The Scottish Government has launched a market engagement exercise ahead of plans to create a national ‘cyber observatory’ protecting public sector bodies.
Ministers have backed an initiative to beef up defences for national critical digital infrastructure – spanning 180 public sector organisations across the country.
A new procurement process was launched last week by the government’s Digital Directorate to explore the possibility of acquiring a technical solution to operate 24/7/365.
The request for information (RFI), published on the Public Contracts Scotland website, stated: “The Scottish Government’s (SG) Digital Directorate, through the Scottish Cyber Coordination Centre (SC3), expects there to be an ongoing need to design and develop a Cyber Observatory to ensure that the Scottish Public sector is as secure and cyber resilient as it can be.
“The Observatory will be a technical resource aimed at improving visibility of cyber risks, identifying emerging threats, and enabling data-driven decision-making. This initiative will reinforce The SC3 commitment to delivering impactful, evidence-based interventions that support a more cyber-resilient Scotland.
“SC3 are seeking a functionality with the ability to accurately assess and understand the public sector’s cyber resilience posture. This insight is essential for shaping and applying proportionate security frameworks and standards that help organisations strengthen their cyber defences.
“SC3 are looking for further information on what services are available in the market and how these can be delivered by service providers.”
A further downloadable document was issued alongside the RFI, setting out some of the expected requirements for the cyber observatory.
The document specified that there will be three types of user for the solution: the technical team members of SC3 itself, public sector users and admin users.
The solution will have to be hosted in a sovereign UK data environment, and the supplier must have a Cyber Essentials Plus certificate (or an independent audit against the Cyber Assurance Framework).
The RFI also asks whether the solution could be hosted within the Scottish Government’s own cloud environment, on either AWS or Azure, and therefore whether it would be compatible with those platforms.
As for what the observatory will look like, the document says: “The Cyber Observatory will be designed as a technical solution capable of ingesting, storing, and processing relevant cybersecurity indicators from all public sector organisations in a structured and dynamic manner. It will also manage organisational information, including security contacts and group memberships.
“This solution will provide a comprehensive, real-time view of the cyber resilience and maturity of Scotland’s public sector. Additionally, its analytical and reporting capabilities will support real-time assessments, organisation-specific analysis and the production of summary reports or targeted briefs, tailored to both routine and urgent operational requirements.”
Interested parties are asked to respond to a range of functional and non-functional and security requirement questions in the RFI by March 10th.
However, an interesting insight was revealed about the inner workings of SC3, which emerged in recent years as part of a more cross-public sector approach to online security following the cyberattack on the Scottish Environment Protection Agency in December 2020.
A high level user wrote: “As an SC3 core team user I want to see the cyber security profile of all organisations across the Scottish public sector through a single pane of glass so that I can engage with the Cyber Security community across the public sector, provide critical insights to senior stakeholders and ministers, take data driven decisions on how to improve the Cyber Security posture of the Scottish public sector and drive increased compliance with cyber security frameworks and standards.”