Talk to us 01204 238 046

Cyber Security Services 3: A complete overview of Cyber Assessment Framework

Written by Thornton & Lowe


Jun 18, 2024

The introduction of Cyber Security Services 3 (CSS3) marks a significant leap in the way organisations protect themselves against cyber attacks and manage risk within their IT infrastructures. With the ever-increasing sophistication of threat actors, the urgency for a robust cyber security framework, capable of withstanding and mitigating emerging threats, is imperative. This includes a comprehensive approach to information security, encompassing everything from penetration testing to threat intelligence, ensuring that entities are not just reactive but proactive in their cyber defence strategies.

This article will navigate through the critical aspects of Cyber Security Services 3, offering you a complete overview of the Cyber Assessment Framework (CAF) and its importance in today's digital world. We will explore who can apply for CAF, detailing the certification process and highlighting the supply chain considerations inherent to maintaining IT security integrity.

What is Cyber Security Services 3?

Cyber Security Services 3 (CSS3) is a Dynamic Purchasing System (DPS) designed to enhance the cyber resilience of UK public sector entities by providing a comprehensive suite of cyber security services. This initiative, developed under the Crown Commercial Services (CCS), acts as a continuation of previous frameworks, aiming to align with the National Cyber Security Strategy and bolster the Cyber Essentials Scheme. CSS3 offers a flexible commercial agreement that allows public sector bodies to access a variety of services, including NCSC assured services, penetration testing, incident response, and managed security services. The system facilitates an agile procurement process, allowing entities to shortlist and engage with pre-approved suppliers through a streamlined platform, ensuring that the public sector can quickly and efficiently improve its organisational cyber resilience.

Who can apply for Cyber Security Services 3

CSS3 is open to all UK central government departments, wider public sector organisations, and charities. This flexibility allows these entities to continually join and benefit from the DPS throughout the duration of the contract. To apply, organisations must complete a Selection Questionnaire (SQ) via the GOV.UK Supplier Registration System, addressing both mandatory and discretionary questions, followed by a Dynamic Purchasing System Questionnaire (DPSQ) that focuses on specific cyber services delivery capabilities.

CSS3 caters extensively to various sectors within the public domain. This includes central government bodies like the Home Office and Ministry of Justice, local governments, educational institutions such as universities and high schools, health sector entities including local hospitals and Clinical Commissioning Groups (CCGs), and defence sectors encompassing the tri-Forces and the Ministry of Defence (MoD). Additionally, organisations like the Coastguard also fall within the scope, underscoring the broad applicability of CSS3 across different public sector verticals.

How to apply for Cyber Security Services 3

Step-by-step application process

  1. Register as a buyer on the GOV.UK Supplier Registration System (SRS) at
  2. Complete the Selection Questionnaire (SQ) which includes mandatory and discretionary type questions alongside financial details.
  3. Navigate to the Cyber Security Services 3 (CSS3) Dynamic Purchasing System (DPS) and log in. Confirm your details and agree to the terms of use.
  4. On the 'Manage your DPS Category Exports' page, create a new category export to filter suppliers that meet your needs.
  5. Use the filtering tool to specify your requirements and save your filtered list of capable suppliers.
  6. Export this list to an Excel spreadsheet and use it to run a further competition, ensuring to refresh the list if not used within 2 working days to comply with procurement regulations.

Required documentation

Ensure you have all necessary documentation ready, including insurance documents and any other required by the category team.

Download and carefully read the bid pack from the Contracts Finder website.

After appointment, you will receive login details for the MI reporting system and further instructions via email.

Benefits of Cyber Security Services 3

Enhanced security

CCS3 offers enhanced security measures, providing access to NCSC assured services, which meet stringent national standards. These services include penetration testing that identifies vulnerabilities, incident response to manage cyber threats effectively, and managed security services that monitor and protect your IT infrastructure continuously. By using CSS3, your organisation benefits from a robust security framework that is capable of defending against sophisticated cyber threats, ensuring that your digital assets are well-protected.

Compliance with standards

CSS3 not only enhances your security posture but also ensures compliance with critical regulatory standards. This DPS allows organisations to align with the UK's National Cyber Security Strategy, offering services that are continuously updated to meet evolving cyber threats and regulatory requirements. By incorporating CSS3, your organisation can maintain high standards of cyber hygiene, meeting or exceeding the security outcomes specified in the Cyber Assessment Framework (CAF). This adherence to standards is crucial for protecting sensitive information and maintaining trust with stakeholders.

Speak to an expert!

Contact us

Related articles...

Made by Statuo