On 30 June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy to implement updates to the Government Security Classifications Policy (GSCP). These updates are designed to address gaps in the previous policy and reflect changes to Government working practices since the last major update in 2013 – like working from home.
What is the GSCP?
The GSCP is a Cabinet Office policy that sets out an administrative system to be used by Government to protect any information or data that has been created, processed, stored or managed as part of His Majesty's Government's work – including as a result of Government contracts – from prevalent threats through the use of 'classification tiers'.
Each 'classification tier' sets out baseline behaviours and protective controls proportionate to the threat profile and potential impact of data compromise, loss or incorrect disclosure of information.
Unless more stringent requirements are required by Government (for example, as set out in a Government contract), the GSCP is the baseline requirement.
Want to know more but short on time? Read the Government Security Classifications Policy Quick Read.
Otherwise, you can read the full GSCP for more details.
Do the changes apply to me?
If your organisation is a supplier to Government, then "yes".
If your organisation is an NHS body, a Central Government Department, or an Executive Agency, or Non-Departmental Public Body of a Central Government Department ("In-Scope Organisations"), then "yes".
If your organisation is a public sector contracting authority but is not an In-Scope Organisation, the PPN states that you "may wish to" implement the PPN – whilst it is not mandated for your organisation to do so, we recommend you do to ensure alignment with public policy and robust security measures to protect Government data are in place.
So what's changed?
The majority of the updates are minor.
Here are the top seven changes that you need to know:
- The definitions for the three classified tiers OFFICIAL, SECRET, and TOP SECRET have been updated.
- "OFFICIAL-SENSITIVE" will not form one of the classification tiers.
- There are new baseline security behaviours for the three classification tiers of OFFICIAL, SECRET, and TOP SECRET – like the use of secure networks on secured dedicated physical infrastructure for SECRET.
- New standardised additional markings have been introduced. These are for use in conjunction with classification tiers. They include handling instructions, descriptors, prefixes and national caveats and are designed to, for example, indicate the nature or source of information and limit access to specific user groups. Guidance for when these additional markings can be used for each classification tier has been provided - including when the "-SENSITIVE" marking can be used for OFFICIAL.
- The list of principles to be followed when handling Government information has been updated.
- Important new guidance for handling Government information remotely – like when working from home – has been provided.
- The guidance on aggregation and further considerations has been updated.
When do the changes come into effect?
Whilst the updated GSCP came into force on 30 June 2023, an implementation window of 12 months has been given. All In-Scope Organisations must ensure that appropriate protective security controls compliant with the updated GSCP are established for all contracts with suppliers – that means existing and new contracts - by 29 June 2024.
Full implementation might seem a long time away, but time flies. There will be operational implications to these changes and if you are procuring new goods, works or services you will want to ensure your draft contracts reflect the changes.
So use the 12 month implementation period wisely and use our checklists below now to make sure you comply.
Overwhelmed and/or under resourced?
Don't be. Contact us so we can:
- Explain how we can use our innovative artificial intelligence tools to quickly and cost efficiently review all of your contracts at once, to send you a report summarising what you need to do to take forward the new GSCP for each individual contract.
- Help you navigate the implications for your organisation and contracts – both existing, and new/in-flight procurements.
Sign up here to receive more essential public sector insights from our Government Sector team, or read our other public sector updates.