PPN09/23 – New guidance from the Cabinet Office: how to avoid the ever-increasing cyber attacks


10th October 2023

The Cabinet Office has produced a new procurement policy note (PPN09/23) outlining the new updates to the Cyber Essentials Scheme.

What is the Cyber Essentials scheme?

Cyber Essentials is a Government-backed scheme that helps businesses protect themselves against the most common cyber-attacks and gives certified businesses a chance to show their commitment to cyber security as a whole. This accreditation demonstrates that tight controls have been placed on data movement between the business and its suppliers.

This PPN09/23 replaces PPN09/14 (published in 2014), and requires in-scope bodies – including Central Government Departments, their executive agencies, non-departmental government and NHS bodies – to implement the PPN by 19 December 2023. Whilst PPN09/23 is not stated as applicable to the wider public sector, it states that other public sector bodies may wish to apply the approach set out in the PPN. The contents of the PPN will also be of interest to those working in cyber security and IT or tech organisations.

Cyber security controls required for 'high risk' contracts

The biggest takeaway from the PPN is that in-scope organisations must ensure that effective and proportionate cyber security controls are applied to contracts with their suppliers to help mitigate supply chain risks, especially to those contracts that are deemed to be at ‘high risk’ of cyber security threats. Characteristics of ‘high risk’ contracts are:

  • where personal information of citizens or government employees, ministers or special advisers is handled by a supplier;
  • where the contract involves IT systems and services designed to store or process data at an ‘official level’ of government classification (i.e. information that is labelled secret or top secret);
  • where contracts deal with information related to the day-to-day business of government, service delivery and public finances.

Some further examples of high risk characteristics are outlined in Annex A of the guidance, which can be found here.

 

Cyber Essentials scheme accreditation to be used to mitigate risk

The Cabinet Office highlights that the quickest and most effective way of mitigating risks associated with high risk contracts is to ensure that the chosen supplier has the Cyber Essentials or Cyber Essentials Plus accreditation, or that the equivalent controls are in place. Such accreditation, or the equivalent, must be evidenced at the time the data is passed to the supplier and should be renewed annually for the duration of the contract.

The Cabinet Office recognises that this is not a total solution to the wider issue of cyber security and more advanced, targeted attacks, which are becoming more and more difficult to control. Additional standards or safeguards may also be required in addition to Cyber Essentials certification. Instead, the Cyber Essentials Scheme is intended to be a ‘sound foundation of basic hygiene measures that all organisations can implement and build upon’.

On the other hand, the PPN also states that the Cyber Essentials Scheme should not be applied to all contracts as a matter of course and that in-scope organisations must not take a blanket approach, as not all contracts will require suppliers to be certified under the Cyber Essentials Scheme. Organisations will therefore have a judgement call to make.

Some helpful frequently asked questions are also included at Annex C.

The full guidance note can be found here. Should you have any further queries as to the updated policy, or cyber security in general, please contact our specialist commercial lawyers.
