In February 2024 the UK National Cyber Security Centre updated its "Supply Chain Security Guidance" and "Mapping your supply chain" collections, and in April 2024 it published version 3.2 of the Cyber Assessment Framework (CAF), which is the backbone of UK regulator oversight for NIS-regulated operators of essential services and relevant digital service providers. These updates land against a busy legislative backdrop: the King's Speech of July 17, 2024 announced the Cyber Security and Resilience Bill, and the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 security requirements became enforceable on April 29, 2024. Taken together, the UK is building a coherent position on software supply chain assurance that affects any organisation selling software into the critical national infrastructure sectors or into UK government.
What Did the NCSC Update Cover?
The February 2024 update to the "Supply Chain Security Guidance" deepened the 12 principles into a twelve-step assessment process with specific evidence expectations, and added a new module devoted to the software supply chain, covering SBOMs, provenance, and build integrity. The companion "Mapping your supply chain dependencies" guidance, first published in October 2022 and refreshed in 2024, describes a three-tier mapping approach that extends beyond direct suppliers to sub-processors and software component authors. NCSC updated the "Secure Development and Deployment" collection in 2023 to add explicit provenance and attestation recommendations aligned with SLSA.
How Does the Cyber Assessment Framework 3.2 Apply to Software?
CAF 3.2 is used by regulators including Ofgem, Ofwat, Ofcom, the CAA, the HSE, and the DHSC under the Network and Information Systems Regulations 2018 (SI 2018/506). Principle A4 "Supply Chain" requires operators to understand and manage the security risks to their network and information systems that arise from dependencies on external suppliers. The 3.2 revision tightened Contributing Outcome A4.a by making explicit that software components — including open-source — fall under the "suppliers" definition and that operators must maintain "records of relevant components and their provenance." B4 "System Security" was updated to add explicit text about secure software development and deployment and references to the Secure Software Development Framework.
What Will the Cyber Security and Resilience Bill Change?
The Cyber Security and Resilience Bill, announced in the July 2024 King's Speech and expected to be introduced to Parliament in the 2024-2025 session, will expand the NIS Regulations scope to include managed service providers, update reporting requirements, and give regulators enhanced cost-recovery powers. Based on the Government's November 2022 Call for Views response, the Bill is expected to bring more than 10,000 additional firms into the regulated perimeter and align the UK with NIS2 in all but name. Software vendors that supply regulated operators should expect to see contractual flow-down of CAF-aligned controls within 12-18 months of Royal Assent.
How Does the PSTI Act Intersect With the Software Supply Chain?
The Product Security and Telecommunications Infrastructure Act 2022 and the Product Security Regulations 2023 (SI 2023/1007) require manufacturers of consumer connectable products to meet three security requirements, publish a statement of compliance, and define a vulnerability disclosure policy. The security requirements took effect on April 29, 2024 and are enforced by the Office for Product Safety and Standards (OPSS). Penalties run to GBP 10 million or 4% of qualifying worldwide revenue, whichever is greater, under section 26 of the Act. For connected product vendors, the "statement of compliance" must reference the security of the software supply chain, not just the device firmware.
What About Public Sector Procurement Under GovAssure and the Procurement Act 2023?
GovAssure, launched by the Government Security Group in April 2023, requires central government departments to be assessed annually against the CAF profile designated by GSG. GovAssure is tiered by criticality, and third-party software used in tier-one systems must evidence supply chain assurance to the same standard. The Procurement Act 2023, which came fully into force on February 24, 2025, consolidates procurement law and gives contracting authorities broader discretion to exclude suppliers for "serious misconduct" — including significant cyber-security failures — via the Procurement Review Unit. Suppliers excluded under section 57 are placed on a published debarment list.
What Penalties Apply and Who Enforces?
Under the NIS Regulations 2018, competent authorities can issue monetary penalties of up to GBP 17 million under regulation 18, with tiered thresholds and factors set out in the guidance. The ICO, as competent authority for digital service providers, has separate guidance on NIS penalties that runs alongside UK GDPR exposure. OPSS enforces the PSTI Act, with maximum penalties of GBP 10 million or 4% of revenue. Health sector operators assessed under the DSP Toolkit and the Data Security Standards face NHS England intervention. The Information Commissioner has signalled enforcement interest in supply chain failures since the 2023 Capita incident.
How Safeguard Helps
Safeguard generates CycloneDX SBOMs with provenance metadata aligned to the NCSC's provenance recommendations and SLSA levels, providing the evidence that CAF Principle A4 now expects. Griffin AI reachability scoring and vulnerability heatmaps focus remediation on the components actually exercised by operational technology, meeting the CAF 3.2 expectation of risk-based prioritisation. TPRM workflows document supplier attestations against the 12 NCSC supply chain principles, and policy gates automate the build-time enforcement of provenance, signing, and vulnerability thresholds. The compliance mapping module cross-references CAF, NIS Regulations, PSTI, and ISO 27001:2022 so a single evidence export satisfies regulator inquiries and GovAssure submissions.