Cyber security: guidance for public sector suppliers

Introduction

1. The Scottish Public Sector Action Plan on Cyber Resilience commits to developing a proportionate, risk-based policy about supply chain cyber security for Scottish public sector organisations “PSOs”.

2. This guidance note forms part of the Scottish Public Sector Cyber Resilience Framework (the Framework). The Framework is embedded in several audit and compliance requirements that apply to different parts of the Scottish public sector.

3. The security of supply chains is increasingly important as we often see cyber incidents and attacks affect public sector bodies indirectly through their suppliers. It is vital that PSOs adopt an approach to supplier cyber security that best meets their risk profile/appetite. This guidance note promotes the adoption of a consistent approach across the Scottish public sector. For the purposes of this guidance note, Scottish Public Sector Organisations (PSOs) includes NDPBs, Non-Ministerial Departments, local authorities, health boards and universities and colleges.

4. The guidance is relevant to PSOs that rely on any suppliers to deliver goods or services as part of a supply chain. This could be through commercial OR non-commercial arrangements. PSOs should consider all circumstances where a cyber risk to their own security may be present through interactions with other organisations.

5. This guidance note incorporates advice from key partners in the Scottish public, private and third sectors, including public sector centres of procurement expertise. The Scottish Government works closely with the National Cyber Security Centre (NCSC), the UK-wide technical authority on cyber security, to ensure its work on cyber resilience is informed by appropriate technical expertise. As a result, the guidance aligns closely with NCSC supply chain guidance. Where appropriate, it also references guidance from the National Protective Security Authority (NPSA), the UK-wide authority which provides protective security advice to businesses and organisations across the UK national infrastructure.

6. Cyber security arrangements for systems processing personal data form a key aspect of compliance with the General Data Protection Regulations (GDPR), which took effect on 25^th May 2018. However, the data protection obligations placed on organisations and their supply chains by GDPR go wider than technical measures to protect personal data. Public sector organisations are asked to consider carefully how this guidance note can/should be embedded in wider measures to support compliance with GDPR.

7. Cyber security can also be important in contexts not involving personal data, such as arrangements involving sensitive official information, industrial control systems or the “Internet of Things” (where computing devices are embedded in everyday physical objects, which are then enabled to communicate, be controlled, etc. via the Internet).

The Importance Of Supplier Cyber Security

8. Most PSOs rely on suppliers or other partners to deliver products, systems, and services. Often these relationships form part of public sector organisations’ supply chains. Supply chains can be large and complex, involving many suppliers doing many different things.

9. Securing suppliers and the supply chain against cyber-attacks can be difficult because vulnerabilities can be inherent in suppliers’ systems, or introduced and exploited at any point in the supply chain. The NCSC notes that a vulnerable supply chain can cause significant damage and disruption to organisations.

10. PSOs must understand the cyber threat to their supply chain to take appropriate action to mitigate it. A series of high profile, damaging attacks on PSOs have demonstrated that attackers can, and will, exploit vulnerabilities in supply chain security.

The Key Aims Of This Guidance

11. The key aims of this Supplier Cyber Security Guidance Note are:

• To support PSOs to implement consistent, proportionate, risk-based policies that reduce the risk of damage or disruption to public services due to supplier cyber security issues;
• To minimise any necessary additional burdens on PSOs (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs from bidding for public sector contracts, by encouraging greater uniformity of the requirements placed on suppliers.
• To align requirements of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance.