Quick answer
GovAssure is a UK government cyber resilience programme that requires central government departments and their critical suppliers to complete structured assessments against the NCSC Cyber Assessment Framework, providing a more rigorous evaluation of cyber risk than Cyber Essentials for high-assurance procurement contexts.
GovAssure is a UK government programme that applies the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) to central government departments and, by extension, to suppliers providing critical services to those departments. Where Cyber Essentials provides a baseline certification against five foundational controls, GovAssure involves a structured, in-depth assessment across a broader set of cybersecurity objectives covering network security, access control, data security, system resilience, incident response, and supply chain risk. In high-assurance procurement contexts, buyers may require suppliers to demonstrate GovAssure-aligned capabilities as part of their selection criteria.
What is GovAssure in procurement?
GovAssure was introduced by the UK Cabinet Office in 2023 as a mechanism for government departments to assess their own cyber resilience against the CAF's four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber incidents. Departments are assessed annually, and the results inform investment decisions and risk treatment plans.
The procurement relevance of GovAssure is twofold. First, departments conducting GovAssure assessments must map their supply chain risk, which means assessing the cyber posture of critical suppliers. Suppliers providing services to sensitive government functions may be asked to complete a CAF-based self-assessment or to support an independent assessment of the systems they operate on the government's behalf. Second, departments can use GovAssure criteria to inform their procurement specifications for high-value or high-risk ICT procurement contracts, requiring suppliers to demonstrate capability across the CAF objectives rather than just holding a Cyber Essentials certificate.
The CAF itself is structured around 14 principles grouped under the four objectives. Each principle has contributing outcomes that describe the expected security practices. For supply chain assurance, the relevant CAF principle (C1) requires organisations to understand, manage, and communicate risks in their supply chains. Buyers using GovAssure-aligned criteria in procurement will typically require suppliers to demonstrate how they manage their own supply chain risk, including sub-processors and component vendors, which connects to GDPR compliance in procurement obligations for data processor chains.
Why it matters for bidders
For suppliers to central government departments, particularly those providing managed services, cloud platforms, or systems that process sensitive government data, GovAssure represents an emerging procurement standard that goes beyond Cyber Essentials. Suppliers should familiarise themselves with the CAF objectives and be prepared to complete CAF-based self-assessments or to participate in assessments conducted by the buyer or an independent assessor.
Suppliers who have already achieved ISO 27001 certification will find significant overlap with the CAF principles, but the CAF is not identical to ISO 27001 and the two should not be assumed interchangeable in procurement responses. The technology code of practice sets the broader policy context for government technology security expectations, within which GovAssure operates.
Example
A UK central government department is procuring a managed security operations centre (SOC) service. The specification includes a requirement for the supplier to complete a CAF-based self-assessment covering all four CAF objectives and to make the results available to the department. The evaluation criteria include a scored assessment of the supplier's CAF maturity profile, in addition to Cyber Essentials Plus as a pass/fail gateway.
Frequently Asked Questions
Is GovAssure required for all UK public sector contracts?
No. GovAssure is primarily a central government programme applying to departments in scope of the Government Cyber Security Strategy. It does not automatically apply to NHS, local government, or other public bodies, though those organisations may choose to use the CAF as their assessment framework. Procurement requirements referencing GovAssure or CAF compliance will be explicit in tender documentation.
How does GovAssure relate to Cyber Essentials?
Cyber Essentials covers five foundational technical controls and is appropriate as a baseline for most ICT suppliers. GovAssure and the underlying CAF cover a much broader set of cybersecurity practices across the full security lifecycle, including resilience, incident management, and supply chain risk. For sensitive or critical government systems, CAF-aligned requirements are more demanding and more comprehensive than Cyber Essentials alone.
Are there equivalent programmes in EU member states?
EU member states implement cybersecurity requirements for public sector systems and their suppliers primarily through the NIS2 Directive (Directive (EU) 2022/2555), which applies to essential and important entities and their supply chains. ENISA provides frameworks and guidelines that member states use to assess cybersecurity maturity. While GovAssure is a UK-specific programme, EU buyers are increasingly applying NIS2-derived criteria to ICT procurement specifications, particularly for critical infrastructure and public administration systems.
How Bidovate helps
Bidovate puts GovAssure (Cyber Assessment) in Procurement to work inside your capture and proposal workflow.
Tender discoverySee Bidovate in action
Book a demo and we will show you the platform using your actual contract data.
Related terms
Cyber Essentials (Procurement Requirement)
Cyber Essentials is a UK government-backed certification scheme that demonstrates a supplier meets baseline cybersecurity controls, and is increasingly mandated as a minimum selection requirement in public sector ICT procurement, particularly for contracts involving handling of government or personal data.
ViewGDPR Compliance in Procurement
GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.
ViewICT Procurement
ICT procurement covers the purchase of information and communications technology goods and services by public sector organisations, encompassing hardware, software, cloud services, telecommunications, and associated support, governed by EU Directive 2014/24/EU and national implementing legislation across European member states.
ViewTechnology Code of Practice (Procurement)
The Technology Code of Practice is a UK government policy framework setting out the criteria that all central government technology projects must meet, covering open standards, interoperability, security, accessibility, sustainability, and value for money, and is used as a procurement evaluation standard for ICT contracts.
ViewSoftware as a Service (SaaS) Procurement
Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.
View