Policy paper

Call for views on cyber security in supply chains and managed service providers

Updated 15 November 2021

This was published under the 2019 to 2022 Johnson Conservative government

Ministerial foreword

A picture of Matt Warman MP, Minister for Digital Infrastructure, standing outside the Department for Digital, Culture, Media and Sport

Matt Warman MP, Minister for Digital Infrastructure

Digital technology is a major driver of the UK economy and brings great benefits to citizens - we are in the middle of a digital revolution. COVID has accelerated this process, digitising almost every part of our everyday lives and making the infrastructure that connects us more important than ever. That’s why digital is at the top of the government’s agenda. This government has made digitally-driven growth a priority, and has set out ambitions to drive use and implementation of the latest technology in infrastructure, boosting cyber skills, and creating innovative technology sectors and businesses across the country.

Supplier risk management and assurance, however, is an aspect of cyber resilience that organisations find particularly challenging. Digitisation of the UK economy has exacerbated this challenge as it is now common for companies to outsource critical services. Despite government and industry action, DCMS research shows that many businesses of all sizes are not adequately protecting themselves against cyber attacks, particularly attacks originating in their supply chains.

The Cyber Security Breaches Survey 2021 found that only 12% of businesses review risks coming from immediate suppliers while only one in twenty address risks coming from wider supply chains. With organisations increasingly moving their operations online, business continuity and resilience is becoming reliant on what are often called “Managed Service Providers”: organisations that specialise in providing important digital business services. The critical role that these Managed Service Providers play in supply chains across our economy has been especially evident during the current Covid-19 events.

As supply chains become interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organisations. Recent high-profile cyber incidents where attackers have used Managed Service Providers as a means to attack companies are a stark reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security, and seemingly small players in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.

Protecting the public, UK businesses, and critical national infrastructure[footnote 1], will always be the highest priority of this government. The government recognises that effective management of supply chain cyber security is key to a resilient UK economy. The UK’s National Cyber Security Centre offers a range of support to help organisations assess the security risks of their suppliers, including the advice on identifying business-wide cyber security risks and vulnerabilities such as the Cyber Assessment Framework and providing specific Supply Chain Security Guidance.

The government has also supported organisations to improve their cyber risk management during the pandemic, including the provision of £500,000 funding to enable critical suppliers in healthcare subsectors to achieve a minimum standard of preparedness through the government-led Cyber Essentials scheme.

Future-proofing our digital economy is a major priority for this government. Good cyber security throughout supply chains is a crucial part of this and our mission of making the UK the safest place to live and work online. This Call for Views is an important part of this process, allowing the government’s work to be informed by an understanding of what works and I encourage all organisations who procure digital services, including Managed Services, and Managed Service Providers themselves, to take part in this consultation.

Matt Warman

Minister for Digital Infrastructure

Introduction

A key focus of the government’s National Cyber Security Strategy 2016–2021 has been on ensuring all organisations are effectively managing their cyber risk to help make the UK the safest place to live and work online. With the rapid increase in the digitisation of UK organisations cyber threats are increasingly reaching organisations through vulnerabilities in their suppliers, or supplied products and services. The government is preparing a new National Cyber Strategy which will set a goal of building a more resilient and prosperous digital UK, bolstering our cyber security, ensuring organisations are empowered to adopt new technology, and addressing vulnerabilities in our digital infrastructure.

For the purposes of this Call for Views and the government’s current interest in supplier cyber risk management, a digital supply chain refers to the supply of digital products and services, the sharing of business critical information or where suppliers have a digital connection to an organisation and that supplier’s wider digitally connected supply chain. A digital connection may include the transfer of data between an organisation and its suppliers, where suppliers are given access to organisation’s networks and systems, or when organisations outsource departments and operations to third parties. The physical security of non-digital assets is also critical to cyber security but not the focus of this publication.

Cyber risks permeate throughout supply chains. Organisations have a responsibility to secure themselves in order to protect their stakeholders, their clients and their customers. The challenge is therefore to ensure organisations in a supply chain are not used as an attack vector to reach others.

This is particularly relevant for Managed Service Providers. Many organisations rely on Managed Service Providers to provide essential digital services such as outsourcing an organisation’s IT or managing key business processes. Managed Service Providers play a critical role in the modern global digital economy. However, when these suppliers are providing critical services at scale, their vulnerabilities may present a threat to the security and stability of key parts of the economy. This threat is exacerbated because many Managed Service Providers operate internationally and provide services across national borders. The government has therefore identified Managed Service Providers as a priority in addressing supply chain cyber security.

This Call for Views focuses on further understanding two aspects of supply chain cyber security:

  • Part 1 seeks input on how organisations across the market manage supply chain cyber risk and what additional government intervention would enable organisations to do this more effectively.
  • Part 2 then seeks input on the suitability of a proposed framework for Managed Service Provider security and how this framework could most appropriately be implemented to ensure adequate baseline security to manage the risks associated with Managed Service Providers.

The information collected and analysed through this Call for Views will contribute to the development of policy solutions to provide further support to organisations with supplier cyber risk management guidance and assurance. It will also help to highlight what additional support or direction is required from the government to enable organisations of all sizes and sectors to become increasingly secure online.

Findings from Part 1 will contribute to the development of the government’s evidence base, including enhancing our understanding of good supplier cyber risk management, enable us to continue to improve existing advice and guidance, and will help to highlight what additional support or direction is required from the government to support organisations to become increasingly secure online.

Findings from Part 2 will inform the development of policy solutions to help manage the security risks associated with Managed Service Providers, while ensuring that organisations have the information and capability to prioritise security when buying services from Managed Service Providers.

DCMS welcomes input from organisations of all sizes and sectors including membership bodies and associations, academics, and supply chain, procurement and cyber security experts, as well as those that support organisations with their risk management such as consultancies or risk management platforms. In particular, we welcome input from Managed Service Providers and buyers of Managed Services into Part 2. However, submissions are not limited to these organisations and we invite responses from all those that have an interest in supply chain cyber risk management. Respondents should answer the questions that are most relevant: there is no obligation to respond to all survey questions.

While the Call for Views is open we will continue to engage with industry as we seek feedback and insights on how to improve existing government offers, and develop new policy solutions that will support organisations’ to protect their supply chains from cyber risk.

Open call for views

Please take this opportunity to shape our future work by responding to the online survey. If you are unable to submit your response using the online survey, please do so by emailing your responses to the questions in this consultation to cyber-review@dcms.gov.uk or by post to:

Call for views on supply chain cyber security
Cyber Resilience Team - 4/47
DCMS
100 Parliament Street
London
SW1A 2BQ

We recommend reading the Call for Views in full before completing the online survey.

When you are ready to submit your response, please follow the survey instructions. Once submitted, you will no longer have access to your response. Partial responses will be recorded and included in the analysis. If you wish your partial response to be deleted and not included in the analysis, please email cyber-review@dcms.gov.uk. Please note that in doing so, we may require you to provide us with some of your responses to the survey (identifying information), e.g. your organisation’s name, to ensure the correct response is removed.

When submitting your response, please clarify:

  • If you are responding on behalf of an organisation or in a personal capacity;
  • Which questions you are answering (there is no need to respond to both parts of the Call for Views, or all of the questions in each part, if they are not all relevant to you);
  • Whether you are willing to be contacted (if so, please provide contact details); and
  • Whether you prefer for your response to remain confidential and non-attributable (if so, please specify).

We would also welcome any information, studies, reviews, statistics, grey literature, measures or metrics which you feel are relevant to the development of supply chain policy for UK cyber security. Please send these via email to cyber-review@dcms.gov.uk. If the documents you send relate particularly to any of our individual questions, please state this in your response.

If you have any issues submitting evidence in the above formats, or any questions, please contact us at cyber-review@dcms.gov.uk.

This call for views will close at 23:59 on Sunday 11 July. The government’s response to this Call for Views will include an anonymous summary of responses we receive and will be published in late 2021.

Part 1: Supply chain risk management

1A: Barriers to effective supplier cyber risk management

The government is still developing an understanding of how different organisations manage supply chain cyber risk, and the barriers preventing effective supplier risk management. We know that relatively small proportions of organisations are effectively managing cyber security risks posed by their suppliers and that supply chain risk management is an aspect of cyber security that organisations find particularly challenging. DCMS’ Cyber Security Breaches Survey 2021 found that just 12% of businesses have reviewed cyber security risks posed by their suppliers and only 5% have done this for their wider supply chain which is lower this year than in previous years (at 5%, in 2021 vs. 9% in 2020)[footnote 2].

Our findings highlight that the main barriers preventing organisations from more effectively managing supplier cyber risk are:

  • Low recognition of supplier risk: Many organisations are often unclear of how the cyber security of their suppliers was linked to their own security. Organisations often, therefore, do not consider cyber risk in the procurement process at all, or prioritising it below other concerns.
  • Limited visibility into supply chains: Even organisations that intend to manage the cyber risk in their supply chain often find it difficult to get the necessary information from their suppliers. Supplier resistance can be an obstacle for organisations, particularly when there is a lack of information availability on the part of suppliers, and a reliance on supplier attestation. Organisations also face significant challenges with multi-tiered supply chains, geolocation of resources, and digital complexity.
  • Insufficient expertise to evaluate supplier cyber risk: Often those managing supplier risk in organisations do not have the capability to know what questions to ask their suppliers or how to seek assurance of effective cyber security.
  • Insufficient tools to evaluate supplier cyber risk: Cyber security standards can act as a proxy for organisations to access and understand their suppliers’ systems, including providing a trusted third-party evaluation of a supplier’s cyber security. However, there are many standards on the market, with no overarching framework or outline for how organisations should use these standards to address their supplier risk. Different clients use multiple standards often preventing convenient, effective and assured supplier risk management.
  • Limitations to taking action due to structural imbalances: Organisations may feel they lack sufficient leverage with larger or specialist suppliers to insist on certain security measures or standards, or may lack a choice of alternatives if these suppliers refuse to meet their requirements.

Questions on barriers to effective supplier risk management:

1.How much of a barrier do you think each of the following are to effective supplier cyber risk management?

a. Low recognition of supplier risk

b. Limited visibility into supply chains

c. Insufficient expertise to evaluate supplier cyber risk

d. Insufficient tools or assurance mechanisms to evaluate supplier cyber risk

e. Limitations to taking action due to structural imbalance

  • Not a barrier
  • Somewhat of a barrier
  • Severe barrier
  • Don’t know

2.Are there any additional barriers preventing organisations from effectively managing supplier cyber risk that have not been captured above?

  • Yes
  • No
  • Don’t know

3.[If Yes] What additional barriers preventing organisations from effectively managing their supplier risk are you aware of?

  • Open question

1B: Supply chain cyber risk management

To support organisations with their supplier risk management, the National Cyber Security Centre (NCSC) has developed Supply Chain Security Guidance to help organisations establish effective control and oversight of their supply chain. The principles outlined in the guidance provide advice for organisations on:

  • Understanding the risk: Outlines the need for an organisation to understand what needs to be protected and why, identify key suppliers and assess the security risk they posed.
  • Establishing control of supply chains: Outlines the need to communicate security needs to suppliers, set and communicate minimum security requirements for suppliers, build security considerations into contracting processes (and require that suppliers do the same). It also highlights the need for the procuring organisation to meet security responsibilities, raise awareness of security within the supply chain and provide support for security incidents.
  • Checking arrangements to gain confidence in managing supplier risk: Outlines the need to build assurance activities into supply chain cyber risk management.
  • Continuous improvement to improve and maintain security: Outlines the need to continue working with suppliers to improve their security arrangements and build trust with suppliers.

Questions on supply chain cyber risk management

4.Have you used the NCSC’s Supply Chain Security Guidance?

  • Yes
  • No

5.How challenging do (or would) organisations find it to effectively act on these principles of supply chain cyber risk management, as outlined in the NCSC’s Supply Chain Security Guidance?

a. Understanding the risks

b. Establishing control

c. Checking arrangements

d. Continuing to improve, evolve and maintain security

  • Not at all challenging
  • Slightly challenging
  • Very challenging
  • Don’t know

6.What are examples of good practice for organisations implementing these aspects of supply chain cyber risk management?

  • Open question

a. Understanding the risks

b. Establishing control

c. Checking arrangements

d. Continuing to improve, evolve and maintain security

7.What additional principles or advice should be included when considering supply chain cyber risk management?

  • Open question

1C: Supplier Assurance

Building on its Supply Chain Security Guidance, the NCSC has also developed a set of Supplier Assurance Questions designed to guide organisations in their discussions with suppliers and ensure confidence in their cyber risk management practices. The questions cover the priority areas organisations should consider when assuring their suppliers have appropriate cyber security protocols in place, along with questions to steer the discussion. The priority areas include:

  1. Security Governance sets out questions to establish who has responsibility for cyber security at the supplier organisation, whether the supplier has people in security roles with appropriate skills and experience, and if there are effective policies in place for staff to follow.
  2. Managing and recovering from incidents sets out questions to establish whether the supplier has plans and processes in place to cope with an incident and recover from it.
  3. Protecting the network sets out questions to establish whether the supplier has implemented basic cyber hygiene, such as up-to-date antivirus and patching, along with an understanding and control of who has access to a network.
  4. Protecting data sets out questions to establish how a supplier protects the data on their networks.
  5. Offshoring sets out questions to establish if any of the supplier’s services to an organisation are offshored and if so, how those services meet relevant information security controls.
  6. Personal data sets out questions to establish whether a supplier handles or processes any personal data as part of their service to an organisation, and if so, whether it meets the GDPR security principles.
  7. Personnel security sets out questions to establish an understanding of what personnel security controls a supplier has in place.
  8. Physical security sets out questions to establish whether a supplier physically protects its premises, data and assets.
  9. Independent testing and assurance sets out questions to establish how the supplier is gaining confidence that their security controls are working in practice.
  10. Contractual considerations sets out questions for an organisation to consider in their contracts with suppliers, including flow down arrangements to subcontractors.

Questions on Supplier Assurance:

8.Have you used or do you plan to use the NCSC’s Supplier Assurance Questions?

  • Yes
  • No

9.Since publishing the NCSC’s Supplier Assurance Questions, it has been noted that the guidance could also cover the use of supplier-provided apps (e.g. where a supplier requires use of apps on an organisation’s network to deliver its service to that organisation). Are there any additional areas of supplier assurance that should be outlined?

  • Yes
  • No
  • Don’t Know

10.[If Yes] What additional areas of supplier assurance should be outlined?

  • Open question

1D: Commercial offerings

There are several existing commercial offerings that can be used by organisations to help with the management of supply chain cyber risk. However, the same market failures that present barriers to supply chain risk management likely stifle uptake of these products.

These products and services that can assist organisations in gaining visibility and control over their supply chain. We have categorised this external support as:

  • Private supplier-assurance companies that provide standardised assessments of supplier cyber security.
  • Platforms for supporting supplier risk management that give organisations visibility over their supply chain risk, provide expertise on what constitutes a high to low level of cyber risk, provide networks of suppliers with risk information and support suppliers to manage their cyber risk.
  • Supply chain management system providers that support with the evaluation, selection, and creation of formal agreements with suppliers.
  • Risk, supply chain and management consultancies that have specialist cyber security and risk teams that advise organisations on supply chain risk management.
  • Suppliers of outsourced procurement services which take on key procurement activities relating to sourcing and supplier management to a third party.
  • While there are limited procurement specific standards, industry cyber security certification schemes can be a tool for suppliers to signal their cyber security posture, and for organisations to gain knowledge about the cyber security of their suppliers.

There is currently limited evidence on how effective these tools or services are in helping organisations identify and manage their supply chain cyber risk. This section seeks insights on how commercial offerings are supporting organisations to manage their supplier cyber risk.

Questions on commercial offerings:

11.How effective are the following commercial offerings for managing a supplier’s cyber risk?

a. Private supplier assurance

b. Platforms for supporting supplier risk

c. Supply chain management system providers

d. Risk, supply chain and management consultancies

e. Suppliers of outsourced procurement services

f. Industry cyber security certification schemes

  • Not effective
  • Somewhat effective
  • Very effective
  • Don’t know

12.What additional commercial offerings, not listed above, are effective in supporting organisations with supplier risk management?

  • Open question

1E: Additional government support required

There is also existing government support available to help organisations manage their supply chain cyber risk, ranging from voluntary advice and guidance to the use of government regulation to drive organisations to improve management of their supply chain cyber risk. These include the following government interventions:

Support to better prioritise supplier risk:

NCSC cyber risk management frameworks highlight the importance of supply chain as part of cyber risk management. The Security of Network & Information Systems Regulations 2018 provide legal measures to regulate a subset of critical national infrastructure requiring suppliers of essential services and some digital services to manage cyber risks via appropriate and proportionate security measures. The Cyber Assessment Framework includes a supply chain risk management principle which is intended to ensure that organisations in scope of Network & Information Systems Regulations understand and manage the security risks. The Network & Information Systems Regulations and the Cyber Assessment Framework will be further explored in Part Two of the Call for Views on Managed Service Providers.

Support to understand what to do:

NCSC guidance provides an initial level of direction for suppliers, while also giving organisations advice on cyber security and supplier risk management to include in their procurement processes and contracts. The NCSC has published:

Government procurement can act as a signal of procurement good practice, and creates a powerful incentive for government suppliers to meet mandated security standards. Cyber Essentials, a government backed certification scheme, is increasingly recognised as a way to require an achievable minimum level of security within a supply chain. It is now mandatory for suppliers to demonstrate that they meet the technical requirements prescribed by Cyber Essentials in government contracts that involve the handling official government data and of providing certain ICT products and services.[footnote 3]

Questions on additional government support:

13.How effective would the following government actions be in supporting and incentivising organisations to manage supply chain cyber risk?

a. Awareness raising of the importance of supply chain cyber risk management through the use of campaigns and industry engagement

b. Additional support to help organisations to know what to do, such as:

  • Improved or additional advice and guidance

  • A tool that draws on existing advice and standards to help organisations manage supplier cyber risk

c. Providing a specific supplier risk management standard that:

  • Outlines minimum and good practice and/ or

  • Provides assurance that an organisation is managing their supply chain cyber risk

d. Targeted funding to help stimulate innovation and grow commercial offerings that support organisations with their supplier risk management (e.g. Government competitions, accelerator programmes)

e. Regulation to make procuring organisations more responsible for their supplier risk management.

f. Other (Please specify)

  • Not effective
  • Somewhat effective
  • Very effective
  • Don’t know

Part 2: Managed Service Providers

Having explored supply chain cyber risk management in the above section, this part of the call for views examines the critical role that Managed Service Providers play in the UK’s supply chains across all sectors of the economy, including government and critical national infrastructure. The services that Managed Services Providers supply are critical to their customers’ operational and business continuity. This section seeks views on the government’s preliminary proposals for managing the cyber security risks associated with Managed Service Providers.

We welcome responses from all types of organisations - large and small, from any sector - across the UK’s diverse economy. We are especially eager to hear from entities involved in the supply or purchase of Managed Services, as well as those with cyber security expertise. The information gathered through this section will inform DCMS’s work on the resilience of Managed Service Providers and supply chains.

2A: The benefits and risks of Managed Service Providers

With organisations increasingly using digital solutions to help manage their operations, they are becoming increasingly reliant on Managed Service Providers. By providing digital services that allow organisations to outsource their IT or manage key business processes, Managed Service Providers are essential to the functioning of the UK’s economy. Adopting Managed Services is regarded as an efficient and cost effective way to stay up-to-date with rapid technological change, access in-demand skills or expertise, and have flexible, scalable, and high-quality IT services.

The government has identified Managed Service Providers[footnote 4] as essential digital suppliers that pose disproportionate risks to the security and resilience of organisations across the UK. Managed Service Providers often play a critical role in supply chains and many organisations rely on Managed Services for their day-to-day operation. For example, Managed Service Providers will often have widespread and privileged access to the networks, infrastructure and data of their customers. Often these customers deliver essential services as part of the UK’s Governments, local authorities or other critical national infrastructure sectors. Now that many of these suppliers are supporting the provision of essential services at scale, they may present unacceptable risks to the stability and security of key parts of the economy if successfully exploited.

As the prevalence and importance of Managed Service Providers has grown, so has the threat against them. The NCSC assesses that the rise in incidents involving Managed Service Providers is a result of the increasing sophistication of the threat actors targeting Managed Service Providers. By compromising a single Managed Service Provider, an attacker can gain unauthorised access into multiple organisations at scale. In one incident known as ‘Operation Cloud Hopper’, a sophisticated Advanced Persistent Threat actor compromised 14 Managed Service Providers, resulting in unprecedented access to the intellectual property and sensitive data of those Managed Service Providers and their network of global customers[footnote 5].

In another major Managed Service Provider incident, a ransomware attack caused service disruption for customers at scale. The attack disrupted the Managed Service Provider’s ability to enable its staff to work remotely during COVID-19. In response, the Managed Service Provider’s customers opted to protect themselves from the malware by closing off access to their networks, effectively putting operations reliant on the Managed Service on hold.

By working in partnership with the industry, the NCSC has highlighted that cyber security levels vary across the Managed Service Provider market. While the standards of cyber security among some Managed Service Providers are high, the varying levels of security across the market, as well as the frequency and severity of cyber attacks, present risks that must be mitigated. A lack of effective and commonly followed security standards has led to the successful exploitation of vulnerabilities exposed, or exacerbated, by Managed Service Providers.

Question:

14.What additional benefits, vulnerabilities or cyber risks associated with Managed Service Providers would you outline?

  • Open question

15.Are there certain services or types of Managed Service Providers that are more critical or present greater risks to the UK’s security and resilience?

  • Open question

2B: Securing the provision of managed services

The government is collaborating with a range of partners, including Managed Service Providers, procurers of Managed Services (customers), and international stakeholders to develop policy solutions that help mitigate the security risks associated with Managed Service Providers, while ensuring procurers have the knowledge and capability to prioritise security when purchasing Managed Services.

Both Managed Service Providers and their customers have a shared responsibility for cyber security. Each has a responsibility for designing and implementing appropriate security measures. This requires a certain level of cooperation and transparency between the Managed Service Provider and their customer to ensure an appropriate level of information about security is shared to inform decision making.

As a first step, the government is working to establish a set of minimum cyber security standards to ensure that critical Managed Service Providers achieve a common, baseline level of security. Once these minimum standards are established, the government will drive their adoption through the development of policy implementation options. Very preliminary scoping of these implementation options is outlined in the subsequent section.

As outlined in the first part of this Call for Views, the NCSC offers a range of world-class voluntary guidance and advice to support organisations manage their supply chain cyber security risks. The government recognises voluntary guidance and support may not be sufficient to address the security requirements associated with the widespread use of Managed Service Providers.

Given Managed Service Providers supply services that are increasingly critical to the functioning of the entire economy, stronger forms of government intervention may be needed. For instance, a subset of Managed Service Providers supplying to public electronic communications networks and services may be subject to additional security requirements as part of the upcoming Telecommunications (Security) Bill. This reflects the risks associated with the dependence on third party suppliers in the telecommunications sector.

The Security of Network & Information Systems Regulations also place requirements on relevant Digital Service Providers. Currently, a small portion of Managed Service Providers that provide cloud computing services on top of their Managed Service offering is captured under the Network & Information Systems Regulations. As currently scoped, cloud computing services are subject to much less stringent regulatory oversight than other entities under the Regulations. For example, the ex-post supervisory regime ensures that regulatory scrutiny applies to cloud service providers only in the aftermath of an incident. However most Managed Service Providers are not within scope of the Digital Service Provider definition and are therefore not subject to the Network & Information Systems Regulations. The section on implementation options below outlines opportunities for legislative changes to better address Managed Service Provider resilience.

A future Managed Service Provider security framework

The government recognises the need to establish a set of shared security expectations that align with current standards and regulatory requirements. This is important given the diversity of the Managed Service Provider industry and the already complex domestic and international landscape of cyber security standards. One possible existing framework that may help to provide a common set of minimum security standards for addressing Managed Service Provider-associated risks is the NCSC’s Cyber Assessment Framework.

The Cyber Assessment Framework is a collection of a set of 14 cyber security & resilience principles, together with guidance on using and applying the principles. The Cyber Assessment Framework collection is designed for organisations that play a vital role in the day-to-day life of the UK such as those that operate critical national infrastructure, or those subject to the Network & Information Systems Regulations. The security of the UK’s critical national infrastructure is a priority for the government in addressing Managed Service Provider-associated risks. The Cyber Assessment Framework therefore could be appropriate given the increasingly critical role Managed Service Providers play in supply chains throughout the economy and especially for critical national infrastructure.

The Cyber Assessment Framework is a well developed and widely recognised framework that is already used to benchmark cyber resilience of a number of critical national infrastructure sectors under the Network & Information Systems Regulations. The Cyber Assessment Framework is also supported by technical guidance and references, meaning it is constantly evolving to address emerging issues and threats. Rather than highly prescriptive compliance requirements, the Cyber Assessment Framework’s outcomes-based principles could provide the necessary scope and flexibility given the evolving nature of the threat environment and the diversity of Managed Service Providers and their services. Of those that use the Cyber Assessment Framework under Network & Information Systems Regulations, 93% found it extremely, very or moderately useful for managing risk to the security of their organisation’s network and information systems.[footnote 6]

The government is interested in views as to whether the Cyber Assessment Framework may be an appropriate framework to inform a baseline level of cyber security and resilience for Managed Service Providers. For reference, the following table outlines the objectives and principles featured in the current version of the Cyber Assessment Framework:

Cyber Assessment Framework Principles
Objective Principle Description
Objective A: Managing security risk

Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting functions essential to service delivery.
Governance Putting in place the policies and processes which govern your organisation’s approach to the security of network and information systems.
  Risk management Identification, assessment and understanding of security risks. And the establishment of an overall organisational approach to risk management.
  Asset management Determining and understanding all systems and/or services required to maintain or support essential functions.
  Supply chain Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.
Objective B: Protecting against cyber attack

Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack.
Service protection policies and processes Defining and communicating appropriate organisational policies and processes to secure systems and data that support the operation of essential functions.
  Identity and access control Understanding, documenting and controlling access to networks and information systems supporting essential functions.
  Data security Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.
  System security Protecting critical network and information systems and technology from cyber attack.
  Resilient networks and systems Building resilience against cyber attack.
  Staff awareness and training Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.
Objective C: Detecting cyber security events

Capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions.
Security monitoring Monitoring to detect potential security problems and track the effectiveness of existing security measures.
  Proactive security event discovery Detecting anomalous events in relevant network and information systems.
Objective D: Minimising the impact of cyber security incidents

Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including the restoration of those functions where necessary.
Response and recovery planning Putting suitable incident management and mitigation processes in place.
  Lessons learned Learning from incidents and implementing these lessons to improve the resilience of essential functions.

Source: Cyber Assessment Framework Principles[footnote 7]

The government is seeking views on whether the Cyber Assessment Framework could be an appropriate framework for Managed Service Provider security, and whether any additional principles could be applicable.

Questions:

16.When considering the 14 Cyber Assessment Framework Principles, how applicable is each Principle to the cyber security and resilience considerations associated with Managed Service Providers? Please choose one of the following for each of the 14 Principles

  • Not applicable
  • Somewhat applicable
  • Completely applicable
  • Don’t know

17.Can you identify other objectives or principles that should be incorporated into a future Managed Service Provider security framework?

  • Open question

2C: Implementation options

While working with industry to determine an appropriate set of minimum-security standards for addressing Managed Service Provider associated cyber risks, the Government has been undertaking early scoping of policy implementation options. Establishing a set of cyber security standards is a starting point, but effective uptake will prove critical in meaningfully reducing risks and increasing the resilience of the UK economy. The government is working collaboratively with a wide range of stakeholders to develop a range of policy solutions that promote the uptake of Managed Service Provider security standards in a manner that is effective, proportionate and appropriately targeted. Preliminary policy options include:

  • Developing education and awareness campaigns aimed at Managed Service Provider customers. Campaigns could focus on providing guidance and educating buyers of Managed Services so they better understand the risks associated with Managed Service Providers and how they make procurement decisions that align with their unique security needs. This solution could also promote good practice in establishing commercial arrangements with Managed Service Providers that reflect shared security responsibilities.
  • Establishing a certification or assurance mark to guide customers in procuring Managed Service Provider services and their adherence to a standard such as the Cyber Assessment Framework. Creating greater assurance and confidence in standards of security would enable those procuring Managed Services within the public and private sector to easily distinguish between more resilient providers. It would further introduce greater levels of market differentiation based on security levels.
  • Setting minimum requirements in public procurement, based on an assurance mark for instance. This would promote uptake of the expected security standards and enable consistent procurement practices across the government, with security appropriately valued and embedded into decision making.
  • Developing new or updated legislation to incentivise the uptake of security standards and, where necessary, hold Managed Service Providers and their customers accountable for security outcomes. One approach may involve updating the Network & Information Systems Regulations, so that operators of essential services are using Managed Services in a way that meets a certain level of cyber security. Another solution could involve updating the scope of the existing Network & Information Systems Regulations to encourage critical Managed Service Providers to adhere to the Cyber Assessment Framework. The development of new legislation to address Managed Service Provider-associated cyber security risks is also possible.
  • Creating a set of targeted regulatory guidance to support critical national infrastructure sector regulators to oversee and manage risks associated with Managed Service Providers. The Cyber Assessment Framework collection is already well supported by supplementary guidance material, including around supply chain risk management. Tailored Cyber Assessment Framework guidance for Managed Service Providers could be developed.
  • Developing joined-up approaches internationally to managing Managed Service Provider security issues. In recognition of the international nature of the Managed Service Provider market and feedback from industry, the government is conducting early engagement with international partners and organisations to explore avenues for developing international approaches to addressing Managed Service Provider cyber risks. These might include developing and promoting guidelines on international best practice or working with industry and other global partners to establish common international standards

Questions:

18.How effective would each of these options be in promoting uptake of a future framework for Managed Service Provider cyber security and resilience?

a. Developing education and awareness campaigns

b. Establishing a certification or assurance mark

c. Setting minimum requirements in public procurement

d. Developing new or updated legislation

e. Creating a set of targeted regulatory guidance to support critical national infrastructure sector regulators

f. Developing joined-up approaches internationally to managing Managed Service Provider security issues

  • Not at all effective
  • Somewhat effective
  • Very effective
  • Don’t know

19.Please explain your previous response. Please also suggest any alternative ways the government could help address the cyber risks associated with Managed Service Providers.

  • Open question

Next steps

The government is eager to continue to work with and expand its networks across industry, academia and international partners to develop solutions to address the cyber risks facing the UK’s supply chains. We may follow up directly with respondents on the substance of the answers to the survey questions.

We will also continue to build relationships with membership bodies and associations who play a critical role in raising awareness and prioritisation for supply chain cyber risk management with procurement professionals and those that manage supplier risk in organisations.

While the government is in the early stages of understanding the cyber security risks associated with Managed Service Providers, it is clear that policy solutions are needed to address the threat. The government will work throughout 2021 to develop and publish a framework for addressing Managed Service Provider-associated risks. In the meantime, DCMS will continue to work collaboratively and iteratively on further scoping, prioritising and refining policy solutions to promote the uptake of the to-be-agreed framework.

Evidence and insights gathered through this Call for Views, as well as the government’s ongoing engagement, will be used to evolve existing government support and develop new policy solutions. Our supply chain work will be further contextualised within wider government Cyber Resilience Policy as part of the upcoming Business Resilience and Cyber Security publication (formerly known as the Incentives and Regulations Review), due for publication later in 2021.

Annex 1: List of Questions

Part 1: Supply chain section

Questions on barriers to effective supplier risk management:

1.How much of a barrier do you think each of the following are to effective supplier cyber risk management?

a. Low recognition of supplier risk

b. Limited visibility into supply chains

c. Insufficient expertise to evaluate supplier cyber risk

d. Insufficient tools or assurance mechanisms to evaluate supplier cyber risk

e. Limitations to taking action due to structural imbalance

  • Not a barrier
  • Somewhat of a barrier
  • Severe barrier
  • Don’t know

2.Are there any additional barriers preventing organisations from effectively managing supplier cyber risk that have not been captured above?

  • Yes
  • No
  • Don’t know

3.[If Yes] What additional barriers preventing organisations from effectively managing their supplier risk are you aware of?

  • Open question

Questions on supply chain cyber risk management

4.Have you used the NCSC’s Supply Chain Security Guidance?

  • Yes
  • No

5.How challenging do (or would) organisations find it to effectively act on these principles of supply chain cyber risk management, as outlined in the NCSC’s Supply Chain Security Guidance?

a.Understanding the risks

b.Establishing control

c.Checking arrangements

d.Continuing to improve, evolve and maintain security

  • Not at all challenging
  • Slightly challenging
  • Very challenging
  • Don’t know

6.What are examples of good practice for organisations implementing these aspects of supply chain cyber risk management?

  • Open question

a.Understanding the risks

b.Establishing control

c.Checking arrangements;

d.Continuing to improve, evolve and maintain security

7.What additional principles or advice should be included when considering supply chain cyber risk management?

  • Open question

Questions on supplier assurance:

8.Have you used or do you plan to use the NCSC’s Supplier Assurance Questions?

  • Yes
  • No

9.Since publishing the NCSC’s Supplier Assurance Questions, it has been noted that the guidance could also cover the use of supplier-provided apps (e.g. where a supplier requires use of apps on an organisation’s network to deliver its service to that organisation). Are there any additional areas of supplier assurance that should be outlined?

  • Yes
  • No
  • Don’t Know

10.[If Yes] What additional areas of supplier assurance should be outlined?

  • Open question

Questions on commercial offerings:

11.How effective are the following commercial offerings for managing a supplier’s cyber risk?

a. Private supplier assurance

b. Platforms for supporting supplier risk

c. Supply chain management system providers

d. Risk, supply chain and management consultancies

e. Suppliers of outsourced procurement services

f. Industry cyber security certification schemes

  • Not effective
  • Somewhat effective
  • Very effective
  • Don’t know

12.What additional commercial offerings, not listed above, are effective in supporting organisations with supplier risk management?

  • Open question

Question on additional government support:

13.How effective would the following government actions be in supporting and incentivising organisations to manage supply chain cyber risk?

a. Awareness raising of the importance of supply chain cyber risk management through the use of campaigns and industry engagement

b. Additional support to help organisations to know what to do, such as:

  • Improved or additional advice and guidance

  • A tool that draws on existing advice and standards to help organisations manage supplier cyber risk

c. Providing a specific supplier risk management standard that:

  • Outlines minimum and good practice and/ or

  • Provides assurance that an organisation is managing their supply chain cyber risk

d. Targeted funding to help stimulate innovation and grow commercial offerings that support organisations with their supplier risk management (e.g. Government competitions, accelerator programmes)

e. Regulation to make procuring organisations more responsible for their supplier risk management.

f. Other (Please specify)

  • Not effective
  • Somewhat effective
  • Very effective
  • Don’t know

Part 2: Managed Service Provider section

14.What additional benefits, vulnerabilities or cyber risks associated with Managed Service Providers would you outline?

  • Open question

15.Are there certain services or types of Managed Service Providers that are more critical or present greater risks to the UK’s security and resilience?

  • Open question

16.When considering the 14 Cyber Assessment Framework Principles, how applicable is each Principle to the cyber security and resilience considerations associated with Managed Service Providers? Please choose one of the following for each of the 14 Principles

  • Not applicable
  • Somewhat applicable
  • Completely applicable
  • Don’t know

17.Can you identify other objectives or principles that should be incorporated into a future Managed Service Provider security framework?

  • Open question

18.How effective would each of these options be in promoting uptake of a future framework for Managed Service Provider cyber security and resilience?

a. Developing education and awareness campaigns

b. Establishing a certification or assurance mark

c. Setting minimum requirements in public procurement

d. Developing new or updated legislation

e. Creating a set of targeted regulatory guidance to support critical national infrastructure sector regulators

f. Developing joined-up approaches internationally to managing Managed Service Provider security issues

  • Not at all effective
  • Somewhat effective
  • Very effective
  • Don’t know

19.Please explain why you have provided the responses above and whether there are alternative ways the government could help address the cyber risks associated with Managed Service Providers?

  • Open question

Part 3: Questions on those responding to the call for views

20.Are you responding as an individual or on behalf of an organisation?

  • Individual
  • Organisation

21.[if individual] Which one of the following statements best describes you?

  • Cyber Security professional
  • Employer of cyber security professionals or consumer of services provided by a cyber security professional
  • Professional in another sector
  • Academic
  • Student
  • Interested in a career in cyber security
  • Interested member of the general public
  • Other Free text

22.[if organisation] Which of the following statements best describes your organisation? (Select all that apply)

  • A Managed Service Provider
  • An organisation that uses Managed Service Providers
  • An organisation that acts as a supplier
  • An organisation that manages suppliers
  • Organisation that employs, contracts or uses cyber security professionals
  • Cyber security training provider and or certification/qualification provider
  • A cyber security professional body
  • Other form of cyber security professional organisation
  • An academic or educational institution
  • Organisation with an interest in cyber security
  • Non-cyber security specific professional body or trade organisation with an interest in cyber security
  • Other Free text

23.[if organisation] Which one of the following best describes the sector of your organisation?

  • Agriculture, forestry & fishing
  • Production
  • Construction
  • Wholesale and retail; repair of motor vehicles
  • Transport & Storage (inc. postal)
  • Accommodation & food services
  • Information & communication
  • Finance & insurance
  • Property
  • Professional, scientific & technical
  • Business administration & support services
  • Public administration & defence
  • Education
  • Health
  • Arts, entertainment, recreation
  • Other services

24.[if organisation] Including yourself, how many people work for your organisation across the UK as a whole? Please estimate if you are unsure.

  • Under 10
  • 10–49
  • 50–249
  • 250–999
  • 1,000 or more

25.[if organisation] What is the name of the organisation you are responding on behalf of? Free text

26.Are you happy to be contacted to discuss your response and supporting evidence?

  • Yes
  • No

27.[If yes] Please provide a contact name and email address below.

Annex 2: Glossary

The following terms are working definitions, developed for the purposes of this publication. These terms should not be considered as final and are not reflective of government policy. If you have any questions or suggestions please contact cyber-review@dcms.gov.uk.

Critical national infrastructure (CNI) - Critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:

  • Major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or
  • Significant impact on national security, national defence, or the functioning of the state.

Digital connection - Refers to the use of information technology in the provision of goods and services between procurer and supplier. This may include the transfer of data between an organisation and its suppliers, granting suppliers access to organisations networks and systems, and the outsourcing of critical departments and operations to third parties.

Digital supply chains - Refers to all an organisation’s third party vendors which have a digital connection to an organisation, and that vendor’s wider supply chain.

Impact - The consequences of a cyber breach, both to the organisation, and to society. The impact of a cyber breach is often realised as a cost. See Full Cost of Cyber Breaches Study.

Managed Service Provider - A supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, all of which are typically underpinned by a Service Level Agreement. A Managed Service Provider may provide their own Managed Services, or offer their own services in conjunction with other IT providers’ services. The Managed Services might include:

  • Cloud computing services (resale of cloud services, or an in-house public and private cloud services, built and provided by the Managed Service Providers)
  • Workplace services
  • Managed Network
  • Consulting
  • Security services
  • Outsourcing
  • Service Integration and Management
  • Software Resale
  • Software Engineering
  • Analytics and Artificial Intelligence (AI)
  • Business Continuity and Disaster Recovery services

The Managed Services might be delivered from customer premises, from customer data centres, from Managed Service Providers’ own data centres or from 3rd party facilities (co-location facilities, public cloud data centres or network Points of Presence (PoPs)).

Supply chain assurance - The process of establishing confidence in the effective control and oversight of an organisation’s supply chain.

Supply chain - The Chartered Institute of Procurement and Supply defines a supply chain as ‘the activities required by an organisation to deliver goods or services to the consumer’.

Supply chain risk management - All organisations will have a relationship with at least one other organisation and most organisations will be reliant on multiple relationships. Supply chain cyber risk management is the approach an organisation uses to understand and manage security risks that arise as a result of dependencies on these external external suppliers, including ensuring that appropriate measures are employed where third party services are used.

Supplier - Any organisation that supplies goods and/ or services to an organisation that involves establishing a digital connection with the procuring organisation.

(Cyber) Threat - Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.

Threat actor - A person or group involved in an action or process that is characterised by malice or hostile action (intending harm to an organisation) using computers, devices, systems, or networks. Includes cyber criminals, ‘hacktivists’, nation states and terrorist organisations.

Vulnerability - A point of weakness and/or possible threat to the supply chain network.