Welsh Procurement Policy Note WPPN 08/21: Cyber Essentials

Image

• A Wales of more cohesive communities
• A globally responsible Wales

1.1 WPPN 08/21 adopts the published Procurement Policy Note 09/14: Use of Cyber Essentials Scheme certification (“UKG PPN 09/14”) and updates the Procurement Advice Note (PAN) for the Public sector: Cyber Essentials (2014) which will now be archived.

2.1 This WPPN has been published to assist all WPS contracting authorities in Wales, including Welsh Government departments, NHS Wales bodies, Welsh Government sponsored bodies, local authorities and the wider public sector. This WPPN covers goods, services and works contracts being delivered in Wales.

2.2 Please circulate this WPPN across your organisation and to other relevant organisations that you are responsible for, drawing it to the specific attention of those in procurement, commercial and finance roles.

3.1 In September 2014, UK Government published a Procurement Policy Note on the Cyber Essentials certification scheme. UK government widely encouraged its adoption and have made it mandatory for their contracts involving the handling of personal information and provision of certain ICT products and services advertised after 1 October 2014.

3.2 In an effort to reduce the levels of cyber security risk in the supply chain, in consultation with industry, UK Government via the National Cyber Security Centre (NCSC) developed the Cyber Essentials Scheme to ensure a minimum level of security for all their suppliers.

3.3 Any of the following characteristics will necessitate the requirements prescribed by Cyber Essentials:
 

• Where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier.
• Where personal information of Government employees, Ministers and Special Advisors such as payroll, travel booking or expenses information is handled by a supplier.
• Where ICT systems and services are supplied which are designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme.

3.4 Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. Implementing these measures can significantly reduce an organisation's vulnerability. However, it does not remove all cyber security risks; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. Cyber Essentials defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.

3.5 Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threat coming from the internet.

3.6 Cyber Essentials covers the basics of cyber security in an organisation’s enterprise or corporate IT system. Two levels of certification are available:

• Cyber Essentials – certification is awarded on the basis of a validated self-assessment, where an organisation undertakes their own assessment via a questionnaire which is approved by a Senior Executive such as a CEO.
• Cyber Essentials Plus – offers a higher level of assurance through external testing of the organisations security approach. Cyber Essentials Plus comprises remote and on site vulnerability testing to check whether the controls claimed actually defend against basic hacking and phishing attacks. It is therefore the more rigorous assessment and should be used when risk is assessed as high.

Application in Wales

3.7 From 1 April 2015 Cyber Essentials is required for all relevant Welsh Government contracts and is used by the Welsh Government Commercial Policy and Delivery Service on all collaborative frameworks. Contracts for inclusion must be identified during the procurement strategy defining process.

3.8 The impact for business has been considered. Certification costs organisations approximately £300 per annum at the basic level but more at the Plus level. Business Wales can signpost SME’s to external providers who provide advice on obtaining the Cyber Essentials accreditation. Prices for certification are not set by HMG and are largely driven by competition so costs may vary.

3.9 Whilst Cyber Essentials is a mandatory requirement for Welsh Government, the wider public sector is strongly encouraged to adopt it where contracts involve sensitive information.

4.1 Overview of key Cyber Essentials Scheme requirements

4.1.1 It is mandatory for suppliers to demonstrate that they meet the technical requirements (boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management) prescribed by Cyber Essentials for those contracts featuring any of the characteristics set out below, apart from those exemptions listed at paragraphs 4.2.2 – 4.2.3. The requirements can be found at Cyber Essentials: Requirements for IT infrastructure on NCSC.GOV.UK

4.1.2 Any of the following characteristics necessitate the requirements prescribed by Cyber Essentials:

• Where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier. 
• Where personal information of government employees, ministers and special advisors such as payroll, travel booking or expenses information is handled by a supplier. 
• Where ICT systems and services are supplied which are designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme.

4.1.3 In addition to the above Cyber Essentials can also be used in any category of Government procurement on a case-by-case basis if a contracting authority considers this appropriate. Such a use requires that a cyber security risk is identified which would not be managed by any of the existing security requirements and where the use of Cyber Essentials is a relevant and proportionate way to manage this.

4.1.4 Examples could include: 

• Where data is held or accessed outside of the UK/EC
• Where data is regularly held in a separate Disaster Recovery location
• Escrow and Disaster Recovery suppliers with access to customer data

4.1.5 The WPS body must select either Cyber Essentials or Cyber Essentials Plus standards for suppliers depending upon the level of assurance required. It should be noted that Cyber Essentials was developed because neither ISO27001 nor other considered standards were sufficiently prescriptive to defeat common internet based threats. In some higher risk procurements it is likely that Cyber Essentials Plus will not provide sufficient assurance on its own and additional, broader, security requirements will be specified, e.g. ISO27000 series.

4.1.6 These types of contract tend to be from the following categories of supplier:

• Professional services – this includes commercial, financial, legal, HR and business services (who handle data).
• ICT – IT Managed or Outsourced services and ICT Services (who run systems that store data).

4.1.7 As a guide to how the policy should be applied, the following contract examples would be judged to be in scope:

• Curriculum vitae writing services to support over 1,000 individuals back into the labour market. Data held by the supplier will include name, address, telephone number, date of birth, email address and National Insurance number.
• Car hire services for 10,000 members of staff. Data held by the supplier will include name, work address, work email, home address (optional) and driving licence number.
• Contact centre services for advice, guidance and signposting over 100,000 individuals. Data held by the supplier will include name, address, postcode, telephone number, National Insurance number and limited financial details.

4.1.8 Conversely, the following contract examples would be judged to be out of scope:

• Communications and marketing planning services for a specific departmental product or service which would not require access to personal data.
• Driving instructor services for 10 individuals with very limited access to personal data involved and delivered by a sole trader whose use of IT is limited and incidental to the service being delivered.

4.2 Exemptions

4.2.1 Under the detailed circumstances that follow at paragraphs 4.2.2 - 4.2.3 it is not necessary to apply the requirements specified under Cyber Essentials for procurements which are otherwise in scope.

4.2.2 ISO27001 trumps Cyber Essentials. Any supplier with ISO27001 would not need to additionally hold Cyber Essentials or Cyber Essentials Plus provided the service being procured is in scope of their ISO certification.

4.2.3 Contracts may be exempt where use of Cyber Essentials can be demonstrated to be either not relevant or clearly disproportionate, such as where a cyber security risk is assessed as very low. In such cases it is suggested that a decision audit trail is recorded.

• The Public Contracts Regulations 2015
• The Public Procurement (Amendment etc.) (EU Exit) Regulations 2020

This WPPN is effective from the date of publication on 13 October 2021 until it is superseded or cancelled.

This WPPN aligns with the following WPPS principles:

Principle 9

We will improve the integration and user experience of our digital solutions and applications, maximising the use of our procurement data to support decision making.

If you have any questions about this WPPN, please contact:

Commercial Policy – Polisi Masnachol: CommercialPolicy@gov.wales.

Guidance and tools

Below are some of the policy guidance documents and supporting tools that are available to you for use in your procurement activity (in alphabetical order):

• Cyber Essentials website providing further details
• Cyber Essentials Common questionnaire and Cyber Essentials Plus common test specification: Free Download of Cyber Essentials Self-Assessment Questions

These are the default questions and tests to be applied by certification bodies, unless an alternative arrangement has been agreed with National Cyber Security Centre (NCSC) through their accreditation body.

• Details of accreditation bodies are available at Certification Bodies

FAQs are provided at Annex A, which form part of UKG PPN 09/14.

The following publications were utilised in the preparation of this WPPN:

• Procurement Policy Note 09/14: Cyber Essentials scheme certification (Crown Commercial Services – September 2014)

Procurement Policy Note 09/14: Cyber Essentials scheme certification

The below questions are taken from the Procurement Policy Note produced by Crown Commercial Services.

Q1. Why should Cyber Essentials be used in government’s supply chain?

• To manage cyber security risk in government’s supply chain
• To allow government’s suppliers to use a recognisable scheme to demonstrate to other potential customers that they take cyber security seriously; and
• It is simple, low cost to achieve and presents a minimal barrier to entry to the government supply chain.

Q2. What technical areas does Cyber Essentials cover?

• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management

Q3. When should I discuss with/notify suppliers of any applicable Cyber Essentials requirement?

Ideally this should be discussed with potential suppliers in the pre-procurement stage where you are shaping your overall project requirements. Any applicable Cyber Essentials requirements must be specified in the Contract Notice under the Open procedure, and consideration should be given to highlighting any Cyber Essentials requirement in Contract Notices for other procedures to provide bidders with the longest possible time to seek certification.

Q4. How do suppliers know who to approach to undertake the certification process?

This service is provided by Government approved certification bodies which are currently accredited through Information Assurance for Small and Medium Sized Businesses (IASME). Additional accreditation and certification bodies will be appointed as the Cyber Essentials Scheme develops. Details of accreditation bodies are available at: Certification Bodies.

Q5. At what point is the supplier required to demonstrate possession of the Cyber Essentials certificate?

Evidence of holding a Cyber Essentials certificate (whether basic level or Plus) is desirable before contract award, but essential at the point when data is to be passed to the supplier. Under exceptional circumstances Departments may wish to make a risk-based decision and allow a contract to commence if a Cyber Essentials certification of a supplier business is either incomplete or not current. A record of the decision is required.

Q6. How much will it cost a supplier to become Cyber Essentials certified?

The cost for smaller companies to be Cyber Essentials certified is £300 + VAT at basic level, and there are no specific costs for cyber essential at plus level as there are quoted individually. Please refer to Lasme.co.uk for more detail. Up-to-date information on costs can be found on the web pages of IASME, the NCSC approved certification body, links to which can be found at Iasme.co.uk

Q7. How often will Cyber Essentials certification need to be renewed?

Suppliers should hold a Cyber Essentials Certificate that is no more than 12 months old. As Cyber Essentials provides assurance of compliance only at the time of testing, certified organisations that do not regularly patch their ICT or do not control secure configuration may become non-compliant in substantially less than one year. The requirement to certify at more regular intervals should be risk based and determined on a case by case basis, subject to the requirements of the contract.