A new framework is being piloted across government that aims to embed cybersecurity into the delivery of digital services from the very start.
Secure by Design is a set of principles and best practices relating to cybersecurity, primarily aimed at the project teams delivering digital services, to be implemented during every phase of the digital service lifecycle, from design and build through operation and decommissioning.
The approach, which has been in development since 2021, was created by the Central Digital and Data Office (CDDO), in close collaboration with the cross-government Secure by Design working group, and expert advice from NCSC. It was born out of the need for clarity on what Secure by Design means for government organisations.
Pilots are now underway with organisations including Cabinet Office, Defra, DWP, GDS, Home Office and MoJ, the CDDO stated in a blog announcing the strategy.
A draft of the Secure by Design approach will be available for feedback by summer, before being implemented nationally in autumn 2023.
Following this, the new framework will be mandatory for central government and arm's-length bodies, and the Cabinet Office will be reviewing organisations’ adherence to the approach.
The approach has already been included in both the Government Cyber Security Strategy and the Transforming for a Digital Future: 2022 to 2025 roadmap for digital and data.
Secure by Design is intended for use across government; however, it is by no means a one-size-fits-all solution. It is intended to be used as a framework of what good practice looks like, including tools and guidance that can be adapted depending on the structure, processes, governance, culture and resources of each organisation.
Secure by Design will work best as part of a “holistic approach” to improving an organisation's security, the CDDO stated, which involves building a culture where security is seen positively and is supported by employees in all roles and at all levels.
Secure by Design comes hot on the heels of a new cyber security scheme aimed at protecting the UK government’s IT functions from ever-growing threats.
Known as GovAssure, the new scheme will be run by the Cabinet Office’s Government Security Group (GSG), with input from the National Cyber Security Centre (NCSC). Under the new rules, all central government departments will have their cyber health reviewed annually through new, more robust criteria.
GovAssure was announced in April by the Chancellor of the Duchy of Lancaster, Oliver Dowden, who said: “Cyber threats are growing, which is why we are committed to overhauling our defences to better protect government from attacks. Today’s stepped up cyber assurance will strengthen government systems, which run vital services for the public, from attacks. It will also improve the country’s resilience; a key part of our recent Integrated Review Refresh.”
GovAssure introduces a number of changes in the way government protects itself from cyber threats. These include using NCSC’s Cyber Assessment Framework (CAF) to review the assurance measures all government departments have and using third parties to assess departments as a way to increase standardisation and validate results.