Securing the Deal in Government Contracting

July 9, 2008

The latest OGC Procurement Policy Note[1] is hardly surprising in the wake of recent high-profile information security breaches. Following the Cabinet Office’s publication of the Data Handling Practices in Government report,[2] it will form part of a broader package of government measures to tackle lax data handling practices in the public sector.

OGC Model ICT Services Agreement and Guidance

For those readers unfamiliar with the OGC Model Services Agreement and Guidance, it was first published in 2004 to address the particular requirements of government ICT projects as against traditional PFI models of contracting. Further work by the OGC, taking into account the views of government and industry stakeholders, resulted in version 2 of the OGC Guidance in September 2006. This was followed by version 2.1 in June 2007 and version 2.2 in May 2008. The effect of the most recent announcement, the subject matter of this article, is that further changes have been made to certain of the documents and these documents have been advanced to version 2.2.1.

Changes to the Documentation Set

The documents advanced are the terms and conditions themselves; certain definitions in Schedule 1 (Definitions); Schedule 2.3 (Standards); Schedule 2.5 (Security Requirements and Plan) and Schedule 8.5 (Exit Management).

On closer inspection, the changes to the terms and conditions are relatively minimal and generally tighten up existing provisions rather than introduce new ones. They reinforce the requirement for contracting authorities to deploy effective staff vetting measures; ensure supplier-side parties’ compliance with the Official Secrets Acts where applicable to the project; and provide for compliance with the minimum standards set out in the HMG Manual for Protective Security where sensitive data is being handled.

A helpful explanatory note, which describes the changes in detail and contains answers to anticipated key questions, is available on the Partnerships UK website.[3]

Application of the Changes

The changes themselves are of much less significance than the fact that the security provisions of which they form a part are now mandatory for all UK government contracts signed from 1 July 2008 onwards. Whilst not mandatory for contracts which were signed prior to that date, or where the ITT/ITP for the relevant procurement was issued prior to that date, OGC advice strongly recommends that such procurements be reviewed to determine whether it would be appropriate to update the security requirements (even where this would involve contractual change). In any such ‘retro-fit’ of the updated standards, contracting authorities would have to remain mindful of the procurement rules and the need to secure best value for the public purse.

Government departments are given the responsibility of promulgating the message to their executive agencies and non-departmental public bodies and ensuring that the mandatory standards are included in relevant contracts and applied. There will also be an annual assessment process to ensure effective adoption of the updated requirements.

Comment

It will be interesting to monitor the reaction of suppliers to the imposition of these changes. Past experience suggests that the initial reaction is likely to be resistance, on the grounds that the new regime is too costly or difficult to implement, or unnecessarily stringent for lower value or less complex projects.

Suppliers may also try to argue that the provisions are tricky to incorporate ‘unamended’ into certain contracts, unamended incorporation being a minimum requirement for compliance. Such contracts might include those for lower value or less complex projects, or those where the core services are not ICT-related (but where there is nevertheless a data handling element) and where a contracting model other than that of the OGC Guidance may have been adopted as a starting point. A further issue suppliers might raise is how best to interface the mandatory requirements with other relevant guidance, such as the OGC guidance entitled Next Generation Network: Procurement Standards, Guidance and Model Clauses,[4] which contains a number of additional security requirements (relating, for example, to the inter-connection of networks).

Any period of resistance will inevitably be followed by reluctant acceptance (possibly accompanied by some targeted lobbying by IT industry bodies such as Intellect) as suppliers ‘share the pain’ and gear their systems towards routine compliance. The overall effect, I would suggest, will be positive – security breaches will not cease altogether, of course, but there is no doubt that some breaches will be avoided.

In the meantime, it will be important for contracting authorities and their advisors to take a pragmatic approach, striking a balance between flat refusal of amendments and supine acceptance but resisting significant substantive changes which might set a dangerous precedent. To ease this process and ensure consistent application of the provisions, the OGC might consider issuing some further guidance or examples of how the provisions could legitimately be flexed in appropriate circumstances.

Practical Advice

Security considerations should be at the forefront of the project team’s mind from the outset of the procurement, at the planning stage, through to implementation, testing and live operations. It is always important to bear in mind that robust contractual protections are only one part of what should be a holistic security strategy to mitigate a contracting authority’s legal and reputational risk.

1. Assess project security risks at an early stage and conduct appropriate due diligence on the bidders. Ask questions and observe at each stage of the process: what experience does the bidder have of delivering projects with similar security requirements? Do the bidder’s security policies and bespoke written submissions stack up? Are personnel government security-cleared or vetted already? How does the bidder conduct itself in negotiations and handle its own sensitive information?

2. Due weight should be accorded in procurement documentation and evaluation criteria to security elements, more so now than ever given the mandatory requirements. Bidders’ responses, technical solutions and draft security plans should be explored and challenged through workshops, negotiations and possibly pilot/test sites (although not practical in every instance, it may be possible to emulate live operations in testing). The parties should be particularly aware of security vulnerabilities at the point of interface between contracting authority and supplier systems.

3. Use appropriately qualified and skilled technical personnel from the contracting authority to support this process. Whilst external consultants are often used in addition, consider whether internal stakeholders should work with them – they may have invaluable knowledge and experience of the security aspects of the contracting authority’s systems.

4. Highlight the mandatory requirements to existing and potential new suppliers at an early stage to baseline expectations.

5. Ensure that there is sufficient time set aside in the project plan to address security issues and prevent delays to the project. For example, government security accreditation can be a relatively time-consuming and resource-hungry process, and site security clearances often take some time to be processed.

6. At the contract negotiation stage, the contracting authority should ensure that it has the necessary technical and legal expertise and input, particularly if the mandatory security provisions are challenged in some way by suppliers. There inevitably will be such challenges – possibly justifiably, particularly in lower value or less complex projects.

7. If there is any significant deviation from the mandatory contractual requirements, ensure that the reasoning is captured and retained in written records which can be made available for audit review if required.

8. Do not forget about the contract’s security mechanisms at the operational stage. Carry out privacy impact assessments and regular security audits in conjunction with the supplier. Bear in mind that new threats to security are constantly emerging and existing threats evolving, and security systems, policies and procedures should be subject to continuous review to ensure they are keeping pace with change.

9. Reviewing and adopting best practice guidance and relevant international standards, e.g. ISO/IEC 27001 and 27002 and the HMG Manual for Protective Security (and its replacement, the Security Policy Framework, when it comes along in October 2008), will help to support a continuous review approach. Security forums and bulletins can also be useful in keeping up to date.

10. As an organisation, you too must aim to cultivate good habits and practice what you preach! Follow security policies and procedures and make it clear to others that they must do so, whether employees, suppliers or others. Robust policies are multi-faceted and cover everything from locked filing cabinets and password protection through to effective staff vetting and monitoring systems and deployment of technology such as encryption.

Conclusion

The recent changes in the security regime surrounding the OGC Guidance are important, less for the substance of the changes themselves than for the restated importance of security considerations embodied by the provisions now afforded mandatory status.

As part of the Government’s wider programme of information assurance measures, this update should help to keep public sector minds focussed on security issues. It will be interesting to monitor supplier responses and attitudes given that the likely outcome is that they will be seeing this robust set of standards appearing more regularly in contracts in future.

Callum Sinclair is a Scottish-based Associate in the Technology Media and Commercial Team at DLA Piper.

[1] Information Note 08/08 – 1 July 2008

[2] Published on 25 June 2008, copy available at www.cabinetoffice.gov.uk/reports/data_handling.aspx

[3] www.partnershipsuk.org.uk/ictguidance/newsattachments/documents/PPN%20Data%20Handling%20Review.pdf

[4] Published in March 2007 and the subject of a previous article by the present author entitled ‘Public Sector Procurement of Next Generation Networks’, Computers & Law, Vol 18, Issue 1 (April/May 2007)