24th Report - Government cyber resilience

The government commits to integrating cyber capability teams into DSIT by November 2025, using talent programmes and a new Cyber Resourcing Hub to attract staff. DSIT will also set out "early next year" how many vacancies central initiatives will fill and how it will help departments fill remaining gaps.

The government reiterates the requirement for public sector organizations to have a digital leader on their executive committee and board by 2026. DSIT will further set expectations for departments to appoint board members with cyber security expertise, mandate regular board reporting, define roles, and specify mandatory risk management actions in a new Target Operating Model.

The government commits DSIT to work with HM Treasury to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular departmental reporting, and establish mechanisms to protect budgets for these programmes to prevent fund diversion.

The government commits to publishing a new Government Target Operating Model for Cyber and Digital Resilience which will outline how government will organize and operate to manage cyber risks. DSIT will then set out implementation plans for this model later in 2025.

The government agrees with the finding that current cyber resilience is insufficient, committing to a more interventionist approach and moving responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.

The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT will also work with departments to understand skill gaps and use 2025 data to address vacancies, committing to set targets for this early next year.

The government agrees, aiming for implementation by Spring 2026, acknowledging the cyber skills gap. It commits to integrating relevant teams into DSIT by November 2025, continuing talent programmes, establishing a Cyber Resourcing Hub, and utilizing 2025 workforce data to set targets for filling vacancies.

The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT will also work with departments to understand skill gaps and use 2025 data to address vacancies, committing to set targets for this early next year.

The government agrees, stating that all public sector organizations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. DSIT will further set expectations for appointing board members with cyber security expertise, ensure regular risk reporting, define roles, and specify mandatory actions within a new Target Operating Model.

The government agrees to the recommendation, with a target implementation of Spring 2026. It will require all public sector organisations to have a digital leader and a digital non-executive director by 2026, and DSIT will set expectations for departments to appoint board members with cyber expertise and define associated responsibilities and reporting.

The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.

The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular reporting by Spring 2026.

The government agrees to the recommendation by Spring 2026, committing DSIT to clearly outline and enforce departmental responsibility for ALB cyber security and digital resilience, including requiring assurance data. The Digital Commercial Centre of Excellence will also reform procurement processes, and DSIT will support supply chain risk management by embedding contractual requirements and setting higher expectations for suppliers.

The government agrees to the recommendation by Spring 2026, recognizing the importance of managing risks in ALBs and their supply chains. DSIT will outline and enforce departmental responsibility for ALBs, while the Digital Commercial Centre of Excellence will reform procurement processes. DSIT will also embed contractual requirements into frameworks, provide training, and use government buying power to set higher expectations for strategic suppliers regarding cyber security.

The government commits DSIT to clearly outlining departmental responsibilities for arm's-length bodies' cyber security, assuring and enforcing compliance including mandating assurance data, reforming procurement, embedding contractual requirements, and setting higher expectations for strategic suppliers.

The government states it has moved cyber security responsibility to DSIT to enable a more interventionist approach. DSIT will publish a Government Cyber Security Strategy Implementation Plan in winter 2025 and will update the Committee on implementation in one year.

The government agrees with the concern about the evolving cyber threat, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.

The government agrees with the concern about nation-state cyber threats, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.

The government agrees with the concern about ransomware attacks, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.

The government agrees and states it has already moved cyber security responsibility to DSIT and will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to outline its approach to driving cyber and technology resilience, with an update to the committee in one year.

The government agrees and commits to integrating Cyber, Digital and Data teams into DSIT by November 2025, establishing a new Cyber Resourcing Hub, and utilizing 2025 workforce data to identify vacancies. Early next year, DSIT will set targets for central initiatives and plans to assist departments in filling remaining cyber vacancies.

The government agrees and commits to improving cyber security governance by requiring digital leaders and non-executive directors by 2026, and DSIT will set expectations for board members with cyber expertise, ensure regular risk reporting, and define roles within a future Target Operating Model.

The government agrees, aiming for implementation by Spring 2026, and will require public sector organisations to have digital leaders and non-executive directors by 2026. DSIT will also set expectations for departments to appoint board members with cyber expertise, ensure regular risk reporting, and define responsibilities within a new Target Operating Model.

The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.

The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.

The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular reporting by Spring 2026.

The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.

The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.

The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments in managing supply chain risks and setting higher expectations for strategic suppliers.

The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments in managing supply chain risks and setting higher expectations for strategic suppliers.