Cyber Essentials Plus for UK Government Contractors: Central Government Framework, MoD Supply Chain, and OFFICIAL Data Handling

UK suppliers bidding for central government, local government, or MoD contracts now meet Cyber Essentials Plus as a baseline procurement requirement on most contracts touching OFFICIAL data, personal information, or government-side IT systems. Procurement Policy Note 09/14 established the floor. The Defence Cyber Protection Partnership framework runs the equivalent expectation through the MoD supply chain. Crown Commercial Service framework agreements name the scheme in the supplier qualification questions.
What follows is what each procurement framework actually expects, what the cyber section of a typical bid questionnaire wants, how the OFFICIAL handling expectation interacts with CE Plus, and how a supplier with a tight bid deadline clears the assessment.
What the procurement frameworks expect
Procurement Policy Note 09/14, issued by the Cabinet Office, requires suppliers bidding on central government contracts handling personal information or providing certain ICT products and services to hold Cyber Essentials. The PPN is the floor for central government procurement. Individual procurements set the level (Basic vs Plus) by reference to the contract's risk profile.
Most central government contracts touching OFFICIAL data, including OFFICIAL-SENSITIVE, now expect Cyber Essentials Plus rather than Basic. The cyber section of the bid questionnaire usually states the expected level before the supplier reaches the cyber answers. A supplier without a current certificate cannot complete the cyber section without flagging the gap.
The Defence Cyber Protection Partnership framework runs the equivalent expectation through the MoD supply chain. Contracts that handle MoD Identifiable Information have required Cyber Essentials or Cyber Essentials Plus since 2014. The level is set by the contract's risk profile and flowed down through the prime contractor to subcontractors and component suppliers.
Crown Commercial Service framework agreements name Cyber Essentials in the supplier qualification questions for the public-sector frameworks the supplier is calling off from. Local government, NHS, education, and devolved-administration procurement teams reference the central government PPN floor and often go further.
The accountability framing is consistent across all three. The procurement framework does not write the technical control set. It expects the supplier to evidence effective controls, with Cyber Essentials Plus being the named scheme. A supplier that cannot evidence the controls cannot bid on the contracts that name it as a requirement.
Cyber Essentials Plus produces an external, dated, assessor-signed certificate that says the five technical controls were in place on assessment day. That is what the procurement questionnaire and the supplier qualification process expect to be able to point at.
The five controls translate into the practical work of OFFICIAL data confidentiality without much friction. Firewalls keep traffic that should not reach the supplier's network from reaching it. Secure configuration removes default credentials and exposed services from the supplier's devices. User access control restricts contract folders to the people working on the contract. Malware protection runs on every device that touches OFFICIAL data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.
A supplier holding those controls is meeting the practical work of the procurement cyber expectation. A supplier without them is not bidding on the contracts that name CE Plus as the floor.
What government bid cyber questionnaires want
Central government, MoD, local government, and arm's-length-body procurement teams now run cyber sections inside the supplier qualification questionnaire. The questionnaire is the deliverable. The questions on it have settled into a recognisable pattern.
The certificate question always sits at the top. The questionnaire wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.
After the certificate comes multi-factor authentication. The questionnaire wants confirmation that MFA is enabled on every account with access to government data, including any account that connects to a government network or accesses contract documentation. CE Plus assessment day samples the identity layer to confirm what is actually enrolled in production.
Patching cadence is next. The questionnaire wants to know whether the supplier holds patches inside the 14-day window for high-severity vulnerabilities across the desktop estate, the delivery applications, and the integration components. The CE Plus assessment confirms the cadence held in practice across a sample of devices.
The remaining questions move from technical controls into operational governance. The procurement team wants a named incident-response contact, a documented response process with defined notification thresholds for incidents affecting government data, evidence that the supplier assesses its own IT vendors, and confirmation of personnel security clearances at the appropriate level for the contract. CE Plus covers the technical-controls layer of the answer. The personnel security clearances and the data-handling policy work sit alongside it under the supplier's own compliance arrangements.
Where the answers land varies sharply by which certificate the supplier holds. With a current CE Plus, the cyber-controls section closes on the certificate. With CE Basic, parts of it close. With neither, the supplier cannot bid on contracts that name CE Plus as the floor, regardless of how strong the technical position actually is.
OFFICIAL handling and CE Plus
OFFICIAL is the baseline classification for routine government information. Most central government contracts handle OFFICIAL data. A subset handles OFFICIAL-SENSITIVE, which adds further handling expectations.
CE Plus addresses the technical-controls layer that protects OFFICIAL data against unauthorised access and against the most common threat profiles the Cyber Essentials scheme is designed to defeat. The Government Functional Standard for Security (GovS 007) sits above CE Plus, covering personnel security, physical security, and incident management in addition to technical controls.
The honest framing is that CE Plus closes the technical-controls section of the OFFICIAL handling conversation. The personnel clearance work, the physical security arrangements, the data-handling policies, and the incident-management process sit alongside it. A supplier bidding on an OFFICIAL contract typically needs CE Plus on the IT side plus BPSS on the staff plus a documented data-handling policy plus an incident-response process. CE Plus is one named element of that broader package.
For OFFICIAL-SENSITIVE contracts, the same package applies with tighter controls on data sharing, often combined with SC clearance on key personnel and additional segregation requirements that go beyond CE Plus scope.
The MSP gap
This is where most government-contractor CE Plus engagements run into the practical gap.
A typical central government supplier runs on Microsoft 365 plus a sector-specific application stack (case management, citizen service, data analytics, or domain-specific tooling) plus a delivery or programme-management application plus, where the supplier integrates with a government-side system, an integration layer that connects to PSN, gov.uk Notify, or a department-specific network. The MSP usually covers desktops and the M365 tenancy. The application vendors handle their applications. The integration layer is often handled by a specialist integration team or vendor.
CE Plus samples layers across all of these, several of which sit outside the MSP's contracted scope: application-layer patching on the sector-specific application, the delivery application, and the integration components; browser plug-ins and extensions, including the ones consultants installed for citation tools or document automation; firmware on the perimeter device, which the MSP often relies on the network vendor to handle; third-party SaaS tools the team adopted directly; identity-layer hygiene, including MFA coverage on accounts that interact with government systems; and boundary controls on the integration layer between the supplier's network and the government-facing network.
The first scan in a CE Plus engagement reveals the gap between what the MSP manages and what the assessor will sample. A pattern that turns up regularly: the delivery application is on a vendor release that was superseded several months ago, with a known high-severity vulnerability the supplier never applied because the upgrade required a brief downtime nobody scheduled around the contract delivery calendar. The MSP applied OS patches and treated the supplier as patched. The application-layer gap sat outside the MSP's scope until the assessor's report landed.
The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the supplier agree the application-layer remediation owner for each finding. The delivery director makes the operational call on the application upgrade scheduling around the contract calendar. The certificate issues once the gap closes.
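The triage step described above, as an added example that is not part of the original article or NetSec's own tooling: it takes constructed scan findings, keeps only high and critical severities, measures each against the scheme's 14-day window, and assigns a remediation owner by layer so the items outside the MSP's desktop and M365 scope are visible before the assessor samples them. The layer-to-owner mapping is an assumption standing in for a real MSP contract.

```python
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 14  # CE Plus: high/critical fixes applied within 14 days of release

# Assumed mapping of estate layer to remediation owner; mirrors the split
# described in the article (MSP covers desktops and M365, nothing else).
OWNER_BY_LAYER = {
    "os": "MSP",
    "m365": "MSP",
    "application": "application vendor / delivery director",
    "integration": "integration team",
    "firmware": "network vendor",
    "browser-plugin": "supplier IT",
    "saas": "supplier IT",
}

@dataclass
class Finding:
    host: str
    layer: str
    component: str
    installed: str
    fixed_in: str
    fix_released: date  # date the vendor released the fixed version
    severity: str       # only "high" and "critical" count against the window

def days_overdue(f: Finding, today: date) -> int:
    """Days beyond the 14-day window; 0 while still inside it."""
    return max(0, (today - f.fix_released).days - WINDOW_DAYS)

def triage(findings, today):
    """High/critical findings that breach the window, oldest first, with owner."""
    out = []
    for f in findings:
        if f.severity.lower() not in ("high", "critical"):
            continue
        overdue = days_overdue(f, today)
        if overdue == 0:
            continue
        out.append({"host": f.host, "component": f.component, "layer": f.layer,
                    "owner": OWNER_BY_LAYER.get(f.layer, "unassigned"),
                    "days_overdue": overdue})
    return sorted(out, key=lambda r: -r["days_overdue"])

def outside_msp_scope(rows):
    """The subset the MSP will not fix on its own: someone else must own it."""
    return [r for r in rows if r["owner"] != "MSP"]

# Constructed sample scan output (hostnames, versions and dates are invented).
SAMPLE = [
    Finding("ws-01", "os", "Windows 11", "22H2 (2024-02)", "22H2 (2024-03)", date(2024, 3, 12), "high"),
    Finding("app-01", "application", "Delivery app", "7.2", "7.4", date(2023, 11, 20), "high"),
    Finding("fw-01", "firmware", "Perimeter firewall", "9.1.3", "9.1.5", date(2024, 1, 8), "critical"),
    Finding("ws-02", "browser-plugin", "Citation tool extension", "3.0", "3.1", date(2024, 3, 1), "medium"),
]

if __name__ == "__main__":
    for row in outside_msp_scope(triage(SAMPLE, date(2024, 3, 20))):
        print(row)
```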
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. Government procurement cycles run on their own calendar. Bids land without warning. Framework call-offs happen at short notice. The continuous-posture expectation across the central government supplier base is implicit in the procurement frameworks.
That continuous posture is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift (as noted in the December 2023 escalation review).
For a government contractor, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since, which matters when the next bid lands and the cyber section needs to be answered without a recovery sprint.
The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that government procurement already implied has now been written into the scheme rules the certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the supplier, the sector-specific and delivery application names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including any account that interacts with government systems, and the bid deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the supplier wants the year-round discipline added, the Cyber 365 programme alongside it.
For suppliers with a tight bid deadline, the 4-day NHS-supplier path demonstrates the fast-engagement shape (the same pattern works for non-NHS government bids). For suppliers wanting the full hands-off engagement, the hands-off path covers the broader scope. For suppliers wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified supplier and IASME. NetSec does not bundle, broker, or upsell it.
The government procurement cyber expectation places the responsibility on the supplier for the cyber posture protecting OFFICIAL data and government-side integration points. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the procurement framework expects between assessment days.