Source · Select Committees · Public Accounts Committee

Recommendation 31

31 Accepted

Over-reliance on limited strategic IT suppliers creates significant cyber security risks.

Conclusion
Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers.[67] The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not straightforward. DSIT added that this was not just a cyber security issue. In July 2024, the major global IT outage resulting from a CrowdStrike software update on Microsoft systems caused significant impacts around the world.[68] Regarding competition concerns in the markets for cloud services, the Cabinet Office told us that this was not just a government challenge. Many organisations were using the two suppliers that dominated the market. DSIT reassured us that it was working to prevent government services to regions of the UK becoming too concentrated on a single supplier.[69]
Government Response Summary
The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments in managing supply chain risks and setting higher expectations for strategic suppliers.
Government Response Accepted
HM Government Accepted
5.1 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2026

5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many cases should be outsourced from lead government departments, they are still ultimately accountable for the risk and must build in mechanisms to manage this.

5.3 DSIT will clearly outline departmental responsibility for the cyber security and digital resilience of their arm’s-length bodies. This will build on and complement the accountabilities set out in ‘Government Security Policy: Security Functional Accountability’, published outside the public domain in October 2024. As part of the interventionist approach to cyber resilience referenced in the Blueprint, DSIT will assure and enforce that Accounting Officers are meeting this responsibility.

5.4 This more active role will see departments responsible for ensuring their associated arm’s-length bodies manage risk in accordance with the centrally set risk appetite. This will include returning assurance data from assurance methods such as GovAssure and Supplier Assurance.

5.5 The Digital Commercial Centre of Excellence will reform procurement processes and ensure clearer guidelines for departments. DSIT will support departments to manage their supply chain risks by embedding baseline contractual requirements into CCS frameworks, providing training and creating the mechanisms to join up between security and commercial teams. DSIT will use government’s buying power to set higher expectations of our strategic suppliers in terms of their cyber security practices and incident response processes.