Cyber security routes to market
If you're a supplier of cyber security services, what route to market is right for you? We've taken look!
As a provider of cyber security services, there are a couple of different ways to sell to government. However, it might not be entirely clear which route is best for you. Luckily, at Advice Cloud we are clued up on the most relevant frameworks and Dynamic Purchasing Systems, and the change in requirements between each iteration.
So, here’s our quick-fire guide to which route to take when selling cyber security services to the public sector.
Check your accreditation
In 2016, the government published their 5-year National Cyber Security Strategy. Within this, the National Cyber Security Centre have been named the UK’s authority on cyber security. NCSC provide a certification which acts as a benchmark for cyber security services, covering Pen Testing, cyber Incident Response, Commercial Product Assurance and more.
As a supplier, it’s certainly worth considering obtaining this certification; however, it’s actually this accreditation that will determine which route to market is the most suitable for you.
In the past, the scope of G-Cloud covered NCSC-certified services. However, as you may have heard, the security requirements for G-Cloud 11 were slightly different this year. So, although you can list security services on G-Cloud, NCSC certificated services are no longer accepted onto the framework.
This isn’t to say that security suppliers are unsuitable for G-Cloud. On the contrary, when applying for the framework, you’re asked a number of questions relating to the provision of security services, covering the following:
- Security strategy
- Security risk management
- Security design
- Cyber security consultancy
- Security testing
- Security incident management
- Security audit services
In addition, relevant security accreditations that you can list on G-Cloud are as follows:
- Cyber Scheme
We do also often advise our clients that as a bare minimum they should look into getting Cyber Essentials Certified. Cyber Essentials shows an understanding and basic commitment to security.
So, if you’re a cyber security supplier with services that are not NCSC certified, it’s worth considering G-Cloud. However, don’t rule out the other option yet.
Cyber Security Services 3
Interestingly, it used to be an essential requirement that suppliers on CSS3 are NCSC Certified. But this is no longer the case. In the next iteration of the DPS (formerly a framework), the scope still includes this certification, but also allows for suppliers holding other industry standard certifications.
This is good news as it widens the scope of relevant services on the CSS3, which covers the following:
- Consultancy and Advice – risk management, risk assessment, audit & review, security architecture, BCDR, certifications, training and policy development
- Pen Testing / IT Health Checks – including CHECK
- Cyber Incident Management – Incident response, disaster recovery, threat intelligence, BCDR
- Data Destruction – Secure data removal and IT sanitisation
For obvious reasons, the scope of cyber security services is wider on this framework that on G-Cloud. So, if your services are solely focussed around cyber security, it’s certainly worth being on CSS3. Even better if you are a NCSC certified, as this is a filter that buyers can use when searching for suppliers on the DPS.
How about both?
There is nothing to suggest that cyber security providers cannot list on both G-Cloud and CSS3. As one is a framework and one is a DPS, they function differently (find out more here), and buying organisations will have varying preferences about their procurement routes. So, to place yourself at a competitive advantage, we would absolutely suggest getting listed on both.
Moreover, if you do have some services that are NCSC certified and some that aren’t, why not list the former on CSS3 and the latter on G-Cloud 12?
To summarise, if you are a supplier of security services with an NCSC certification, CSS3 is the route to market for you. If your services are not NCSC certified, then it’s worth considering both.
We hope this helps – if you’d like to know more about either of the frameworks, just get in touch.