1. The importance of cyber resilience in Scotland's public bodies has never been greater. Digital technologies bring enormous opportunities for Scottish public services – but they also bring with them new threats and vulnerabilities that we must take decisive action to manage.
2. This Public Sector Action Plan has been developed in partnership by the Scottish Government and the National Cyber Resilience Leaders' Board ( NCRLB). It sets out the key actions that the Scottish Government, public bodies and key partners will take up to the end of 2018 to further enhance cyber resilience in Scotland's public sector. While there are already strong foundations in place, its aim is to ensure that Scotland's public bodies work towards becoming exemplars in respect of cyber resilience, and are well on their way to achieving this by the end of 2018.
3. The action plan focuses on public bodies. Delivery of the action plan will be coordinated and led by the Scottish Government's Cyber Resilience Unit, working in partnership with the NCRLB and Scottish public bodies. Wherever possible, the Scottish Government will work with key partners in the wider public sector, including local authorities, and universities and colleges, to promote an aligned approach to work on cyber resilience.
A. Developing a common approach to cyber resilience in Scottish public bodies
4. Key Action 1: The Scottish Government will work with the NCRLB, the National Cyber Security Centre ( NCSC), the Scottish Public Sector Cyber Catalysts  and other key partners to develop a Cyber Resilience Framework for Scottish public bodies by end June 2018. This framework, with associated guidelines and requirements, will help promote a common, effective, risk-based approach to cyber resilience across Scottish public bodies. A high-level concept framework can be found at Annex B.
B. Initial baseline cyber resilience requirements for Scottish public bodies
5. The Scottish Government has worked with the NCRLB to identify the requirements that will form the "initial baseline progression stage" under the Scottish Public Sector Cyber Resilience Framework. The Scottish Government will ask public bodies to achieve the following requirements to the following timelines:
- Key Action 2: Have in place minimum cyber risk governance arrangements, by end June 2018.
- Key Action 3: Ensure that public bodies that manage their own networks become active members of the NCSC's Cybersecurity Information Sharing Partnership ( CiSP), in order to promote sharing of cyber threat intelligence, by end June 2018.
- Key Action 4: Ensure they have in place appropriate independent assurance of critical cyber security controls by end October 2018. To support this goal, funding will be made available for public bodies to undergo Cyber Essentials "pre-assessments", by end March 2018.
- Key Action 5: Implement as appropriate the NCSC's Active Cyber Defence Programme, which aims to make internet-based products and services safer to use, by end June 2018.
- Key Action 6: Have in place appropriate cyber resilience training and awareness-raising arrangements for individuals at all levels of the organisation, by end June 2018.
- Key Action 7: Have in place appropriate cyber incident response plans as part of wider response arrangements, and ensure these align with central incident reporting and coordination mechanisms, by end June 2018.
C. Cyber security of supply chain and grant recipients
6. Key Action 8: Supply chain cyber security arrangements will form a key part of the Scottish Public Sector Cyber Resilience Framework. As part of due diligence, it makes good sense to ensure that other recipients of public money, such as grant recipients, also demonstrate that they take cyber security seriously. As part of work to develop the Framework, the Scottish Government will:
- develop a proportionate, risk-based policy in respect of supply chain cyber security (aligned appropriately with GDPR requirements), to be applied by public bodies in all relevant procurement processes. Industry partners will be consulted on a draft policy early in 2018, with a view to it forming part of the Scottish Public Sector Cyber Resilience Framework.
- develop guidance on the need for recipients of public grant funding to have in place appropriate, proportionate and risk-based cyber security arrangements. These requirements will align with the new supply chain policy and take effect alongside them.
D. Ensuring Scottish public bodies can access cyber security expertise and support
7. Key Action 9: To ensure that Scottish public bodies can access appropriate expertise in support of their work on cyber resilience, the Scottish Government will put in place an innovative Dynamic Purchasing System for Digital Services (including cyber security), by end October 2017.
E. Leadership and knowledge sharing
8. Key Action 10: To promote leadership and knowledge sharing, the Scottish Government will coordinate a Public Sector Cyber Catalyst scheme, under which a number of leadership bodies will commit to work towards becoming exemplars in respect of cyber resilience, helping identify common issues and solutions, and sharing learning and knowledge with the wider public sector.
F. Monitoring and Evaluation
9. Key Action 11: The Scottish Government will put in place a monitoring and evaluation framework to assess progress against this action plan and, once finalised, the Cyber Resilience Framework.
A summary of the key actions different bodies should take, along with timelines, can be found at Annex A to this action plan.