Source · Select Committees · Public Accounts Committee
Recommendation 19
19
Accepted
Government Cyber Coordination Centre improves information sharing but remains in early stages.
Conclusion
We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments.40 The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September 2023, and that this had helped government share information more effectively. The GC3 brings together people from the National Cyber Security Centre, 33 Q 26 34 Q 29 35 Q 31 36 Q 28 37 Q 57 38 Qq 33–34 39 Q 36 40 Q 35 12 the Cabinet Office, and the Government Digital Service.41 The Cabinet Office added that GC3 was in its early stages, but was starting to build communities of cyber practitioners across government.42 41 Q 34; C&AG’s Report, para 2.16 42 Q 35 13 2 Improving Government’s cyber resilience Resilience of the IT estate
Government Response Summary
The government agrees, aiming for implementation by Spring 2026, and will require public sector organisations to have digital leaders and non-executive directors by 2026. DSIT will also set expectations for departments to appoint board members with cyber expertise, ensure regular risk reporting, and define responsibilities within a new Target Operating Model.
Government Response
Accepted
HM Government
Accepted
3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making. 3.3 There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk decisions. Government’s intent for this is stated in the Blueprint where all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. 3.4 Building on this, DSIT will set expectations for departments to appoint a board member with expertise in cyber security and digital resilience, ensure that boards receive regular reporting on cyber security and digital resilience risks, define roles and responsibilities and specify mandatory risk management and governance actions in a Target Operating Model for Government Cyber and Digital Resilience.