Select Committee · Public Accounts Committee

Government cyber resilience

Status: Closed · Opened: 15 Jan 2025 · Closed: 17 Jul 2025 · 15 recommendations · 20 conclusions · 1 report

In 2022, the Government set itself a target for critical functions to be significantly hardened to cyber-attack by 2025. It also aims for the whole public sector to be resilient to known vulnerabilities and attack methods by 2030 at the latest. Alongside a recognition that there is a significant gap between cyber resilience levels currently …

Reports

1 report
Title: 24th Report - Government cyber resilience · HC No.: HC 643 · Published: 9 May 2025 · Items: 35 · Response: Responded

Recommendations & Conclusions

35 items
2 Recommendation 24th Report - Government cyber resilien… Accepted

Require Cabinet Office to detail how central interventions will fill cyber vacancies and support departments.

There is a longstanding shortage in government of the experienced, technical cyber skills required. Skilled cyber security professionals are scarce and in high demand nationally and globally. As this Committee has frequently reported over the years, government finds it hard to compete with the private sector for the best talent, …

Government response. The government commits to integrating cyber capability teams into DSIT by November 2025, using talent programmes and a new Cyber Resourcing Hub to attract staff. DSIT will also set out "early next year" how many vacancies central initiatives will fill …
HM Treasury
3 Recommendation 24th Report - Government cyber resilien… Accepted

Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.

Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not given departments a clear picture of the cyber threat and …

Government response. The government reiterates the requirement for public sector organizations to have a digital leader on their executive committee and board by 2026. DSIT will further set expectations for departments to appoint board members with cyber security expertise, mandate regular board …
HM Treasury
4 Recommendation 24th Report - Government cyber resilien… Accepted

Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.

Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations identified that government cyber resilience was substantially lower than the Cabinet Office expected. Departments had multiple fundamental control failures, …

Government response. The government commits DSIT to work with HM Treasury to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular departmental reporting, and establish mechanisms to protect budgets for these programmes to prevent fund diversion.
HM Treasury
5 Conclusion 24th Report - Government cyber resilien… Accepted

Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.

The scale and diversity of government’s supply chains, and the size of the public sector, make it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s–length bodies and the wider public sector that they are responsible …

Government response. The government commits DSIT to clearly outlining departmental responsibilities for arm's-length bodies' cyber security, assuring and enforcing compliance including mandating assurance data, reforming procurement, embedding contractual requirements, and setting higher expectations for strategic suppliers.
HM Treasury
6 Recommendation 24th Report - Government cyber resilien… Accepted

Set out levers and instruments for a fundamentally different approach to government cyber resilience.

Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus on implementing its initiatives, such as GovAssure, has been at …

Government response. The government commits to publishing a new Government Target Operating Model for Cyber and Digital Resilience which will outline how government will organize and operate to manage cyber risks. DSIT will then set out implementation plans for this model later …
HM Treasury
1 Conclusion 24th Report - Government cyber resilien… Accepted

Committee takes evidence regarding government cyber resilience based on C&AG report.

On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office and the Department for Science, Innovation and Technology (DSIT) on the cyber resilience of Government.1

Government response. The government states it has moved cyber security responsibility to DSIT to enable a more interventionist approach. DSIT will publish a Government Cyber Security Strategy Implementation Plan in winter 2025 and will update the Committee on implementation in one year.
HM Treasury
7 Conclusion 24th Report - Government cyber resilien… Accepted

Government faces rapidly evolving and increasingly sophisticated cyber threats from capable adversaries.

The Cabinet Office told us that we should be extremely worried by the rapidly evolving cyber threat, which is the most sophisticated it has ever been. It explained that over the last three years, government’s adversaries, which include nation states and organised criminal groups, have developed their ‘capabilities’ more rapidly …

Government response. The government agrees with the concern about the evolving cyber threat, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan …
HM Treasury
8 Conclusion 24th Report - Government cyber resilien… Accepted

Nation states pose increasing risk of espionage and disruptive cyber attacks on essential services.

The Cabinet Office highlighted concerns about nation states’ intent to conduct espionage and disrupt essential services.8 It described a campaign of espionage by Russian military intelligence that involved stealing and leaking data, and defacing websites. The Cabinet Office considered disruptive cyber attacks to be an increasing risk. It gave the …

Government response. The government agrees with the concern about nation-state cyber threats, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in …
HM Treasury
9 Conclusion 24th Report - Government cyber resilien… Accepted

Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.

Organised criminal groups use ransomware and data extortion to make money.10 They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023, …

Government response. The government agrees with the concern about ransomware attacks, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter …
HM Treasury
10 Conclusion 24th Report - Government cyber resilien… Accepted

Cyber threats and security constantly evolve; adversaries already leveraging AI to probe defences.

Both the cyber threat and government’s cyber security are continuing to evolve as technology develops.14 The Cabinet Office described this to us as a “technology race” that required government to adapt its approach constantly.15 We asked how government thought artificial intelligence (AI) would affect cyber security. The witnesses argued that …

Government response. The government agrees and states it has already moved cyber security responsibility to DSIT and will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to outline its approach to driving cyber and technology resilience, with an update …
HM Treasury
11 Recommendation 24th Report - Government cyber resilien… Accepted

Government's current cyber resilience levels remain inadequate to effectively respond and recover from attacks.

We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat.17 The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this might always be the case. It suggested the best approach …

Government response. The government agrees with the finding that current cyber resilience is insufficient, committing to a more interventionist approach and moving responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter …
HM Treasury
12 Recommendation 24th Report - Government cyber resilien… Accepted

Persistent shortage of skilled cyber security professionals due to uncompetitive government salaries.

For more than a decade, skilled cyber security professionals have been in short supply and high demand nationally and globally. Government has not paid market–rate salaries for digital and cyber skills, which has been …

Government response. The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT …
HM Treasury
13 Recommendation 24th Report - Government cyber resilien… Accepted

Significant cyber security skill vacancies persist across central government departments.

In 2023–24, one in three cyber security roles in central government were vacant or filled by expensive contractors, and the proportion of vacancies in several departments’ cyber security teams was more than 50%.23 The Cabinet Office accepted that there were significant cyber–skill vacancies and set out the actions it was …

Government response. The government agrees, aiming for implementation by Spring 2026, acknowledging the cyber skills gap. It commits to integrating relevant teams into DSIT by November 2025, continuing talent programmes, establishing a Cyber Resourcing Hub, and utilizing 2025 workforce data to set …
HM Treasury
14 Recommendation 24th Report - Government cyber resilien… Accepted

Slow and un-diverse recruitment processes hinder government cyber security community development.

We asked the Cabinet Office why civil service recruitment processes remained a barrier. The Cabinet Office noted data suggesting it took on average nine months to recruit technology specialists. The Cabinet Office described this as not being good enough and said that it was trying different ways of shortening the …

Government response. The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT …
HM Treasury
15 Conclusion 24th Report - Government cyber resilien… Accepted

Fragmented departmental cyber security recruitment and training programmes persist across government.

Recruitment is fragmented across government, with some departments developing their own cyber recruitment and training programmes based on their needs.29 We queried how the Cabinet Office was working across Government, rather than letting each department train and recruit in its own way. The Cabinet Office told us that it was …

Government response. The government agrees and commits to integrating Cyber, Digital and Data teams into DSIT by November 2025, establishing a new Cyber Resourcing Hub, and utilizing 2025 workforce data to identify vacancies. Early next year, DSIT will set targets for central …
HM Treasury
16 Recommendation 24th Report - Government cyber resilien… Accepted

Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.

Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a digital expert.31 Some departments have been reluctant to share information …

Government response. The government agrees, stating that all public sector organizations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. DSIT will further set expectations for appointing board members …
HM Treasury
17 Recommendation 24th Report - Government cyber resilien… Accepted

Require every government department to appoint a very senior Chief Information Officer.

We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made …

Government response. The government agrees to the recommendation, with a target implementation of Spring 2026. It will require all public sector organisations to have a digital leader and a digital non-executive director by 2026, and DSIT will set expectations for departments to …
HM Treasury
18 Conclusion 24th Report - Government cyber resilien… Accepted

Departments remain reluctant to share cyber incident information, hindering collective learning.

We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what has gone wrong. The Cabinet Office reassured us that if …

Government response. The government agrees and commits to improving cyber security governance by requiring digital leaders and non-executive directors by 2026, and DSIT will set expectations for board members with cyber expertise, ensure regular risk reporting, and define roles within a future …
HM Treasury
19 Conclusion 24th Report - Government cyber resilien… Accepted

Government Cyber Coordination Centre improves information sharing but remains in early stages.

We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments.40 The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September 2023, and that this had helped government share information more …

Government response. The government agrees, aiming for implementation by Spring 2026, and will require public sector organisations to have digital leaders and non-executive directors by 2026. DSIT will also set expectations for departments to appoint board members with cyber expertise, ensure regular …
HM Treasury
20 Conclusion 24th Report - Government cyber resilien… Accepted

GovAssure reveals significant gaps and low maturity in departmental cyber resilience.

In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self–assessed their performance against minimum cyber standards set by the Cabinet Office.43 In the period April 2023 to July 2024, 35 departments took part …

Government response. The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in …
HM Treasury
21 Conclusion 24th Report - Government cyber resilien… Accepted

GovAssure data, though from a small sample, indicates overall government cyber resilience.

The Cabinet Office told us that GovAssure would run continually to give regular updates on government’s resilience. Although the systems assessed so far are a small part of government’s IT estate, the Cabinet Office argued that they were representative of organisations and services. As a result, the Cabinet Office said …

Government response. The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in …
HM Treasury
22 Conclusion 24th Report - Government cyber resilien… Accepted

Previous departmental self-assessments significantly over-estimated actual cyber resilience levels.

The Cabinet Office told us that cyber resilience was substantially lower than it had expected following departments’ previous self–assessments. It had found that the organisations that GovAssure’s independent reviewers had scored poorly were the most over–optimistic in their self–assessments.46 We challenged the Cabinet Office on why it had not introduced …

Government response. The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular …
HM Treasury
23 Recommendation 24th Report - Government cyber resilien… Accepted in Part

GovAssure not designed to assess all critical systems despite improvement goals.

We asked the Cabinet Office how it would increase the scale and pace of GovAssure to assess the cyber resilience of all of government’s critical systems. The Cabinet Office explained that it did not plan to assess 100% …

Government response. The government agrees to the recommendation, aiming for implementation by Spring 2026, and commits to requiring departments to identify and report critical systems through GovAssure, driving its adoption across government, and determining optimal assessment scale and frequency. However, it does …
HM Treasury
24 Conclusion 24th Report - Government cyber resilien… Accepted

Legacy IT systems consume vast expenditure while posing persistent risks to public services.

Many of government’s IT systems are ‘legacy’, because they are ageing and outdated but still in use. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to public services posed by legacy technology have built up over …

Government response. The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in …
HM Treasury
25 Recommendation 24th Report - Government cyber resilien… Accepted

Government lacks comprehensive understanding of its total legacy IT estate and associated risks.

We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much information about legacy IT but this was improving. DSIT data …

Government response. The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber …
HM Treasury
26 Conclusion 24th Report - Government cyber resilien… Accepted

Unacceptable knowledge gap persists due to poor legacy IT asset management across government.

We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information about legacy systems …

Government response. The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber …
HM Treasury
27 Recommendation 24th Report - Government cyber resilien… Accepted

Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.

We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had.59 The Cabinet Office told us that legacy systems were one of its biggest priorities, but that …

Government response. The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular …
HM Treasury
28 Recommendation 24th Report - Government cyber resilien… Accepted

Departments lack resources and oversight to ensure cyber resilience across wider public sector.

Departments, arm’s–length bodies and their partners use a wide range of IT systems and technology to provide public services.63 The Government Cyber Security Strategy: 2022–2030 (‘the Strategy’) set out that government departments’ cyber responsibilities included ensuring their arm’s–length bodies and wider public sector meet resilience targets. In April 2024, the …

Government response. The government agrees to the recommendation by Spring 2026, committing DSIT to clearly outline and enforce departmental responsibility for ALB cyber security and digital resilience, including requiring assurance data. The Digital Commercial Centre of Excellence will also reform procurement processes, …
HM Treasury
29 Conclusion 24th Report - Government cyber resilien… Accepted

Departmental commitment to wider public sector cyber resilience strategy shows inconsistent implementation.

The Cabinet Office confirmed to us that lead government departments were responsible for understanding and tackling cyber risk across the wider public sector. While recognising that departments’ response to the Strategy …

Government response. The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments …
HM Treasury
30 Recommendation 24th Report - Government cyber resilien… Accepted

Government faces complex challenges managing cyber security risk within its supply chain.

We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious consequences for individuals, such as the ransomware attack on the …

Government response. The government agrees to the recommendation by Spring 2026, recognizing the importance of managing risks in ALBs and their supply chains. DSIT will outline and enforce departmental responsibility for ALBs, while the Digital Commercial Centre of Excellence will reform procurement …
HM Treasury
31 Conclusion 24th Report - Government cyber resilien… Accepted

Over-reliance on limited strategic IT suppliers creates significant cyber security risks.

Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers.67 The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not straightforward. DSIT added that this was not just a cyber …

Government response. The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments …
HM Treasury
32 Conclusion 24th Report - Government cyber resilien… Deferred

Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.

The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such …

Government response. The government agrees and is defining a future Target Operating Model for Cyber and Digital Resilience, with DSIT setting out implementation plans for this model later in 2025.
HM Treasury
33 Conclusion 24th Report - Government cyber resilien… Deferred

Cabinet Office designing new approach to meet challenging 2030 cyber security target.

We asked the Cabinet Office how it intended to meet its target for 2030. The Cabinet Office was clear that the target would be challenging to meet. To do so, it told us that government would need to take a fundamentally different approach to cyber security. The Cabinet Office was …

Government response. The government agrees and states that a Target Operating Model for Cyber and Digital Resilience is being defined, with DSIT setting out implementation plans later in 2025.
HM Treasury
34 Conclusion 24th Report - Government cyber resilien… Deferred

Cabinet Office accepted NAO recommendation for cross-Government cyber security implementation and monitoring plan.

We challenged the Cabinet Office on whether its plans were realistic. The Cabinet Office told us it had accepted the NAO’s recommendation that it needed a cross–Government implementation plan and a stronger monitoring and evaluation framework.75 It said these would be ready in the summer of 2025, after the Spending …

Government response. The government agrees with the committee's observation and states that work is underway to define a future Target Operating Model for Cyber and Digital Resilience, with DSIT setting out implementation plans later in 2025.
HM Treasury
35 Conclusion 24th Report - Government cyber resilien…

UK can learn from Canada and Australia's central government cyber security approaches.

We asked if there were any countries that manage cyber security effectively that the UK should learn from. The Cabinet Office told us that most of the UK’s international partners were also trying to catch up with the …

HM Treasury

Oral evidence sessions

1 session
Date: 10 Mar 2025 · Witnesses: Bella Powell (Cabinet Office), Cat Little (Cabinet Office), Joanna Davinson (Cabinet Office), Vincent Devine (Cabinet Office)

Correspondence

1 letter
Date: 31 Mar 2025 · Direction: To committee · Title: Letter from the Civil Service Chief Operation Officer and Cabinet Office Perman…