CAF and DSPT


DSPT submission

I know we are only in January, but before you know it we will be seeing newborn lambs in fields, daffodils sprouting and leaves reappearing on trees. Oh, and then there’s the Data Security Protection Toolkit (DSPT) submission. To maintain compliance, organisations are required to submit before 30th June each year.

Changes

The 2024/25 period sees the reintroduction of category 2, which includes IT Suppliers and Operators of Essential Service (OES) Independent Providers. IT suppliers are companies that meet all of the following criteria: 50+ staff, a turnover of £10m+, and supplying digital (software and/or physical) goods and services to the NHS and/or care.[1]

Interestingly, this year also sees the introduction of the Cyber Assessment Framework (CAF) for category 1 organisations. Both category 1 and 2 organisations will also need to complete an independent audit (this was voluntary for IT suppliers last year).

All category 1 organisations had to submit a baseline report by 31st December to state how they are achieving each objective. Key to note here is the intention of NHS England to roll out CAF more widely over future submissions, so suppliers would be well advised to become familiar with it now.


[1] https://www.dsptoolkit.nhs.uk/Help/Org-Types#:~:text=If%20you%20are%20a%20company,Local%20Authority

What is CAF?

CAF stands for Cyber Assessment Framework and has been developed by the National Cyber Security Centre to help organisations assess how robust and resilient their cyber security is. It is becoming more prolific and is now a commonplace acronym in the security world.

CAF is not there as a set of rules telling you what to do; it’s there as a guide to decision making. There are 4 high-level objectives and 14 principles.

Principles, contributing outcomes and IGPs

Each principle is broken down into lower-level contributing outcomes, so essentially an organisation can see whether it has attained the principle by how many of the outcomes it is achieving. To make it even easier, each contributing outcome has a set of Indicators of Good Practice (IGPs). All the IGPs have been put into tables: one table per contributing outcome, with multiple contributing outcomes making up a single principle. A RAG status (Red, Amber, Green) is then applied to each IGP to record whether the organisation has achieved, partially achieved or not achieved the IGPs that make up that contributing outcome.

CAF assessment

There are 39 contributing outcomes, so essentially there are 39 individual assessments based on the RAG status of each associated table of IGPs. Whilst the CAF has been designed to be applicable across the board, in some instances a sector will make the CAF more specific to its own needs, creating a CAF “profile”, which brings us back to DSPT.

DSPT and CAF

In 2023 the health and care cyber security strategy committed to adopting the CAF as the principal cyber standard. As a result, the standard 39 contributing outcomes have been enhanced for health and care with an additional 8 contributing outcomes that cover “using and sharing information appropriately”, so there will be a total of 47 contributing outcomes in the health and care CAF. Organisations are not expected to achieve all of the contributing outcomes; indeed, there will be different CAF profiles depending on the organisation type, and by achieving the relevant profile they will be graded “standards met” on the DSPT.

Final thoughts

So, whilst not all organisations are required to meet CAF in the 24/25 DSPT submission, it is coming down the tracks. We would strongly recommend reviewing the principles and outcomes so you can begin preparation, whilst improving your cyber security posture at the same time.