Government Cyber Security Policy: Cyber Incident Exercising
This policy supports Lead Government Departments (LGDs), their arm’s length bodies (ALBs) and other public organisations in their remit by providing clearer direction on cyber incident exercising.
1.1 Lead Government Departments (LGDs), their arm’s length bodies (ALBs) and other public organisations in their remit shall exercise their cyber incident response plan (CIRP) at least annually.
1.2 LGDs, ALBs and other public organisations should engage in more regular exercise activity when there are changes to their environment, particularly where this relates to critical systems. This includes when:
- there are changes to the threat landscape
- there is substantial organisational change, such as the introduction of a new system
- there are changes in working practices or policies
This is not an exhaustive list.
2.1 Cyber incident exercising (CIE) provides a controlled, scenario-based opportunity for organisations to practise, evaluate and improve their CIRPs and performance. This helps organisations to establish how resilient they are to cyber attack, and to practise their response in a safe environment.
2.2 As per the Cyber Assessment Framework (CAF), organisations need to create and maintain a CIRP that is scalable, socialised, based on a thorough risk assessment of critical systems, and covers a range of incident scenarios. Organisations need to establish a CIRP before carrying out any exercising activity.
It is acknowledged that an organisation’s CIRP might be part of a broader security incident response or business continuity plan.
2.3 Exercising helps to create a culture of continuous learning within an organisation, providing an opportunity for teams and decision-makers, including non-security professionals, to maximise their effectiveness during an incident.
2.4 This policy will build on what is in the CAF to provide clearer direction and support for organisations on CIE. This will ensure that government is conducting effective, regular CIE to help boost cyber resilience and ensure organisations are prepared to effectively respond to cyber incidents, when they occur.
3.1 This policy is intended for:
- senior leaders, functional leads and accounting officers responsible for communicating, implementing and assuring security functional standards to all organisations and bodies in their remit
- boards and executive committees responsible for ensuring that risks to delivering an organisation’s strategy are identified, evaluated, and mitigated in line with risk appetite
- security advisors responsible for the overall security of an organisation
- cyber security professionals responsible for advising technical teams on the secure management of IT assets, including data and infrastructure
- those with overall accountability for exercising the CIRP and/or any other response plans associated with cyber
4.1 The policy applies to LGDs and the ALBs and other public sector organisations within their remit.
4.2 Exercising activity should be broad, exploratory and designed to practise an organisation’s response to an incident. Whilst scenarios might focus on a specific system or service, the exercise should be testing the response to an incident, rather than the resilience of a particular system or service.
5.1 This policy is designed to address poor response and recovery practices in organisations, which pose the following risks:
- Poor understanding of organisational cyber resilience levels
- Further compromise leading to loss of data, service and data integrity
This policy contains both mandatory and advisory elements, using the same language as the Functional Standard ‘GovS 007: Security’:
- “shall” means a requirement: a mandatory element
- “should” means a recommendation: an advisory element
LGDs, ALBs and wider public organisations shall:
6.1 Exercise their CIRP at least annually.
6.2 Ensure exercise scenarios are documented and test all parts of the response cycle. This can be done over multiple exercises to ensure each part of the response cycle is sufficiently exercised.
6.3 Ensure all relevant cyber incident roles and responsibilities are represented as part of the exercising programme. This includes, but is not limited to, senior decision-makers (including board members), technical experts, and non-cyber security teams such as those responsible for business continuity.
6.4 Ensure exercise scenarios effectively test the organisation’s response to realistic cyber incidents, and integrate learnings from previous incidents, cyber threat intelligence, and risk assessments.
6.5 Ensure lessons identified and recommendations are documented, shared with appropriate senior leaders and actioned to further refine the CIRP.
LGDs, ALBs and wider public organisations should:
6.6 Engage in more regular exercise activity when there are changes to their environment, particularly where this relates to critical systems. This includes when an organisation is experiencing changes to their threat landscape or through substantial organisational change.
6.7 Identify where they share data, systems or connectivity with other government departments, third party suppliers and other organisational partners and engage with these partners where appropriate, as part of their exercising activity. Cross-organisational exercises within sectors are strongly encouraged.
6.8 Share lessons identified with the Government Cyber Coordination Centre (GC3) where appropriate to help support broader incident management and CIE improvements across government.
7.1 LGDs are responsible for ensuring their ALBs and other public sector organisations in their remit are compliant with the requirements of this policy.
7.2 Organisations shall ensure a threat-driven, risk-based approach to implementation, proportionate to the prevailing level of cyber risk, within practicable timescales, and in line with their organisation’s business objectives and priorities. This means that organisations have the flexibility to decide how to meet the requirements of this policy in practice.
7.3 Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed and the appropriate risk mitigations put in place in line with the organisation’s risk tolerance.
7.4 Organisations should have a plan in place to work towards future compliance with this policy, in a way that meets their business objectives and priorities and to ensure continuous improvement over time.
7.5 Organisations should identify the exercise objectives, resource required, and availability of key teams and individuals before determining the format. Formats include workshops, tabletops, or live play exercises. These can be held at varying levels of decision making, often defined as board or strategic level (gold), managerial or tactical level (silver) and operational level (bronze).
8.1 This policy is supported by and relates to:
- Functional Standard GovS 007: Security which sets expectations for what security activities organisations must carry out and why in order to protect government assets
- The Cyber Standard which sets out how this should be done in relation to cyber security, specifying the particular procedures organisations must follow and the performance criteria to be met
- The Government Cyber Security Strategy which outlines a vision and aims to ensure that core government functions are resilient to cyber attack
- The Cyber Assessment Framework which outlines ways in which departments should demonstrate an appropriate level of cyber resilience in relation to cyber exercising. Principle D1 ‘Response and recovery planning’ captures D1.a ‘Response Plan’ and D1.c ‘Testing and Exercising’.
- NCSC guidance for creation of exercises, a toolkit for boards, exercise in a box, the cyber incident exercising assurance scheme, developing a CIRP, and planning your cyber incident response processes
- NCSC training on cyber exercising which includes ‘Cyber Exercising 101’ and ‘The Cyber Exercise Development Model’ for those with more exercising experience. Interested parties should contact exercising@ncsc.gov.uk.
- NCSC Annual Review 2024 for understanding the cyber threat
- UK Resilience Directorate Best Practice Exercising guidance which provides a practical guide for individuals and teams who plan, prepare and deliver exercises
- The Government Cyber Coordination Centre (GC3) which coordinates the government response to cross-cutting and critical cyber threats, vulnerabilities and incidents, and enables operational cyber teams across Government to defend as one
- The Cyber Government Security Centre’s Purple Team which combines the traditional Red Team (offensive) and Blue Team (defensive) exercises, to aid organisations to fully understand how prepared they are to respond to various attack scenarios
- Cross-government exercising forums include the Resilience Directorate’s Training and Exercising Advisory Board (TEAB) and the NCSC’s Cross Government Cyber Exercising Cadre. Interested parties should contact ukra@cabinetoffice.gov.uk for the former and exercising@ncsc.gov.uk for the latter
9.1 The controls described in this policy will help government organisations demonstrate that they have met the required security outcomes in the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), including but not limited to:
- A1 – Governance
- A2 – Risk Management Process
- B5 – Resilient Networks and Systems
- B6 – Staff Awareness and Training
- D1 – Response and Recovery Planning
9.2 The mandatory elements of this policy are aligned with or exceed the Baseline Government CAF profile. Those that exceed the requirements of the profile do so because they are essential to achieving the policy’s core aims.
9.3 Further guidance for government organisations on meeting the required security outcomes of the CAF is in the Government Cyber Security Policy Handbook.