Guidance

Cyber Security Model: Supplier Assurance Questionnaire (SAQ) Question Set Guide

Updated 16 December 2021

© Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/supplier-cyber-protection-service-supplier-assurance-questionnaire-workflow/cyber-security-model-supplier-assurance-questionnaire-saq-question-set-guide

1. What is the Supplier Assurance Questionnaire (SAQ)?

The Supplier Assurance Questionnaire (SAQ) allows suppliers to demonstrate compliance with the cyber security controls required by a contract and its Cyber Risk Profile.

The SAQ forms part of the Defence Cyber Protection Partnership (DCPP) Cyber Security Model. The Authority will first perform a Risk Assessment (RA) of the contract to determine its Cyber Risk Profile. Suppliers invited to tender then complete an SAQ to demonstrate their compliance.

Suppliers intending to sub-contract part of a Ministry of Defence contract will also be required to complete a Risk Assessment for any sub-contract(s), and sub-contractors will be required to complete an SAQ in response to it. An SAQ is not required for contracts assessed as Not Applicable, however suppliers are still recommended to achieve Cyber Essentials certification.

For more information about the Cyber Security Model and the Defence Cyber Protection Partnership, visit: [https://www.gov.uk/guidance/defence-cyber-protection-partnership]

2. How to use this guide

This guide includes a workflow diagram of the questions which must be completed by suppliers when completing an SAQ. Both the Cyber Risk Profile of the relevant contract and the answers provided by a supplier will determine which questions are asked.

The question references (e.g. VL01) in the workflow refer to the full question and answer options listed on pages 4 to 9. Use both the workflow and the questions to understand what information will be required when responding to the SAQ.

The response options highlighted in green and with an Asterix represent the minimum requirements to be compliant with the related controls for a contract with the specified Cyber Risk Profile. Additional response options are also included, above the required compliance level, to evaluate cyber resilience across the Defence sector.

To view associated question-level guidance, visit Supplier Cyber Protection, the online service at [ https://supplier-cyber-protection.service.gov.uk ]and complete a sample SAQ.

3. SAQ questions

SAQ3

Do you have a Risk Assessment Reference?

• Yes - provide

• No

SAQ3a

Which Cyber Risk Profile do you want to complete an SAQ against?

  • Very Low

  • Low

  • Moderate

  • High

SAQ4

Provide a name and description for the contract.

4. General Contract Context questions

These questions will not determine whether you meet the minimum required standard for the contract’s Cyber Risk Profile.

GCC02

Provide a brief description of your organisation, to help us understand your business context. Tick all that apply.

  • My organisation is an Small Medium Enterprise (SME)

  • I am a sole trader

  • My organisation works from multiple locations

  • My organisation has locations outside of the UK

GCC03

Do you have any of the following existing information security certifications or accreditations that provide evidence of your ability to operate securely at this level? Tick all that apply.

<List of options, including “other” with text box for additional information>

GCC04

In support of this contract only, please indicate whether MOD

  • Identifiable Information is, or will be, processed on MOD accredited ICT systems
  • The ICT system(s) used has no accreditation
  • ICT systems have MOD accreditation to process Official or Official sensitive information
  • The ICT system(s) used is accredited to process Secret or Top secret information

5. Cyber Risk Profile: Very Low

VL01

Does your organisation have Cyber Essentials certification that covers the scope required for all aspects of the contract, and do you commit to maintaining this standard for the duration of the contract?

  • No
  • No, but we have a plan to put this in place by the point of contract award
  • Yes, provide certificate body and certificate no

VL01a

Do you have an equivalent standard to Cyber Essentials certification that you would like to claim as an alternative?

  • No
  • Yes

VL01b

Confirm which of the following statements apply to your organisation in the context of the equivalent standard you are claiming.

  • Boundary firewalls and internet gateways (list of statements)
  • Secure configuration (list of statements)
  • Access control (list of statements)
  • Malware protection (list of statements)
  • Patch management (list of statements)

6. Cyber Risk Profile: Low

L01

Does your organisation have an approved information security policy in place?

  • No
  • Yes, this is locally documented
  • Yes, we have a documented and maintained policy that considers as a minimum the following areas: (list of information security policies areas)

Yes, we have a documented and maintained policy that considers as a minimum the following areas:

  • (list of information security policy areas)

  • This is based on a formal recognised standard and is independently verified

L02

Are information security relevant roles identified and responsibilities assigned within your organisation?

  • No
  • Yes, roles and responsibilities have been assigned, but are not documented
  • Yes, roles and responsibilities have been assigned, and are formalised in accordance with and form part of corporate policy

Yes, roles and responsibilities have been assigned, and are formalised in accordance with and form part of corporate policy and are effectively communicated throughout your organisation

L03

Does your organisation define and implement a policy that addresses information security risks within supplier relationships?

  • No
  • Yes, using company standards
  • Yes, and it ensures that all relevant ‘cyber standards’ required through contracts or regulation are flowed down

Yes, and it ensures that all relevant ‘cyber standards’ required through contracts or regulation are flowed down. We also have additional requirements that are flowed down as required

L04

Does your organisation define and implement a policy that ensures that all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security?

  • No
  • Yes

L05

Are employee and contractor responsibilities for information security formally defined?

  • No, there is nothing formal in place
  • Yes, guidance is given, but no acknowledgement is required
  • Yes, in the general terms and conditions of employment and/or corporate policy. (For the avoidance of doubt this should cover full-time employees, contractors and agency staff)

L06

Does your organisation ensure that personnel with information security responsibilities are provided with suitable training?

  • No
  • Yes, we provide general training but nothing specific to a role
  • Yes, we provide training as required to roles
  • Yes, we define minimum skill sets for specific roles and have a continuous education process in place to ensure that our employees meet or exceed these

L07

Does your organisation have a policy for ensuring that sensitive information is clearly identified?

  • No
  • Yes, we identify such information, but do not apply any formal classification to it

  • Yes, we identify such information and apply a formal classification scheme in accordance with our policies or regulatory requirements

  • Yes, we identify such information and apply a formal classification scheme in accordance with our policies or regulatory requirements, and communicate this to all staff to ensure they clearly understand the scheme and their responsibilities for ensuring it affords appropriate protection to sensitive information

L08

Does your organisation have a policy to control access to information and information processing facilities?

  • No, we rely on our staff to do the right thing

  • Yes, we have formal handling - storage, transmission, transportation, retention and disposal - procedures based on our classification scheme

  • Yes, we have formal handling - storage, transmission, transportation, retention and disposal - procedures based on our classification scheme, and a policy that is documented and maintained

  • Yes, we have formal handling - storage, transmission, transportation, retention and disposal - procedures based on our classification scheme, which include handling in accordance with all regulatory requirements considered and captured in our baseline process

L09

Does your organisation have Cyber Essentials Plus certification that covers the scope required for all aspects of the contract, and do you commit to maintaining this standard for the duration of the contract?

  • No
  • No, certification is planned to be in place at the point of contract award
  • Yes, provide certification body and certificate number

L09a

Do you have an equivalent standard to Cyber Essentials Plus certification that you would like to claim as an alternative?

  • No
  • Yes

L10

Does your organisation have a policy to control the exchange of information via removable media?

  • No, we rely on our staff to do the right thing

  • Yes, we have handling procedures that are applied on a case-by-case basis

  • Yes, we assess the risks of the use of removable media and are managing it with a policy that is documented and maintained

  • Yes, we have a removable media policy which ensures that data held on removable media is the minimum necessary to meet the business requirement and is appropriately encrypted

L11

Does your organisation maintain the scope and configuration of the information technology estate?

  • No, we have not established the scope and configuration of our IT estate
  • Yes, we understand the size and topology of our corporate networks. We have a register of some, but not all assets

  • Yes, we have a verified understanding of the size and topology of our corporate networks. We have a register of all assets that is regularly reviewed

  • Yes, we have a verified, automated description of the size and topology of our corporate networks. We have an integrated, network-enabled register of all assets, which notifies us if an unknown asset is detected

L12

Does your organisation have a policy to manage the access rights of user accounts?

  • No, we do not control access to information assets or maintain access records Yes, but we rely on procedural measures to control access to information assets

  • Yes, we have an access control policy which covers how we establish appropriate user access rights to ensure that users only have access to information necessary for them to perform their role. Access rights are granted on a ‘least privilege’ basis

  • We require multi-factor authentication for accounts that have access to sensitive data or systems; we employ technology to enforce access control lists (ACLs) even when data is recovered off a server; we maintain records of access to our information assets

L13

Does your organisation have a policy and deploy technical measures to maintain the confidentiality of passwords?

  • No, we do nothing technical to maintain the confidentiality of passwords
  • Yes, we have a policy

  • Yes, we have a policy and technically ensure that all passwords are cryptographically protected when transmitted or stored electronically

  • Yes, and in addition we ensure that password files can only be accessed by administrators with the business need and permissions to do so

L14

Does your organisation have a policy for verifying an individual’s credentials prior to employment?

  • No
  • Yes

L15

Does your organisation have a policy for all employees and contractors to report violations of information security policies and procedures without fear of recrimination?

  • No
  • Yes

L16

Does your organisation have a disciplinary process in place to ensure that action is taken against those who violate security policy or procedures?

  • No

  • Yes, but this is just an informal process

  • Yes, we have a formal process, which is regularly reviewed and communicated to employees

L17

Does your organisation have procedures for information security incident management that include detection, resolution and recovery?

  • No
  • Yes

L17a

Which of the following information security incident management procedures apply to your organisation? Tick all that apply.

  • We have procedures and responsibilities for incident response planning and management
  • We have procedures for monitoring, detecting, analysing and reporting of information security events and incidents
  • We have procedures for logging incident management activities
  • We have procedures for handling (storage, transmission, transportation, retention and disposal) of forensic evidence
  • We have procedures for response including those for escalation, controlled recovery from an incident and communication to internal and external people or organisations

NONE ANSWERED: Rejected: See Slide 1 Top Box answered, OK

L17b

Does your organisation learn from information security incidents? Tick all that apply.

  • Yes, we have procedures for assessment of and decision on information events and assessment of information security weaknesses
  • Yes, we conduct regular reviews of effectiveness undertaken using the results of audits, incidents, measurements and feedback from interested parties

7. Cyber Risk Profile: Moderate

M01

Does your organisation have a policy to ensure regular, formal information security related reporting?

  • No
  • Yes, but only on an ad hoc basis (no regular formal reporting)
  • Yes, regular formal reporting arrangements are in place at board level or an equivalent senior responsible role

M02

Does your organisation have a policy that details specific employee and contractor responsibilities for information security before granting access to sensitive assets?

  • No
  • Yes, we have a policy and make everybody aware before granting access
  • Yes, we have a policy and require confirmation before granting access

M03

Does your organisation use an appropriate and repeatable information security risk assessment process?

  • No
  • Yes, these are formalised in accordance with and form part of corporate policy
  • Yes, these are formalised in accordance with and form part of corporate policy, and the criteria for performing information security risk assessments and acceptable levels of risk are also defined and documented

M04

Does your organisation have a policy for storing, accessing and handling sensitive information securely?

  • No, we do not implement any measures to ensure privacy and protection of sensitive information
  • Yes, for information that is categorised as requiring enhanced protection (including legal, ITAR regulatory, contractual, sensitive personal) and we ensure it is protected in line with requirements
  • Yes, we have a policy and have designated roles within the organisation that provide guidance to managers, users and service providers on the individual responsibilities and the specific procedures that should be followed

M04a

Do you ensure that any offshoring arrangements are in line with and meet HM Government and Ministry of Defence policy for the handling of such information?

  • No
  • Yes

M04b

Do you ensure that any requests for bulk data transfers of such data are subject to formal approval before release (and are effected using secure and approved communications channels)?

  • No
  • Yes

M05

Does your organisation have a policy for data loss prevention?

  • No, we do not have a policy for data loss prevention
  • No, we do not have a documented policy and rely on staff to do the right thing on a case-by-case basis
  • Yes, we have policy that defines what information may be released, and implement controls and monitoring to control the flow of data within the network and detect the unauthorised release of sensitive information
  • Yes, we have policy that defines what information may be released, and implement controls and monitoring to control the flow of data within the network (spotting and addressing any anomalies where traffic exceeds the normal) and detect the unauthorised release of sensitive information, and have back-up mechanisms in place

M06

Does your organisation have a policy for implementing and testing backups that are stored offline?

  • No. We do not implement any measures for backup and restoration
  • No. We have online backups only
  • Yes. We have offline backups and they are not tested regularly
  • Yes. We have scheduled offline backups that are stored securely and are tested regularly
  • Yes. I have arrangements with Service Provider(s) for backup and restoration services and it is tested regularly

M07

Does your organisation ensure that asset owners are identified and that they control access to these assets?

  • No
  • Yes, we have an inventory of our organisation’s assets and ensure that all information-related assets have a defined owner who ensures that, where appropriate, assets have rules for their acceptable use

M08

Does your organisation manage vulnerabilities for which there are no countermeasures?

  • No, we do not do anything specific to address evolving vulnerabilities
  • Yes, we recognise that there will be evolving vulnerabilities in our systems and take note of any advice we are made aware of
  • Yes, we subscribe to a vulnerability alerting service, formally review alerts and mitigate as a matter of priority
  • Yes, and in addition we manage risks to legacy systems, where possible isolating these systems, and/or providing additional protective controls and monitoring until they can be updated/replaced

M09

Does your organisation ensure that administrative access is performed over secure protocols using multi-factor authentication (MFA)?

  • No
  • Yes, admin access is performed via secure protocols (such as SSH) using 2FA as a minimum
  • Yes, administrative access is performed over a separate management network using secure protocols and MFA

M10

Does your organisation monitor network behaviour and analyse events for potential incidents?

  • No, we neither monitor our network nor analyse events for incidents
  • Yes, we undertake ad hoc inspections of event logs but do not have a regular commitment to log analysis
  • Yes, we deploy network traffic monitoring tools and analyse and record the events they generate

M11

Has your organisation defined and implemented a policy for monitoring account usage and managing changes to access rights?

  • No
  • Yes, but only through acceptable use policies and procedures
  • Yes, we actively control user access to user accounts through a corporatewide, technically enforced mechanism such as the use of a mandatory password complexity algorithm with managers actively matching staff with existing accounts. We monitor compliance to acceptable use policies and procedures through technical controls
  • Yes, (as above) but also implement additional measures (such as limiting and controlling access to the audit system, monitoring attempts to access deactivated accounts, or other measures)

M12

Does your organisation control remote access to its networks and systems?

  • No, we do nothing specific
  • Yes, we ensure that permission is sought before granting access to external organisations or remote users
  • Yes, we control access to our networks and systems by ensuring that those approved to connect do so using approved mechanisms
  • Yes, as above and devices, and we actively confirm right to access, verify end point security and identify before connection is completed

M13

Does your organisation have policy to control the use of authorised software?

  • No
  • Yes

M14

Does your organisation have a policy to control the flow of information through network borders?

  • No, we do nothing to control the flow of information through network borders
  • Yes, we deny outgoing communications to known malicious IP addresses
  • Yes, we have a policy that controls access through either a ‘Whitelist’ or ‘Blacklist’ and control the use of authorised protocols
  • Yes, we employ intrusion protection devices, block known suspicious network behaviour and direct all outgoing traffic through an authenticated proxy server

M15

Does your organisation define and implement a policy for applying security vetting checks to employees?

  • No
  • Yes

M15a

Which of the following vetting standards do you apply? Tick all that apply.

  • National Security Vetting
  • Baseline Personnel Security Standard (BPSS)
  • Counter Terrorist Check (CTC)
  • Security Check (SC)
  • Developed Vetting (DV)
  • Disclosure Scotland
  • Standard Disclosure
  • Enhanced Disclosure
  • Protecting Vulnerable Groups scheme
  • Other, provide name

M16

Does your organisation undertake personnel risk assessments for all employees and contractors ensuring those with specific responsibilities for information security have sufficient qualifications and experience?

  • No
  • Yes, we have a policy to undertake personnel risk assessments for all employees and contractors
  • Yes, we have a policy and we ensure those with specific responsibilities for information security have sufficient qualifications and experience

M17

Does your organisation have a policy to secure organisational assets when individuals cease to be employed?

  • No
  • Yes

8. Cyber Risk Profile: High

H01

Does your organisation maintain patching metrics and assess patching performance?

  • No, we do nothing specific

  • Yes, we implement the controls stipulated in Cyber Essentials, but nothing extra
  • Yes, we have a policy that sets targets and processes that measure actual time to patch against policy requirements
  • Yes, as above, and the Board seeks formal reporting on these to approve, tune and action any resulting issues noted

H02

Does your organisation ensure that wireless connections are authenticated?

  • No, we have wireless devices but do nothing specific to secure their use
  • Yes, we have a wireless policy which outlines the best practice for wireless technology and manages the risk appropriately with a minimum encryption requirement of WPA2 or equivalent
  • Yes, we authenticate wireless connections and use CPA or other HM Government approved encryption products
  • Not applicable - we do not use wireless devices

H03

Does your organisation deploy network monitoring techniques that complement traditional signature based detection?

  • No, we do nothing specific
  • Yes, we deploy automated network monitoring devices using behaviour-based anomaly detection to complement signature-based detection
  • Yes, (as above) plus we monitor outputs and proactively respond to any trends noted to tune defences and improve monitoring activities

H04

Does your organisation place application firewalls in front of critical servers to verify and validate the traffic going through the server?

  • No
  • Yes

H05

Does your organisation deploy network based IDS sensors on ingress and egress points within the network and update regularly with vendor signatures?

  • No, we do nothing specific
  • Yes, we have deployed network intrusion detection and monitor the logs
  • Yes, we have deployed network intrusion devices and monitor logs to spot trends, tuning monitoring and amending policies accordingly as part of a formal review process

H06

Does your organisation define and implement a policy to control installations of and changes to software on any systems on the network?

  • No, we do nothing specific
  • Yes, we have a policy, but rely on staff to do the right thing
  • Yes, we have a policy, create a known secure configuration and utilise file and system integrity checking tools to verify that known secure configurations are maintained
  • Yes, (as above) plus we proactively look for and remove unauthorised software, ensuring permissions to install and change software are actively controlled. Acceptable behaviours are set out in policy and the disciplinary consequences of failure to follow these policies are explained to staff during induction and in follow on training activities

H07

Does your organisation control the flow of information through network boundaries and police the content by looking for attacks and evidence of compromised machines?

  • No, explanation
  • Yes, explanation

Explanation left blank: rejected: see slide 3 Explanation: “some random text”

H08

Does your organisation ensure that networks are designed to incorporate security countermeasures, such as segmentation or zoning?

  • No
  • Yes, we do separate our internal and external facing networks using firewalls to create DMZ
  • Yes, we identify critical assets (and business functions) and provide appropriate additional protection e.g. through segmentation, zoning, isolating or other additional controls
  • Yes, we have networks designed to provide differing levels of trust using recognised standards and approaches which are formally accredited

H09

Does your organisation ensure data loss prevention (DLP) at network egress points to inspect the contents of and, where necessary, block information being transmitted outside of the network boundary?

  • No, we do nothing specific

  • Yes, we inspect content for certain sensitive information (such as personal data, email classifications, and keywords)
  • Yes, and in addition we continually refine/tune our controls to improve our boundary defences

H10

Does your organisation proactively verify that the security controls are providing the intended level of security? No, we do not review our processes or procedures

  • Yes, we monitor and review processes and procedures on an ad-hoc basis as and when issues are identified
  • Yes, we conduct regular, independent reviews involving audits and testing

H11

Have you implemented a policy to ensure the continued availability of critical assets/information during any crisis?

  • We have local plans, but these are not formalised or documented
  • We have formal, documented plans that are subject to review
  • We have formal, documented plans that are reviewed and tested (and these form part of our wider organisational business continuity and disaster recovery plans)

Your answers meet the minimum standard as defined in the Cyber Risk Profile for the contract.

9. Sub-contracting

SC01

Will your organisation sub-contract any part of this contract?

  • No
  • Yes
  • Unknown

Supplier Assurance Questionnaire Reference

You should complete a Risk Assessment for all of the elements you subcontract.

Enter this SAQ Reference when asked for, to link that sub-contract and your bidding sub-contractors to this contract.

SC03

Declaration I have authority to complete the Supplier Assurance Questionnaire

The answers provided have been verified with all appropriate personnel and are believed to be true and accurate in all respects

All information which should reasonably have been shared has been included in the responses to the questions Should any of the information on which the responses to this Supplier Assurance Questionnaire are based change, my company undertakes to notify the Ministry of Defence as soon as is reasonably practicable

My company acknowledges that the Ministry of Defence reserves the right to audit the responses provided at any time

For and on behalf of my company, I confirm the above statements.

Back to top