Here at Ascentor we get many companies asking us how they can become a List X company. The answer is always the same – it is not something that you can just do; you must have a contract, usually with the MOD, that requires you to hold sensitive government assets on your own premises. However, there are a few things you can do to prepare if you think a contract may be forthcoming.
This blog aims to give you a few hints and tips about some pragmatic steps you can take to get you up and running as a List X company much quicker.
Before reading further, you should note that government Departments and Agencies must not give preference to existing List X contractors over non-List X companies. Investing in List X security requirements before a contract is awarded is entirely at your own risk.
Tip 1 – Understand why you need List X
As stated above, the only way you can be a List X company is if you have a requirement to store, on your own premises, government assets classified as SECRET or above or, international partners’ e.g. NATO , information at CONFIDENTIAL or above.
If it is a UK contract, the requirement will be stated in a contract from the UK government Contracting Authority and will be accompanied by a Security Aspects Letter (SAL) that details the types of information and its associated sensitivity that you will need to hold.
If it is a foreign contract, then the requirement may just be in the contract security requirements. Remember that the Contracting Authority is responsible for gaining appropriate assurance in your suitability to hold classified assets, e.g. SECRET and above for UK.
Tip 2 – Meet the basic company requirements
List X companies are required to maintain a minimum of 50% British nationals on the Board of Directors ( See Industrial Security – Departmental responsibilities ). In addition, the following positions must be in place before List X can be awarded:
- Board Contact : The Board Contact must be a British national and is responsible for ensuring the security requirements of a List X company are maintained throughout the life of the contract.
- Security Controller : Must also be a British national and is responsible to the Board Contact for the day to day security management within the premises.
- Clearance Contact : Responsible for coordinating clearance arrangements of employees involved in the contract.
- IT Installation Security Officer : Responsible for the security aspects of any IT installations and networks that may handle SECRET information.
Depending on the type of contract, you may also need to appoint an ATOMIC Liaison Officer and/or a Crypto Custodian. Full details for the different roles and responsibilities are available from the Security Requirements for List X Contractors .
Being able to demonstrate that your company has had these positions in place for some time and they are supported by written processes and procedures will provide confidence to the List X inspectors that an appropriate security governance framework is already in place.
Tip 3 – Assess your information risks and develop a security improvement plan
Being a List X company does not just mean applying good security practices to a single area of your business; it means having those practices embedded in your everyday working for the whole company. It is about maintaining good risk management around physical, personnel, procedural and technical security. The more mature your holistic company security practices are, the more likely that List X security requirements will be simple tweaks or easily applied enhancements.
Follow a recognised standard that is likely to be known by the List X assessors such as ISO/IEC 27001:2013. If that isn’t already on the horizon, try putting together a security plan to identify areas for improvement. You may like to consider the Centre for the Protection of National Infrastructure ‘s (CPNI) guidance for the protection of critical assets against security threats. Conducting such a plan will not only improve your company’s overall security exposure but also introduce measures that will be required as part of the List X process.
Tip 4 – Define the physical space to be used
Having a clear understanding of where you intend to create the List X physical space will help you get the security requirements in place before the contract is awarded. When assessing the most appropriate space you should consider the following:
- Boundary controls such as CCTV, approved doors, windows, locks etc. CPNI provides advice and guidance about the types of physical security barriers that are required.
- The alarm system will need to be from a reputable company, preferably NSI approved with an adequate response time (normally within 20 minutes). This is usually achieved by having the alarm monitored by a 24-hour service provider which alerts a nominated key-holder and the local police.
- Depending on the types of sensitive asset held, there may be a requirement for security furniture such as secure server racks, document safes, shredders etc.
Tip 5 – Prepare the IT system
Depending on your level of confidence in winning a List X contract, you may like to prepare the IT system that is likely to be used in the contract. If you are likely to be required to produce written reports at SECRET, you will need to set up an appropriate IT system. Whatever, solution you design it will need to be accredited by Defence Assurance and Information Security: defence industry/List X .
Once you have a List X contract, you will be required to register the IT system you intend to use on the Defence Assurance Risk Tool (DART) which is only available from an RLI terminal. This is a bit of a catch 22 situation as you are unlikely to have an RLI terminal without already being List X. However, a softcopy registration form and additional annexes, is available for download. Reviewing this form gives you an idea of the information that will be required to achieve accreditation.
Assessing the accreditation requirements of the IT system before achieving List X will give you a head start on the accreditation process and allow you to get up and running much more quickly.
WARNING : DART registration forms are OFFICIAL – SENSITIVE when completed and must not be sent over the Internet. Adequate protection should also be provided to forms completed in soft copy.
If your contract is with the MOD, your corporate IT system will also need to comply with Cyber Security Model requirements. See the Ascentor blog on the subject.
We hope you find the above tips useful in your endeavours to become a List X company. Our overall opinion is that achieving List X should not be a major challenge as the security requirements these days are equally applicable to any business working with sensitive information in the cyber marketplace.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter .
Should you wish to gain further security advice on List X or just generally improving your company’s cyber security maturity, please contact Dave James, MD at Ascentor.
Email: [email protected]
Office: 01452 881712
Other articles you might like