Source · Select Committees · Public Accounts Committee
Recommendation 32
Deferred
Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.
Conclusion
The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such as a cross-Government plan or performance framework.70 The National Audit Office (NAO) concluded that government would not meet its aim for “government’s critical functions to be significantly hardened to cyber attack by 2025”. The Cabinet Office’s aim for the whole of government and the wider public sector to be “resilient to known vulnerabilities and attack methods no later than 2030” is ambitious.71 In April 2024, ministers expressed support for the Cabinet Office to be more directive and provide departments with more centralised capability and support.72 The Cabinet Office assured us that it was working across the devolved administrations to meet its cyber resilience aims for the whole of government.73
Government Response Summary
The government agrees and is defining a future Target Operating Model for Cyber and Digital Resilience, with DSIT setting out implementation plans for this model later in 2025.
Government Response
Deferred
HM Government
6.1 The government agrees with the Committee’s recommendation.
Target implementation date: Winter 2025
6.2 Work is underway to define a future Target Operating Model for Cyber and Digital Resilience, which will set out how government and the public sector should organise itself and operate to understand, govern, and respond to cyber and digital resilience risk. Later in 2025, DSIT will set out plans for implementation of this model, and how it will enable the delivery of a strong and interventionist approach to cyber and digital resilience.