Supply chain

Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause.

It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts because of the trust you have gained in helping to secure your supply chain.

Supply Chains for the Public Sector

The cyber resilience of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and wider public services.

Scottish Public Sector Supplier Cyber Security Guidance Note

The Scottish Public Sector Action Plan on Cyber Resilience (PSAP) was published in November 2017 and set out a commitment to develop a proportionate, risk-based policy in respect of supply chain cyber security for Scottish public sector organisations.

The Supplier Cyber Security Guidance Note has been developed to meet that commitment.

The key aims of the Supplier Cyber Security Guidance Note are:

• To support Scottish public sector organisations to put in place consistent, proportionate, risk-based policies that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber threats as a result of supplier cyber security issues;
• To minimise any necessary additional burdens on Scottish public sector organisations (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs, in particular, from bidding for public sector contracts. This latter aim will be supported by ensuring greater uniformity of the requirements placed on suppliers (thus minimising the number of conflicting demands they face), and by providing a decision-making support tool to aid consistent, proportionate implementation by public sector organisations; and
• To ensure alignment where possible with key requirements in respect of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance.

Guidance and decision-making support tools

This will involve implementing:

• A guidance note, which has been produced for all Scottish public sector organisations, setting out best practice from the National Cyber Security Centre (the UK technical authority on cyber security).
• The Cyber Security Procurement Support Tool (CSPST) is a decision making support tool which all suppliers bidding for public sector contracts will be asked to use. Guidance on how to use the CSPST tool are available for public sector buyers and suppliers.

CSPST allows public sector buyers to risk-assess their contracts whilst developing their procurement strategy based on the sensitivity and handling of information and/or the access supplier may be granted to public sector systems and networks.

CSPST produces a risk profile and associated question set which potential suppliers can be invited to address as part of their tender. Suppliers can log onto CSPST and answer the questions and, in an effort to reduce burdens, will be able to reuse previous answers where applicable. Suppliers can also test their current cyber security and resilience through answering the questions and receiving a detailed report outlining any potential deficiencies with advice on how to further improve their cyber security.