Source · Select Committees · Public Accounts Committee

Recommendation 11

Government's current cyber resilience levels remain inadequate to effectively respond to and recover from attacks.

Recommendation
We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat.[17] The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this might always be the case. It suggested the best approach may be continuously managing and mitigating the risk as far as possible, in a way that is value for money. The Cabinet Office stressed the importance of resilience, so that even if government does not detect an incident it is still able to respond and recover effectively. The Cabinet Office acknowledged that government’s current cyber resilience levels were not good enough to do this.[18]

Government Response Summary
The government agrees with the finding that current cyber resilience is insufficient, committing to a more interventionist approach and moving responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
Government Response Accepted
HM Government Accepted
1.1 The government agrees with the Committee’s recommendation.

Target implementation date: Autumn 2026

1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and taking a stronger and more interventionist approach to drive transformation across government. This approach is needed to achieve a step change in resilience across government, arm’s-length bodies and the wider public sector.

1.3 The government has taken immediate action to address this and moved responsibility for government and public sector cyber security from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT). This change will strengthen technology resilience and policymaking across the public sector, by better integrating cyber security responsibilities and expertise into the Government Digital Service.

1.4 In winter 2025, DSIT will publish a Government Cyber Security Strategy Implementation Plan (GCSS IP) which will set out the approach to driving cyber and technology resilience. DSIT will write to the Committee to update them on implementation in one year’s time.