CCS G-Cloud 14 is the UK Government's fourteenth iteration of its digital marketplace for procuring cloud-based services from vetted suppliers. Managed by Crown Commercial Service, it allows public sector organisations to buy cloud technology and security services without a full tender process, reducing procurement timelines from months to days.
Precursor Security has been accepted onto CCS G-Cloud 14, giving UK public sector organisations a direct, compliant route to procure CREST-accredited cybersecurity services - including penetration testing, managed SOC, and incident response - without a full tender process.
What Is the CCS G-Cloud 14 Framework?
Crown Commercial Service (CCS) is an Executive Agency of the Cabinet Office responsible for helping the public sector achieve commercial value when procuring common goods and services. G-Cloud is one of its flagship frameworks: a digital marketplace designed specifically for public sector organisations to procure cloud-based solutions from pre-vetted suppliers.
G-Cloud 14 (framework reference RM1557.14) went live on 29 October 2024 and runs until 28 October 2026. G-Cloud 14 includes 4,000+ approved suppliers offering 46,000+ services across three primary lots:
- Lot 1: Cloud Hosting - Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
- Lot 2: Cloud Software - Software as a Service (SaaS) applications
- Lot 3: Cloud Support - services supporting the implementation, migration, management, and operation of cloud services, including cybersecurity
A fourth lot exists for further competition on larger or more complex cloud support requirements.
All G-Cloud 14 suppliers must hold Cyber Essentials certification - a mandatory requirement maintained across every iteration of the framework since G-Cloud 9. Cyber Essentials is a government-backed scheme developed by the NCSC (National Cyber Security Centre) that sets baseline security controls against the most common cyber threats. The NCSC also publishes 14 Cloud Security Principles against which cloud services on G-Cloud are assessed - a framework that ensures buyers can evaluate suppliers against a common security baseline rather than conducting their own technical due diligence from scratch.
Eligible buyers span the full breadth of the UK public sector: central government, local authorities, the NHS, education, charities, blue light services, devolved administrations, and British overseas territories.
Why G-Cloud 14 Matters for UK Public Sector Procurement
Public sector organisations must balance the need for advanced cyber defences against constrained budgets and procurement rules that were designed for physical infrastructure, not rapidly evolving cloud security services. Running a full open tender - now conducted through the Cabinet Office's Find a Tender Service (FTS), which replaced the OJEU process for UK procurement after January 2021 - can take 6-18 months from scope definition to contract award for complex ICT and security procurements. G-Cloud compresses that to days.
The NCSC's 2024 Annual Review reported 430 incidents managed in the year - up from 371 the prior year - with 89 classified as nationally significant. Government bodies, local authorities, and NHS organisations were among the most frequently targeted, with ransomware identified as the most significant ongoing threat to UK public sector networks. Faster procurement enables quicker security response: the faster a public sector body can contract a qualified cybersecurity provider, the shorter the window an attacker has to operate undetected.
The table below compares G-Cloud 14 with a traditional full open tender:
| Procurement Factor | G-Cloud 14 | Traditional Open Tender (FTS) |
|---|---|---|
| Typical timeline | Days to weeks | 6-18 months |
| Cost burden on buyer | Low - no tender documentation required | High - legal, advertising, and evaluation costs |
| Supplier vetting | Pre-vetted by CCS; Cyber Essentials mandatory | Buyer-managed due diligence |
| Contract value ceiling | No ceiling (call-off contracts) | No ceiling |
| Best suited for | Cloud technology and services | Large bespoke infrastructure contracts |
Call-off contracts under G-Cloud 14 can run for an initial term of up to 36 months, with a single extension of up to 12 months - giving public sector buyers a stable, long-term supplier relationship without the overhead of repeat tendering.
How to Access Precursor Security via G-Cloud 14
Public sector buyers can access Precursor Security through the Crown Commercial Service supplier search portal. The original Digital Marketplace at digitalmarketplace.service.gov.uk now redirects buyers to the Public Procurement Gateway / Contract Award Service, which is the current interface for raising G-Cloud call-off contracts.
The buying process for Lots 1-3 follows a direct award route - no further competition is required once a buyer has completed the CCS buyer guide process. In practice, this means:
- Log in to the Contract Award Service via the Public Procurement Gateway
- Search for Precursor Security under Lot 3: Cloud Support, category Security services
- Review the service description, pricing, and compliance documentation for Service ID 310256975152882
- Raise a call-off order - no VEAT notice or standstill period required for standard Lot 3 call-offs
- Contract awarded; engagement begins
Precursor's service description on the Digital Marketplace contains our full compliance documentation, security certifications, and support SLAs. Buyers can download these directly before raising a call-off order, or contact us to discuss requirements in advance.
Precursor's Cybersecurity Services on the Digital Marketplace
Precursor Security is listed on G-Cloud 14 under Lot 3: Cloud Support with a primary service offering of "Security Operations Centre for Cloud Services" - a managed SOC and MDR service designed for organisations running cloud-first or hybrid environments.
Our G-Cloud 14 listing is backed by the following accreditations and certifications, all confirmed on our Digital Marketplace service record:
- CREST - CREST accreditation for security testing. While CREST certification is not a mandatory G-Cloud eligibility requirement, the NCSC's penetration testing guidance recommends that public sector buyers use CREST-accredited (or equivalent CHECK scheme) providers for penetration testing engagements - making this accreditation a substantive differentiator for public sector clients.
- Cyber Essentials Plus - Precursor holds both Cyber Essentials and Cyber Essentials Plus, exceeding the mandatory baseline required of G-Cloud suppliers.
- ISO/IEC 27001 - information security management system certification, accredited by Approachable Certification (since 15 March 2022).
- Staff security clearance - conforming to BS7858:2019; personnel cleared up to Security Clearance (SC) level for sensitive government engagements.
Services available via Lot 3
Public sector organisations can procure the following through our G-Cloud 14 listing:
- Managed SOC / MDR - 24/7 monitoring, threat detection, and response with dedicated analyst coverage and defined response SLAs (P1 Critical: 15-minute response; P2 High: 30 minutes; P3 Medium: 60 minutes)
- Penetration Testing - CREST-accredited offensive security assessments across web applications, infrastructure, and cloud environments
- Incident Response - structured response capability for active security incidents, including forensic investigation and post-incident remediation
- M365 Monitoring and Attack Surface Management - cloud-native security monitoring and continuous exposure management
- Threat Intelligence - tactical and strategic threat intelligence integrated into detection and response workflows
Anonymised case study - UK public sector, G-Cloud 14 Lot 3
A UK local authority engaged Precursor Security via G-Cloud 14 (Lot 3: Cloud Support) to provide managed SOC coverage following a significant increase in phishing and credential-theft attempts targeting its Microsoft 365 environment. Within the first 30 days of deployment, Precursor's analysts identified 14 critical alerts indicative of active account compromise - incidents that had bypassed the authority's existing email security tooling. All 14 were contained and remediated within SLA. At the 90-day review, the authority's mean time to detect (MTTD) for credential-based intrusion attempts had reduced from an estimated 72 hours to under 30 minutes. The authority subsequently passed its Cyber Essentials Plus audit, with the SOC engagement cited as evidence of continuous monitoring controls. *(Client name withheld at client request.)*
Public sector organisations looking to procure cybersecurity services through G-Cloud 14 can find Precursor Security on the Crown Commercial Service Digital Marketplace. Search for Precursor Security under Lot 3: Cloud Support, or go directly to our service listing (ID 310256975152882) to access our service description, pricing, and compliance documentation. Contact us directly to discuss your requirements before raising a call-off order.
About Crown Commercial Service: Crown Commercial Service (CCS) is an Executive Agency of the Cabinet Office, supporting the public sector to achieve maximum commercial value when procuring common goods and services.
Frequently Asked Questions
What is CCS G-Cloud 14?
CCS G-Cloud 14 is the fourteenth iteration of the UK Government's digital procurement framework for cloud-based services, managed by Crown Commercial Service. It allows public sector organisations - including central government, NHS, local authorities, and education bodies - to procure cloud technology and security services from pre-vetted suppliers without running a full open tender. The framework (reference RM1557.14) went live on 29 October 2024 and runs until 28 October 2026.
How does G-Cloud 14 differ from a traditional procurement process?
A traditional full open tender via the Find a Tender Service (FTS) - which replaced the OJEU process for UK public procurement after January 2021 - typically takes 6-18 months from scope to contract award for complex ICT and security procurements. G-Cloud 14 allows buyers to issue a call-off contract directly to a pre-vetted supplier within days, with no tender documentation, no standstill period required for standard call-offs, and no ceiling on contract value.
Is CREST accreditation required for G-Cloud suppliers?
CREST accreditation is not a mandatory G-Cloud 14 eligibility requirement set by CCS. However, the NCSC's penetration testing guidance recommends that public sector buyers use CREST-accredited (or equivalent CHECK scheme) providers for security testing engagements. Precursor Security holds CREST accreditation, alongside Cyber Essentials Plus and ISO 27001 - all confirmed on our Digital Marketplace listing.
How do I find Precursor Security on the G-Cloud 14 Digital Marketplace?
Precursor Security is listed under Lot 3: Cloud Support (Service ID 310256975152882) on the Crown Commercial Service Digital Marketplace. Buyers access G-Cloud 14 via the Public Procurement Gateway / Contract Award Service at identify.crowncommercial.gov.uk. Search for "Precursor Security" and filter by Lot 3 and the Security services category, or use the direct service listing link.
What cyber threats are UK public sector organisations most exposed to?
According to the NCSC's 2024 Annual Review, the NCSC managed 430 incidents in the year - up from 371 the prior year - with government, local authorities, and NHS organisations among the most frequently targeted sectors. Ransomware remains the most significant threat to UK public sector networks, alongside credential-theft campaigns targeting cloud environments such as Microsoft 365. Managed SOC and MDR services, procured via G-Cloud without a lengthy tender process, are the most operationally agile response to this threat profile.