Question 1

Who needs Cyber Essentials Plus, GovAssure, and the CAF?

Accepted Answer

Cyber Essentials Plus is mandatory for UK central government contracts handling personal data or accessing government information at OFFICIAL. GovAssure is the NCSC-led assurance scheme for critical government departments using the Cyber Assessment Framework (CAF) as the evaluation lens. The CAF itself applies to operators of essential services under the UK NIS Regulations 2018 (and the UK NIS 2024 reform) plus UK government departments. MoD suppliers face CSM v4 plus DefStan 05-138 Issue 4 on top.

Question 2

What does Cyber Essentials Plus require and how long does it take?

Accepted Answer

Five technical control families verified by an IASME-accredited certification body: firewalls, secure configuration, user access control, malware protection, and security update management. CE Plus adds an on-site or remote audit (vulnerability scan plus authenticated configuration review) on top of the self-assessment. Typical readiness timeline 4-8 weeks from a cold start. Annual renewal. £8K-£18K end-to-end depending on environment scope.

Question 3

How does CSM v4 compare to CMMC L2?

Accepted Answer

MoD CSM v4 (live since 3 December 2025) and CMMC L2 are structurally identical: NIST 800-171 control families, supply-chain pre-cert workflow, evidence taxonomy mapped to similar control objectives. DefStan 05-138 Issue 4 wraps the CSM scoring into MoD contractual requirements with Cyber Risk Profiles 0-3. Our CMMC L2 SSP and POA&M format converts to CSM v4 with a translation overhead of roughly 15-20%, not a rebuild.

Question 4

What is the G-Cloud 15 listing path?

Accepted Answer

G-Cloud 15 is the £14B 4-year framework launching in 2026 through Crown Commercial Service. No UK domicile requirement to list. We write the service description, structure the pricing schedule per the CCS template, and submit the supplier and service-definition documents during the framework window. Once listed, central government, NHS, devolved administrations, and local councils can buy direct without further competition. Listing work runs £15K-£35K depending on service-line count.

Question 5

What does the UK readiness package cost?

Accepted Answer

£135-165K (roughly USD 170-210K) for a CSM v4 readiness package: 90-day gap analysis plus 6-month remediation, priced ~10% above the UK boutique midpoint and below the Big Four floor. CE Plus: £8K-£18K. GovAssure CAF readiness: £80K-£180K depending on department scope. NCSC Assured Service Provider preparation work runs separately. Primarily hourly with fixed fee for the CSM v4 and CE Plus tracks where scope is well-defined.

Question 6

Can a US firm sell into UK government without a UK entity?

Accepted Answer

Yes for G-Cloud 15 and most central-government supplier work. UK GDS Service Standard and Technology Code of Practice apply to digital services regardless of supplier origin. OFFICIAL data handling is residency-flexible if the controls demonstrably meet the standard. SECRET and above require UK-cleared personnel and UK-domiciled infrastructure, which we coordinate through UK primes or partner under the NCSC Assured scheme rather than claim a US WOSB can deliver alone.

UK Government Cybersecurity

What this service does

What we deliver

How an engagement begins

Why this work runs through Witness

A confidential, structured engagement.

Confidential Consultation

Scoped Engagement

Investigation and Findings

Same firm. Same legal entity. Same Quinn.
Also available through varcoe.ai for B2B buyers.

Witness (you are here)

Varcoe (B2B sister brand)

Quinnlan Varcoe

Frequently asked about UK government cybersecurity

Schedule a confidential consultation