Source · Select Committees · Public Accounts Committee
Recommendation 20
20
Accepted
GovAssure reveals significant gaps and low maturity in departmental cyber resilience.
Conclusion
In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self–assessed their performance against minimum cyber standards set by the Cabinet Office.43 In the period April 2023 to July 2024, 35 departments took part in the first year of GovAssure and assessed 72 IT systems, of which independent reviewers verified 58. The GovAssure data showed that there were significant gaps in departments’ cyber resilience, including low levels of maturity across asset management, protective monitoring, and response planning.44
Government Response Summary
The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.
Government Response
Accepted
HM Government
Accepted
4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be required to identify and report on their critical systems through GovAssure, and drive adoption of the scheme across more of government. 4.4 The combined insights from these assurance frameworks will be used to determine the proportion of the estate which has been assessed, and the optimum scale and frequency of assessment activity going forward. 4.5 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.6 DSIT will continue to support the work done by departments to remediate their legacy systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is delivering the expected improvements. 4.7 DSIT will work with HMT to include all government cyber resilience activity into departments’ regular reporting to HMT and DSIT on digital spending and delivery. DSIT is also working with HMT on mechanisms for protecting budgets for specific cyber and legacy remediation programmes to avoid diversion of funding after settlement.