Recommendation 29

HM Government Accepted

5.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many cases should be outsourced from lead government departments, they are still ultimately accountable for the risk and must build in mechanisms to manage this. 5.3 DSIT will clearly outline departmental responsibility for the cyber security and digital resilience of their arm’s-length bodies. This will build on and complement the accountabilities set out in ‘Government Security Policy: Security Functional Accountability’ published outside the public domain in October 2024. As part of the interventionist approach to cyber resilience referenced in the Blueprint, DSIT will assure and enforce that Accounting Officers are meeting this responsibility. 5.4 This more active role will see departments responsible for ensuring their associated arm’s-length bodies manage risk in accordance with the centrally set risk appetite. This will include returning assurance data from assurance methods such as GovAssure and Supplier Assurance. 5.5 The Digital Commercial Centre of Excellence will reform procurement processes and ensure clearer guidelines for departments. DSIT will support departments to manage their supply chain risks by embedding baseline contractual requirements into CCS frameworks, providing training and creating the mechanisms to join up between security and commercial teams. DSIT will use government’s buying power to set higher expectations of our strategic suppliers in terms of their cyber security practices and incident response processes.