Tackling Security Risk in Government Supply Chains

Introduction

This guide is primarily aimed at procurement, commercial and security practitioners operating within government, but the contents can also be applied to work on grants, and, where relevant, across the public, private, and charity sectors. 

The public sector procurement environment is governed by a framework of procurement rules and regulations and this guide assumes the reader has a sound working knowledge of those rules and of the end-to-end procurement process. Commercial judgement should be applied when using this guide and you should seek legal advice where appropriate.

Security risks to government supply chains

Security is about protecting government assets (people, property and information), visitors to government property, third-party suppliers to government and citizen data and information.  Ensuring the government operates and delivers in a secure way is everyone’s responsibility. This is particularly relevant to those involved in procuring and managing third-party services that may have access to government systems and data. 

This includes:

• security teams who are responsible for the overall security of an organisation, including advising commercial teams on the secure management of IT assets and infrastructure 
• commercial teams who should incorporate proportionate security controls into procurement activity

Threat actors (including countries, criminals and activists) seek to expose, exploit and alter UK information and services to advance their own military, technological, political and economic agendas. This includes exploiting government’s use of suppliers via: 

• ownership models
• exploiting their cyber, physical and personnel security weaknesses to access government assets
• by winning and using public sector contracts to undermine UK national security

The Integrated Review Refresh 2023 set out the government’s aim to protect our supply chains and bolster the UK’s economic security by raising security standards across the UK economy as a whole.

Why it matters 

By recognising risk and raising standards in our supply chain, government will serve as an exemplar in the procurement and deployment of commercial products and services, making the UK commercial community more resilient. This is important because: 

1. Investing in government supply chain security protects the UK government
   As government supply chains become increasingly expansive and interconnected, vulnerabilities in suppliers’ systems, and in the products and services they deliver, present increasingly attractive opportunities to adversaries seeking to gain access to government networks.
2. Good supply chain security also promotes best practice in the wider economy. Government can and should use its buying power to enhance security standards in the private sector to protect UK citizens and businesses.

Supporting small and medium enterprises and voluntary, community and social enterprises 

The government is committed to working closely with small and medium-sized enterprises (SMEs) and voluntary, community and social enterprise (VCSE) sector organisations who uphold the strong social values that are vital to the country’s well-being and economy. This remains a priority and we are doing more than ever to make public contracts more accessible to ensure supplier diversity in supply chains. This includes the 2023 Procurement Act, which provides simpler, more effective procurement processes to help SMEs. 

Security risks can be found in contracts and suppliers of all sizes. However, in applying this guide, commercial teams must consider the impact of its implementation on SMEs and VCSEs. In practice, this means: 

• being proportionate in the overall approach, including implementing proportionate controls to mitigate SME-based risks
• ensuring barriers to participating in new procurements are not created 
• ensuring unnecessary burdens are not placed on SMEs and VCSEs when assessing risks in existing contracts

Action teams need to take 

This guidance focuses on the four key areas of activity, for commercial and security teams to carry out in conjunction with one another. 

Understanding and identifying risks

This section sets out how you can understand and identify security risks in your commercial activity. It is the responsibility of contracting authorities to ensure that they identify and manage risk within their procurements and supply chains.

Working in collaboration with suppliers is key, remembering at all times the risk of insufficient or ineffective action on people, property, information and reputation. You must take a risk-based approach, focussing your efforts on those areas where it will have the greatest impact. 

Understanding the security threat

To understand and identify security risks in your commercial activity, first consider the threat categories that might impact your service.

Threat categories (see Annex A for examples)

Physical

You should work with security teams to assess whether vulnerabilities in your suppliers’ physical security could lead to unauthorised access, destruction, or disruption of your assets either onsite or during transportation.

Physical security measures ensure a safe and secure working environment for staff and visitors, protecting them against a wide range of threats (including theft, terrorism and espionage), or disruption of your assets either onsite or during transportation.

Cyber

Consider if vulnerabilities in your suppliers’ cyber security indirectly provide unauthorised access to your IT systems, your assets or undermine their ability to support your service. Some cyber attacks, such as a denial of service attack, aim to make a machine or network inaccessible to its intended users. Good cyber security is as much about managing access as it is about protecting delivery.  

Personnel

An insider is defined as any person who has, or previously had, authorised access to or knowledge of the organisation’s resources, including people, processes, information, technology, and facilities. The action or inaction conducted by an insider, whether intentional or unintentional, could result in harm or loss to the organisation.  

With third parties and their workers granted a degree of privileged access to your organisation, you should consider implementing personnel security policies, standards, procedures and technical measures to mitigate the risk of insiders. As a minimum, access from suppliers should be reduced to what is absolutely necessary for them to perform their required tasks, but a full range of personnel security controls should be considered.

For further information on mitigating insider risk and ongoing personnel security controls.See the NPSA Personnel Security Maturity Model 

Geographical

Whilst international suppliers operating in the UK must comply with our laws, they may also be subject to their home country’s laws. You must therefore ensure your processes and oversight consider the local legal frameworks in which any international organisations operate. This could include laws and regulations that require organisations to share information and data with the state they are registered in, operating in or belong to. 

You should also include appropriate security vetting requirements for staff when they are based internationally. Some technology providers will rely on international teams to provide 24/7 support 365 days a year. There are clear delivery and security benefits to this offer but it must be weighed against the level of access granted and how critical it is. 

These risks must also be balanced against other imperatives, such as any free trade agreements in force that require the UK contracting authorities to treat suppliers from those countries no less favourably than UK ones, so consultation with security and legal teams on this is important. 

Hostile ownership

A supplier may have the appropriate physical, personnel and cyber security controls in place, but there may still be a risk posed by their current ownership. 

The 2021 National Security and Investment (NSI) Act gives the government powers to scrutinise and intervene in business transactions in particular areas of the economy, such as nuclear and AI, to protect national security. 

Additionally, the 2023 Procurement Act grants government new debaring powers to act on ownership risks beyond those outlined in the NSI Act. 

Please see guidance on the NSI Act and the 2023 Procurement Act for further information.  

Whilst all procurement activity will contain risk, there are some key characteristics which indicate a heightened risk. These characteristics are set out in Annex B and can be used to help you identify which of your procurements may be at a higher risk and require a more robust set of mitigating actions.  

Note: this is not an activity solely for procurement teams and you should consult with your security teams, data protection teams and leadership to make decisions based on your organisation’s risk appetite. 

Managing security risks in procurements

Procurement lifecycle stages

The Sourcing Playbook formalises the procurement lifecycle and sets out the commercial process at a high level.

This section describes how the responsibilities of the security and commercial teams fit within each of the lifecycle stages:

1. Preparation and planning
2. Publication
3. Selection
4. Evaluation and award
5. Contract implementation

While the teams and individuals who fulfil the commercial and security roles will vary depending on your organisation, the requirement to fulfil these responsibilities remains.

You should engage with your security team and work closely with them throughout the procurement process where a significant risk has been identified. 

It is the responsibility of the security teams to provide expert advice and guidance, and for the commercial teams to seek out that guidance.

Lifecycle stages

Stage 1: Preparation and planning 

During this stage, security risks should be identified based on an assessment of risk and impact. This review should be included in the recommendations made when evaluating insourcing and outsourcing approaches, including any relevant pre-tender market engagement activities. 

Procurement planning checklist

1. Has the risk to security been established based on the risk of the data being shared and the potential impact to services?
2. Can security risks be managed/mitigated within the service or activity? If so, have you identified how these steps will be made clear in procurement?
3. Are the risks and required mitigations clear to potential bidders?
4. If this procurement is high risk, do you have appropriate support to ensure the correct steps are taken throughout the process?
5. Is there a named point of contact within the security team for this procurement?
6. Have resources been identified to support the evaluation of security responses?
7. Have all relevant ‘codes of practice’ been incorporated into this procurement?

Responsibilities of security teams

• Assess security risks of the goods or services available in the market
• Consider how these risks can be managed and by whom, including internal governance requirements
• Add this information to the cost model
• Provide security requirements including any required standards and accreditations for the specification.
• Provide security questions to be asked of competing bidders.
• Highlight the security guidance used during the risk assessment for the delivery model assessment
• Incorporate all relevant cyber security ‘codes of practice’ into the procurement process
• Help develop evaluation criteria that considers security, to help avoid bias towards low-cost bids
• Where relevant, consider how the Modular Security Schedules can be included as part of the Model Services Contract (MSC)
• Ensure that termination clauses are included within contracts, to ensure that suppliers don’t hold legacy access to government information and data.

Responsibilities of commercial teams: 

• Consider which standards (GovS 008: Commercial, the Cyber Security Standard, GovS 007: Security) will be sufficient to manage the risks and whether any supplier accreditations, such as Cyber Essentials, are required

• Identify security stakeholders, such as a departmental security lead or team

• Engage with the market to understand whether security requirements are correct and if they can be met
• Work with security to determine whether KPIs and additional clauses (see Annex C) in terms and conditions are required; for example, the right to audit or spot check supplier certifications

During this stage you must also take into account the following legal requirements:

• If required, seek assistance from the Government Legal Department or your in‑house legal team when changing contract terms, and ensure that any risks are assessed and recorded.
• Consider what level of review and approval is required within your department for any changes made to the Managed Services Contract (MSC). 

Stage 2: Publication

This is when the contracting authority formally engages with the market by setting out clear criteria for engagement. 

Procurement planning checklist

1. Have the security requirements of the criteria been clearly articulated?
2. Do potential bidders have all the information they need to make a decision on whether or not they can meet the requirements of the tender?

Responsibilities of security teams

• Provide technical security expertise
• Provide security requirements including any required standards and accreditations for the specification
• Where possible, clarify the security expectations for the whole supply chain, not just the lead supplier, and who is responsible for managing this
• Clarify the security risk and create a security risk allocation matrix that sets out whether each risk sits with the supplier or the contracting authority
• Share the security risk allocation matrix with the procurement team

Responsibilities of commercial teams

• Work with security to ensure suppliers meet any required standards and accreditations
• Stipulate due diligence requirements during evaluation
• Consider including the Cyber Security Social Value Criteria
• Include key performance indicators, relevant contract clauses, and reporting and auditing requirements
• Include security team requirements and/or specifications in the contract such as security requirements, security management plans and risk assessments
• Seek security advice on vendors of concern and where further due diligence is required

For guidance to help with security requirements, download:

• NPSA: Supplier Assurance Questionnaire | Protected Procurement (PDF)
• NPSA: Contracts Checklist | Protected Procurement (PDF) 

Stage 3: Selection

The selection process is used to determine whether bidders are able to comply with exclusion grounds and demonstrate suitability to carry out the contract.  

Procurement planning checklist

1. Has the bidder’s ability to meet your security requirements been included when selecting them?
2. Have legal teams provided the appropriate expertise to make the decision?

Responsibilities of security teams

• Provide standard security questions for procurement professionals to use in questionnaires. For example: 
  • Is this supplier handling sensitive information? Could there be a regulatory cost if this information is mishandled?
  • Will there be significant reputational damage if this service cannot operate, even if the real world impact is low?
  • Is the service being supported business critical? 
  • Could a compromise or service downtime lead to loss of life? 

• Decide who is best placed to evaluate the responses to these questions. For example, certifications or accreditations could be evaluated by commercial, but technical expertise or capability might require evaluation by security specialists
• Offer a consulting capability for edge exclusion cases
• Work with commercial to include selection criteria to request evidence that suppliers have/or will attain the required standards
• Include a clear exit management process in the contract
• Where possible, seek to clarify the security expectations for the whole supply chain, not just the lead supplier, as well as who is responsible for managing this. This could be through requiring upward reporting of security performance and building the right to audit into contracts

Responsibilities of commercial teams 

• Work with security teams to include selection criteria to request evidence that suppliers have/or will attain the required standards
• Consider whether grounds for exclusion apply to the bidder, and seeking security advice where required
• Consider whether ‘self-cleaning’ is needed or has taken place (the cleansing of the company to rid itself of all the influences and structures that could potentially lead to misconduct/a breach of contract)
• Ensure that the evaluation teams have the necessary knowledge and experience to effectively evaluate the responses, and are aware of their responsibilities to complete the evaluation itself

For guidance to help with selection, download:

• NPSA: Due Diligence Checklist | Protected Procurement (PDF)
• NPSA: Background Checks Guidance | Secure Innovation (PDF)

Stage 4: Evaluation and award

The purpose of this stage is to select the best tender that meets all the required criteria,including the security criteria. Contracts that do not meet government security requirements should not be considered good value for money. 

Procurement planning checklist 

1. Have you ensured that cost considerations won’t take undue precedence over security?
2. Have you set Key Performance Indicators for Security?
3. Have you included security outcomes in your assessment of value?

Responsibilities of security teams:

• Produce guidance and training to colleagues to enable effective evaluation of contracts
• Provide an escalation route for high-risk tenders
• Monitor the exit management process in the contract

Responsibilities of commercial teams:

• Include management actions and audit/assurance clauses in contract documentation.
• Include incident reporting requirements and processes
• Include any other requirements, such as those relating to health and safety, sustainability, asset ownership/management, GDPR, and so on

Stage 5: Contract implementation

All outsourced services should be built on a robust contractual relationship overseen by an appropriately qualified contract manager. Security experts should be on hand to provide advice and guidance to them. 

Procurement planning checklist 

1. Has security been considered as part of the contract management process including using appropriate modular security schedules? 
2. Do you have sufficiently experienced resources assigned to manage the security elements of the contract?
3. Do you have adequate termination procedures within your security plan, so staff understand the processes to follow?

Responsibilities of security teams

• Feed into the wider commercial understanding of strategic suppliers
• Provide advice and, where appropriate, in-person support for contract management discussions
• Support with any incidents as and when they occur
• Ensure contracts involving government data are accessible to all relevant government stakeholders and support commercial to ensure data sanitisation.
• Evaluate security management plans
• Support security risk assessments 
• Ensure termination processes and procedures are followed at the end of the contract, to help ensure that suppliers don’t hold legacy access to government information and data.
• Ensure that suppliers do not retain legacy access to assets unless explicitly specified within the contracts

Responsibilities of commercial teams

• Seek advice from security in contract management discussions
• Report incidents and/or concerns to the security team 
• Seek assurance at least annually that each supplier’s security standards, accreditations, and other regulatory requirements remain valid
• Ensure security risks are included in any central risk register
• Ensure the relevant exit management processes are followed, particularly in relation to handing over data and assets
• Consult security when making decisions on whether to extend contracts.
• Ensure termination clauses outline the assets to be recovered and protective measures to be undertaken

Note: Security and commercial teams should undertake to review contracts throughout their lifespan, to check compliance with clauses, identify risks, and plan for future renewals. 

For guidance to help with selection, see: Termination | Protected Procurement Practitioners. 

The role of Government Security Centres in managing security risks in procurements

The Government Security Centres (GSeCs) were established to fill a cross-functional gap in delivering simple, streamlined and smarter security services, as well as standardising advice and consultancy services and products by domain experts. 

Their services include the following: 

Cyber Security GSeC – Supply Chain Security Consultancy 

Cyber GSeC has established a comprehensive service termed ‘Supply Chain Security Consultancy’ (SCSC). The service has been developed to help government organisations meet their supply chain security objectives and outcomes under the Government Cyber Security Strategy, GovAssure and associated handbooks and frameworks.

The essence of the service is that at any or all stage(s) of a procurement lifecycle, an organisation can request supply chain security consultancy services from Cyber GSeC. Cyber GSeC can apply the service to new and upcoming (‘greenfield’) procurement campaigns and to extant (‘legacy’) contracts. For those organisations not currently undergoing a procurement campaign, a bespoke offering within the service aims to improve internal process and procedure around supply chain governance, risk management, assurance, and baseline security controls.

SCSC can support peer-review of established supply chain security practices in high-capability departments, through to intensive support and resource for low-capability departments, including interpretation and implementation of National Technical Authority supply chain security guidance.

To explore this service please contact: CyberGSeC@HMRC.gov.uk  

Protective Security Centre (PSC) GSeC 

Protective Security Centre (PSC) consultancy offering is detailed within the PSC Protective Security in the Supply Chain (PSSC) guidance. 

PSSC supports a Plan, Do, Check, Act approach to supply chain security and is aligned to the Government Functional Standards.

PSC supply chain guidance provides tactical direction for those who have a responsibility to ensure GovS functional standards are met and considers converged security and necessary liaison between interested parties.

The stages in the PSC consultancy offering are also linked to the SCSC consultancy offering. 

To receive this guidance please contact: PSCConsultancy@homeoffice.gov.uk

Further information on the GSeCs can be found here. 

Managing risks in contracts

Security is an issue that requires continuous focus, improvement, effective supplier relationship management, and an understanding of how hostile actors can exploit contracts.

For existing/legacy contracts

If measures were not put in place at the time the contract was let and there are security risks to address, you should work with your supplier to establish a fair and proportionate approach to keep track of them, as well as establishing priorities for commercial agendas. 

In some cases, a contract variation may be required, which will need to be undertaken in line with the Procurement Act 2023.

In high and medium-risk contracts, you may adopt new contract management procedures to monitor risks or introduce more regular assessments. Before doing so, you should seek legal advice as to the nature and extent of your rights in the contract to support this exercise. If your contract does not give you the rights you need to ensure that your supplier co-operates, you may be able to achieve the supplier’s cooperation without reliance on contractual rights.

For new contracts

For contract variations, you should take care not to ‘gold-plate’ the requirement on suppliers as this may add cost. You should ensure a proportionate approach and response to the risk agreed, including by setting out some of the following practices in the terms of the contract.

Working with suppliers to mitigate risks

For contracts with a high security risk, you should list these risks in management information requirements in your contract. When a risk has been identified, an action plan setting out the behaviours, standards and actions required of both parties is required to address the issues. It should clearly set out what action will be taken, when and by whom including deadline dates, milestones and targets, and what preventative measures the supplier will put in place to stop recurrence. 

You should also ask suppliers to provide assurance that they are meeting the requirements of the contracts through practices such as conducting regular penetration testing, updating security patches and, if appropriate, through GovAssure. 

You should encourage your suppliers to be proactive and open, and report security risks as soon as they arise, particularly when there are active incidents (reporting security incidents should be specified in your contract). 

Through regular contract management meetings, the supplier can provide updates on how they are meeting their contractual requirements. This level of engagement and management of risk should continue throughout the life of the contract; procurements that may not have been high risk at the beginning of the procurement can change over time. 

Key Performance Indicators (KPIs)

Close contract management of high risk agreements, combined with use of KPIs should reduce the likelihood of security incidents occurring in supply chains. You should ensure suppliers revisit their security policies and practices annually and are motivated to continue identifying and managing supply chain risks throughout the life of the contract.This is particularly the case with cyber security where new vulnerabilities are constantly being identified as software is updated.

Audits

Audits are a useful way of verifying a supplier’s own assessment of how they meet your security requirements. They are resource intensive and may require expert input from a third party, so should be used in a targeted manner with clear expectations. They are not a substitute for long-term, open and collaborative relationships with key suppliers.

Contract termination

Taking immediate action to terminate a contract risks causing further harm. The priority should be to work closely with the supplier to understand security risks and vulnerabilities to ensure it does not happen again. Reactive contract termination can lead to fear and concealment by suppliers. Maintaining transparency of the issues and risks is important and working with suppliers offers the best chance of preventing re-occurrence.

Other than in extreme cases, terminating a contract for reasons linked to security should only be considered where the issues continue to occur and the supplier is unwilling to co-operate and change. You must first check that you have a right to terminate the contract and take legal advice.

Impacts of your own business decisions

You should consider the impact of your decisions on the supply chain as these may contribute to security risks. This includes factors such as: 

• Short lead times 
• Late payments 
• Demand for high flexibility, including last minute changes to orders 
• Downward cost pressures – if a supplier has agreed to reduce costs, how do they plan to recoup those costs

Supply chain mapping

In addition to the supply chain visibility requirements at the selection stage, supply chain mapping is an activity that can be used to establish more precisely the risks in relation to suppliers and their supply chain. Supply chain mapping is resource intensive and you should consider the burden this exercise will have on suppliers and your own teams.

Supply chain mapping should only be conducted if your supplier presents a security risk, and they are not able to assure you of the systems and processes they have in place to manage risks effectively. The following information is typically acquired when mapping supply chains:

• a full inventory of suppliers and their subcontractors, showing how they are connected to each other
• what product or service is being provided, by whom, and the importance of that asset to your organisation
• the information flows between your organisation and a supplier (including an understanding of the value of that information)
• assurance contacts within the supplying organisation
• information relating to the completeness of the last assessment, details of when the next assurance assessment is due, and any outstanding activities
• proof of any certifications required, such as Cyber Essentials, ISO certification, product certification

You should, where practical, work systematically and progressively with your Tier 1 suppliers over time to build a complete picture of their supply chain, until you are satisfied that all risks have been identified. This can be time consuming and resource intensive so you will need to prioritise based on what is most critical to your department’s business objectives. 

For a large number of commodities, the risks will exist further down the supply chain where there is less visibility and regulation of working practices. It may therefore be necessary to go beyond your Tier 1 supplier and this will be dependent on how satisfied you are with the way in which your Tier 1 supplier can demonstrate they are aware of, and are proactively mitigating the security risk in the supply chain.  Your Tier 1 supplier should be able to provide the required information for their own Tier 1 suppliers and beyond, where there are multiple tiers.

Where the supply chain is likely to contain SMEs or VCSEs you should carefully consider burdens on those suppliers and be proportionate in your approach. You may have the right in your contract to require your supplier to provide management information either specifically relating to their supply chain or more generally. The data should be captured and analysed in collaboration with suppliers to improve traceability.

For support in mapping your own organisation’s supply base for assessing security risks, see the NCSC guidance on Mapping Your Supply Chain.

Taking action after identifying security breaches

When security breaches have been uncovered in the supply chain, they must be addressed immediately. 

In some cases, security breaches will be a consequence of the way a specific industry is organised and these may require a longer term approach to address the root cause. A plan for handling such occurrences should be in place which sets out a process including roles and responsibilities. There should also be consideration of whether the breach was caused by an insider.

If you have identified a security breach you should consult your own security teams who can advise on the specific contractual mechanisms in place to handle such breaches.

If the security breach is regarding the unauthorised disclosure (or leaking) of government information, individual departments would usually expect to lead on unauthorised disclosure investigations where the information is owned by, and has been disclosed from, their own department. There are some circumstances, however, where the Cabinet Office (through GSG) will take the lead on an investigation. These are when a leak: 

• Spans several departments,
• Is considered politically sensitive; and
• Involves information which could damage national security.

Action plans

As discussed in section 3, terminating a contract immediately after a security breach is discovered can leave the supplier more vulnerable. Where possible, you should work with the supplier to implement an action plan specific to the type of incident, to prevent recurrence. This should at least set out: 

• How to help suppliers reinstate their cyber defence systems
• A review of the suppliers’ policies and systems to ensure these are appropriate to prevent incidents from recurring. 
• The introduction of credible, independent assurance processes to mitigate any recurrence.

Generally, you should seek to work collaboratively with the supplier, and in accordance with the terms of the contract, to address instances of security breaches.

Training & Resources

You must ensure commercial and procurement staff involved in letting and managing contracts are given appropriate training. This will help to raise awareness of security risks, including how to identify them and handle risks correctly. A selection of such training offers are listed below:

NCSC cyber security training for staff 

The training is aimed at SMEs, charities and the voluntary sector, but can be applied to any organisation, regardless of size or sector. The training introduces why cyber security is important and how attacks happen.

NCSC supply chain e-learning modules

These modules are your one-stop shop for understanding the impact of supply chain cyber security risks and accessing essential supply chain resources.

Government cyber security training for businesses 

All businesses can benefit from understanding cyber threats and online fraud. The Government has worked with leading industry partners to develop free e-learning courses to help staff understand online threats and how to protect business data, money and reputation.

UK Cyber Security Council pilot scheme for chartered cyber professionals

The UK Cyber Security Council has Royal Chartered status, granting it the power to set industry standards and award professional titles for those working in the cyber profession. 

Additional resources

Reporting a cyber security incident 

GOV.UK tool which signposts relevant external organisations you should report cyber incidents to, based on the circumstances.

UK Government Commercial Function Knowledge Hub

Provides an overview of the changes being made under the Procurement Act 2023. 

Responding to cyber incidents – an NCSC guide for CEOs

This guidance helps CEOs in public and private sector organisations manage a cyber incident.

How to assess and gain confidence in your supply chain cyber security – NCSC

Practical steps to help medium to large organisations gain assurance about the cyber security of their organisation’s supply chain.

Other useful resources to better understand and identify security threat and risk

• National Cyber Security Centre (NCSC) Early Warning System
• Cyber Assessment Framework 
• Gov Assure 
• Cyber Essentials
• Government Security Centres
• NCSC Supply Chain guidance 
• NCSC supply chain mapping guidance
• Supply Chain Guidance | NPSA
• Passport to Good Security | NPSA
• Scenarios Booklet | Protected Procurement
• NCSC Technology Assurance guidance
• NCSC Risk Management guidance
• NPSA Insider Risk Mitigation Learning
• NPSA Insider Risk Mitigation Framework
• NPSA Personnel Security Maturity Model

Annex A: Case studies

Case Study – Physical

Department X is moving data storage providers. The new facility will contain other public sector data of a lower classification. The procurement team consult with their security colleagues to determine what physical and cyber mitigations must be put in place to ensure these data sets remain separate and access to the more sensitive material is monitored. They then incorporate these requirements into the tender requirement before publishing the invitation to tender to the procurement platform.

Case Study – Cyber/Geographic

Department x is building a major new piece of software to enhance the delivery of a critical public service. All the providers who bid on the contract say they are reliant on overseas development teams

This software will be processing UK citizen data including sensitive characteristics. There is a risk that one of the development teams may be used by foreign intelligence to introduce hidden security vulnerabilities into the software. This risk is flagged to your security team who assess alternative procurement routes and suppliers including building the software internally. None of the alternative options are cost-effective or promise to meet the requirements of the business. 

The procurement leads, therefore, work with their security team to introduce mitigations into the preparation and planning so that competing suppliers have to offer software code reviews by fully vetted UK-based staff before the product can go live. 

Case Study – Insider

The process of transporting sensitive material from the old supplier facility to the new supplier’s facility will need to be done securely and, as a precaution, Department X has asked the supplier to provide details of the personnel who will be involved in this process to understand any insider risk. 

Case Study – Hostile ownership

Department X is buying a platform to manage HR processes, which will have access to personal (but not classified above OFFICIAL) information on staff members.

Having followed the guidance, they think there is a national security risk associated with the prospective supplier, and they choose to approach the Minister in order to exclude the company. NSUP provides input to the decision. 

Annex B: High risk characteristics

Whilst all procurement activity will contain risk, there are some key characteristics which indicate a heightened risk. These characteristics are set out below and can be used to help you identify which of your procurements may be at a higher risk and require a more robust set of mitigating actions.  

You should consult with your security teams and leadership to make decisions based on your organisation’s risk appetite. 

TOP SECRET or SECRET sites/locations, systems or data including privileged access to critical assets, locations, or government networks

Classified TOP SECRET or SECRET entities are by nature more vulnerable to risk both because of the appetite for hostile actors to acquire this information/access to these facilities, and the damage that would be caused by the loss or compromise of TOP SECRET or SECRET material.

Critical National Infrastructure (CNI)

CNI includes facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends. It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example). 

Operationally critical service

Systems that support the mission and day-to-day business of the organisation, which the organisation must provide, and without which, it would not be able to continue to operate (e.g. primary departmental corporate network).

Significant impact from a breach – repetitional, legal, financial, operational

A security breach occurs when someone gains unauthorised access to information, systems or a physical site. 

Enduring access to large volumes of OFFICIAL sites/locations, systems or data 

All information that HMG collects, stores, processes, generates and shares to deliver services and conduct government business requires protection. Any sites/locations, systems or data marked OFFICIAL-SENSITIVE require further risk appropriate security measures. 

Enduring access to large volume of Personally Identifiable Information (PII) or commercial data

Wherever data is stored, even temporarily, it may be vulnerable to unauthorised access, tampering or deletion. The NCSC’s data security guidance will encourage activities for identifying what data you have and applying appropriate controls to mitigate identified data risks throughout its lifecycle. Departments should take a risk-based approach to protecting personal data in line with the Data Protection Act 2018 and General Data Protection Regulation (GDPR). 

The NCSC principles of protecting bulk personal data will provide several good practice outcomes for the identification and appropriate protection of this data. The NCSC’s data handling principles are also particularly relevant for departments that process personal data at OFFICIAL. 

For more information, email: gsgcyber@cabinetoffice.gov.uk.

Offshoring of sensitive data or services

The UK government has published a security policy framework for the offshoring of government data and digital services at OFFICIAL (currently available on request for departments). It requires departments to assess the adequacy of non-UK countries to receive their data and host their services based on risks that may arise from incompatible approaches to data protection. 

Offshoring of UK government data and services can take several forms: by physically hosting them in a non-UK country, by making them accessible to support staff from a non-UK country, or by a non-UK country exercising controlling ownership of a company where UK government data or services are hosted, even if this business is physically located in another country, including the UK. 

For more information, email: gsgcyber@cabinetoffice.gov.uk.

Annex C: Additional clauses and KPIs

Some examples of additional clauses and KPIs that can be used to encourage good supply chain security are: 

• Require those suppliers who are key to the security of your supply chain, via contracts, to provide upward reporting of security performance and to adhere to any risk management policies and processes
• Build the ‘right to audit’ into all contracts and exercise this. Require your suppliers to do the same for any contracts that they have let that relate to your contract and your organisation. (Note that this might not always be possible or desirable, particularly where this relates to a Cloud service)
• Build, where justified, assurance requirements such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications into your security requirements
• Establish key performance indicators to measure the performance of your supply chain security management practice
• Review and act on any findings and lessons learned
• Encourage suppliers to promote good security behaviours