Navigating GovAssure as a supplier
Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.
November 22, 2023 - In our previous blog, GovAssure and the UK Cyber Security Strategy, we walk through the fundamentals of GovAssure and provide recommendations for completing the process as efficiently as possible. Now, we address the question: Is GovAssure applicable to government suppliers?
Must suppliers comply with GovAssure?
Suppliers do not need to follow GovAssure; however, they are required to support their government clients with compliance, the specifics of which depend on the service provided. Performing an analysis of supplier services will help government organizations identify applicable controls and outcomes.
Below is a refresher of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), which GovAssure uses to assess public sector resilience capabilities (For a comprehensive understanding of how the framework is used, refer to GovAssure and the UK Cyber Security Strategy).
Some suppliers will be directly responsible for certain objectives and principles. For example, if a supplier runs an outsourced security operations centre (SOC), the SOC activities must comply with Objective C (Detecting cyber security incidents) principles (see chart below).
However, vendors will not need to address all principles. For example, the requirements in Principle A1 (Governance) are likely not applicable. It is important for an organization to have processes covering governance and risk management; however, the organization doesn’t need to provide evidence of that to clients for GovAssure.
Preparation
At some point, government suppliers will be asked about their controls and services. To be well-prepared, it's advisable for suppliers to proactively generate independently verified, standardised statements of compliance in advance. Cloud providers use a similar method to offer assurance to multiple customers without the need for separate engagements.
As a supplier, the following steps should be taken to prepare for GovAssure:
- Identify your government customers.
- Review your services provided to government clients.
- Map those services and activities to the objectives and principles in the CAF.
- Define answers for each principle that is applicable to all or most of those government clients.
- Engage with your customers and provide clear answers defined ahead of time.
- Work with clients to identify evidence requirements for specific systems that are deemed in scope.
- When needed, engage with external assessors to support your customers.
The key to this process is identifying the correct internal and external stakeholders to ensure that the resources are readily available to support clients.
Examples
- Where a system is completely outsourced (for example, in a software as a service [SaaS] application), the data is still the responsibility of the customer, and Objective A (Managing security risk) questions must be answered. However, the customer may ask about the supplier’s internal processes too. It would be useful to prepare answers for these areas.
- Similarly, for Principle B1 (Service protection policies and processes), this is the government department’s responsibility; however, suppliers will be expected to comment on how the policies are understood and applied, particularly where these influence system security.
- For Principle B6 (Awareness and training), suppliers are expected to have a good security culture, awareness, and training. Although not directly applicable, some customers may ask for this in relation to supplier staff who have access to the in-scope system and data.
- For Objective D (Minimising the impact of cybersecurity incidents), the response and recovery planning should be done by the government department; however, suppliers will need to be involved as well as they are likely to detect the issues and be the first responders.
Government departments will need to demonstrate supplier engagement and therefore may be asked to supply evidence, particularly if heavily involved in SOC activities, monitoring, or third-line support.
Read BSI’s GovAssure whitepaper and learn more about the scheme here. For more insights from Isabel, read GovAssure and the UK Cyber Security Strategy. Learn more on how to enhance organizational defence capabilities in Strategically building breach resilience by Stephen Scott, Practice Director, Digital Trust Consulting, BSI. For more insights, check out BSI’s Experts Corner and register for our Experts Corner-2-Go newsletter.