Guidance

DSPCR Chapter 12: security of information

Updated 24 July 2024

Purpose

1). This guidance explains the security of information provisions of the Defence and Security Public Contracts Regulations (DSPCR) 2011.

2). In particular, it sets out how to protect classified information throughout the award and performance of a contract. It also provides guidance on how to assess the capability of suppliers to meet the procurer’s security of information requirements.

What is security of information?

3). By security of information, we mean the protection of all classified information, regardless of its form, during the contract award procedure and the resulting contract.

4). Regulations 10 (confidential information), 11 (classified information), 36 (conditions for performance of contracts) and 38 (security of information) set out the provisions that allow us to protect certain types of information during procurement.

5). Regulation 23 (criteria for the rejection of economic operators) and 25(2)(m) (information as to technical or professional ability) set the supplier selection criteria related to security of information.

What safeguards protect information?

6). Procurers and suppliers must adequately protect classified information at all times. The ability and reliability of suppliers and their subcontractors to meet their obligations to protect classified information is vital to the United Kingdom’s (UK’s) national security interests.

7). The DSPCR address the circumstances where a contract involves, requires, or contains, classified information. It allows procurers to impose requirements for the protection of classified information throughout the acquisition process. This covers the entire life cycle of a contract:

  • the publication of the contract notice
  • the tendering process
  • the delivery of the contract requirement
  • the period after expiry or termination of the contract

8). The DSPCR also establishes the obligations of the procurer to provide potential suppliers with sufficient and timely information on its security of information requirements. This will assist suppliers by:

  • enabling them to assess whether to express an interest in the procurement
  • providing them with the necessary information for the subsequent preparation of tenders and performance of the contract

9). Some contracts could be so sensitive that you may exclude them from the application of the DSPCR, for example, sensitive contracts for the purposes of intelligence activities. The DSPCR, however, contain various protective measures concerning security of information which should limit the need to use the general exclusions or an exemption in the DSPCR to cases where those protective measures are inadequate.

What is meant by ‘classified information’?

10). The DSPCR define ‘classified information’ as: “…any information or material, regardless of its form, nature or mode of transmission, to which a security classification or protection has been attributed and which in the interests of national security and in accordance with the law or administrative provisions of any part of the United Kingdom requires protection against appropriation, destruction, removal, disclosure, loss or access by any unauthorised individual, or any other type of compromise.”

11). For procurers in the UK applying the DSPCR, ‘classified information’ is any information or material that has been assigned a protective marking by the Government or other official body of a Nation. In the United Kingdom (UK), the relevant protective markings are ‘OFFICIAL’, ‘OFFICIAL-SENSITIVE’, ‘SECRET’, or ‘TOP SECRET’ in accordance with the Government Security Classification (GSC) under the Security Policy Framework.

12). Other governments recognise ‘OFFICIAL’, ‘OFFICIAL-SENSITIVE’, ‘SECRET’, or ‘TOP SECRET’, as these classification levels are identified as relevant in bilateral and other international Security Agreements or Arrangements (see paragraph 37).

What requirements can procurers impose on suppliers?

13). A procurer can impose on suppliers certain requirements aimed at protecting classified information, both during the contract award phase and as part of the contract performance requirements. This relates to all classified information whether communicated by the procurer or otherwise (e.g. generated by the supplier or provided by a third party).

14). In addition, procurers may require a supplier to ensure that its subcontractors comply with the same requirements to protect classified information as are imposed on the supplier.

15). Procurers may require all tenderers to enter into a confidentiality or non-disclosure agreement to protect certain information during the contract award procedure in addition to their obligations under relevant national security law, such as the Official Secrets Act.

16). Procurers safeguard security of information during contract performance through use of the provisions of Regulation 38 and the application of associated contract conditions.

Selection of suppliers

17). The contract notice must include the main features of the security of information requirements and the grounds for qualitative selection, i.e. the selection criteria must specify the minimum capability for protecting information which is normally the level of Facility Security Clearance required (see Regulation 25(2)(m)).

18). Procurers may use relevant selection criteria on security of information during the Pre-Qualification Questionnaire (PQQ) process to exclude those suppliers who do not meet certain proportionate or minimum capability requirements. You may also use selection criteria to limit the number of tenderers (for example as part of a basic ranking system).

Exclusion of suppliers and tenderers

19). Regulation 23 provides a list of grounds for excluding suppliers and tenderers for reasons of reliability. In relation to security of information requirements, you may exclude a supplier from participation in the procurement procedure if:

       a). it has committed an act of grave misconduct in the course of its business or profession. This includes a breach of obligations regarding security of information required by any procurer in accordance with Regulation 38 during a previous contract (Regulation 23(4)(e)); or

       b). it has been found, on the basis of any means of evidence, including protected data sources, not to possess the reliability necessary to exclude risks to the security of the UK (Regulation 23(4)(f)).

20). Regulation 23(4)(e) applies specifically to breaches of security of information obligations during previous contracts.

21). While Regulation 23(4)(e) does not require a final conviction by a court of law for grave misconduct to be ‘proven’, a procurer must have objective and verifiable information if it intends to exclude a supplier or tenderer on these grounds. The decision to reject must be a proportionate course of action, taking into account the full circumstances of the case including the nature of the contract and the severity of the breach.

22). Regulation 23(4)(f) deals more broadly with the reliability of suppliers or tenderers.

23). Essentially, suppliers must be sufficiently reliable to exclude risks to the security of the UK. Risks could arise from, for example, certain features of products previously supplied (such as if the product contains hidden software which tracks the user’s data). The ownership of the supplier may raise security concerns. Procurers may, therefore, question the reliability of a supplier or tenderer even where it holds security clearances from its national authorities.

24). You must only exclude a supplier on reliability grounds because of objective evidence, which you must interpret proportionately and reasonably bearing in mind the subject of the contract and the relevant security of information requirements.

25). In addition, although Regulation 23(4)(f) can be based on ‘any means of evidence, including protected data sources’, this does not give unlimited discretion to procurers. You must base any exclusion on risks to the security of the UK and a procurer must be prepared to demonstrate and justify, ultimately to the Court, the reasons for, and plausibility of, its decision.

26). Procurers also have the ability to reject subcontractors (see Chapter 14: subcontracting under the DSPCR). However, you must only base a decision to reject on the selection criteria used for the main supplier. Therefore, where a subcontractor has committed an act of grave misconduct or does not possess the reliability required, you may reject them in accordance with the same principles.

Criteria of technical and / or professional ability

27). Regulation 25(2)(m) allows an assessment based on evidence of a supplier’s technical or professional ability to process, store and transmit classified information at the level of protection required by the procurer (see Chapter 15: supplier selection). This will almost invariably include evidence that the supplier holds a relevant security clearance.

UK suppliers

28). For UK suppliers, you can find existing UK national provisions on security clearance set out in the HMG Security Policy Framework.

29). Suppliers holding, or who are sponsored, willing and able to gain, a Facility Security Clearance (FSC) or the necessary Personal Security Clearances (PSC), or both, appropriate to the protective marking of the classified information involved, required or contained in the contract award process and subsequent contract, will be able to comply with national security rules and regulations.

30). Similarly, UK subcontractors holding an appropriate FSC and PSC will be able to comply with security clearance requirements. This includes UK subcontractors of suppliers of other States who are appropriately security cleared.

31). A FSC is site specific and required only for contracts involving information classified as ‘SECRET’ or above. It is not required for contracts involving information classified as ‘OFFICIAL’ or ‘OFFICIAL-SENSITIVE’. When the Ministry of Defence’s (MOD) Director of Defence Security grants a FSC, the site is added to List X.

32). Suppliers cannot themselves provide an assurance that they have a FSC. Therefore, for contracts involving information classified as SECRET and above, procurers must verify that the proposed supplier holds the necessary FSC by contacting the relevant National or Designated Security Authority to obtain confirmation. If the supplier does not hold the necessary FSC, the procurer may sponsor security clearance action.

33). For OFFICIAL-SENSITIVE only contracts, unless specifically required by national security laws and regulations, suppliers do not need to hold a FSC. In that situation, procurers should include the requirements for the protection of OFFICIAL-SENSITIVE information in the contract documents and obtain a commitment from tenderers that they will protect classified information to that level.

34). Procurers may reject subcontractors chosen at the main contract award stage as long as they base the rejection on criteria applied for selection of the successful tenderer. If the successful tenderer proposes the use of subcontractors, each of these subcontractors should hold a FSC or PSC, or both, appropriate to the level of classified information that they will be handling or they should be capable of obtaining clearance to the appropriate level through sponsorship from either the procurer or the successful tenderer (for MOD procurers, List X contractors may sponsor subcontractors to obtain certain levels of clearance).

Foreign suppliers or subcontractors

35). The evidence that suppliers (including subcontractors) of other States have the ability to meet procurers’ security of information requirements may include evidence of holding an equivalent security clearance recognised by the UK appropriate to the relevant protective marking.

36). Foreign suppliers are required to comply with their own national laws and regulations. When considering the ability of a foreign supplier to meet the UK’s security of information requirements, procurers must take account of whether there is a relevant bilateral General Security Agreement (or Arrangement) between the UK and the other State.

37). A bilateral General Security Agreement with the other state is sufficient evidence for procurers to recognise the FSC granted to, and the ability of, a supplier in that State to comply with its security requirements to protect classified information to at least an equivalent standard to the UK requirements. In those circumstances, you only require verification that the supplier or subcontractor has an appropriate FSC awarded by its own National or Designated Security Authority.

38). UK national security regulations require suppliers to seek the approval of procurers where suppliers propose to subcontract work to foreign subcontractors at the level of ‘SECRET’ or above. Procurers are likely to grant approval if the proposed subcontractor holds an appropriate FSC or PSC granted by its own National or Designated Security Authority.

39). The relevant UK National or Designated Security Authority will accept an assurance of the existence of an appropriate FSC or PSC under a bilateral General Security Agreement.

40). If the proposed supplier does not hold an FSC, or it is not at the level required for the performance of the contract, you should ask the relevant UK National or Designated Security Authority to request the supplier’s own National or Designated Security Authority to initiate FSC action to the equivalent level required.

41). Currently the UK has bilateral Security Agreements that include the protection of defence classified information. These are Pan-Government legally binding bilateral documents for the mutual protection of classified information. Current General Security Agreements can be found at UK Treaties – GOV.UK. In addition, there are MOD-specific Defence Security Agreements; for a full, up-to-date list please contact [email protected].

42). In the absence of a bilateral General Security Agreement, it is possible to obtain assurances of a FSC for suppliers and subcontractors that would be at least equivalent under the scope of the EU Council security regulations (Council Decision 2001/264/EC, as amended).

What contract conditions can procurers impose on suppliers and tenderers?

43). Regulation 38 allows that, where classified information is involved, the procurer may require the tender to contain particulars including, but not limited to, the following:

       a). A commitment from the tenderer and the subcontractors already identified to safeguard appropriately the confidentiality of all classified information in their possession or coming to their notice throughout the duration of the contract and after the termination or conclusion of the contract.

       b). A commitment from the tenderer to obtain the commitment referred to in sub-paragraph 43a from other subcontractors to which it will subcontract during the execution of the contract.

       c). Sufficient information on subcontractors already identified to enable the procurer to determine that each of them possesses the capabilities required to safeguard the confidentiality of the classified information to which they have access or which they are required to produce when carrying out their subcontracting activities – an appropriate FSC may satisfy this requirement.

       d). A commitment from the tenderer to provide the information referred to in sub-paragraph 43c on any new subcontractor before awarding a subcontract.

44). Any measures that the procurer specifies to ensure the security of classified information under Regulation 38 must comply with, or be equivalent to, the security clearance provisions of the UK appropriate to the relevant protective marking. In other words, any contract terms relating to security of information obligations must not exceed what the tenderer (or subcontractor) is required to do to obtain the security clearance relevant to the level of protective marking or markings of the classified information which the contract (or subcontract) will involve.

45). Regulation 38 allows procurers to require tenderers to set out their solutions for maintaining the security of the classified information handled during contract performance and afterwards including flowing down those commitments to the supply chain.

46). Regulation 38 also allows procurers to oblige tenderers to provide information on their subcontractors so that the procurer can verify their ability to safeguard classified information where they did not do it as part of the supplier selection or subcontractor selection process or otherwise under Regulation 37 (Subcontracting). It also commits tenderers to provide that information on subcontractors where they have not identified those subcontractors yet.

47). The measures and requirements under Regulation 38 are non-exhaustive. The procurer may therefore add to this list, as long as those additions are consistent with the security clearance requirements applicable to the relevant level of protective marking and are proportionate to the subject of the contract.

48). Procurers must of course ensure that they include any commitments or requirements imposed on tenderers, including those it requires the tenderer to flow down the supply chain, as obligations in the final contract.

What are the obligations of procurers to suppliers and tenderers?

49). If invitations to tender or contracts involve, require or contain classified information, procurers must provide a sufficient indication of their security of information requirements to potential suppliers so they are able to decide whether to express an interest in participating in the procurement procedures.

50). Procurers must also provide tenderers with adequate details of their security of information requirements in order for them to prepare their tender. Procurers must provide the necessary level of information in the contract notice, or in the invitation to tender, or both. A decision process containing the key decision points and an indication of the factors to consider can be found in Annex A.

Contract Notice

51). Procurers must describe in the contract notice sent to the Find a Tender service the maximum level of protective marking of the information or material that needs to be protected, processed, stored or transmitted during the contract award procedure and in the performance of the contract.

52). Procurers must also indicate any specific contract performance conditions on protecting classified information in the contract notice or contract documents.

53). If procurers require evidence that a supplier holds a relevant UK or equivalent security clearance appropriate to the relevant protective marking, the contract notice must specify the nature and form of the evidence you require.

54). You may give suppliers that do not yet hold the necessary clearance additional time to obtain it following sponsorship by the procurer. Where this is the case, Regulation 25(5) requires procurers to indicate this, along with the time limit, in the contract notice.

Invitation to tender and other contract documents

55). If you do not include the full security of information requirements in the contract notice, you must include comprehensive details in the invitation to tender. This must include details of any information or commitments you require the tenderer to provide as part of its tender response and the form in which they must present it.

56). Additionally, you must communicate the detailed classified aspects of the contract to the supplier in the invitation to tender documents and in the contract, for example, in the form of a Security Aspects Letter (SAL).

What exclusions from the DSPCR are available on security of information grounds?

57). Regulation 7 (General exclusions) provides for general exclusions from the DSPCR. Regulation 7(1)(a) and 7(1)(b) relate to security of information considerations; for more information on these exclusions, please see Chapter 4.

What do I need to tell an excluded supplier or unsuccessful tenderer?

58). Regulations 30 (notification) and 33 (information about contract award procedures) set out the notifications and information procurers must provide to excluded suppliers (for example, those excluded at PQQ stage or any stage up to final tender stage) or unsuccessful tenderers (for example, those who submitted final tenders and were unsuccessful).

59). You should also consult Chapter 17: standstill period, contract award and voluntary transparency in relation to the notification and information requirements you need to set out in a standstill notice for unsuccessful tenderers.

60). If they receive a request in writing, procurers must inform excluded suppliers or unsuccessful tenderers of the reasons for their rejection (you should include this information, even if not requested, as part of a standstill notice you send to unsuccessful tenderers). This includes, at Regulation 33(8)(b), any reason for the procurer’s decision that the supplier did not meet its security of information requirements as set out in the contract notice or invitation to tender in accordance with Regulation 38.

61). There may be circumstances, however, where full transparency of the reasons for exclusion of a supplier or rejection of a tender might conflict with defence or security interests. This may be particularly true where you are basing your decisions to exclude or reject on information from protected sources.

62). Specifically, in relation to security of information, Regulation 33(11)(a) and (b) allow a procurer to withhold any information where the disclosure of that information would impede law enforcement or would otherwise be contrary to the public interest, in particular defence or security interests or both.

63). If the conditions of Regulation 33(11)(a) or (b) are met, procurers may decide not to communicate information, even if this means that you cannot inform the tenderer of the main reason for its rejection. The tenderer concerned, however, would remain free to challenge the rejection if it considers the procurer to be in breach of the duties owed to it under the DSPCR.

Key points to remember

1). Where a procurement process involves access to classified information, you must consider imposing obligations on suppliers and require flow-down of those obligations to subcontractors, to safeguard that information throughout the tendering and contracting procedure. Those obligations must be proportionate and relevant for the particular procurement process.

2). You are allowed to reject suppliers and subcontractors where they:

  • do not possess the necessary reliability to exclude risks to national security
  • have breached obligations relating to security of information during a previous contract in circumstances amounting to grave misconduct

3). You must request information from suppliers and subcontractors to assess their ability to protect information if they will have access to classified information marked ‘OFFICIAL’ / ‘OFFICIAL-SENSITIVE’ or above. You should impose measures to protect information to the required level if suppliers and subcontractors will have access to classified information marked ‘OFFICIAL’ / ‘OFFICIAL-SENSITIVE’ or above.

Further notes

MOD procurers must note that it is MOD policy not to mark material with the ‘OFFICIAL’ classification. Therefore the requirement applies to material marked as ‘OFFICIAL-SENSITIVE’ or above.

Security of information decision process (Annex A)

Requirements/scoping

Identify the need to protect classified information and equipment during the contract lifecycle. Consideration to be given to protection during:

  • tendering stage
  • performance of the contract
  • post contract

DSPCR Considerations

Things to consider include:

  • application of exemptions or exclusions
  • to what extent the protective measures can be applied
  • what protections need to be imposed on contractors and flowed down the supply chain, bearing in mind both the Authority’s material and any material generated by third parties
  • the protective measures available, including but not limited to a Security Aspects Letter (SAL), Confidentiality Agreements / Non-Disclosure Agreements (NDA), and the protections in the Official Secrets Act

Phases of Procurement

Advertising

You must indicate the level of protective marking of the information and / or equipment in the Contract Notice. The specific clearance levels and evidence you require must also be published. Reg 25(5) allows you to specify a date by which those without the appropriate clearance must obtain it.

ITT

The specific conditions of contract relating to the protection of assets must be issued; for MOD procurers this includes DEFCON 659A (where appropriate). A draft copy of the SAL must also be issued. A separate SAL must be issued with the ITT where there are protectively marked assets accompanying it.

Contract performance

Once on contract, a SAL must be issued to form a binding agreement detailing the assets to be protected and how to protect them. For MOD procurers the SAL describes what is defined as secret matter for the purposes of DEFCON 659A and needs to be issued so that the obligations of DEFCON 659A are clear.