Source · Select Committees · Public Accounts Committee
Recommendation 30
Accepted
Government faces complex challenges managing cyber security risk within its supply chain.
Recommendation
We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious consequences for individuals, such as the ransomware attack on the supplier of NHS pathology services, Synnovis. The Cabinet Office set out to us the actions it was taking to improve its management of supply chain risk. It was creating schedules that departments could include in future contracts to ensure they were asking their suppliers for the right security measures. The Cabinet Office planned to work with strategic suppliers in 2025–26 to agree objectives for how they will help government improve its cyber resilience. DSIT and the Cabinet Office cited the example of a partnership agreement with Microsoft. [66]
Government Response Summary
The government accepts the recommendation, with a target implementation date of Spring 2026, and recognises the importance of managing risk in arm’s-length bodies (ALBs) and their supply chains. DSIT will set out and enforce departmental responsibility for the cyber security of ALBs, while the Digital Commercial Centre of Excellence will reform procurement processes. DSIT will also embed baseline contractual requirements into CCS frameworks, provide training, and use government buying power to set higher expectations of strategic suppliers for their cyber security practices and incident response processes.
Government Response
Accepted
HM Government
5.1 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2026

5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many cases should be outsourced from lead government departments, they are still ultimately accountable for the risk and must build in mechanisms to manage this.

5.3 DSIT will clearly outline departmental responsibility for the cyber security and digital resilience of their arm’s-length bodies. This will build on and complement the accountabilities set out in ‘Government Security Policy: Security Functional Accountability’, published outside the public domain in October 2024. As part of the interventionist approach to cyber resilience referenced in the Blueprint, DSIT will assure and enforce that Accounting Officers are meeting this responsibility.

5.4 This more active role will see departments responsible for ensuring their associated arm’s-length bodies manage risk in accordance with the centrally set risk appetite. This will include returning assurance data from assurance methods such as GovAssure and Supplier Assurance.

5.5 The Digital Commercial Centre of Excellence will reform procurement processes and ensure clearer guidelines for departments. DSIT will support departments to manage their supply chain risks by embedding baseline contractual requirements into CCS frameworks, providing training and creating the mechanisms to join up security and commercial teams. DSIT will use government’s buying power to set higher expectations of our strategic suppliers in terms of their cyber security practices and incident response processes.