On 30 June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy to implement updates to the Government Security Classifications Policy (GSCP). These updates are designed to address gaps in the previous policy and reflect changes to Government working practices since the last major update in 2013 – like working from home.
What is the GSCP?
The GSCP is a Cabinet Office policy that sets out an administrative system to be used by Government to protect any information or data that has been created, processed, stored or managed as part of His Majesty's Government's work – including as a result of Government contracts – from prevalent threats through the use of 'classification tiers'.
Each 'classification tier' sets out baseline behaviours and protective controls proportionate to the threat profile and potential impact of data compromise, loss or incorrect disclosure of information.
Unless more stringent requirements are required by Government (for example, as set out in a Government contract), the GSCP is the baseline requirement.
Want to know more but short on time? Read the Government Security Classifications Policy Quick Read.
Otherwise, you can read the full GSCP for more details.
Do the changes apply to me?
If your organisation is a supplier to Government, then "yes".
If your organisation is an NHS body, a Central Government Department, or an Executive Agency, or Non-Departmental Public Body of a Central Government Department ("In-Scope Organisations"), then "yes".
If your organisation is a public sector contracting authority but is not an In-Scope Organisation, the PPN states that you "may wish to" implement the PPN – whilst it is not mandated for your organisation to do so, we recommend you do to ensure alignment with public policy and robust security measures to protect Government data are in place.
So what's changed?
The majority of the updates are minor.
Here are the top seven changes that you need to know:
- The definitions for the three classified tiers OFFICIAL, SECRET, and TOP SECRET have been updated.
- "OFFICIAL-SENSITIVE" will not form one of the classification tiers.
- There are new baseline security behaviours for the three classification tiers of OFFICIAL, SECRET, and TOP SECRET – like the use of secure networks on secured dedicated physical infrastructure for SECRET.
- New standardised additional markings have been introduced. These are for use in conjunction with classification tiers. They include handling instructions, descriptors, prefixes and national caveats and are designed to, for example, indicate the nature or source of information and limit access to specific user groups. Guidance for when these additional markings can be used for each classification tier has been provided - including when the "-SENSITIVE" marking can be used for OFFICIAL.
- The list of principles to be followed when handling Government information has been updated.
- Important new guidance for handling Government information remotely – like when working from home – has been provided.
- The guidance on aggregation and further considerations has been updated.
When do the changes come into effect?
Whilst the updated GSCP came into force on 30 June 2023, an implementation window of 12 months has been given. All In-Scope Organisations must ensure that appropriate protective security controls compliant with the updated GSCP are established for all contracts with suppliers – that means existing and new contracts - by 29 June 2024.
Full implementation might seem a long time away, but time flies. There will be operational implications to these changes and if you are procuring new goods, works or services you will want to ensure your draft contracts reflect the changes.
So use the 12 month implementation period wisely and use our checklists below now to make sure you comply.
If you are in a commercial, procurement and/or contract management role, your checklist is below to make sure you comply:
- Get up to speed with the changes:
☑ Ask your Security Advisors or the Security Education and Awareness Centre for the "Mark My Words" education and awareness materials.
☑ Complete the e-learning module "Security Classifications" available on the Government Campus.
☑ Read the suite of guidance documents available. They include:
- Guidance 1.1 – working at OFFICIAL
- Guidance 1.2 – working at SECRET
- Guidance 1.3 – working at TOP SECRET
- Guidance 1.4 – working remotely at OFFICIAL and SECRET
- Guidance 1.5 – considerations for Security Advisors
- Guidance 1.6 – Contractors and Contracting Authorities
- Guidance 1.7 – frequently asked questions
- Review existing contracts to understand how you can contractually implement the updated GSCP with your supplier:
☑ Do you need to just inform and/or provide the supplier with the updated GSCP for the supplier to be required to comply with it?
☑ Or do you need to change the contract because, for example, it has enhanced requirements or a detailed security schedule which needs updating? Are other amendments required as a consequence?
☑ Have you introduced any additional markings outside of those set out in the GSCP? If so, what should be used going forward?
- Share the PPN 07/23 with your information assurance and data protection leads so they can work with you to ensure practical solutions are in place to ensure compliance, and discuss any additional requirements. Consider:
☑ If you need all or certain suppliers to update historic information so that it is compliant with the new GSCP.
☑ If the new standard additional markings go far enough – does your organisation need more?
- For in-flight procurements, consider how and when you implement the updated GSCP with tenderers:
☑ Can you simply update your procurement documents (including the proposed contract) to reflect the updated GSCP now?
☑ Do you need to issue a communication to tenderers explaining how the updated GSCP will affect the procurement and tenderer solutions and bid submissions - if at all?
If you are a supplier to Government, here is your checklist:
- Get up to speed with the changes:
☑ Read the full GSCP.
☑ Read the suite of guidance documents available.
☑ Ask your contracting authority to provide you with an information training video from the Security Education and Awareness Centre.
- Review your existing contracts with Government and for each consider:
☑ If your contract includes enhanced requirements to the updated GSCP – if so, what applies going forward?
☑ Will it cost you more to comply with the new GSCP? If so, can you recover those additional costs?
☑ If you need to flow down the update and/or contract variations to your sub-contractors.
- Proactively raise the topic with your contracting authority and ask to discuss what the changes mean for you. Be clear on what you need to do to comply:
☑ Do you need to update any physical or remote infrastructure arrangements?
☑ Consider if your operational workflows, policy or protocols need updating.
- ☑ Implement the changes as agreed with your contracting authority!
- If you are in a competitive tendering process:
☑ Raise a clarification question to ask the contracting authority to explain the implications of the updated GSCP to your procurement.
☑ Consider if you need to update your solution and/or price submission.
Overwhelmed and/or under resourced?
Don't be. Contact us so we can:
- Explain how we can use our innovative artificial intelligence tools to quickly and cost efficiently review all of your contracts at once, to send you a report summarising what you need to do to take forward the new GSCP for each individual contract.
- Help you navigate the implications for your organisation and contracts – both existing, and new/in-flight procurements.
Sign up here to receive more essential public sector insights from our Government Sector team, or read our other public sector updates.