
Author: Government Digital Service

Last updated: 2025-03-11

Implementing Secure by Design

All central government departments and arm's-length bodies (ALBs) must incorporate effective security practices and meet the Secure by Design policy when delivering and building digital services and technical infrastructure.

This applies to new services and significant changes to services that fall into scope of the digital and technology spend controls approval process.

Affected organisations have been separated into two groups which determine their implementation timescales:

  • Group 1 – ministerial departments, ALBs managing government Critical National Infrastructure (CNI) and organisations managing priority government services.
  • Group 2 – all remaining ALBs and other central government organisations.

Implementation schedule

The Cabinet Office will be working with organisations to discuss their specific implementation schedule and establish what assistance may be required.

Organisations are encouraged to implement Secure by Design as soon as possible; however, support from the Government Digital Service (GDS) will be prioritised for group 1 organisations.

The implementation plan is aligned with the timescales in the government’s transforming for a digital future roadmap: 2022 to 2025. It was developed in collaboration with security and digital leaders, including the Chief Digital Information Officers (CDIOs) who are accountable for the adoption of Secure by Design in their organisations.

Secure by Design is a journey for continuous improvement, not a compliance process. It is essential for government organisations to begin the transition early and make positive changes towards achieving the required cyber security maturity.

Guide to adopting Secure by Design

A detailed walkthrough has been developed for stakeholders within public sector organisations involved in the adoption of Secure by Design. It outlines key phases and milestones that should be considered at each stage.

Download a Secure by Design preparation checklist

Use this template to assess whether your organisation is currently meeting the requirements of Secure by Design and identify where improvements are needed.

Guidance for commercial teams

Commercial and procurement teams play a vital role in ensuring that cyber security is embedded into government digital and technology procurements from the outset. Secure by Design should be a core consideration throughout the procurement life cycle, from defining requirements and evaluating suppliers to contract management and service delivery.

To help commercial and procurement teams achieve this, the Cabinet Office published a set of modular security schedules with Secure by Design requirements. These clearly define security expectations in tender documents, where applicable.

Secure by Design requirements are incorporated into the following 3 modular security schedules:

  • supplier-led schedules
  • buyer-led schedules
  • developer schedules

You’ll find a Secure by Design evaluation table at the end of these security schedules. The supplier must use this table if the buyer has assessed that the contract is in scope for Secure by Design.

This table helps standardise Secure by Design requirements across contracts and ensures suppliers understand their security obligations. Suppliers can use the table to cross-reference how they meet the Secure by Design principles within their security management plans. This is essential when the procurement is linked to building digital services which fall within the scope of the digital and technology spend controls process, which requires additional approval.

Because not all contracts will be within the scope of Secure by Design, it’s the responsibility of the buyer to:

  • make sure the contract is assessed against the scope and requirements of Secure by Design
  • determine whether Secure by Design requirements should be included in the contract

By embedding Secure by Design principles in procurement, commercial teams help ensure that cyber security is not just an afterthought but an integral part of government digital services and technology investments.
