We have adopted the UK government’s PPN 07/23 Security Classification Policy with immediate effect.
The Government Security Classifications Policy (GSCP) has been updated to address gaps in the previous policy. The policy applies to any information or data that is created, processed, stored or managed as part of a government contract, including Welsh Government contracts as a central government body.
The GSCP uses 3 classification tiers
- Top secret
Each tier provides a set of recommended behaviours and a set of protective controls. These are proportionate to the threat profile for that tier and the potential impact of a compromise, accidental loss or incorrect disclosure of information held within that tier.
The contents of the PPN should be implemented by June 2024. This 12-month implementation window is to allow sufficient time for the requirements of the updated classifications policy to be integrated into commercial activity.
In-scope organisations must ensure that appropriate protective security controls are in place for new and existing contracts in line with the updated Policy. A full suite of guidance documents is available on GOV.UK, with specific guidance for commercial teams and suppliers. An e-learning module, Government Security Classification Policy, is available on the Civil Service Learning website.
Most of the updates are minor which will not require a contract variation to existing contracts. However, there might be some instances where specific contracts need to be reviewed.
In-Scope Organisations should notify existing suppliers that the Government Security Classification Policy has been updated and set out any changes needed to the contract.
If you have any queries about PPN 07/23, please e-mail: ICTProcurement@gov.wales