Vulnerability Monitoring Service Authorisation Policy
All central government departments and their arm’s length bodies shall authorise the GDS Vulnerability Monitoring Service (VMS) to monitor all their internet-facing domains and assets for vulnerabilities.
1.1 All central government departments and their arm’s length bodies shall:
- authorise the Government Digital Service (GDS) Vulnerability Monitoring Service (VMS) to monitor all their internet-facing domains and assets for vulnerabilities
- provide relevant information requested by the VMS team to enable monitoring for vulnerabilities
2.1 Continuous monitoring of internet-facing assets is essential to identify vulnerabilities, misconfigurations, and weak controls before they can be exploited. Authorising VMS ensures that departments benefit from centrally funded monitoring. This can reduce cost and duplication whilst delivering actionable intelligence that supports faster remediation.
2.2 This policy describes the technical and procedural controls that affected organisations must use to implement it.
2.3 Following these controls will help secure:
- internet-facing hosts – by identifying insecure configurations or outdated versions
- digital services – by detecting exposed services and protocols vulnerable to exploitation
- domains & DNS – by flagging misconfigurations, weak records and takeover risks
- infrastructure – by providing visibility of assets that may otherwise be overlooked
3.1 This policy is intended for:
- CISOs and domain admins responsible for authorising VMS
- security advisers responsible for the overall security of an organisation
- cyber security professionals responsible for advising technical teams on the secure management of IT assets and infrastructure
- technical delivery teams responsible for managing IT assets and infrastructure
- IT security teams and Security Operations Centre (SOC) teams responsible for integrating VMS data into Security Information and Event Management (SIEM) tooling and workflows
- security and cyber teams responsible for addressing identified vulnerabilities and applying remediation guidance
4.1 This policy applies to Lead Government Departments (LGDs) and the arm’s length bodies (ALBs) and other public sector organisations within their remit.
4.2 This policy applies to all LGD and ALB internet-facing assets (web, email, domains, and other digital services).
5.1 Confidentiality
Vulnerability monitoring identifies unpatched systems, misconfigurations, and exposed services that attackers could exploit to gain unauthorised access to sensitive data, credentials, or confidential business information.
5.2 Integrity
Vulnerability monitoring detects weaknesses that could allow attackers to modify data, inject malicious code, deface websites, or compromise the trustworthiness of your systems and content.
5.3 Availability
Vulnerability monitoring alerts users to flaws so they can be remediated before exploitation leads to service disruptions, DDoS attacks, ransomware infections, or system crashes that take critical business services offline.
This policy contains both mandatory and advisory elements, using the same language as Functional Standard GovS 007: Security:
- “Shall” means a requirement: a mandatory element
- “Should” means a recommendation: an advisory element
6.1 All government organisations and their Arm’s Length Bodies (ALBs) shall:
- authorise the GDS Vulnerability Monitoring Service (VMS) to monitor all their internet-facing domains and assets for vulnerabilities
- provide relevant information requested by the VMS team to enable monitoring for vulnerabilities
Lead Government Departments (LGDs), ALBs and wider public organisations should:
- ensure integration of VMS data into existing vulnerability management processes
- designate a point of contact to receive, review, and action VMS findings
- extend this policy requirement into the public sector organisations in their purview
7.1 LGDs are responsible for ensuring their ALBs and other public sector organisations in their remit are compliant with the requirements of this policy.
7.2 Organisations shall ensure a threat-driven, risk-based approach to implementation, proportionate to the prevailing level of cyber risk, within practicable timescales, and in line with their organisation’s business objectives and priorities. This means that organisations have the flexibility to decide how to meet the requirements of this policy in practice.
7.3 Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed and the appropriate risk mitigations put in place in line with the organisation’s risk tolerance. GDS shall be informed of the decision to opt out of this policy requirement.
7.4 Organisations should have a plan in place to work towards future compliance with this policy, in a way that meets their business objectives and priorities and to ensure continuous improvement over time.
8.1 This policy is supported by and relates to:
- Functional Standard GovS 007: Security, which sets expectations for what security activities organisations must carry out and why, in order to protect government assets
- The Cyber Standard, which sets out how this should be done in relation to cyber security, specifying the particular procedures organisations must follow and the performance criteria to be met
- Other applicable cross-government policies published in the Government Cyber Security Policy Handbook; for example, the Cabinet Office policy on the use of non-corporate communication channels (NCCCs) for government business
8.2 Further information can be found at the Vulnerability Monitoring Service homepage.
9.1 The controls described in this policy will help government organisations demonstrate that they have met the required security outcomes in the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), including but not limited to:
- A2.a Risk Management Process
- A3.a Asset Management
- B4.b Secure Configuration
- B4.d Vulnerability Management
9.2 The mandatory elements of this policy are aligned with or exceed the Baseline Government CAF profile. Any elements that exceed the profile requirements do so because they are essential to achieving the policy’s core aims.
9.3 Further guidance for government organisations on meeting the required security outcomes of the CAF is provided in the Government Cyber Security Policy Handbook.