PPN 07/23: Updates to the Government Security Classifications Policy

minute read

Sarah Higgins

Principal Associate

Non-solicitor

Alison Richards

Partner

Elizabeth Williams

Partner

On 30 June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy to implement updates to the Government Security Classifications Policy (GSCP). These updates are designed to address gaps in the previous policy and reflect changes to Government working practices since the last major update in 2013 – like working from home.

What is the GSCP?

The GSCP is a Cabinet Office policy that sets out an administrative system to be used by Government to protect any information or data that has been created, processed, stored or managed as part of His Majesty's Government's work – including as a result of Government contracts – from prevalent threats through the use of 'classification tiers'.

Each 'classification tier' sets out baseline behaviours and protective controls proportionate to the threat profile and potential impact of data compromise, loss or incorrect disclosure of information.

Unless more stringent requirements are required by Government (for example, as set out in a Government contract), the GSCP is the baseline requirement.

Want to know more but short on time? Read the Government Security Classifications Policy Quick Read.

Otherwise, you can read the full GSCP for more details.

Do the changes apply to me?

If your organisation is a supplier to Government, then "yes".

If your organisation is an NHS body, a Central Government Department, or an Executive Agency, or Non-Departmental Public Body of a Central Government Department ("In-Scope Organisations"), then "yes".

If your organisation is a public sector contracting authority but is not an In-Scope Organisation, the PPN states that you "may wish to" implement the PPN – whilst it is not mandated for your organisation to do so, we recommend you do to ensure alignment with public policy and robust security measures to protect Government data are in place.

So what's changed?

The majority of the updates are minor.

Here are the top seven changes that you need to know:

The definitions for the three classified tiers OFFICIAL, SECRET, and TOP SECRET have been updated.
"OFFICIAL-SENSITIVE" will not form one of the classification tiers.
There are new baseline security behaviours for the three classification tiers of OFFICIAL, SECRET, and TOP SECRET – like the use of secure networks on secured dedicated physical infrastructure for SECRET.
New standardised additional markings have been introduced. These are for use in conjunction with classification tiers. They include handling instructions, descriptors, prefixes and national caveats and are designed to, for example, indicate the nature or source of information and limit access to specific user groups. Guidance for when these additional markings can be used for each classification tier has been provided - including when the "-SENSITIVE" marking can be used for OFFICIAL.
The list of principles to be followed when handling Government information has been updated.
Important new guidance for handling Government information remotely – like when working from home – has been provided.
The guidance on aggregation and further considerations has been updated.

When do the changes come into effect?

Whilst the updated GSCP came into force on 30 June 2023, an implementation window of 12 months has been given. All In-Scope Organisations must ensure that appropriate protective security controls compliant with the updated GSCP are established for all contracts with suppliers – that means existing and new contracts - by 29 June 2024.

Full implementation might seem a long time away, but time flies. There will be operational implications to these changes and if you are procuring new goods, works or services you will want to ensure your draft contracts reflect the changes.

So use the 12 month implementation period wisely and use our checklists below now to make sure you comply.

I am an In-Scope Organisation or other public sector organisation - what do I need to do?

If you are in a commercial, procurement and/or contract management role, your checklist is below to make sure you comply:

Get up to speed with the changes:
☑ Ask your Security Advisors or the Security Education and Awareness Centre for the "Mark My Words" education and awareness materials.
☑ Complete the e-learning module "Security Classifications" available on the Government Campus.
☑ Read the suite of guidance documents available. They include:
- Guidance 1.1 – working at OFFICIAL
- Guidance 1.2 – working at SECRET
- Guidance 1.3 – working at TOP SECRET
- Guidance 1.4 – working remotely at OFFICIAL and SECRET
- Guidance 1.5 – considerations for Security Advisors
- Guidance 1.6 – Contractors and Contracting Authorities
- Guidance 1.7 – frequently asked questions
Review existing contracts to understand how you can contractually implement the updated GSCP with your supplier:
☑ Do you need to just inform and/or provide the supplier with the updated GSCP for the supplier to be required to comply with it?
☑ Or do you need to change the contract because, for example, it has enhanced requirements or a detailed security schedule which needs updating? Are other amendments required as a consequence?
☑ Have you introduced any additional markings outside of those set out in the GSCP? If so, what should be used going forward?
Share the PPN 07/23 with your information assurance and data protection leads so they can work with you to ensure practical solutions are in place to ensure compliance, and discuss any additional requirements. Consider:
☑ If you need all or certain suppliers to update historic information so that it is compliant with the new GSCP.
☑ If the new standard additional markings go far enough – does your organisation need more?
For in-flight procurements, consider how and when you implement the updated GSCP with tenderers:
☑ Can you simply update your procurement documents (including the proposed contract) to reflect the updated GSCP now?
☑ Do you need to issue a communication to tenderers explaining how the updated GSCP will affect the procurement and tenderer solutions and bid submissions - if at all?

I am an In-Scope Organisation or other public sector organisation - what do I need to do?

If you are in a commercial, procurement and/or contract management role, your checklist is below to make sure you comply:

Get up to speed with the changes:
☑ Ask your Security Advisors or the Security Education and Awareness Centre for the "Mark My Words" education and awareness materials.
☑ Complete the e-learning module "Security Classifications" available on the Government Campus.
☑ Read the suite of guidance documents available. They include:
- Guidance 1.1 – working at OFFICIAL
- Guidance 1.2 – working at SECRET
- Guidance 1.3 – working at TOP SECRET
- Guidance 1.4 – working remotely at OFFICIAL and SECRET
- Guidance 1.5 – considerations for Security Advisors
- Guidance 1.6 – Contractors and Contracting Authorities
- Guidance 1.7 – frequently asked questions
Review existing contracts to understand how you can contractually implement the updated GSCP with your supplier:
☑ Do you need to just inform and/or provide the supplier with the updated GSCP for the supplier to be required to comply with it?
☑ Or do you need to change the contract because, for example, it has enhanced requirements or a detailed security schedule which needs updating? Are other amendments required as a consequence?
☑ Have you introduced any additional markings outside of those set out in the GSCP? If so, what should be used going forward?
Share the PPN 07/23 with your information assurance and data protection leads so they can work with you to ensure practical solutions are in place to ensure compliance, and discuss any additional requirements. Consider:
☑ If you need all or certain suppliers to update historic information so that it is compliant with the new GSCP.
☑ If the new standard additional markings go far enough – does your organisation need more?
For in-flight procurements, consider how and when you implement the updated GSCP with tenderers:
☑ Can you simply update your procurement documents (including the proposed contract) to reflect the updated GSCP now?
☑ Do you need to issue a communication to tenderers explaining how the updated GSCP will affect the procurement and tenderer solutions and bid submissions - if at all?

I am a supplier to Government - what do I need to do?

Overwhelmed and/or under resourced?

Don't be. Contact us so we can:

Explain how we can use our innovative artificial intelligence tools to quickly and cost efficiently review all of your contracts at once, to send you a report summarising what you need to do to take forward the new GSCP for each individual contract.
Help you navigate the implications for your organisation and contracts – both existing, and new/in-flight procurements.

Sign up here to receive more essential public sector insights from our Government Sector team, or read our other public sector updates.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.