PPN 09/23: what it means for you

Posted by James Piggott on Sep 25, 2023 2:32:51 PM

In mid-September 2023, the Cabinet Office published the latest in its series of Procurement Policy Notes: PPN 09/23: updates to the Cyber Essentials Scheme.

This PPN reiterates the need for suppliers to hold Cyber Essentials certification before delivering certain contracts.

If you're not ensuring your suppliers are on top of their cyber security provisions, you could be putting your authority's or your residents' data at risk.

In this quick-fire blog, we've summarised what PPN 09/23 lays out, and what it means for your procurement team.

 

💡  PPN 09/23: what's new?

PPN 09/23 sets out the government's latest position on when and where Cyber Essentials certification is required of public sector suppliers.

It replaces the first Cyber Essentials-related PPN, released back in September 2014.

Cyber Essentials is a self-assessed certification awarded to organisations that can demonstrate a "sound foundation of basic hygiene measures" against common cyber attacks. Cyber Essentials Plus covers the same controls but adds an independent technical audit, so it is not purely self-assessed.

PPN 09/23 reiterates that suppliers must hold Cyber Essentials certification - or demonstrate equivalent measures - before undertaking certain types of public sector work.

 

When is Cyber Essentials required of suppliers?

PPN 09/23 explains that Cyber Essentials is required for contracts or services that fall under any of four circumstances:

  1. When citizen data - such as home addresses, bank details, etc. - is handled by the supplier;

  2. When government employee data - such as personal information, payroll, travel expenses etc. - is handled by suppliers;

  3. When systems are supplied that are intended to store or process 'Official' level data (for more information on government security classifications, see our explainer on PPN 07/23);

  4. When information relating to the day-to-day business of government is handled by suppliers.

For more detailed examples of when Cyber Essentials is necessary, refer to Annex A of the PPN 09/23 explanatory note.

 

🚨  What does this mean for me?

PPN 09/23 requires that in-scope organisations - in this case, Central Government departments, their executive agencies and non-departmental public bodies, and NHS bodies - make Cyber Essentials mandatory under the circumstances above within 3 months of the PPN's publication.

That said, ensuring that your authority's or the public's personal information is handled safely should be imperative for all contracting authorities.

To do this, take the PPN's advice: "the quickest and most effective means of mitigating risks associated with such contracts is for technical requirements to include either Cyber Essentials or Cyber Essentials Plus certification".

Data should not be passed to a supplier before certification (or evidence of equivalent measures) has been provided and checked.

 

Understanding when Cyber Essentials is and isn't relevant

PPN 09/23 makes one thing very clear, however: Cyber Essentials is not the be-all and end-all of cyber security in public procurement.

Cyber Essentials certification will be necessary under some circumstances, but not all. Sometimes it won't be required at all; sometimes more advanced security measures will be required.

Cyber Essentials assesses a supplier's own IT estate, for example, not the products and services that supplier delivers. Additional assurance will be needed to confirm that those products and services are themselves secure.

Furthermore, Cyber Essentials is a baseline against common, opportunistic attacks; it is not designed to defend against advanced or targeted attacks, which warrant additional, specialist-informed measures.

On the flip side, the PPN also warns against adopting a "blanket approach" when deciding which contracts require Cyber Essentials certification. Instead, the nature and requirements of each contract need to be weighed up individually.

A one-size-fits-all approach risks over-burdening SMEs and VCSEs, and discouraging them from applying for public sector work.

 

*

This PPN makes one message clear: procurement can't be left out of the cyber security picture.

Ensuring that relevant contracts require the baseline of security provided by Cyber Essentials is one of the basic steps your team can take to protect your authority's and your residents' data.

Your team should also keep an eye out for the National Cyber Security Centre's upcoming redevelopment of the Cyber Essentials scheme, as this may impact when and where Cyber Essentials accreditation is necessary.

To learn more about Cyber Essentials and what it covers, check out the government's official guidance here.

To read PPN 09/23 in full, click here.
