Cyber Essentials for Government Contractors: What You Need to Know

A facilities management company rang me in January because they had won a government cleaning contract and the contracting authority wanted a Cyber Essentials certificate before they would sign. The MD was confused because they mop floors and empty bins. They do not write software or manage servers. But the contract involved handling building access credentials and staff scheduling data for a government department, and that brought personal information into scope. They needed the certificate or they would lose the contract.
That is the reality of CE for government suppliers. The requirement is not limited to IT companies. It applies to any contract that handles personal information or involves ICT products and services, regardless of your industry.
Where the requirement comes from
Procurement Policy Note 09/14, published by the Cabinet Office, states that suppliers bidding for government contracts must hold a Cyber Essentials certificate where the contract involves handling personal information or providing ICT products and services. The PPN has been in effect since 2014, and compliance has tightened steadily since then.
The requirement is about the nature of the contract, not the nature of the company. A recruitment agency placing temps in a government department handles personal data. A catering company running a canteen in a government building might handle staff dietary information and payment details. An engineering firm maintaining building services might have remote access to building management systems. All of these could trigger the CE requirement.
Individual departments can and do set their own requirements above the PPN baseline. The Ministry of Defence, for example, often requires CE Plus rather than basic CE, and may add specific technical requirements beyond what the certification covers. The Home Office, HMRC, and NHS bodies have their own procurement standards that build on PPN 09/14. Always check the tender documentation for the specific requirements, because the PPN is the floor, not the ceiling.
What trips up first-time applicants
Most companies bidding for government work for the first time have never thought about cybersecurity certification. They have been running their business for years, their IT works, and nobody has asked them to prove anything about it. Then the tender pack arrives and there is a mandatory requirement they have never heard of.
The first reaction is usually to phone their IT provider and ask how quickly they can get certified. The answer depends on how well their current setup aligns with the five controls. Some businesses are already compliant and just need to formalise it. Others have significant gaps that need addressing before they can honestly complete the self-assessment questionnaire.
The most common gaps I see in government contractor applicants:
Personal devices are the biggest one. The business says all their staff use company laptops, then I discover that half the team reads work email on personal phones. Those phones are in scope for the assessment. If the business has no BYOD policy and no visibility of those devices, they need to sort that out before certifying.
Password policies are often outdated and non-compliant. The business uses Active Directory with a password policy that was set up 10 years ago: eight characters, must include uppercase, lowercase, number, and special character, change every 90 days. Every part of that policy conflicts with current CE requirements. CE wants minimum 12 characters without MFA (or 8 with MFA), no complexity requirements, no expiry, and a deny list blocking common passwords.
Patching is the silent problem that catches everyone out. Everything looks fine until you run a scan and discover that the accounting server is running Windows Server with updates three months behind, or the office firewall has firmware from 2023.
Admin accounts are shared across multiple staff members. The IT person set up one admin account that three people use. CE requires individual accounts with admin privileges assigned only to the people who need them, and those accounts should only be used for admin tasks.
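The three gaps above that can be inspected mechanically (password policy, patch age, and who sits in the admin group) as a readiness check. This is an added PowerShell example, not code from the original article or from any certification body; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and uses the CE figures quoted above as its thresholds.

```powershell
# Constructed example: CE readiness checks for the common gaps described above.
# Assumes the ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

function Test-CePasswordPolicy {
    # Compares the Default Domain Policy with the CE figures on this page:
    # at least 12 characters without MFA, no complexity rules, no expiry.
    param([int]$MinLengthWithoutMfa = 12)
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt $MinLengthWithoutMfa) {
        $findings += "Minimum length is $($p.MinPasswordLength); CE expects at least $MinLengthWithoutMfa without MFA"
    }
    if ($p.ComplexityEnabled) {
        $findings += "Complexity rules are enabled; CE does not require them"
    }
    # A MaxPasswordAge of zero means passwords never expire, which is what CE wants.
    if ($p.MaxPasswordAge -ne [TimeSpan]::Zero) {
        $findings += "Passwords expire every $($p.MaxPasswordAge.Days) days; CE expects no forced expiry"
    }
    # The common-password deny list is not part of the Default Domain Policy,
    # so it has to be checked separately in whatever tool enforces it.
    return $findings
}

function Get-PatchAgeDays {
    # Days since the most recent Windows update was installed on this host.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    return ((Get-Date) - $latest.InstalledOn).Days
}

function Get-AdminAccountsForReview {
    # Lists Domain Admins so shared or generic accounts can be reviewed by hand;
    # a name like "admin" or "itadmin" with many recent logons usually signals a shared credential.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

$gaps = Test-CePasswordPolicy
if ($gaps.Count -eq 0) { 'Password policy: no CE gaps found' } else { $gaps }
"Days since last patch on this host: $(Get-PatchAgeDays)"
'Domain Admins members to review:'
Get-AdminAccountsForReview | Format-Table -AutoSize
```

Run it on each server and on a sample of workstations; the patch-age figure is per host, so one clean result does not clear the estate.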
The timeline pressure
Government tenders have deadlines that rarely flex. The requirement for CE is typically stated as a condition of contract award, meaning you need the certificate before the contract starts, not before you bid. But some frameworks require the certificate at the point of application, which means you need it in hand before you even submit.
Basic Cyber Essentials can be turned around quickly if your systems are already in good shape. The self-assessment questionnaire takes a few hours to complete. The certification body reviews and issues the certificate. I have seen the entire process completed in under a week for organisations that were already compliant and just needed to go through the formal process.
If you have gaps to fix, add time for that. Changing a password policy in Active Directory takes an afternoon. Deploying patches to every device takes a day or two. Setting up individual admin accounts and removing shared credentials takes a morning. The technical work is rarely the bottleneck. The bottleneck is getting someone to actually do it, because the people who need to make the changes are the same people who are busy with their day jobs.
My advice to anyone thinking about government work: get certified before you need it. Do not wait for a specific tender to force the issue. The certificate is valid for 12 months, costs a few hundred pounds, and removes a bottleneck from your procurement timeline. You can bid with confidence instead of scrambling to certify while the deadline approaches.
CE versus CE Plus for government work
Basic Cyber Essentials is a self-assessment questionnaire reviewed by a certification body. You answer questions about your technical controls, a certification body reviews your answers, and you get a certificate. Nobody tests your actual systems at that level.
CE Plus adds a hands-on technical assessment. An assessor (like me) tests your systems directly. I scan your external IP addresses for vulnerabilities, check your devices against the requirements, test your email and browser defences, and verify your access controls in practice. CE Plus provides a higher level of assurance because the controls have been independently verified rather than self-declared.
PPN 09/14 specifies basic CE as the requirement. But an increasing number of frameworks and departments ask for CE Plus, particularly for contracts involving sensitive personal data, national security, or critical infrastructure.
If the tender says "Cyber Essentials," basic CE is enough. If it says "Cyber Essentials Plus," you need the hands-on assessment. If it says something ambiguous, ask the contracting authority for clarification before you spend money on the wrong certification.
MOD contracts and Defence-specific requirements
The Ministry of Defence takes this further than most departments. MOD contracts frequently require CE Plus, and the Defence Cyber Protection Partnership (DCPP) programme adds risk-based requirements on top of CE.
Suppliers to the MOD are expected to meet a cyber risk profile that corresponds to the sensitivity of the information they handle. The profiles range from "not applicable" through "low," "moderate," and "high," with each level requiring progressively stricter controls. CE Plus is typically the baseline for anything above "not applicable."
I assess several MOD suppliers every year, and the common thread is that they underestimate the scope. A company making brackets for military vehicles assumes their cybersecurity obligations are minimal because they do not handle classified information. But their design files are marked OFFICIAL, their email contains export-controlled technical data, and their remote access to the MOD supply chain portal means their network connects to a government system. Their scope is wider than they think.
Sub-contractors and the supply chain
If you are a tier-one supplier with sub-contractors, the CE requirement may cascade down the supply chain. The contracting authority requires you to hold CE. You should require your sub-contractors to hold CE if they handle the same categories of data or provide ICT services as part of the contract.
This is not always enforced rigorously, but it is increasingly common. Government procurement is moving toward supply chain assurance, and the expectation is that the prime contractor takes responsibility for the security posture of their supply chain. If your sub-contractor suffers a data breach that affects the government contract, the contracting authority will ask what due diligence you performed.
Requiring CE from sub-contractors is the simplest form of that due diligence. It does not guarantee their security, but it establishes that they have at least the baseline controls in place.
Frameworks and dynamic purchasing systems
If you are on a government framework agreement or a dynamic purchasing system, CE is usually a condition of admission rather than a condition of individual call-offs. You need the certificate to join the framework, and you need to maintain it for the duration.
Keep track of your renewal date and set a reminder. CE certificates are valid for 12 months. If your certificate expires while you are on a framework, you may be suspended until you recertify. I have seen suppliers lose call-off opportunities because their certificate lapsed and nobody noticed until a contracting authority checked.
Set a calendar reminder for 10 weeks before expiry. That gives you time to recertify without rushing, and accommodates any gaps that might have appeared since your last certification. IT environments change significantly over 12 months: devices are replaced, staff join and leave, and cloud services are added. The recertification process is a good opportunity to check that everything still meets the requirements.
Getting started
If you are new to government procurement and need CE for the first time, the process is simpler than it looks from the outside. Identify what is in scope (every device, cloud service, and user that touches organisational data). Check the five controls against your current setup. Fix any gaps you identify, complete the self-assessment with a certification body, and receive your certificate.
If you need it quickly, start now. Not when the tender lands on your desk. The businesses that treat CE as part of their ongoing operations rather than a procurement hurdle are the ones that never scramble at tender time.