Source · Select Committees · Public Accounts Committee
Recommendation 5
Accepted
Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.
Conclusion
The scale and diversity of government’s supply chains, and the size of the public sector, make it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s-length bodies and the wider public sector that they are responsible for. Departments should work closely with the Cabinet Office, in particular the Government Security Group, in assuring this risk, as arm’s-length bodies may be an entry point for cyber attackers. Departments have not always met this expectation because of insufficient funding, staff, and oversight mechanisms. Lessons can be learned from the Department of Health and Social Care, which has begun to improve the resilience of its sector by putting in place a cyber security strategy, strengthening assurance processes, investing in common services, and setting clear policies. Departments also need to understand and manage the risks to security from their supply chains, which can be vulnerable to adversaries seeking to gain access to or disrupt government networks. The ransomware attack on Synnovis is an example of a supply chain attack that had serious consequences for individuals and disrupted services. The Cabinet Office says it is giving departments text to include in contracts so that suppliers put appropriate cyber security measures in place, and that it plans to work with strategic suppliers to help improve government’s resilience.
Recommendation
The Cabinet Office should secure clear assurance from departments that they understand and are effectively managing the cyber risk from their arm’s-length bodies and supply chains.
Government Response Summary
The government commits DSIT to clearly outlining departmental responsibilities for arm's-length bodies' cyber security, assuring and enforcing compliance including mandating assurance data, reforming procurement, embedding contractual requirements, and setting higher expectations for strategic suppliers.
Government Response
Accepted
HM Government
The government agrees with the Committee’s recommendation. Whilst services can and in many cases should be outsourced from lead government departments, they are still ultimately accountable for the risk and must build in mechanisms to manage this. DSIT will clearly outline departmental responsibility for the cyber security and digital resilience of their arm’s-length bodies. This will build on and complement the accountabilities set out in ‘Government Security Policy: Security Functional Accountability’, published outside the public domain in October 2024. As part of the interventionist approach to cyber resilience referenced in the Blueprint, DSIT will assure and enforce that Accounting Officers are meeting this responsibility. This more active role will see departments responsible for ensuring their associated arm’s-length bodies manage risk in accordance with the centrally set risk appetite. This will include returning assurance data from assurance methods such as GovAssure and Supplier Assurance. The Digital Commercial Centre of Excellence will reform procurement processes and ensure clearer guidelines for departments. DSIT will support departments to manage their supply chain risks by embedding baseline contractual requirements into CCS frameworks, providing training, and creating the mechanisms to join up security and commercial teams. DSIT will use government’s buying power to set higher expectations of our strategic suppliers in terms of their cyber security practices and incident response processes.