Define cyber security Suitably Qualified and Experienced Person (SQEP) requirements
Capabilities need to understand the required skill sets for their context and risk appetite. These skill sets may vary at different stages of the Concept, Assessment, Demonstration, Manufacture/Migration, In-service, Disposal/Termination (CADMID/T) cycle.
SQEP can help with:
- providing advice on security policy, risk management and technical solutions
- an understanding of information security and assurance within a government setting
- identifying, reporting, managing, escalating and addressing vulnerabilities
Following a SbD approach does not necessarily warrant the onboarding of Cyber SQEP. You will need to articulate your reasoning through identified risks that require mitigation or through CAAT Maturity Assessments.
In some cases, there will be an opportunity for capabilities to use SQEP expertise to consult on cyber security activities.
It remains the Senior Responsible Owner’s (SRO), or suitable equivalent, responsibility to assure the competence of all SQEP. Responsibility for resourcing implementation of cyber security and resilience is set out in JSP 440 Part 1, Section 2, Chapter 4 - Cyber Security, Para 18.
Further guidance and frameworks:
- JSP 90 Technical Governance and Assurance of Capability Part 1 and 2.
- the Government Digital and Data Profession Capability Framework shows the required skills for working in digital, data and technology roles in government.
- the Government Security Profession Career Framework details indicative training that could be considered for various SQEP roles.
- NCSC Certified Training is mapped to Knowledge Areas in the Cyber Security Body of Knowledge.
- Digital and Technology
- Digital and IT Professional Services (DIPS) Framework gives Defence access to a comprehensive set of Digital, ICT and Cyber capability and expertise via partners.
- Engineering Delivery Partner (EDP)
- Public Sector Resourcing (PSR)
Benefits
The benefits of defining SQEP requirements are:
- supports a case for funding required SQEP through-life
- allows the SRO to engage and resource the appropriate level of SQEP
- lets the SRO consider whether the delivery of their capability is feasible through-life
- allows simplified decision making through scrutiny boards
- gives the SRO confidence that their capability will be/is secure
Outcomes
You will have the defined SQEP requirements for the capability.
Responsibility
Senior Responsible Owner (SRO) or suitable equivalent is responsible.
When to define security SQEP requirements
You should define your requirements:
- at pre-concept, concept and assessment stages
- prior to investment approvals
- through-life based on capability requirements