Question to the Cabinet Office:
To ask Her Majesty's Government what cyber security precautions organisations are required to take when selling software or providing software as a service to the Government.
Each government department is responsible for managing security risk when procuring any service based on their own risk appetite. Cabinet Office and the National Cyber Security Centre (NCSC) provide guidance on how to do this, including through the provision of commercial frameworks which include cyber security clauses. This is made clear in the Minimum Cyber Security Standard for Government, which states that “Departments shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain”.
The National Cyber Security Centre (NCSC) provides extensive guidance and recommended security frameworks that apply to a wide range of digital services. Buying organisations are encouraged to use these in determining their requirements to ensure that appropriate security controls are specified according to risk.