PPN 07/23: Updates To The Government Security Classifications Policy

• Published date: 18 July 2023
• Subject Matter: Government, Public Sector, Government Contracts, Procurement & PPP
• Law Firm: Gowling WLG
• Author: Sarah Higgins, Alison Richards and Elizabeth Williams

On 30 June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy to implement updates to the Government Security Classifications Policy (GSCP). These updates are designed to address gaps in the previous policy and reflect changes to Government working practices since the last major update in 2013 - like working from home.

What is the GSCP?

The GSCP is a Cabinet Office policy that sets out an administrative system to be used by Government to protect any information or data that has been created, processed, stored or managed as part of His Majesty's Government's work - including as a result of Government contracts - from prevalent threats through the use of 'classification tiers'.

Each 'classification tier' sets out baseline behaviours and protective controls proportionate to the threat profile and potential impact of data compromise, loss or incorrect disclosure of information.

Unless more stringent requirements are required by Government (for example, as set out in a Government contract), the GSCP is the baseline requirement.

Want to know more but short on time? Read the Government Security Classifications Policy Quick Read.

Otherwise, you can read the full GSCP for more details.

Do the changes apply to me?

If your organisation is a supplier to Government, then "yes".

If your organisation is an NHS body, a Central Government Department, or an Executive Agency, or Non-Departmental Public Body of a Central Government Department ("In-Scope Organisations"), then "yes".

If your organisation is a public sector contracting authority but is not an In-Scope Organisation, the PPN states that you "may wish to" implement the PPN - whilst it is not mandated for your organisation to do so, we recommend you do to ensure alignment with public policy and robust security measures to protect Government data are in place.

So what's changed?

The majority of the updates are minor.

Here are the top seven changes that you need to know:

1. The definitions for the three classified tiers OFFICIAL SECRET, and TOP SECRET have been updated.
2. "OFFICIAL-SENSITIVE" will not form one of the classification tiers.
3. There are new baseline security behaviours for the three classification tiers of OFFICIAL, SECRET, and TOP SECRET - like the use of secure networks on secured dedicated physical infrastructure for SECRET.
4. New standardised additional markings have been introduced These are for use in conjunction with classification tiers....