Government cybersecurity assurance
Robustness and oversight of cyber security assurance programs within government departments for critical systems.
Strongest theme matches
Mixed across source types and ranked by classifier confidence plus text match strength.
Committee recommendation
95 match
#7 - Legacy IT systems pose significant risks to government AI adoption and cybersecurity.
DSIT told us that it was a matter of urgency that the issue of legacy systems in government is addressed, not only to take advantage of the opportunities offered by AI, but also to address other risks including cyber security vulnerabilities. It emphasised prioritising the “systems that have the most valuable data” and “the highest levels of security...
Matched on
terms: cybersecurity, government
Committee recommendation
90 match
#5 - Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.
The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s–length bodies and the wider public sector that they are responsible for. Departments should work closely with the Cabinet...
Matched on
terms: assurance, government
Committee recommendation
83 match
#23 - GovAssure not designed to assess all critical systems despite improvement goals.
We asked the Cabinet Office how it would increase the scale and pace of GovAssure to assess the cyber resilience of all of government’s critical systems. The Cabinet Office explained that it did not plan to assess 100%...
Matched on
terms: assurance, government
Committee recommendation
83 match
#4 - Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.
Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations, identified that government cyber resilience was substantially lower than the Cabinet Office expected. Departments had multiple fundamental control failures, including in risk management and response planning. The...
Matched on
terms: assurance, government
Committee recommendation
81 match
#20 - GovAssure reveals significant gaps and low maturity in departmental cyber resilience.
In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self–assessed their performance against minimum cyber standards set by the Cabinet Office.43 In the period April 2023 to July 2024, 35 departments took part in the first year of GovAssure and assessed...
Matched on
terms: assurance, government
NAO recommendation
80 match
Government cyber resilience
Government departments should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk. In their annual security appraisal, accounting officers should assess their progress and performance in meeting the cyber security standards set out in Functional Standard GovS 007: Security (the Security Standard), which HM Treasury mandated in 2021. To show the importance of building a...
Matched on
terms: government
Committee recommendation
78 match
#34 - Cabinet Office accepted NAO recommendation for cross-Government cyber security implementation and monitoring plan
We challenged the Cabinet Office on whether its plans were realistic. The Cabinet Office told us it had accepted the NAO’s recommendation that it needed a cross–Government implementation plan and a stronger monitoring and evaluation framework.75 It said these would be ready in the summer of 2025, after the Spending Review concluded.76 We asked the Cabinet Office how...
Matched on
terms: government
Committee recommendation
78 match
#32 - Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.
The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such...
Matched on
terms: government
Committee recommendation
78 match
#11 - Government's current cyber resilience levels remain inadequate to effectively respond and recover from attacks.
We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat.17 The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this might always be the case. It suggested the best approach may be continuously managing and mitigating the risk...
Matched on
terms: assurance, government
Committee recommendation
78 match
#6 - Set out levers and instruments for a fundamentally different approach to government cyber resilience.
Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus on implementing its initiatives, such as GovAssure, has been at the expense of it coordinating a cross–government plan...
Matched on
terms: government
Committee recommendation
77 match
#29 - Departmental commitment to wider public sector cyber resilience strategy shows inconsistent implementation.
The Cabinet Office confirmed to us that lead government departments were responsible for understanding and tackling cyber risk across the wider public sector. While recognising that departments’ response to the Strategy...
Matched on
terms: assurance, government
Committee recommendation
74 match
#22 - 7th Report - Financial resilience of government-sponsored museums and galleries
The Department assured us that it was now working closely with the organisations on how it can provide central advice on improving cyber-resilience and minimising the threat and impact of cyber-attacks. It highlighted the Government’s cyber action plan, which the Department for Science, Innovation and Technology published earlier this year, which it said was setting out a path...
Matched on
terms: government
Committee recommendation
74 match
#24 - 1st Report - Rewiring the state: Delivering digital government
GDS should set up a Legacy Systems Taskforce with a remit to drive progress in remediating legacy systems across the public sector. It should be empowered to mandate action by departments and public sector bodies where necessary. The taskforce should publish the results of the promised legacy mapping exercise in as transparent a form as possible given...
Matched on
terms: government
Committee recommendation
74 match
#30 - Government faces complex challenges managing cyber security risk within its supply chain.
We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious consequences for individuals, such as the ransomware attack on the supplier of NHS pathology services, Synnovis. The Cabinet...
Matched on
terms: government
Committee recommendation
74 match
#26 - Unacceptable knowledge gap persists due to poor legacy IT asset management across government.
We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information about legacy systems...
Matched on
terms: government
Committee recommendation
74 match
#19 - Government Cyber Coordination Centre improves information sharing but remains in early stages.
We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments.40 The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September 2023, and that this had helped government share information more effectively. The GC3 brings together people from the...
Matched on
terms: government
Committee recommendation
74 match
#17 - Require every government department to appoint a very senior Chief Information Officer.
We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made...
Matched on
terms: government
Committee recommendation
74 match
#7 - Defence must enhance protection of reliant digital networks and secure sufficient cybersecurity skills.
Digital networks are only as strong and resilient to cyberattack as their weakest links, and recent attacks indicate that the Ministry of Defence must do more to help protect all those networks it relies on to fulfil its mission— not just those which it directly controls. Defence also needs the right skills, in sufficient numbers, if it is...
Matched on
terms: cybersecurity
Committee recommendation
74 match
#21 - UKRI's outdated legacy systems pose an increased cyber security risk to government operations.
As we have reported before, one of the most serious risks to all parts of Government and industry is large-scale-assaults on their cyber security defences and ensuring their resilience against such attacks. Outdated legacy systems, such as those at UKRI, increase the cyber risk to government.53 UKRI told us it takes cyber seriously and its updated systems have...
Matched on
terms: government
Committee recommendation
73 match
#2 - Second Report - The Security of 5G
We share the Government’s objective that the UK remains at the forefront of the 5G rollout as we move into the next technological era. It is imperative that the UK is amongst the first countries to benefit from the technological advances that 5G will bring. The Government’s ambitions for the rollout of 5G are laudable and cybersecurity policy...
Matched on
terms: cybersecurity, government
NAO recommendation
72 match
Financial modelling in government
h) work with departments, ALBs and other stakeholders such as the Quality Assurance Working Group on guidance and training to facilitate system-wide learning and improvement. This should include sharing good practice on how business-critical models are managed and practical advice on how to analyse and communicate uncertainty.
Matched on
terms: assurance, government
Committee recommendation
71 match
#28 - Departments lack resources and oversight to ensure cyber resilience across wider public sector.
Departments, arm’s–length bodies and their partners use a wide range of IT systems and technology to provide public services.63 The Government Cyber Security Strategy: 2022–2030 (‘the Strategy’) set out that government departments’ cyber responsibilities included ensuring their arm’s–length bodies and wider public sector meet resilience targets. In April 2024, the Cabinet Office reported it could not be confident...
Matched on
terms: government
Committee recommendation
70 match
#50 - 1st Report - Rewiring the state: Delivering digital government
It would be irresponsible to roll out a digital ID built on the UK’s current digital infrastructure. The public sector holds citizens’ data on trust, and should therefore hold itself to a higher standard. The operational and security problems relating to the eVisa system, One Login’s temporary loss of certification against the government’s own digital identity framework, and...
Matched on
terms: government
Committee recommendation
70 match
#23 - 1st Report - Rewiring the state: Delivering digital government
Legacy systems present huge efficiency, cost and security risks, and it is therefore deeply concerning that government still does not know the full scale of the problem. While it may be difficult for ministers to argue in favour of spending public funds on systems that still (just about) work, if legacy systems are not remediated, the government’s digital...
Matched on
terms: government
Committee recommendation
70 match
#13 - 1st Report - Rewiring the state: Delivering digital government
GDS and the Cabinet Office should publish quarterly reports on departmental and public sector body progress against the information and data security metrics it has committed to, together with its published principles for securing data in public services. These disclosures should be accessible via a single, publicly available tracker. (Recommendation, Paragraph 48)
Matched on
terms: government
Committee recommendation
70 match
#25 - Government lacks comprehensive understanding of its total legacy IT estate and associated risks.
We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much information about legacy IT but this was improving. DSIT data showed that around 28% of the public sector’s...
Matched on
terms: government
Committee recommendation
70 match
#1 - Committee takes evidence regarding government cyber resilience based on C&AG report.
On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office and the Department for Science, Innovation and Technology (DSIT) on the cyber resilience of Government.1
Matched on
terms: government
Committee recommendation
69 match
#13 - 4th Report – The National Security Strategy
The Government should clarify what will change for private sector Critical National Infrastructure operators as a result of the NSS and provisions of the Cyber Security and Resilience (Network and Information Systems) Bill. It should then work with those operators to identify what support will be needed for them to adapt to the new regime. (Recommendation, Paragraph 59)
Matched on
terms: government
Committee recommendation
69 match
#16 - Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.
Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a digital expert.31 Some departments have been reluctant to share information about their cyber incidents with other parts of...
Matched on
terms: government
Committee recommendation
66 match
#38 - 1st Report - Rewiring the state: Delivering digital government
The government should publish the findings of its investigation into the October 2025 AWS outage and its impact on suppliers and departments. In its response to this report, it should detail the steps it is taking to ensure greater resilience across public sector cloud infrastructure. (Recommendation, Paragraph 110)
Matched on
terms: government
Committee recommendation
66 match
#10 - 1st Report - Rewiring the state: Delivering digital government
Successive governments have made a series of promises designed to address the institutional failings outlined in the Information Security Review. Yet we remain concerned that the current government is not holding itself to, or delivering, the standards of information and data security needed to secure and maintain public trust. This failure threatens the government’s digital transformation ambitions, and...
Matched on
terms: government
Committee recommendation
66 match
#9 - 1st Report - Rewiring the state: Delivering digital government
It is a fundamental duty of government, public sector bodies and bodies in receipt of public funds to keep safe the data they hold on citizens. This duty has not been consistently upheld in the UK for some time. An Information Security Review, whose existence was - seemingly unnecessarily - kept secret until our intervention, examined a series...
Matched on
terms: government
Committee recommendation
66 match
#7 - Government faces rapidly evolving and increasingly sophisticated cyber threats from capable adversaries.
The Cabinet Office told us that we should be extremely worried by the rapidly evolving cyber threat, which is the most sophisticated it has ever been. It explained that over the last three years, government’s adversaries, which include nation states and organised criminal groups, have developed their ‘capabilities’ more rapidly than it expected.7
Matched on
terms: government
Committee recommendation
65 match
#8 - Thirtieth Report - Challenges in implementing digital change
The risks associated with legacy systems include that they can be difficult and expensive to support, lack operational resilience for key government services, and be vulnerable to cyber-attack. This exposes government to what is likely to be an uncertain but high level of financial risk from potential operational and cyber-related incidents. Legacy systems need a significant level of...
Matched on
terms: government
Committee recommendation
65 match
#2 - Recommend a trial of a centralised Secure Data Environment and simplify ethical governance
Should our successor Committee wish to explore the reform of the UK health data strategy, we recommend it considers:
• Investigating the replication of the academic model of open and competitive funding to solve problems and develop Privacy Enhancing technologies (PETs) and other critical pieces of data infrastructure as an alternative to internal or contracted software development work;...
Matched on
terms: government
Committee recommendation
65 match
#31 - Over-reliance on limited strategic IT suppliers creates significant cyber security risks.
Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers.67 The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not straightforward. DSIT added that this was not just a cyber security issue. In July 2024, the major global...
Matched on
terms: government
Committee recommendation
65 match
#3 - Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.
Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not given departments a clear picture of the cyber threat and what they should do about it. Departments have...
Matched on
terms: government
Committee recommendation
65 match
#6 - Require MoJ and LAA to detail cyberattack lessons and funding for system vulnerabilities.
Despite lessons learned from the cyberattack on the LAA, funding to address weaknesses across MoJ systems is uncertain. Vulnerabilities in LAA’s systems had been on MoJ’s risk register since 2021. However, MoJ’s investment of over £50 million to transform and stabilise LAA’s systems was insufficient to prevent hackers accessing a large amount of both provider and legal aid...
Matched on
terms: government
Committee recommendation
61 match
#7 - Second Report - The Security of 5G
There is no doubt that Huawei’s designation as a high-risk vendor is justified. The Huawei Cyber Security Evaluation Centre has consistently reported on its low-quality products and concerning approach to software development, which has resulted in increased risk to UK operators and networks. The presence of Huawei in the UK’s 5G networks therefore poses a significant security risk...
Matched on
terms: government
Committee recommendation
61 match
#27 - Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.
We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had.59 The Cabinet Office told us that legacy systems were one of its biggest priorities, but that departments needed to own the risk.60 DSIT claimed...
Matched on
terms: government
Committee recommendation
61 match
#24 - Legacy IT systems consume vast expenditure while posing persistent risks to public services.
Many of government’s IT systems are ‘legacy’, because they are ageing and outdated but still in use. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to public services posed by legacy technology have built up over many years.51 In 2023, the Government Digital Service...
Matched on
terms: government
Committee recommendation
61 match
#18 - Departments remain reluctant to share cyber incident information, hindering collective learning.
We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what has gone wrong. The Cabinet Office reassured us that if departments find any vulnerabilities that could affect other...
Matched on
terms: government
Committee recommendation
61 match
#10 - Cyber threats and security constantly evolve; adversaries already leveraging AI to probe defences.
Both the cyber threat and government’s cyber security are continuing to evolve as technology develops.14 The Cabinet Office described this to us as a “technology race” that required government to adapt its approach constantly.15 We asked how government thought artificial intelligence (AI) would affect cyber security. The witnesses argued that AI was a huge opportunity, but that it...
Matched on
terms: government
Committee recommendation
57 match
#14 - Recommend successor Committee examine 5G Supply Chain Diversification, international standards, and technology rollout.
Should our successor Committee wish to examine the UK’s telecommunications infrastructure and domestic capability, we recommend it considers:
• The implementation of the 5G Supply Chain Diversification Strategy, and relevant policy and technical developments since the then Committee’s report;
• Examining the Government’s participation in international standards bodies for critical and emerging technologies; or
• The rollout and...
Matched on
terms: government
Committee recommendation
57 match
#4 - Increase public awareness of attacks against the UK and outline national defence conversation measures
The public need to understand not only the necessity of defence but also their role in it. We are therefore very supportive of the concept of a national conversation on defence and recommend that the Government (and MOD in particular) seek to increase public awareness of recent attacks against the UK, including sabotage, and cyber-attacks, through regular public...
Matched on
terms: government
Committee recommendation
49 match
#22 - Previous departmental self-assessments significantly over-estimated actual cyber resilience levels.
The Cabinet Office told us that cyber resilience was substantially lower than it had expected following departments’ previous self–assessments. It had found that the organisations that GovAssure’s independent reviewers had scored poorly were the most over–optimistic in their self–assessments.46 We challenged the Cabinet Office on why it had not introduced GovAssure sooner. The Cabinet Office acknowledged that it...
Matched on
classifier match
Committee recommendation
49 match
#8 - Nation states pose increasing risk of espionage and disruptive cyber attacks on essential services.
The Cabinet Office highlighted concerns about nation states’ intent to conduct espionage and disrupt essential services.8 It described a campaign of espionage by Russian military intelligence that involved stealing and leaking data, and defacing websites. The Cabinet Office considered disruptive cyber attacks to be an increasing risk. It gave the example of Volt Typhoon, a Chinese state–affiliated group,...
Matched on
classifier match
Committee recommendation
49 match
#27 - MoJ acknowledges system vulnerabilities, but acceleration depends on Spending Review funding
We asked MoJ whether the public could have confidence that data stored across MoJ’s systems is safe, following the attack. MoJ stated that it has comprehensively reviewed all of its systems to understand where vulnerabilities lie. It stated that its review had given it a better understanding of where the risks in its systems are and explained that...
Matched on
classifier match
NAO recommendation
47 match
Transforming health assessments for disability benefits
DWP should: a) review the Programme plan and produce an updated business case, incorporating the white paper reforms, including: demonstrating it has effective assurance and control over development of the Programme’s digital architecture, including how the Programme will fit with DWP’s other departmental digital initiatives, using oversight independent of the Programme;
Matched on
terms: assurance
Committee recommendation
45 match
#9 - Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.
Organised criminal groups use ransomware and data extortion to make money.10 They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023,...
Matched on
classifier match