Cyber Essentials: improving cyber security in the government supply chain

Tackling the increase in online threats to national security, the UK Government has introduced Cyber Essentials, a security accreditation scheme mandatory for suppliers bidding on certain government contracts. Here, MOD DCB features writer Julie Shennan examines the new scheme in more detail.

Suppliers bidding for UK Government contracts which involve handling information that is sensitive or personal in nature, or which involve the provision of certain technical products and services, must now meet the requirements of the new Cyber Essentials accreditation scheme.

Developed by the UK Government in consultation with industry, Cyber Essentials was launched in June and became mandatory from 1 October.

It aims to protect information and make suppliers less vulnerable online by using five critical controls to tackle the most prevalent forms of internet threat. These controls are delivered through either a Cyber Essentials or Cyber Essentials Plus package, depending on the user company’s budget. Once a company has implemented these cyber security measures, Cyber Essentials’ Certifying Bodies are brought in to test them.

Certifying Bodies are experts appointed by the scheme’s Accreditation Bodies, such as QG, CREST and the IASME Consortium. These experts test and approve companies, who then receive a Cyber Essentials certificate and can display the appropriate Cyber Essentials or Cyber Essentials Plus badge on their marketing material.

These badges have the added weight of endorsement from industry experts such as AIG, BAE Systems, Barclays, Hewlett-Packard, Marsh, Nexor, Skyscape, Swiss Re, Vodafone, British Insurance Brokers’ Association (BIBA), Confederation of British Industry (CBI) and International Underwriting Association (IUA), all of whom support Cyber Essentials.

Cyber Essentials comes as part of the wider National Cyber Security Strategy (NCSS) published in November 2011. This strategy provided government with a framework to tackle cyber threats, promote awareness and establish a growing platform for partnership working between the public and private sectors.

Supported by £860 million funding, the National Cyber Security Strategy specified how investment was to be divided among government departments and the actions this would entail.

The overarching aim is to make the UK an increasingly safe place to do business online, increasingly resilient to cyber attack, increasingly supportive of open societies and increasingly innovative in the cyber security market.

In turn, this will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.

Introducing the new Cyber Essentials controls, Minister for the Cabinet Office Francis Maude said: “It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business’s clear stance on cyber security.

“Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so.”

For more information,