should be set out in the Contract Notice.
Other considerations for In-Scope Organisations
The assessment of whether a procurement presents a higher cyber security threat is a matter of judgement. For that reason, PPN 09/23 states that In-Scope Organisations should ensure that decisions on the appropriate cyber security controls are recorded in an audit trail, including where cyber security risks are assessed as very low or not relevant, or where no measures are considered necessary.
Further resources
For further guidance on the interpretation and implementation of PPN 09/23, please contact Amardeep Gill, Louis Sebastian or Jamie Norris.
A podcast by Trowers and Hamlins discussing the importance of cyber security in the public sector is available here. PPN 09/23, including Annex A (example contracts which meet the characteristics of including Cyber Essentials requirements) and Annex C (FAQs) is available here.