
Author: Government Security Group

Contracting Securely

The modular security management schedules have been created to make government procurements more secure. This page is designed to help you choose the most appropriate schedule for your procurement and put clear and appropriate security requirements in your contracts.

Using the Modular Security Schedules

The modular security management schedules have been created to make the security requirements in government contracts more robust and better adaptable to different procurement scenarios.

This page is designed to help you choose the most appropriate schedule for your procurement and put clear and appropriate security requirements in your contracts.

There are 5 schedules that you can choose from for your procurement. You should select them based on which standard contract you are using and your specific procurement needs.

Each schedule has been developed to be applicable to the most common procurement scenarios across government. They can also be adapted to meet more complex needs.

These schedules are primarily designed to be used for contracts processing Official data, including Official (caveated sensitive) data. However, the Authority-led Security Management Schedule can be adapted for use at higher classifications. For more guidance on how to classify your data or information, please refer to the UK Government Security Classifications Policy.

The 5 schedules 

There are 5 different security management schedules; some have minor adaptations to fit whichever of the Model Services Contract (MSC), Mid-Tier Contract (MT) or Short Form Contract (SF) is being used.

Authority/Buyer-Led Security Management Schedule

For large managed services and systems provided by third parties with significant involvement from the buyer.

Supplier-Led Security Management Schedule

For large managed services and systems provided by third parties where less buyer involvement is needed or possible.

Developer Security Management Schedule

For where the supplier develops a system, application, or website for the buyer.

Consultancy Security Management Schedule

For consultancy and professional services.

Short Form Security Management Schedule

For use with lower value, less sensitive procurements.

Choosing the right security schedule for your procurement 

To choose the right schedule, you need to follow these steps. This section will guide you through each of them.

1. Understand the standard contract you are using 

There are three standard contracts for use by government departments and public sector organisations. These should be used when procurements are not being done through government procurement frameworks.

Your commercial team should be able to advise you on which contract to use. This is mainly based on the value and size of your procurement.

More guidance on each one can be found here:

We are intending to include these security schedules in the next published versions of these three standard contracts, including ‘wiring them into’ the rest of the contract.

Until these are published, you can use these security schedules for:

  • version 2.1 of the Model Services Contract (replacing schedule 5)
  • version 1.2 of the Mid-Tier Contract (replacing schedule 16 and schedule 19)
  • version 1.3 of the Short Form Contract (adding in a new Annex).

You may need to amend the contracts to make the schedules work correctly – for example, referring to the new schedule in the Award/Order Forms, and the Core Terms.

This table sets out which schedules can be used for each standard contract.

Table 1:

Note that Authority-led and Buyer-led are largely the same schedule, but the term “Authority” is used to refer to the contracting authority in the Model Services Contract, and the term “Buyer” is used in the Mid-Tier and Short Form Contract. The term “buyer” is mainly used throughout this guidance to describe the contracting authority.

*The Developer and Consultancy Security Schedules can be used in the Short Form but as they are adapted to the Mid-Tier, they will need to be amended to fit into the Short Form Contract.

2. Assess the sensitivity of the data which will be processed, stored, or hosted under your contracts

Next, you must understand the types of data being processed under your contract. This is also important from a data protection perspective, which you can learn more about on the Information Commissioner’s Office (ICO) website.

The sensitivity of data can broadly be divided into 4 risk categories; below you will find the types of data which fit into each category. If you are not sure how to assess the data, you should speak to your organisation’s data protection or security team.

Table 2:

Now that you have assessed the security category of the data involved in your procurement, you can narrow down the schedules available to you.

Table 3:

Note that Authority-led also covers Buyer-led in Table 3 above.

*If you are using the Authority-led Security Schedule for Security Category 4, you need to make sure that all your security requirements for this level of data are included.

3. Selecting your schedule based on your assessment

Now that you have worked out which schedules can be used for both the standard contract in use and the security category of the procurement, it is time to pick the right schedule.

In some cases, there will only be one schedule which is applicable to both your standard contract and security category, so you should use that one.

Sometimes, there may be more than one schedule which could be applicable for your standard contract and security category. This gives you the flexibility to find the most appropriate schedule for the type of procurement you are doing.

To make this decision, you should consider the detailed information on each relevant schedule, which is set out below. There is also further information at the bottom of this page under further schedule adaptations.

Authority/Buyer-led Security Management Schedule

This replaces the former Accreditation Security Management Schedule (Schedule 5, Part B) from the Model Services Contract (MSC). It is for large managed services where the buyer has sufficient in-house expertise to undertake a full assurance exercise.

Examples of where this would be used are the Civil Service Pension Scheme and large fraud detection and prevention contracts. Both of these examples are typically multi-million pound contracts running over several years, with large volumes of sensitive personal information being processed. Managed Service Contracts for running large IT systems for the public sector may also fall into this category.

Supplier-led Security Management Schedule

Replaces the former Assurance Security Management Schedule (Schedule 5, Part A) from the MSC.

For large managed services where the buyer lacks sufficient in-house expertise or resource to undertake a full assurance exercise, but with the same security requirements as the Authority-led schedule.

Developer Security Management Schedule

This security schedule is suitable for where the Supplier develops a system, application or website for the Buyer. The schedule includes requirements concerning secure coding practice.

This schedule could be used where a digital service for citizens is being built either solely by the supplier or in partnership with the buyer. There are options in this schedule for either a “standard” risk agreement or a “higher” risk agreement. This depends on the level of risk for the system being developed and the sensitivity of the data being processed.

Consultancy/Professional Services Security Management Schedule

Applies to consultancy and professional services where the supplier may process sensitive and/or large volumes of government data, but is not building an IT service.

This can also be used where a supplier works on HMG systems or equipment. There are options in this schedule for either a “standard” risk agreement or a “higher” risk agreement.

Short Form Security Management Schedule

This is a “lighter” security schedule. It includes a set of security requirements with options, and is generally for use with lower value, less sensitive procurements where the buyer will have limited resources to manage security compliance.

Suitable for use where the supplier will handle limited quantities of data or there is little or no sensitive data.

After you have chosen your schedule

You should now have picked which schedule is best-suited to your needs. There are a few final steps to help you adapt the schedule to your procurement scenario and risk tolerance.

Within each schedule, there are certain customisable options. For example, in some schedules you can make specific choices about hosting locations, certification requirements, security requirements, and other aspects of your contract. When you open the schedule document these are set out as clear tick-boxes at the start of the schedule which you can select.

The options vary between the different schedules based on the risk categories they can be used for and the type of procurement you are doing. If you are unclear on which requirements to include, seek advice from your organisation’s security team.

Download and start using your schedule

Remember, the schedules are continuously improving and evolving, so make sure you check back regularly to download the latest versions.

Model Services Contract (MSC)

Download the latest MSC Authority/Buyer-Led Security Management Schedule

Download the latest MSC Supplier-Led Security Management Schedule

Mid-Tier Contract (MT)

Download the latest MT Authority/Buyer-Led Security Management Schedule

Download the latest MT Supplier-Led Security Management Schedule

Download the latest MT Developer Security Management Schedule

Download the latest MT Consultancy Security Management Schedule

Download the latest MT Short Form Security Management Schedule

Short-Form Contract (SF)

Download the latest SF Short Form Security Management Schedule

Additional considerations

In most cases, you will now be able to select the correct schedule and adapt it appropriately. However, some organisations may have different ways of working and different levels of commercial and security resources.

Below, you will find more information and guidance on additional considerations you might have to take if you need to make further changes to your schedules.

If the schedules are not appropriate for your specific needs or contract delivery model, and cannot be adapted accordingly, you will need to draft a bespoke schedule with legal support.

Choosing the Supplier-led versus the Authority/Buyer-led Security Management Schedule

Both the Supplier-led and Authority/Buyer-led schedules include the same robust security controls; the difference between them is the level of oversight that the buyer has of the assurance activities.

The Supplier-led schedule places more responsibility on the supplier in terms of performing assurance activities with less oversight from the buyer.

The Authority/Buyer-led schedule places more responsibility on the buyer to take a proactive role in the oversight of assurance activities. This is often helpful for contracts which include sensitive government data or information, where the buyer has sufficient in-house security resources to conduct assurance activities.

This difference aims to reflect the varying security expertise and capacity across government organisations, and gives more flexibility to contracting authorities.

Using the Security Management Plan (SMP)

In some cases, it will be necessary for your supplier to complete an SMP. This will be made clear once you have selected your schedule and chosen your options.

The SMP is a contractually-defined document that is specific to the solution being procured. It requires suppliers to demonstrate how they are protecting your information by detailing the risk assessment and security controls they have put in place, based on the security requirements within the schedule.

It is your responsibility as the buyer to review the SMP and assure yourself that these controls are sufficient. This should be updated by the supplier and reviewed by the buyer at least once a year.

If there is a breach of security, the SMP can be used to understand the controls that were in place and manage the incident response process more effectively.

A sample SMP template which can be used for most schedules can be found here. As the buyer, you can amend this to fit your specific requirements, but it might be helpful for you to take advice from your security team before doing this.

Replacing the Security Management Plan (SMP) with a Security Questionnaire

Some departments and organisations use a security questionnaire instead, which the suppliers must complete and keep updated. If this is the case for your organisation, then you must remove the references to the SMP and replace them with references to the Security Questionnaire. You must also replace the SMP Annex with the Security Questionnaire to ensure that it is a contract-controlled document.

When To Apply The Secure By Design Option

Within some schedules, the buyer has the option to require the supplier to assess their solution according to the Secure by Design principles.

This is helpful when procurement activities fall within the scope of the digital and technology spend controls, requiring additional approval processes.

All central government departments and arm’s-length bodies (ALBs) must incorporate effective security practices and meet the Secure by Design policy when delivering and building digital services and technical infrastructure.

Using a Risk Appetite Statement

When using the Authority/Buyer-led or Supplier-led schedules, the buyer is required to provide the supplier with a risk appetite statement detailing the level of risk tolerance you are prepared to accept throughout the contract. This gives flexibility to the buyer on the level of risk they are willing to accept to achieve their outcome.

Your risk appetite statement should detail the type and sensitivity of the information being processed and the potential impact of a data breach. For example, any special category data, Personal Identifiable Information (PII), or sensitive information should be clearly outlined and accounted for.

Replacing The Risk Appetite Statement With A Security Aspects Letter (SAL)

Some organisations use a SAL instead of a Risk Appetite Statement. These schedules assume the use of a Risk Appetite Statement instead of a SAL, so any organisation using one will have to make appropriate changes to the contract.

When to apply the Developer Annex

When using the Authority/Buyer-led or Supplier-led schedules to procure a large managed service involving significant software development, you may need to include the Developer Annex to contractually require the supplier to implement appropriate security controls around this process.

This is helpful when the software development forms part of a managed service delivery which is beyond the scope of the Developer schedule.

For example, it could be used where a public digital service is being built either solely by the supplier or in partnership with the buyer.

Assessing equivalence to Cyber Essentials (CE) and Cyber Essentials Plus (CE+)

The Cyber Essentials scheme is a UK-based certification, but there are some suppliers such as smaller or overseas businesses which will not hold it. For this reason, the security schedules allow for equivalence to CE/CE+.

In this case, you will need to seek alternative assurance that appropriate cyber controls are met. You should read the PPN here and speak to your security team if you need further support.

Shared Responsibility Model, Cloud and SaaS flowdown requirements

When procuring software as a service (SaaS) products, commercial off-the-shelf services (COTS), or other cloud-based products, the shared responsibility model applies.

Often, vendors of these types of solutions require the buyer to sign up to their Terms and Conditions and they will rarely accept any additional security requirements.

This means that you need to be aware of the limitations when trying to use the schedules to impose specific security requirements on the supplier. Therefore, we do not expect these security schedules to be used for direct contracting with cloud providers. As the buyer, you are responsible for making sure that these solutions are securely configured, and that the terms and conditions offered by the supplier are compliant with your security requirements and UK data protection legislation. You must also check that your data is not being sold or passed on to third parties. This may mean that products you would like to use are not appropriate where sensitive information or data is concerned.

Where these tools are part of the prime supplier’s solution, as opposed to being procured directly by your organisation, the security schedules require the supplier to be transparent about their usage, and to conduct security assurance as appropriate. They must also keep records and evidence to demonstrate that this has been done.

Subcontractors with Significant Market Power (SMP) such as cloud providers are unlikely to contract on other than their own contractual terms. Provisions are included within the schedules to require the prime suppliers to use reasonable endeavours to flow down the security obligations within these schedules to such sub-contractors.

How and where to add additional security requirements/clauses

Depending on your procurement scenario, it may be necessary to add or change the security requirements within the schedules. For example, you may need more robust or specific physical security requirements if you are procuring an on-premise hosting solution.

This can be done by amending the Annex 1 – Security Requirements section within your schedule. If you are not sure how to do this to suit your specific procurement, speak to your organisation’s security and legal teams.

Risks using buyer security policies

These security schedules have been designed to set out our requirements clearly and directly, rather than by referring to the ‘Buyer’s Security Policies’ which can be more ambiguous. However, there is an option within the schedules to include them.

Another advantage of clear and direct security requirements in the schedules is that there is less room for misunderstanding, and therefore it is easier for suppliers to estimate costs more accurately. This brings predictability to both your organisation and its suppliers and sets clear expectations and lines of accountability.

Remote working

The default position in the security schedules is that privileged users do not undertake remote working. However, the Buyer can approve remote working for both normal and privileged users, subject to agreeing an acceptable ‘remote working policy’. The schedules state what the remote working policy must make provision for. This needs to be specifically pointed out to potential bidders because of the likely cost implications, and the agreed position should be incorporated into the security management schedule prior to contract signature.

Crown Commercial Service frameworks

For now, the security schedules have been adapted to fit with the standard contracts. They can sometimes be used within certain Crown Commercial Service (CCS) frameworks when the Public Sector Contract (PSC) is being used. To do this, you will need commercial and legal support.

In the future, we are aiming to work together with CCS to incorporate the schedules into new frameworks and also explore how we can make procurement more consistent across the public sector.

Contact us

If you have any questions, please email procurement-security@cabinetoffice.gov.uk.
