Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Policy
  2. Government Cyber Security Policy Handbook
  3. Principle: B3 Data Security

Principle: B3 Data Security

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of networks and information systems.

This means implementing protection measures for data that supports the operation of essential functions which are proportional to the risks associated with that data. The confidentiality, integrity and availability of data should be protected appropriately both during transit and at rest. Critical business information which could assist a threat actor in the planning and execution of an attack should be identified and appropriately protected.


The following requirements are placed on government departments:

  1. Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle. See GovAssure for more information.

  2. UK government has published a security policy framework for the offshoring of UK government data and digital services at OFFICIAL (currently available on request for departments). It requires departments to assess the adequacy of non-UK countries to receive their data and host their services based on risks that may arise from incompatible approaches to data protection. Offshoring of UK government data and services can take several forms: by physically hosting them in a non-UK country, by making them accessible to support staff from a non-UK country, or by a non-UK country exercising controlling ownership of a company where UK government data or services are hosted, even if this business is physically located in another country, including the UK. Contact for more information.

  3. For more information on government data classification, refer to the Government Security Classifications Policy.

  4. Departments shall implement policy on Securing Government Email including supporting at minimum Transport Layer Security Version 1.2 (TLS v1.2) or an updated TLS Version for sending and receiving email securely. This shall also be adopted across all digital services to protect data in transit. This requirement originated in the 2018 Minimum Cyber Security Standard and has been retained due to its criticality in the protection of government systems and data.

  5. To protect email systems and ensure the confidentiality and integrity of government data, departments shall have Domain-based Message Authentication Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records in place for their domains. This shall be accompanied by the use of Mail Transfer Agent Strict Transport Security (MTA-STS) and TLS Reporting (TLS-RPT). Spam and malware filtering controls shall also be implemented on inbound email.
    This requirement originated in the 2018 Minimum Cyber Security Standard and has been retained due to its criticality in the protection of government systems and data.


  1. Within UK government’s cloud guide to the public sector, its Offshoring and data residency section provides further resources which should be used to consider the risks and implications of processing and storing government data overseas.

  2. UK government’s Securing your information provides guidance on considering information security in the context of OFFICIAL government data. It will help you understand information risk, provide high-level risk assessment guidance as well as information on controls which may be used to mitigate or reduce identified risks.

  3. Data in transit may be at risk of attacks such as interception, traffic replay, manipulation or jamming. The NCSC’s safely importing data guidance will help you utilise system architecture and encrypted network protocols to ensure that data transfers do not compromise the confidentiality, availability or integrity of your system and its respective data. Additionally, see the NCSC’s cloud security guidance on protecting data in transit for information on using encryption, authentication and network protection controls for cloud services.

  4. Wherever data is stored, even temporarily, it may be vulnerable to unauthorised access, tampering or deletion. The NCSC’s data security guidance will encourage activities for identifying what data you have and applying appropriate controls to mitigate identified data risks throughout its lifecycle. Departments should take a risk based approach to protecting personal data in line with the Data Protection Act 2018 and General Data Protection Regulation (GDPR). The NCSC principles of protecting bulk personal data will provide several good practice outcomes for the identification and appropriate protection of this data. The NCSC’s data handling principles [currently available on request for departments] are also particularly relevant for departments that process sensitive personal data at OFFICIAL. Contact for more information.

  5. The NCSC cloud security principle 2 on asset protection and resilience walks through several key areas relating to protecting data in the cloud context. It will encourage you to consider the geography of where your organisation’s data is being held and the respective legal considerations associated with that location. It also promotes good practice through ensuring the security of data centres and implementing data encryption at rest.

  6. Mobile devices may be used by an organisation responsible for essential functions, or by a partner or third-party supplier, and may contain critical business data. See the NCSC Device Security Collection for security principles and platform-specific guidance.

  7. For organisations considering implementing a Bring Your Own Device (BYOD) policy, the NCSC’s BYOD guidance identifies the risks associated with BYOD devices, discusses how these may be minimised through programmatic controls and assists you in developing a comprehensive, well scoped and enforceable policy.

  8. The NCSC’s guidance on secure sanitisation will encourage you to consider when data sanitisation should take place, the risks involved and assist with developing a policy appropriate to your organisation’s IT assets and data. Procedural and platform-specific guidance on device erasure can also be found within the Erasing Devices section of the Device Security Guidance.

Enhanced profile guidance

  1. You should utilise companies certified by the NCSC’s Commodity Information Assurance Services scheme for the sanitisation of media under CAS(S).

  2. The criticality of your data assets should be understood, classified and tracked as part of your broader asset management regime. See the NCSC’s Asset Management guidance for more information.

Available tools

  1. Mail Check is an NCSC Active Cyber Defence (ACD) email configuration monitoring tool, which helps departments set up and maintain good email security (DMARC, SPF, DKIM, TLS & MTA-STS) configuration. All the above are crucial components providing protection against email spoofing and to help secure email data in transit. You should also consider implementing DNS-based Authentication of Named Entities (DANE) if appropriate to your organisation and capability. All government departments should consider using this tool, or, where not architecturally possible, adopt a suitable alternative.

Further information

Further guidance and information can be found on the NCSC’s CAF Guidance webpage.