The Scottish Government is soon to launch a new online procurement tool which aims to embed cyber security into the public sector procurement processes.
The launch of this tool ties in with the Public Sector Action Plan, which aims to ensure that the public sector improves its overall cyber security posture. As part of this there has been a real push for Cyber Essentials certification across the public sector, along with many workshops to build awareness and understanding of cyber security risks and preventive measures.
The Public Sector Action Plan was one of five action plans that came from the original cyber resilience strategy in 2015, which aims to make Scotland a secure place to live and work; a secure public sector is a key part of this.
The Scottish Government have developed the Scottish Cyber Assessment Service (SCAS) and the Supplier Cyber Security Guidance Note to embed cyber security into the public sector supply chain. SCAS is an online tool that provides a way for public sector organisations to assess cyber risk at the start of the procurement process and seeks to ensure that the public sector obtains consistent and proportionate cyber security assurances from potential suppliers. SCAS requires suppliers to complete a questionnaire detailing their current level of cyber security, with detailed questions aligned with authoritative guidance from the National Cyber Security Centre (NCSC).
Public sector organisations will use the tool to complete a Cyber Risk Profile Assessment for all contracts before they issue Invitations to Tender. This will generate a Cyber Risk Profile for the contract, and a Supplier Assurance Questionnaire that is proportionate to the risk. All suppliers bidding for a contract will then be given a Risk Assessment Reference. They can use this to log on to the tool, complete the relevant Supplier Assurance Questionnaire, and download a report to submit alongside all other tender documents.
The Cyber Risk Profile (risk level) determines how many questions must be answered: the lower the risk, the fewer the questions; the higher the risk, the more questions required. The questions will be consistent across contracts of similar risk levels and aligned with NCSC guidance and standards. If a supplier does not have the required cyber security controls in place, the public sector buyer may opt to accept a Cyber Implementation Plan outlining how the supplier would meet the requirements by a specified future date, i.e. before the start date of the contract. The assessment broadly aligns with the NCSC Supply Chain Guidance.
Public sector organisations will then assess the answers provided as part of their evaluation of tenders. The tool helps to manage supplier burdens in two main ways:
- Consistent questions for similar contracts across the public sector (similar risk levels)
- Suppliers can reuse many/all of the answers they have supplied previously
Companies looking to supply into the public sector have two options. They can wait until they are involved in a tender for a public sector contract, at which point they will receive a link to the tool as part of that process, or they can become familiar with the questions in advance and assess for themselves how well they stack up against them.
The supplier may need to enlist the help of others within their organisation to complete the questions, particularly IT security and information assurance staff. Once completed, the answers can be reused for further public sector tenders, with a sense check to ensure the information is still relevant.
Further details can be found at www.cyberassessment.gov.scot. The expected launch date is Jan 13th 2020.