Questions about Secure by Design
Common questions and useful information for Secure by Design champions, working groups and senior stakeholders within organisations.
- For an introduction to what Secure by Design is (and isn’t), download the factsheet or watch the video
- For a walkthrough of the Secure by Design approach (covering the context, principles, activities and implementation phases) see the presentation slides
For any questions that aren’t covered here, contact us via secure-by-design@digital.cabinet-office.gov.uk or through the #xgov-secure-by-design-implementation Slack channel.
What Secure by Design is
A desire to address common cyber security challenges in digital delivery and achieve a consistent approach was identified as a key priority by the government Chief Information Security Officers (CISOs) Forum.
Following a series of consultations with a cross-government working group and the National Cyber Security Centre (NCSC), Secure by Design was included as outcome 9 in the Government Cyber Security Strategy and commitment 11 in the Roadmap for digital and data, 2022 to 2025.
The Central Digital and Data Office (CDDO) – part of the Cabinet Office – set up a team to lead the development and implementation of the Secure by Design approach.
They undertook a discovery project, conducting pilots and user research to understand the problem and set clear objectives. The approach was drafted and tested through close collaboration with a diverse group of stakeholders including:
- a cross-government working group containing digital and security colleagues from departments and arm’s-length bodies (ALBs)
- an industry panel with representatives from suppliers who work with government on the delivery of digital services
- colleagues from NCSC and Government Security Group (GSG)
The milestones, key decisions and outputs of Secure by Design have been signed off by the CDDO Senior Leadership Team and are being regularly presented for approval and endorsement by the:
- Government Cyber Security Strategy Implementation Committee (chaired by the Director for Cyber Security)
- Functional Leaders Group (chaired by the Government CDIO)
- CTO Council (chaired by the Government CTO)
- CISO Forum
To ensure that effective and proportionate cyber security measures are built into government systems and services from the start and as they are being delivered.
Secure by Design encourages organisations to make security everyone’s responsibility and continuously manage security risks throughout the delivery lifecycle. It is designed to:
- promote a positive security culture
- highlight to project teams and organisations that security risks are business risks
- drive consistent and coherent security across government
- help organisations achieve their respective Cyber Assessment Framework profiles
The Secure by Design policy states that the implementation of the Secure by Design principles is mandatory:
“All central government departments and arm’s-length bodies (ALBs) shall incorporate effective security practices based on the common government Secure by Design principles when delivering and building digital services and technical infrastructure.”
Organisations that have established their own approach to secure by design are still required to meet the core principles and requirements included in the Secure by Design policy.
All other elements of the approach (such as the recommended activities) are best practice advice to help organisations with implementing the principles. These should be adapted by organisations to reflect their internal structure, processes, governance, culture and resources.
Although this policy applies to central government organisations and ALBs, it may also be optionally adopted by other parts of the public sector.
No.
The Secure by Design approach includes activities which offer step-by-step guidance to set expectations and encourage consistency, while allowing for flexibility based on each organisation’s specific circumstances.
An example Security Controls Taxonomy (mapped to NCSC Cyber Assessment Framework outcomes) has been provided for organisations that don’t already have an established set of controls. This includes recognised industry standards and frameworks that could be used as part of risk mitigation activities, however, all organisations are encouraged to develop their own list of preferred security controls that relate to their specific circumstances.
An example RACI matrix has been provided to help organisations when assigning Secure by Design responsibilities across the delivery teams.
CDDO will continue to iterate the approach in collaboration with the cross-government working group and industry panel. Improvements will be made based on feedback from the first iteration of the principles, activities and tools.
Further work is underway to develop an Artefacts Library with security patterns and use cases to help the delivery teams design digital services based on pre-approved solutions which address known security issues.
CDDO works with government organisations and an industry panel on iterating the guidance and resources, piloting outputs and running user research sessions.
If you would like to get involved, please email secure-by-design@digital.cabinet-office.gov.uk.
How Secure by Design works
Secure by Design is about embedding effective cyber security practices in digital delivery and applies at the project level. The principles need to be met as systems, services and technical infrastructure are being planned, designed and built.
However, organisations should offer consistent processes, policies and shared resources (such as a threat assessment and security controls set) that can be used by delivery teams across projects.
Any project delivering new or significant changes to digital services or technology infrastructure that is in scope of the digital and technology spend controls approval process.
This process is owned by the Cabinet Office CDDO and administered through the Get approval to spend service. Secure by Design will be piloted as part of this service in Autumn 2024.
This policy does not apply to digital services which are in operation or undergoing routine maintenance. Over time, it is expected that all digital services will either be retired or come into scope of the Secure by Design policy.
Organisations are encouraged to apply the approach to all their digital and technology projects, regardless of whether they need to pass through this assurance process.
The Cabinet Office will check if projects are meeting the Secure by Design principles via the digital and technology spend controls approval process which states that:
“All digital services and technical infrastructure in scope of this spend will be built to comply with the Government Cyber Standard.”
The Government Cyber Security Standard states:
“Organisations delivering new digital services and technical infrastructure shall comply with the cross-government Secure by Design (SbD) principles, demonstrated by achievement of a “high” SbD confidence profile using the SbD Self-Assessment Tracker.”
The Secure by Design self assessment tracker allows project teams to track their progress towards meeting the principles by following the recommended activities during each delivery phase. A mathematical model has been developed in the tracker that calculates a low, medium or high Secure by Design confidence profile based on these responses.
It is the responsibility of project and delivery teams to maintain the tracker as part of delivery activities so they can monitor whether they are meeting the required cyber security standard.
This completed tracker along with accompanying evidence (such as a risk register and resource plan) will be submitted for assessment as part of the digital and technology spend control process.
The Secure by Design team within the Central Digital and Data Office (CDDO) exists to support organisations across government. They will not be directly auditing the work done to implement the approach.
The focus is on consulting with departments to provide advice, guidance and resources, rather than oversight. This allows organisations to retain control over decision-making and the implementation of cyber security best practices to complement their internal processes.
In contrast to GovAssure, Secure by Design is not an assurance process. The approach encourages teams to continually work to understand and improve their cyber security posture.
Apart from the inherent risks related to not implementing a robust cyber security programme, not meeting the principles may result in delays to passing the digital and technology spend control process and securing further project funding.
The intention of Secure by Design is to incentivise organisations to improve their cyber security practices, not to halt those that need to make improvements.
If project teams have used the self assessment tracker to continuously monitor their adherence to the Secure by Design principles throughout the digital delivery lifecycle, this should provide the evidence required to meet the necessary criteria. CDDO will work with organisations during this process, providing support to those in need of assistance.
No.
The confidence profile provides a way to continuously monitor adherence to Secure by Design principles, but it does not replace the need for security assurance practices within organisations. It is not a risk register, a risk treatment plan or a risk management report.
A dashboard is being developed to collate data from self assessments that have been submitted by organisations as part of the digital and technology spend control process.
This information will be combined with evidence collected by CDDO during discussions with organisations to determine if the principles are being followed and whether they’re having a positive impact on security performance and culture.
Where Secure by Design fits in
The government Secure by Design principles address specific security challenges faced by government organisations throughout the delivery lifecycle from the stage of developing a business case to when the service moves from project to business as usual.
The NCSC secure design principles provide guidance for any organisation in the public or private sector, primarily focussed on system design. These have been reflected in principles 5 to 8 of the government Secure by Design approach.
The two sets of principles share common outcomes, but are tailored to their respective environments.
- The cross-government Secure by Design principles have been designed so they can be adopted across a diverse range of public sector organisations
- The MoD Secure by Design principles have been mapped and adapted to the specific project management lifecycle used within the MoD
While all departments are encouraged to adopt the central approach, the Secure by Design policy does permit flexibility in how this is achieved. This allows teams to adapt or expand on certain areas to reflect their circumstances, provided they still meet the core principles.
For example, both sets of principles make security an integral part of service design. They emphasise that security should be embedded from the start of the project lifecycle and integrated across the delivery team. They also both stress the importance of identifying, assessing and managing risks throughout the development and operational phases to maintain resilience and mitigate threats.
Please contact us via secure-by-design@digital.cabinet-office.gov.uk if you would like to collaborate on a specific set of principles for your organisation based on Secure by Design.
- GovAssure is the government cyber security assurance framework. It applies to the whole organisation as well as live digital services that are part of government Critical National Infrastructure (CNI).
- Secure by Design is a ‘shift-left’ security approach for delivery teams working on any digital service. It is mandatory for any service that falls within the digital and technology spend control process.
The Secure by Design approach aims to help organisations achieve their assigned Cyber Assessment Framework (CAF) profile, specifically meeting the CAF outcomes under principles:
- B2 – Identity and Access Control
- B3 – Data Security
- B4 – System Security
- B5 – Resilient Networks and Systems
The two approaches have different purposes and audiences.
- GovAssure requires organisations to assess their level of cyber resilience and the security posture of their government CNI systems
- Secure by Design helps organisations to improve their overall cyber resilience by taking a risk-driven approach when building digital services
GovAssure is a cyber security assurance process for security professionals to follow. Secure by Design helps everyone working within project teams to understand their responsibilities related to cyber security and incorporate best practices throughout the delivery lifecycle.
Not directly, but both are connected to the digital and technology spend control process.
A service assessment typically takes place at the end of a delivery phase (alpha, beta, etc) with a report produced. Projects that successfully meet the Service Standard proceed to applying for funding for the next phase through the digital and technology spend control process. This is where the Secure by Design self assessment tracker is submitted.
Relevant elements of Secure by Design will be included as part of the Service Standard and Service Manual, which will help teams going through this process ensure they’re meeting the required criteria and monitoring progress at each stage.
The Service Standard and Service Manual provide a broad framework that helps teams deliver high-quality digital services across government. They address areas including technology, user-centred design, service efficiency, accessibility and performance.
Adding detailed cyber security guidance and a thorough explanation of Secure by Design principles to these areas would be disproportionate to other areas of digital delivery, with a considerable amount of information irrelevant to many users.
Work is underway to integrate references to Secure by Design principles and activities within relevant points of the existing Service Manual guidance. This will help to ensure that security is naturally embedded throughout the lifecycle of government digital services, while providing a path for users who need to see more specific information on best practices.
The Service Standard Point 9 (Create a secure service which protects users’ privacy) is also being updated to align with the Secure by Design principles.
Part of the Secure by Design policy is to mitigate any security risks associated with using third-party products and ensure suppliers meet the relevant security obligations, regulations, and industry security standards.
CDDO is collaborating with the Government Commercial Function to embed these requirements into security schedules that can be incorporated into future procurements and contracts applied to projects. Organisations should work with their suppliers to encourage them to adopt the Secure by Design principles and routinely review their compliance during the delivery lifecycle.
There are no plans to retrospectively change contracts already in place.
The activity Managing third-party product security risks provides information that teams can use to identify vulnerabilities and manage any potential security risks when working with suppliers.
The Technology Code of Practice includes a Make things secure section. This guidance is currently being reviewed to ensure it aligns with the Secure by Design approach.
The Government Digital and Data Profession Capability Framework is also being reviewed to determine the best way to incorporate elements of Secure by Design into roles and skills.
Please contact us via secure-by-design@digital.cabinet-office.gov.uk if you believe there are other policies or guidance where it would be beneficial to integrate Secure by Design.
Who needs to be involved
The Secure by Design approach is for anybody in government involved in the delivery of digital services. This includes professionals from Digital and Data, Cyber Security, and Project Delivery as well as SROs, service owners, product managers and other business risk owners, and supporting teams including risk and assurance.
From senior leaders who lead on digital strategy to the developers fixing vulnerabilities, the approach is designed to make cyber security everyone’s collective responsibility.
Guidance on agreeing roles and responsibilities has been developed to help delivery managers or project managers involved in planning resources. This includes an example RACI matrix that provides an overview of the roles and responsibilities that could be involved in Secure by Design activities.
Secure by Design provides a way for security experts within an organisation (such as the head of cyber security, security architects and security assurance specialists) to get involved during the early planning stages of services and at every stage of the delivery lifecycle.
Their role is to support and advise delivery teams on developing appropriate and proportionate activities including selecting security controls frameworks, threat modelling, mitigating security risks and reviewing the security of supplier products.
Each organisation will need to determine the appropriate person, however typically this responsibility should lie with a Chief Digital and Information Officer (CDIO) or equivalent who oversees and directs digital strategy and transformation.
They will collaborate with Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs) and the Senior Responsible Officers (SROs) and service owners on project teams to embed Secure by Design throughout the organisation.
Watch the Secure by Design for senior leaders video for more information.
Each organisation is encouraged to appoint a Secure by Design champion who will be given access to resources (including factsheets, presentations and videos) aimed at different audiences. Part of their role is to develop an internal communication plan to engage teams throughout the implementation phases so they’re able to gain an understanding of the core principles and activities.
A series of webinars is in development aimed at those working in various roles and teams to explain their relationship to Secure by Design. To find out when these will be available and to express your interest, email secure-by-design@digital.cabinet-office.gov.uk.
This should be managed by a delivery or project manager throughout the lifecycle of the service.
They should include completion of the tracker within their regular processes, collaborating with the relevant internal colleagues to answer each question and collect the necessary evidence.
Due to the amount of information required to achieve a ‘High’ security confidence profile through the tracker, it is recommended to review and routinely update this, rather than attempt to complete this in one go when preparing for the digital and technology spend control process.
When it needs to be done
Following discussions with security and digital leaders across government, the following deadlines have been set for organisations:
- End of 2024 – Ministerial departments, ALBs managing government Critical National Infrastructure (CNI) and organisations managing priority government services
- End of 2025 – All remaining ALBs and other central government organisations
A conditional three month extension is available for organisations where additional time is required. CDDO is working with Secure by Design champions within organisations to determine the feasibility of these timelines.
Support is currently being offered to organisations with more immediate deadlines, however all organisations are encouraged to begin the process of transitioning to Secure by Design as soon as possible.
Secure by Design is an amalgamation of cyber security best practices that should already be in place.
The circumstances for each organisation in scope of the policy will be different, with varying levels of cyber security maturity, resource and capability. This makes it difficult to estimate how much resource or investment is required to meet the requirements.
A preparation checklist is available to help organisations determine which elements of the approach they are already achieving. The results of this will feed into a transition plan to address any gaps.
Following the successful implementation of the principles, Secure by Design should become a natural part of the delivery lifecycle, rather than a resource-heavy process.
To help organisations meet the required timelines, guidance, tools and examples have been published on security.gov.uk.
Additional resources have also been made available through Secure by Design champions, including training materials and templates.
A series of webinars aimed at helping people in various roles and teams to understand and implement Secure by Design is in development. To find out when these will be available and to express your interest, email secure-by-design@digital.cabinet-office.gov.uk.