Cyber Resilience

The cyber resilience of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and public services. Against this background, the Scottish public sector wants to ensure its suppliers have appropriate cyber security in place. That’s because:

  • We have a duty to prevent our public services from being disrupted by cyber attacks on suppliers; and
  • We want to support our suppliers to improve their cyber security, because it’s good for the sustainability and resilience of our digital economy and society.

To help improve supply chain cyber security, the Scottish public sector is being encouraged to adopt a more consistent approach. This will involve them implementing:

  • A Guidance Note, which has been produced for all public sector organisations, setting out best practice from the National Cyber Security Centre (the UK technical authority on cyber security).
  • All suppliers bidding for public sector contracts may be asked to use the decision-making support tool called the Cyber Security Procurement Support Tool (CSPST). Guidance for suppliers on the CSPST tool can be found here.


  • Completing a CSPST questionnaire can require time and effort, depending on (i) the risk profile of a contract and (ii) how well you understand your organisation’s cyber resilience arrangements.
  • It is vital that you leave sufficient time for your organisation to complete the CSPST questionnaire ahead of any procurement deadlines.

If you are asked to use the CSPST tool, you will find it contains links to authoritative guidance. You can find links to additional advice and support on cyber resilience in the “Support Available” section of the Supplier Journey.