If the contract will involve, support or rely on the digital processing of information, organisations should ensure that appropriate consideration is given to potential cyber risks and their management.
Legislative requirements, including the General Data Protection Regulation (GDPR), require all public sector organisations to ensure appropriate technical protections are in place when suppliers process personal data on their behalf. The Security of Network and Information Systems (NIS) Directive requires Operators of Essential Services in the devolved health and water sectors to have appropriate supply chain cyber security requirements in place.
It is recommended that public sector organisations have regard to the Guidance Note on Supplier Cyber Security, which embeds best practice advice from the National Cyber Security Centre and promotes a more consistent approach to the cyber security requirements placed on suppliers to the Scottish public sector.
To assist all Scottish public sector organisations to implement the Guidance Note in a consistent way, the Scottish Government has developed a beta version of a decision-making support tool, the Scottish Cyber Assessment Service (SCAS), which is available for optional use.
SCAS supports public sector organisations to:
(i) undertake information/cyber assurance assessments
(ii) identify appropriate, proportionate cyber security requirements
(iii) seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.
Guidance on how to use SCAS in procurement processes can be found here (link). The Scottish Government would welcome feedback on this beta tool to allow improvements to be made over time.