Clarifications
There are 139 clarifications for this DPS
155. We are entering details for a non-UK subcontractor (Georgia). The system requires a valid UK postcode format and UK-style company registration number format. Please confirm how foreign subcontractor registration details should be entered in these fields where validation prevents submission.
If you are not based in the UK, you can use the Royal Mail postcode EC1A 1AA as a generic postcode and the 8 digit number "00000000" as a dummy number for the UK Companies House Registration number if required.
Answered
02/03/2026 14:59
154. Hi, We are undertaking an application and would like some clarity on how the vendor / reseller relationship is viewed. -Should our vendors be classed as subcontractors - when indicating what NCSC Assured services we can provide, if a vendor who we would resell on the DPS is assured are we able to select that option? Many thanks
Please refer to DPS Joint Schedule 1- Definitions for the subcontractor and subcontract definitions. Regarding NCSC Assured services, they must always be delivered by the prime supplier listed on the DPS and cannot be subcontracted. Your organisation can only select NCSC Assured services if you have the required assurance.
Answered
20/02/2026 13:39
153. We are applying to RM3764iii for Data Destruction / Data Sanitisation services only, under the Non-assured NCSC route. The RM3764iii DPS Needs document confirms that Cyber Essentials (basic) is the mandatory minimum requirement, and that Cyber Essentials Plus and other standards are optional buyer-applied filters. The Buyer Needs document further states that suppliers must only select accreditations and standards that they can genuinely provide, and warns against selecting filters in error. We hold Cyber Essentials (basic) only and do not hold any of the standards listed in Question 82. However, the SRS platform requires at least one selection. Please confirm how CCS would like us to proceed?
Duplicate of previous clarification, responded directly
Answered
17/12/2025 11:10
152. We are applying to join the DPS under Non-assured NCSC Services for Data Destruction. We hold Cyber Essentials (basic) certification and meet all other mandatory requirements. However, Question 82 (Standards) is returning an error stating "You must select an answer", yet we do not currently hold any of the listed standards (Cyber Essentials Plus, CREST, ISO 27001, security clearances, etc.). Previous clarifications confirm these are not mandatory to join the DPS. Please advise how we can proceed with our application when Q82 requires a selection but none of the options apply to our organisation.
Responded to clarification directly
Answered
17/12/2025 11:09
151. Hi In relation to DPSQ Q65, bidders are asked to select if their organisation can provide NCSC Assured Services or Non-Assured NCSC Services. Can you confirm if a bidder can apply for the NCSC Assured Services if a partner/vendor/named key-subcontractor can provide the NCSC Assured Services, or does it need to be the prime bidder that is listed as NCSC Assured?
It is the prime supplier/ bidder that must be assured for any NCSC Assured service/ scheme
Answered
06/11/2025 10:00
150. Thank you for your answer to clarification 149 but we are a supplier and the question refers to applying to join the DPS?
Responded to the supplier directly
Answered
06/11/2025 10:01
149. With regards to the requirement that the Supplier shall ensure that staff has security clearance to a minimum level: Baseline Personnel Security standard , does this apply to the whole company or only to the staff directly supplying the particular service? If it applies to the whole company, is an equivalent level of screening that meets the same standards acceptable for those staff not involved in supplying the service?
This can vary from supplier to supplier. A supplier can have individuals in their company that are SC or DV cleared so are able to select this filter. It is worth putting this into a Capability Assessment and writing it explicitly into your Statement of Requirements that your requirement requires the staff working directly on the service to be security cleared to the level required.
Similarly, if you have explicit needs for sharing information above official sensitive (e.g. secret or top secret) then it is worth considering using a Non Disclosure Agreement as part of the requirement.
Answered
13/10/2025 14:03
148. How do we go about updating our company details due to an acquisition?
Firstly please notify CCS by emailing info@crowncommercial.gov.uk
Answered
06/11/2025 10:03
144. Good morning. Please can you confirm the Insurance Requirements for Cyber Security Services 3 RM3764iii. Within the document "READ FIRST RM3764iii Cyber Services DPS Needs v2.0" provided in the Bid Pack at Section 4.8 it states that we will fail if we: oDo not confirm that you have Employer's (Compulsory) Liability Insurance of £5,000,000.00 minimum; or in the event that your organisation is exempt, failure to provide a copy of your proof of exemption; oDo not confirm that you have Public Liability Insurance of £5,000,000.00 minimum; oDo not confirm that you have Professional Indemnity Insurance of £1,000,000.00 minimum; However, within "Attachment 6 - SQ and DPSQ" at Page 168 it states that "Public Liability Insurance = £1m or more" Please advise the correct level that applies. Kind Regards
Please refer to DPS Joint Schedule 3 - Insurance Requirements. The level of cover required for Public Liability Insurance is a minimum of 5 million pounds.
Answered
14/02/2025 14:46
143. We are already on the DPS, however, we understand the DPS has been extended to 2027. Do we need to apply again?
No - All current appointed suppliers will continue on the agreement until either the DPS closes or the supplier wishes to remove themselves. The extension does not require any action from yourselves.
Answered
05/02/2025 08:48
142. We are keen to join the framework; however, as a business, we currently have individuals with professional cybersecurity qualifications but lack the business-level certifications referenced in Q162 and Q163 of the SQ. We understand that the CESG certifications listed are no longer active or issued and have been replaced by modern schemes under the NCSC and the UK Cyber Security Council. Upon further investigation, we identified the relevant NCSC equivalent, but this pathway is now closed to new applications. Additionally, it appears that the UK Cyber Security Council currently focuses on individual certifications, particularly through the introduction of Chartership Titles for cybersecurity professionals, with no formal framework for business-level certifications at this time. Given this, we are seeking clarification on how best to address these questions and what steps we can take to gain recognition or "assured status" to move forward.
Questions 162 and 163 are not mandatory questions for joining the DPS. The CESG certifications are set within the Selection Questionnaire and pre-date the agreement - these have now been replaced by the NCSC assured services which your company would need to join via NCSC. We would encourage you to get in touch with NCSC as to whether applications will be open for these pathways in the near future. Similarly, the UK Cyber Security Councils professional titles have recently been released on the agreement which are aimed at individuals with the cyber industry. Again, these are not mandatory in order to join the DPS.
You can join and update your service offerings at such a time as you have certifications, NCSC assured services or staff with UKCSC professional titles.
Answered
21/01/2025 14:03
141. How can a supplier who is on the framework issue their revised annually indexed rates.
As this agreement is a Dynamic Purchasing System (DPS), suppliers do not submit pricing or rate cards as part of their selection questionnaire. Pricing is determined at the further competition stage.
Answered
14/01/2025 16:00
140. Hello, we are looking into joining this, however we would likely join as a single entity with a Key Subcontractor. Our likely Key Subcontractor is currently already registered on this DPS as a single entity. I note from another CCS framework process that this is permitted - I just wanted to check that this is the same for the DPS RM3764.3? Kind Regards MIAA
Yes, this is permitted on the RM3764.3 Cyber DPS.
Answered
22/11/2024 14:00
139. For question 6 of the Standard Selection Questionnaire, we aren't able to progress the application because we do not have a UK postcode. Please advise on what should be entered here.
If you contact support@nqc.com then they will be able to provide you with a dummy code for use within the field.
Answered
30/10/2024 10:33
138. Hi If a bidder submits the SQ and is successful in getting to the DPSQ stage, does the bidder have a timeframe/set window in which they have to complete and return the DPSQ before the application expires? Or does the application just remain open and valid indefinitely throughout the life of the DPS?
Once the SQ has been completed your application will move into a "Registered 1" Stage where it will remain open until the next DPSQ stage is completed. We do go through the applications which remain at Registered 1 for over a year to understand whether organisations still wish to progress their applications.
Answered
14/10/2024 09:21
137. Can you please confirm whether responding 'No' to Q 144 of the SQ (144. Please confirm if you will be supporting apprenticeships and skills development through this contract) will result in an application to the DPS being rejected?
We can confirm that answering 'No' to Q144 will not result in an application being rejected on the DPS.
Answered
22/08/2024 14:38
136. Please confirm it is acceptable to set Part 3 Certificate of Technical and Professional Ability 3.2.1. How Many Contract Examples? response to '0' following the instructions in 'READ FIRST RM3764iii Cyber Services DPS Needs v2.0(1).docx' - Selection Questionnaire - Not Applicable Questions 4.39/4.39?
Yes, Questions 133-135 (contract examples) are not required as part of your application and can be marked as No. This will then skip the evidence submission section outlined in Q.136.
Answered
09/04/2024 15:21
135. Hello, We are interested in completing an application for the Cyber Security Services 3 DPS framework and notice that there are currently 121 Clarifications for RM3764iii. Would it be possible to have an exported spreadsheet of these clarifications to allow us to review them with our appropriate teams more easily than on the portal? Kind regards WSP UK
Yes, if you scroll down to the bottom of the clarifications page then there is an export button which allows your to export all questions and answers in a spreadsheet format.
Answered
19/03/2024 14:57
134. As an IASME accredited certification body (Accreditation for Cyber Essentials and/Or Cyber Assurance assessments), would we fulfil the criteria for the "Certification" service type within the "Consultancy and Advice" category?
Yes, we can confirm that if you are an IASME accredited certification body you would fulfil the criteria for 'certification'
Answered
21/02/2024 13:51
133. Q79 of the DPS Non-assured NCSC Services - Standards lists multiple clearances that individuals within the organisation have held, and would be able to obtain, but are currently lapsed. Would we still be able to state that we can provide staff with Clearance: Security Check or Clearance: Developed Vetting.
If the clearance has lapsed this should not be selected within Q79, suppliers should only select what they can provide. The DPSQ can be updated at anytime to add any clearances once they have been obtained or renewed.
Answered
15/12/2023 13:19
