G-Cloud 12 and Cyber Security: What’s the plan?
G-Cloud 12 and Cyber Security services and tech go hand-in-hand. Let's explore what this means for suppliers...
Cyber security is a prominent subject in the mind of the public sector (take a look at their cyber security strategy for 2016-2021 here!). Within this, government have allocated a proportion of the £165m Defence and Cyber Innovation Fund to support security procurement, with the aim of ensuring that all new digital government services are “secure by default”. And so they should be, with rising cyber security threats in the UK and the need to protect citizen data. But how are G-Cloud 12 and cyber security being connected? To answer this question…
We need to talk about G-Cloud 12 and Cyber Security
It’s no secret that G-Cloud is one of our favourite tech frameworks. There are a number of reasons for this, such as the ease with which buyers can procure and the range of services available on the framework. Included in these services are a variety of cyber security solutions, covered by the following categories:
- Security strategy
- Security risk management
- Security design
- Cyber security consultancy
- Security testing
- Security incident management
- Security audit services
In addition, the security accreditations that you can include in your G-Cloud listing are:
- Cyber Scheme
Please note: This is subject to change once we get the ITT for G-Cloud 12, which opens for applications on 3rd March 2020.
As we are well into the framework application window for G-Cloud 12, providers of such services should certainly consider listing. However, it is worth noting that National Cyber Security Centre (NCSC) accredited solutions are no longer suitable for G-Cloud, a change that was made for the G-Cloud 11 application process.
So, what to do if you are a provider of NCSC accredited services?
In line with government’s plans to expand their cyber security capabilities, CCS have recently released the third iteration of the Cyber Security Services DPS. Formerly a framework, the change to DPS allows for supplier applications throughout its lifetime. This means that both government and security providers can adapt to changes in cyber requirements and demands between now and 2023. As stated in the national cyber security strategy, the public sector must “use the weight of government procurement to spur innovation”, and this is one way of doing so.
Interestingly, previous iterations of the framework meant that only NCSC-accredited suppliers could be listed, but the scope of CSS3 allows for suppliers holding other industry standard certifications to apply.
The scope of the DPS is as follows:
- Consultancy and Advice – risk management, risk assessment, audit & review, security architecture, BCDR, certifications, training and policy development
- Pen Testing / IT Health Checks – including CHECK
- Cyber Incident Management – Incident response, disaster recovery, threat intelligence, BCDR
- Data Destruction – Secure data removal and IT sanitisation
As you can see, there is an overlap between the scope of G-Cloud’s security categories and that of CSS3. However, as opposed to G-Cloud, Cyber Security Services 3 exists solely for the provision of cyber security services. The clue is in the name!
In summary, when it comes to providing cyber security services, it seems that CCS’ plan is for G-Cloud and CSS3 to run alongside each other. Both act as suitable routes to market for cyber security services, but each serves a slightly different function.
However, if you’re still unsure about where your cyber security services are best suited, check out our cyber security routes to market blog.