Updated version of advice that has been in place for nine years also clarifies that supplier certification alone does not provide comprehensive protection, nor lessen the likelihood of an attack
Government procurement guidance on ensuring the cybersecurity of public sector supply chains has been amended to stress that the provision of legacy IT services is likely to require separate and specialised measures.
The updated advice also instructs commercial professionals that suppliers’ achievement of security accreditations does not provide blanket protection – or diminish the possibility of being hit with a cyberattack.
Companies wishing to bid for almost any public sector contract incorporating the delivery of technology or related services are now almost universally required to be accredited under the government’s Cyber Essentials scheme. The programme, which was first launched in 2014 and is now overseen by the National Cyber Security Centre, enables organisations to complete a self-assessment process covering a range of fundamental cyber controls, which is then verified externally. The higher-level Cyber Essentials Plus badge also requires businesses to go through an independent technical examination.
In September 2014, several months after the launch of the scheme, the Crown Commercial Service first published a formal procurement policy note outlining the expectation that government agencies should require suppliers to possess Cyber Essentials certification for any contract including “characteristics involving handling of personal information and provision of certain ICT products and services”.
The note was updated in May 2016 to clarify that the Ministry of Defence was in scope of the guidance – having previously indicated that it planned to implement its own cyber-assurance measures for procurement. Other than that, the advice document remained unchanged between 2014 and this week – when a new version was published, replacing the previous policy.
The amended version adds a new section headed ‘Limitations’, which stresses that working with accredited suppliers is not a panacea for all cyber risks – nor does it reduce the likelihood of being attacked.
“In some cases, the potential cyber risks associated with a contract, and the control measures required to mitigate them, may exceed the parameters of the Cyber Essentials Scheme. In these instances security teams or experts should be consulted to ensure proportionate additional measures are put in place,” it says. “The Cyber Essentials Scheme does not negate risk and it is not designed to address more advanced, targeted attacks. Such risks will require significantly more sophisticated additional measures to tackle them. In-scope organisations facing these types of threats should develop a strategic approach as part of a wider organisational security strategy.”
The document adds the certification programme “does not assure specific products or services being supplied [and], where specific assurance of products or services is required, further relevant standards should be applied”.
Another amendment to the advice is in the section dedicated to illustrative types of contracts for which Cyber Essentials is not considered to be “relevant”. Added to this section is the example of engagements related to the provision or support of legacy technology systems and services – which the advice clarifies are likely to come with endemic security risks requiring dedicated remedial measures.
“Examples where the scheme would not be relevant in contracts includes… [a] contract to deliver ICT support services which includes an element of legacy IT provision,” the note says. “Effective cybersecurity controls would need to be implemented for all aspects of the service delivery, however legacy systems cannot meet the requirements of Cyber Essentials. In such cases overarching Cyber Essentials requirements could be required for relevant areas, and effective alternative controls for those unable to be assured by Cyber Essentials controls.”
The ongoing prevalence of legacy systems in government has become an issue of growing focus and concern in the last few years. In 2021, a government-commissioned report found that half of Whitehall’s collective annual IT spend of about £5bn was spent on maintaining legacy systems.
It remains common to see published contract data revealing that a department has retained an incumbent supplier without competition, as the firm in question possesses singular knowledge of a legacy IT system that remains in use. Recent examples include a £50m two-year deal awarded to Capgemini late last year by HM Revenue and Customs, and a Cabinet Office contract – of unspecified length and value – signed to ensure that CGI continues to support ageing infrastructure that underpins the delivery of national security vetting.
The Cabinet Office-based Central Digital and Data Office last year created a framework for assessing the risks of legacy IT systems in use across government. The guidelines have since been used to identify 153 key assets that are priorities for remedial work. Departments will be supported in tackling these ageing platforms and reducing cyber vulnerabilities by a cross-government funding package of £2.6bn announced in the three-year spending review of 2021.