1.1. All central government departments and arm’s-length bodies (ALBs) shall incorporate effective security practices based on the common government Secure by Design principles when delivering and building digital services and technical infrastructure.
2.1. The government’s Secure by Design principles provide the foundations for effective cyber security practices in digital delivery, leading to cyber resilient digital services that keep citizens and government safe. They aim to improve trust and data sharing between government organisations and improve security culture by making security everyone’s collective responsibility.
2.2. This policy sets out the mandatory requirements that affected organisations shall meet to implement this policy.
3.1. This policy is for everyone in central government departments and ALBs involved in the design and delivery of systems and services. This includes but is not limited to:
4.1. This policy applies to central government organisations and ALBs. It may also be optionally adopted by other parts of the public sector.
4.2. This policy applies to new or significant changes (for example, those requiring a Treasury business case or those where there is a significant change to the cyber risk profile) to digital services and technology infrastructure, whether built within departments or procured through suppliers, which are in scope of the digital and technology spend controls approval process.
4.3. This policy does not apply to digital services which are in operation or routine maintenance. Over time, it is expected that all digital services will either be retired or come into scope for this policy.
5.1. By not designing digital services with security in mind from the outset, there is an increased risk of data breaches and service disruption which could result in:
This policy contains both mandatory and advisory elements using the same language as Functional Standard GovS 007: Security.
The requirements in this section are directly linked to the published Secure by Design principles. Central government organisations and ALBs shall:
6.1. Create responsibility for cyber security risk by:
6.2. Source secure technology products by:
6.3. Adopt a risk-driven approach when delivering digital services by:
6.4. Design usable security controls by:
6.5. Build detect and respond mechanisms for cyber security vulnerabilities by:
6.6. Design flexible architectures by:
6.7. Minimise the attack surface by:
6.8. Defend in depth by:
6.9. Embed continuous assurance by:
6.10. Make changes securely by:
7.1. Organisations shall ensure a risk-based approach to implementation, proportionate to the prevailing level of cyber risk and in line with their organisation’s business objectives and priorities.
7.2. Organisations have the flexibility to decide how to meet the requirements of this policy within practicable timescales.
7.3. Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed with appropriate risk mitigations put in place in line with the organisation’s risk tolerance. Organisations shall work towards future compliance in line with their business objectives and priorities.
7.4. Compliance with the requirements of this policy shall be reviewed through the digital and technology spend controls approval process. Sufficient compliance shall be demonstrated by achieving a “high” security confidence profile in the Secure by Design Self Assessment Tracker.
8.1. This policy is supported by and relates to the:
9.1. The requirements described in this policy will help government organisations achieve the required security outcomes in the NCSC Cyber Assessment Framework (CAF) with the exception of
OFFICIAL