From 1 October 2014, many businesses that supply services to public bodies will be caught by the government’s Cyber Security rules. The change is mandatory for central government bodies and NDPB's, with other public bodies potentially applying the new rules too.
Announcing the change, Cabinet Office Minister Francis Maude, said:
‘It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so.’
The Cabinet Office press release cites BAE Systems, Barclays, Hewlett-Packard, Vodafone and the Confederation of British Industry, as well as small businesses like Nexor, Tier 3 and Skyscape, as early adopters. And in August, Vodafone UK announced that it was the first telecommunications provider and the first multi-national organisation to have been awarded the Cyber Essentials Plus accreditation. Howard Pinto, Head of Technology Security at Vodafone UK said that the achievement highlighted Vodafone’s “ongoing commitment to ensuring the security and protection of our IT and customer systems and online assets'.
Two levels of certification are available, renewable each year. For a Cyber Essentials certification, the business undertakes its own assessment, which is verified externally. This is meant to be the basic, low-cost option, predicted to cost £200 to £400. Cyber Essentials Plus is the gold-plated version, involving both remote and on site vulnerability testing to check whether basic hacking and phishing can be fought off.
Details of the scheme can be found here. Broadly speaking, the five areas it covers are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
In its 26 September Procurement Policy Note the Cabinet Office explains that contracts involving the following features will have to comply with the scheme:
- Where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier.
- Where personal information of Government employees, Ministers and Special Advisors such as payroll, travel booking or expenses information is handled by a supplier.
- Where ICT systems and services are supplied which are designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme.
Services already covered by other government schemes that include comprehensive cyber security obligations are exempt. These include cloud services procured through G-Cloud, Digital Services Framework, Public Sector Network and ID Assurance Framework.
Although currently only mandatory for a sub-set of public sector contracts, the government is encouraging wider use of the Cyber Security certification in both the public and private sectors. Francis Maude emphasised that ‘Gaining this kind of accreditation will also demonstrate to non-government customers a business’s clear stance on cyber security.’ We can expect to see it asked for more often, although some have asked whether the level of assurance offered by the basic level certification is enough.