Principle: A4 Supply Chain
The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
This means considering the risks of any network connection or data-sharing arrangement with a third party that has the potential to affect the security of the essential function. You should ensure that any identified risks are appropriately managed. Where third-party technology services are used, contractual agreements should be used to assure the protection of the assets, networks and services on which your essential function depends.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.
- The UK Government’s supplier assurance framework applies to all contracts at OFFICIAL and is designed to identify high-risk projects, provide a risk management framework and inform the assurance approach taken to different levels of risk in contracts. It contains the Common Criteria for Assessing Risk (CCFAR) and a Statement of Assurance question set.
- The GovS 008 Commercial Functional Standard sets requirements in the planning and management of buying goods, works and services, ensuring contracts and relationships with suppliers realise value for money and result in delivery of high quality public services. Within the standard, it states that security requirements should be implemented to protect the government from threats relating to contractors and suppliers having access to classified information, assets and estates. Finally, it references GovS 007 Security where organisations may need to conduct additional security assurance controls. For devolved administrations, organisations should adhere to the functional standard and policy owned by its principal executive or devolved government body.
- Procurement Policy Note (PPN) 09/23 replaces PPN 09/14, which has been withdrawn. The PPN mandates that a Cyber Essentials or Cyber Essentials Plus certificate be held by any supplier managing OFFICIAL government data. Where a supplier does not hold Cyber Essentials or Cyber Essentials Plus, they must be able to demonstrate that equivalent controls are in place through other means. In some cases, additional assurance may be required to mitigate the potential risks associated with a contract.
  In-scope organisations should note that the Cyber Essentials Scheme does not assure specific products or services being supplied. Where specific assurance of products or services is required, further relevant standards should be applied.
- A PPN has been published on Contracts with suppliers from Russia and Belarus, introducing financial and investment sanctions aimed at encouraging Russia to cease actions which destabilise Ukraine. Contracting authorities should consider how they can further cut ties with companies backed by the states of Russia and Belarus.
Guidance
- The NCSC Supply Chain Security guidance establishes high-level principles for supply chain risk management, provides indicators of good practice for supply chain assessment and sets out several supply chain attack scenarios. This guidance is supplemented by How to Assess and Gain Confidence in your Supply Chain Cyber Security, which sets out a series of practical steps to help organisations develop an approach to better assess cyber security in their supply chains, and gain assurance that the right controls are in place to mitigate potential vulnerabilities exposed by those supplier relationships. Additionally, the cloud security principle guidance will encourage you to consider supply chain risk exposure when configuring, deploying and using cloud services. This may be reinforced with the NCSC’s supplier assurance questions to increase confidence in suppliers’ security posture and understand the maturity of their controls.
- The National Protective Security Authority (NPSA) has published Supply Chain Security Guidance on Protected Procurement, which outlines the different supply chain threats businesses face, how to reduce exposure to those threats, and how to embed security throughout the procurement process to reduce the likelihood and impact of supply chain attacks. The guidance is split into three distinct products: Guidance for Business Leaders aims to get business leaders to prioritise and resource supply chain security; Guidance for Practitioners contains practical guidance for those responsible for implementing supply chain security within an organisation; and Guidance for Suppliers sets out guidance for suppliers on developing their security profile.
- The NCSC’s Secure by Design guidance will help you understand the role of suppliers in establishing and maintaining system security. CDDO has also developed Secure by Design principles which are specific to government.
- The Government Security Function has provided guidance on tackling security risk in government supply chains, detailing how security considerations should be included across the contract management lifecycle.
Enhanced profile guidance
- When an incident occurs within your supply chain, you should ensure there are effective processes for coordination with suppliers for its triage and resolution. The NCSC’s Board Toolkit has a section on Collaborating with your supply chain and partners, which discusses developing a comprehensive understanding of your connections to suppliers, maintaining varied communication channels and utilising scenarios to test incident response coordination.
- You should ensure that the risks posed by subcontractors are factored into your broader supply chain risk management strategy. The NCSC’s Supplier Assurance Questions guidance provides several questions on subcontractors which include supplier connections, contractual responsibilities, geographic location and rights to audit.
Further information
Further guidance can be found on the NCSC’s CAF Guidance webpage.