
Whitehall mandates supply chain cyber security standard for suppliers

David Bicknell Published 27 September 2014

'Cyber Essentials' controls will drive security compliance for companies bidding for government contracts


The government wants to improve cyber security in its supply chain.

From next week, 1st October, all suppliers bidding for government contracts that involve handling sensitive and personal information, or providing certain technical products and services, must be compliant with the new "Cyber Essentials" controls.

The government has developed Cyber Essentials in consultation with industry, and according to the government, it offers "a sound foundation of basic cyber hygiene measures which, when properly implemented, can significantly reduce a company's vulnerability." The scheme's set of five critical controls is applicable to all types of organisations, of all sizes, giving protection from the most prevalent forms of threat coming from the internet.

Cabinet Office minister Francis Maude said: "It's vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business' clear stance on cyber security.

"Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so."

To ensure the scheme is flexible and affordable, there are two levels of assurance available, Cyber Essentials and Cyber Essentials Plus. Organisations assessed as successful in meeting the scheme's requirements are awarded a certificate and are able to display the appropriate Cyber Essentials or Cyber Essentials Plus badge on their marketing material.

A new accreditation body, QG, has been set up, joining CREST and the IASME Consortium in appointing firms that can certify company applications.

The government hopes that mandating Cyber Essentials will provide further protections for the information it handles and will encourage adoption of the new scheme more widely.

The scheme was launched in June and is gathering pace, with insurance firms like AIG offering incentives to businesses to become certified. Larger organisations like Hewlett-Packard (HP), one of the scheme's early adopters, are also beginning to demand it from their own supply chains.

Stuart Bladen, Regional Vice President & General Manager, UK Public Sector, HP Enterprise Services said: "Cyber Essentials helps keep businesses safe online, which is why HP has been an active supporter of the scheme from its initial concept. Our extended supply chain of differing business types, including a large SME community, can get affordable cyber security assurance to protect their own and HP intellectual property and information, and that of customers.

"For this reason HP UK Public Sector has written to its entire supply chain explaining the merits of the certification and notifying our intention to require them to adopt this scheme."

* A survey from Government Computing and CSC has revealed that the advent of fundamental change in the public sector, with greater financial responsibilities placed on local authorities and NHS trusts and increasing digitisation of services, must drive a more rigorous assessment of cyber threats and defences.

But have sufficient public sector organisations taken that message on board? Are they so fearful of a knock on the door from the Information Commissioner's Office over their stewardship of confidential personal data, and of any subsequent ICO financial penalties, that they fail to realise they face a greater financial threat from the attractiveness to attackers of their new-found financial commitments and services?

Those in the public sector responsible for ensuring the security of information and for the development of cyber security policing and prevention are encouraged to download the full report to learn how their public sector peers are getting to grips with the growing challenges posed by cyber threats and see the five questions security-aware managers and executives should ask themselves.
