Government Secure by Design Framework
The Central Digital and Data Office, in close collaboration with the cross-government Secure by Design working group and with expert advice from NCSC, is developing a common Secure by Design framework and principles for government. This work is part of the Government Cyber Security Strategy (outcome 9) and Transforming for a digital future: 2022 to 2025 roadmap for digital and data (commitment 11).
The overarching aim of Secure by Design is to help organisations adopt a common approach for securing digital services that ensures:
- appropriate and proportionate cyber security measures are embedded within the delivery of digital services from the start
- risks are effectively managed at the right level and on an ongoing basis
- security posture is continually assured throughout the digital life cycle
We welcome feedback on the 10 Secure by Design Principles, which are currently in ALPHA and open for consultation.
You can email questions and comments to secure-by-design[at]digital.cabinet-office.gov.uk.
User needs
The Secure by Design framework aims to solve the following problems experienced by the digital and security communities across government:
- Senior leadership often do not understand cyber security as a unified part of managing delivery risk (they think it’s a technical problem for later) and therefore do not sponsor cyber security risk management and assurance.
- The application of continuous cyber security risk management is currently not seamlessly integrated into project delivery methodologies.
- Security assurance is typically seen as a “necessary evil”, does not keep up with changing context, is often a tick-box exercise and does not produce the right visibility of cyber issues to help leadership prioritise wider technology and security spend.
- Risk management and assurance documents are often cumbersome and do not demonstrate meaningful measures of effective security risk management.
- There is a lack of a consistent approach with regard to security design for technical architectures commonly used across government. This lack of consistency erodes the trust between public sector organisations, prevents easy data sharing and development of joint services, and increases the time and cost of delivery.
Goals and outcomes of the framework
The principles are part of the Secure by Design framework which aims to provide practical guidance, tools and artefacts that:
- help senior management to competently own their business cyber risk and provide a “code of conduct” for business risk owners
- integrate security risk management activities as a dynamic and continuous process within digital service delivery
- re-position security assurance as a proportionate, streamlined and continuous process within digital service delivery so that delivery teams promptly receive assurance requirements that are in line with government’s cyber security assurance
- help architects design digital services using a consistent baseline for technical architectures commonly used across government
A clear and easy-to-follow framework will help organisations make sure that:
- cyber security is a core requirement for all government organisations
- organisations have a reduced risk of reputational damage and other financial and operational impacts that can result from an attack
- cyber security risks are treated as a business risk, even though attacks take place through digital channels
- security controls are baked into the service right from the start and in line with the organisation's risk appetite
- digital and security specialists work collaboratively using the same design books
- digital services are built faster and on the same security specifications
- non-security SMEs are upskilled by sharing comprehensive cyber security guidance based on their needs
- cyber security risk management and assurance effectively contribute to improving the cyber resilience of government as a whole