Supply Chain

The NCSC has designed a set of 12 Principles around supply chain security to help you gain and maintain the necessary level of control over your supply chain.

Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause.

It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts because of the trust you have gained in helping to secure your supply chain.

Supply Chains for the Public Sector

The cyber resilience of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and wider public services.

Scottish Public Sector Supplier Cyber Security Guidance Note

The Supplier Cyber Security Guidance Note sets out best practice from the National Cyber Security Centre.

The key aims of the Supplier Cyber Security Guidance Note are:

• To support Scottish public sector organisations to put in place consistent, proportionate, risk-based policies that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber threats as a result of supplier cyber security issues;
• To minimise any necessary additional burdens on Scottish public sector organisations (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs, in particular, from bidding for public sector contracts. This latter aim will be supported by ensuring greater uniformity of the requirements placed on suppliers (thus minimising the number of conflicting demands they face), and by providing a decision-making support tool to aid consistent, proportionate implementation by public sector organisations; and
• To ensure alignment where possible with key requirements in respect of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance.

Guidance and decision-making support tools

The Cyber Security Procurement Support Tool (CSPST) is a decision making support tool which all suppliers bidding for public sector contracts will be asked to use. Guidance on how to use the CSPST tool are available for public sector buyers and suppliers.

CSPST allows public sector buyers to risk-assess their contracts whilst developing their procurement strategy based on the sensitivity and handling of information and/or the access supplier may be granted to public sector systems and networks.

CSPST produces a risk profile and associated question set which potential suppliers can be invited to address as part of their tender. Suppliers can log onto CSPST and answer the questions and, in an effort to reduce burdens, will be able to reuse previous answers where applicable. Suppliers can also test their current cyber security and resilience through answering the questions and receiving a detailed report outlining any potential deficiencies with advice on how to further improve their cyber security.