PPN 014 (PA 2023)

PPN 014 Updates to the Cyber Essentials Scheme


Overview

This PPN applies to all central government departments, their executive agencies and non-departmental public bodies, and NHS bodies (collectively referred to as ‘in-scope organisations’) when awarding public contracts for goods and/or services and/or works, other than special regime contracts. Other public sector bodies may wish to apply the approach set out in this PPN.

This PPN sets out government guidance on ensuring that effective cyber security controls are in place for certain types of contract: those considered to be at a higher risk of cyber security threats, or those with characteristics that require greater regard to cyber security concerns.

In particular, this PPN requires that suppliers bidding for these types of contract must demonstrate prior to the award of the contract that they hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place).

In-scope organisations should note that there may be cases where a higher level of security control is required, and should specify these requirements accordingly.

Note: This PPN replaces PPN 09/23 for procurements commencing on or after 24 February 2025.

Objective at this commercial stage

Effective and proportionate cyber-security controls should be incorporated into all procurements for contracts that are considered to be at higher risk of cyber security threats. Early engagement with security teams and experts will help establish the security risk and proportionate controls for the procurement in question.

Key considerations at this commercial stage

In-scope organisations should:

  • ensure that effective and proportionate cyber-security controls are incorporated into every procurement where the contract is considered to be at higher risk of cyber security threats
  • consider whether Cyber Essentials or Cyber Essentials Plus certification should be included in the technical requirements
  • require Cyber Essentials or Cyber Essentials Plus certification if appropriate
  • where Cyber Essentials or Cyber Essentials Plus certification is required, allow a supplier to demonstrate equivalent controls by other means
  • ensure that decisions relating to appropriate cyber security controls are recorded in the audit trail

This content is under development.