PPN 09/23 (PCR 2015)

Updates to the Cyber Essentials Scheme

Overview

This PPN applies to central government departments, their executive agencies and non-departmental public bodies, and NHS bodies (collectively referred to as ‘in-scope organisations’).

This PPN sets out government guidance on ensuring effective cyber security controls are in place for certain types of contract considered to be at a higher risk of cyber security threats, or with certain characteristics that would require them to have a greater regard to cyber security concerns.

In particular, this PPN requires that suppliers bidding for these types of contract must demonstrate prior to the award of the contract that they hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place).

In-scope organisations should note that there may be cases where a higher level of security controls is required, and should specify these requirements accordingly.

Objective at this commercial stage

Cyber security controls should be relevant and proportionate to the procurement. In-scope organisations should develop a strategic approach as part of a wider organisational security strategy in collaboration with security teams and experts, as appropriate.

Key considerations at this commercial stage

In-scope organisations should:

  • ensure that effective and proportionate cyber security controls are incorporated into every procurement where the contract is considered to be at higher risk of cyber security threat
  • consider whether Cyber Essentials or Cyber Essentials Plus certification should be included in the technical requirements
  • not include Cyber Essentials or Cyber Essentials Plus certification as a matter of course in all contracts
  • consider whether specific assurance of products or services is required
  • consult security teams or experts to ensure proportionate additional measures are put in place

The PPN should be read alongside the relevant parts of the legal framework, including, but not limited to, the following provisions of the Public Contracts Regulations 2015 (which may be particularly relevant to the consideration of this PPN):

  • Regulation 58: Selection criteria
  • Regulation 70: Conditions for performance of contracts
  • Regulation 107: Qualitative selection

Additional support and guidance

Make sure you:

  • read the PPN and any supporting implementation guidance
  • seek legal and commercial advice in the context of specific procurements