post image

Cyber Security Services 3

  • Abc Company

The third iteration of CCS’ Cyber Security Services framework is due out soon – here’s what we know about it.

Cyber Security has been in the news a lot recently – what with the development of 5G, the Digitisation of NHS Services, and new cybercrimes every few weeks. As such, it is more important than ever that Public Sector has easy access to suppliers of security services. Find out how you can become a supplier on the latest iteration of the Cyber Security Services route to market…

When does Cyber Security 3 come out?

The estimated date for the publication of the OJEU notice is December of this year, with the Framework award likely being January 2020.

So what do we know about it already?

We know that CCS have decided to run Cyber Security 3 as a Dynamic Purchasing System (DPS), meaning there will be no cap on the number of suppliers, and that suppliers will be able to apply at any point through the life of the framework.

Do we know anything about the filters yet?

At a recent briefing CCS stated the DPS would have 4 categories:

1) Consultancy and Advice: 

  • Risk Management
  • Risk Assurance
  • Audit and Review
  • Security Architecture
  • Compliance and accreditations
  • Training
  • Policy and Development

2) Pen test/Health check:

  • Penetration testing
  • IT Health Check

3) Incident Management:

  • Incident Response
  • Disaster Recovery
  • Threat Intelligence

4) Data Destruction: 

  • Data and IT sanitation services

There wasn’t much uptake on Cyber Security Services 2 – how are CCS addressing this?

Cyber Security Services 2 wasn’t successful for a number of reasons – the supplier list was frozen, it was hard to get onto, and G-Cloud 10, running at the same time, was providing a duplicate route to market. To address this, CCS are making some changes to the agreement’s third iteration.

For a start, this iteration is planned to be a DPS – fixing the issue of a frozen supplier list and making the agreement easier to access. A major change was also made to G-Cloud 11 – disallowing the procurement of NCSC assured services on the framework. This move negates the effect of the frameworks running simultaneously, forcing buyers to procure NCSC assured services on Cyber Security 3. However, a recent update to CCS’s procurement pipeline tells us that CCS have decided to extend the scope to suppliers offering similar services who do not hold NCSC accreditation, but may hold other industry standards. The reasoning for this is unclear, but there is the possibility that it may lead to a repeat of Cyber Security Services 2 – multiple procurement routes.

The Terms and Conditions for Cyber Security Services 2 were very complicated – will there be any change to this for CSS3?

Yes, CCS have addressed this issue – the Cyber Security Services 3 DPS will use the Public Sector Contract as its terms and conditions.

It sounds good to us – we look forward to seeing how it turns out!