Questions about Secure by Design
Common questions and useful information for Secure by Design champions, working groups and senior stakeholders within organisations.
- For an introduction to what Secure by Design is (and isn’t), download the factsheet or watch the video
- For a walkthrough of the Secure by Design approach (covering the context, principles, activities and implementation phases) see the presentation slides
For any questions that are not covered here, contact us via secure-by-design@digital.cabinet-office.gov.uk.
What Secure by Design is
A desire to address common cyber security challenges in digital delivery and achieve a more consistent approach across central government was identified as a key priority by the government Chief Information Security Officers (CISOs) Forum.
Following a series of consultations with a cross-government working group and key partners like the Government Security Group (GSG) and the National Cyber Security Centre (NCSC), Secure by Design was included as outcome 9 in the Government Cyber Security Strategy and commitment 11 in the Roadmap for digital and data, 2022 to 2025.
The central Secure by Design team was originally set up by the Central Digital and Data Office (CDDO). In January 2025, CDDO became part of the Government Digital Service (GDS), which is part of the Department for Science, Innovation and Technology (DSIT).
The team undertook a discovery project, conducting pilots and user research to understand the problem and set clear objectives. The approach was drafted and tested through close collaboration with a diverse group of stakeholders including:
- a cross-government working group containing digital and security colleagues from departments and arm’s-length bodies (ALBs)
- an industry panel with representatives from suppliers who work with government on the delivery of digital services
- colleagues from the NCSC and the GSG
The milestones, key decisions and outputs of Secure by Design have been signed off by the GDS Senior Leadership Team and are being regularly presented for approval and endorsement by the:
- CISO Forum
- CTO Council
- Functional Leaders Group
- Government Cyber Security Strategy Implementation Committee
To ensure that effective and proportionate cyber security measures are built into government systems and services from the start and as they are being delivered.
Secure by Design encourages organisations to make security the responsibility of everyone within a project, and proactively and continuously manage security risks throughout the delivery life cycle. It is designed to:
- promote a positive security culture
- highlight to project teams and organisations that security risks are business and delivery risks
- drive consistent and coherent security across government
- help organisations achieve their respective Cyber Assessment Framework (CAF) profiles
The Secure by Design policy states that the implementation of the Secure by Design principles is mandatory:
“All central government departments and arm’s-length bodies (ALBs) shall incorporate effective security practices based on the common government Secure by Design principles when delivering and building digital services and technical infrastructure.”
Central government organisations that have established their own approach to Secure by Design are still required to meet the core principles and requirements included in the Secure by Design policy.
All other elements of the approach (such as the recommended activities) are best practice advice to help organisations with implementing the principles. These should be adapted by organisations to reflect their internal structure, processes, governance, culture and resources.
Although this policy applies to central government organisations and ALBs, it may also be optionally adopted by other parts of the public sector.
No.
The Secure by Design approach includes activities which offer step-by-step guidance to set expectations and encourage consistency, while allowing for flexibility based on each organisation’s specific circumstances.
We’ve provided an example Security Controls Taxonomy (mapped to NCSC Cyber Assessment Framework outcomes) for organisations that do not already have an established set of controls. This includes recognised industry standards and frameworks that could be used as part of risk mitigation activities. However, we encourage all organisations to develop their own list of preferred security controls that relate to their specific circumstances.
We also offer an indicative RACI matrix to help organisations when assigning Secure by Design responsibilities across delivery teams.
GDS will continue to iterate the approach in collaboration with the cross-government Secure by Design working group and industry panel. We’ll make improvements to Secure by Design website content based on feedback from our users.
Further work is underway to continue developing an Artefacts Library with security patterns and use cases to help delivery teams design digital services based on pre-approved solutions which address known security issues.
GDS works with government organisations and an industry panel on iterating our guidance and resources, piloting outputs and conducting user research when required. We’ve also recently established a security architects working group.
If you would like to get involved, email secure-by-design@digital.cabinet-office.gov.uk.
How Secure by Design works
Secure by Design is about embedding effective cyber security practices in digital delivery and applies at the project level. The mandatory principles need to be met as systems, services and technical infrastructure are being planned, designed and built.
However, organisations should offer consistent processes, policies and shared resources (such as an organisational risk appetite, threat assessment and security controls set) that can be used by delivery teams across projects.
The Secure by Design policy requires the approach to be used for any project delivering new or significant changes to digital services or technology infrastructure that is in scope of the digital and technology spend control approval process.
This process is managed by the Department for Science, Innovation and Technology (DSIT) through the Get approval to spend service.
This policy does not apply to digital services which are in operation or undergoing routine maintenance. Over time, it is expected that all digital services will either be retired or come into scope of the Secure by Design policy.
Aside from the formal policy, we do encourage organisations to apply the approach, or aspects of it, to all their digital and technology projects, regardless of whether they need to pass through the spend control process. It is for Chief Digital and Information Officers (CDIOs) or equivalent to decide on the extent of their organisation’s adoption of the approach.
DSIT will check if projects are meeting the Secure by Design principles via the Get approval to spend service as part of the digital and technology spend control process.
The Government Cyber Security Standard states:
“Organisations delivering new digital services and technical infrastructure shall comply with the cross-government Secure by Design principles, demonstrated by achievement of a ‘high’ confidence profile using the Secure by Design self assessment tracker.”
The Secure by Design self assessment tracker allows project teams to track their progress towards meeting the principles by following the recommended activities during each delivery phase. A mathematical model has been developed in the tracker that calculates a low, medium or high Secure by Design confidence profile based on the provided responses.
It is the responsibility of project and delivery teams to maintain the tracker as part of delivery activities so they can monitor whether they are meeting the required cyber security standard.
Projects passing through the digital and technology spend control process will be asked as part of the Get approval to spend service whether they have completed the tracker and achieved a high confidence profile.
The Secure by Design team within the Government Digital Service (GDS) is overseeing the rollout of Secure by Design across central government, tracking adoption progress and providing advice and guidance to organisations as required.
The team is responsible for assessing services’ compliance with Secure by Design principles as part of the digital and technology spend control process.
The Government Internal Audit Agency (GIAA) is likely to audit various aspects of Secure by Design, including its adoption by some central government organisations.
Apart from the inherent risks related to not implementing a robust cyber security programme, not meeting the principles may result in delays to passing the digital and technology spend control process and securing further project funding.
The intention of Secure by Design is to incentivise organisations to improve their cyber security practices, not to halt those that need to make improvements.
If project teams have used the self assessment tracker to continuously monitor their adherence to the Secure by Design principles throughout the digital delivery life cycle, this should provide the evidence required to meet the necessary criteria. GDS will work with organisations during this process, providing support to those in need of assistance.
No.
The confidence profile in the self assessment tracker provides a way to continuously monitor adherence to Secure by Design principles, but it does not replace the need for security assurance practices within organisations.
It is not a risk register, a risk treatment plan or a risk management report. It is not intended to replace primary security documentation such as risk assessments but rather to provide a structured, centralised view of how Secure by Design principles are being implemented. It serves as a high-level governance tool that ensures key security activities are completed and documented appropriately.
A process, success metrics and a dashboard are being used to track the adoption of Secure by Design across central government. Data is being gathered in regular checkpoint meetings with the Secure by Design champions. The dashboard is being shared with the champions and CDIOs.
We’re also developing a process, success metrics and a dashboard to collate and analyse data from the Get approval to spend service. This is data that is submitted by organisations as part of the digital and technology spend control process.
This information will be combined with evidence collected by GDS during spend control discussions with organisations to determine if the principles are being followed and whether they’re having a positive impact on cyber security posture and culture.
Where Secure by Design fits in
The cross-government Secure by Design principles address specific security challenges faced by government organisations throughout the digital delivery life cycle, from the discovery and business case development stages to the point when a service moves from project to business as usual.
The NCSC secure design principles provide guidance for any organisation in the public or private sector and primarily concentrate on system design. These have been reflected in principles 5 to 8 of the government Secure by Design approach.
The two sets of principles share common outcomes, but are tailored to their respective environments.
- The cross-government Secure by Design principles have been designed so they can be adopted across a diverse range of public sector organisations
- The MoD Secure by Design principles have been mapped and adapted to the specific project management life cycle used within the MoD
While all departments are encouraged to adopt the central approach, the Secure by Design policy does permit flexibility in how this is achieved. This allows teams to adapt or expand on certain areas to reflect their circumstances, provided they still meet the core principles.
For example, both sets of principles make security an integral part of service design. They emphasise that security should be embedded from the start of the project life cycle and integrated across the delivery team. They also both stress the importance of identifying, assessing and managing risks throughout the development and operational phases to maintain resilience and mitigate threats.
Contact us at secure-by-design@digital.cabinet-office.gov.uk if you would like to collaborate on a specific set of principles for your organisation based on Secure by Design.
GovAssure is the government cyber security assurance framework. It applies to the whole organisation as well as live digital services that are part of government Critical National Infrastructure (CNI).
Secure by Design is a ‘shift-left’ security approach for delivery teams working on any digital service. It is mandatory for any service that will be subject to the digital and technology spend control process.
The Secure by Design approach aims to help organisations achieve their assigned Cyber Assessment Framework (CAF) profile, specifically the CAF outcomes under principles:
- B2: Identity and Access Control
- B3: Data Security
- B4: System Security
- B5: Resilient Networks and Systems
The two approaches have different purposes and audiences.
GovAssure:
- requires organisations to assess their level of cyber resilience and the security posture of their government CNI systems
- is a cyber security assurance process for security professionals to follow
Secure by Design:
- helps organisations to improve their overall cyber resilience by taking a risk-driven approach when building digital services
- helps everyone working within project teams to understand their responsibilities related to cyber security and incorporate best practices throughout the delivery life cycle
Yes.
A service assessment typically takes place at the end of a delivery phase (alpha, beta and so on) with a report produced. Projects that successfully meet the Service Standard proceed to applying for funding for the next phase through the digital and technology spend control process. This is where project teams will also be asked about their application of Secure by Design, which they should have been tracking using the self assessment tracker.
Relevant elements of Secure by Design have been included within the Service Standard and Service Manual, which will help teams going through this process ensure they’re meeting the required criteria and monitoring progress at each stage.
The Service Standard and Service Manual provide a broad framework that helps teams deliver high-quality digital services across government. They address topics like technology, user-centred design, service efficiency, accessibility and performance.
Adding detailed cyber security guidance and a thorough explanation of Secure by Design principles to these areas would be disproportionate to other areas of digital delivery, with a considerable amount of information irrelevant to many users.
References to Secure by Design principles and activities have therefore been integrated into the existing Service Manual guidance. This will help to ensure that security is naturally embedded throughout the life cycle of government digital services, while providing a path for users who need to see more specific information on best practices.
The Service Standard Point 9 (Create a secure service which protects users’ privacy) has also been updated to align with the Secure by Design principles.
Part of the Secure by Design policy is to mitigate any security risks associated with using third-party products and ensure suppliers meet the relevant security obligations, regulations, and industry security standards.
GDS has collaborated with the Government Commercial Function to embed these requirements into modular security schedules that can be incorporated into future procurements and contracts. Organisations should work with their suppliers to ensure they are adhering to the Secure by Design principles and to routinely review the compliance of suppliers during the delivery life cycle.
There are no plans to retrospectively change contracts that are already in place.
The activity Managing third-party product security risks provides information that teams can use to identify vulnerabilities and manage any potential security risks when working with suppliers.
While we recognise the importance of implementing Secure by Design practices, we do not currently require formal accreditation for our suppliers in this area.
Secure by Design is a guiding framework rather than a certification or formal accreditation scheme, so we concentrate on outcomes rather than specific accreditations.
We prioritise the adoption of recognised security frameworks, such as the NIST Cybersecurity Framework (CSF), the NCSC Cyber Assessment Framework (CAF) and ISO/IEC 27001, as evidence of robust security practices. We encourage you to embed the principles of Secure by Design into your processes as part of your ongoing commitment to security and cyber resilience.
Refer to Contracting Securely – Additional considerations for information on Secure by Design requirements for suppliers.
To stay informed about any changes that may impact the Secure by Design approach, you can sign up to our newsletter.
Secure by Design is fundamentally different from the traditional Accreditation process.
While Accreditation is typically a point-in-time assessment certifying that a system meets predefined security requirements, Secure by Design is a proactive and continuous approach to embedding security throughout the entire digital delivery life cycle.
Instead of focusing on a pass or fail certification, Secure by Design helps organisations build security capabilities that align with their risk appetite and operational needs.
Accreditation often happens at the end of a project, whereas Secure by Design ensures security is considered from the outset and evolves with the service.
Who needs to be involved
The Secure by Design approach is for anybody in government involved in the delivery of digital services. This includes professionals from Digital and Data, Cyber Security, and Project Delivery as well as Senior Responsible Owners (SROs), service owners, product managers and other business risk owners, and supporting teams including risk, assurance and commercial.
From senior leaders who lead on digital strategy to the developers fixing vulnerabilities, the approach is designed to make cyber security everyone’s collective responsibility.
We’ve developed guidance on agreeing roles and responsibilities to help delivery managers or project managers involved in planning resources. This includes an indicative RACI matrix that provides an overview of the roles and responsibilities that could be involved in Secure by Design activities.
Secure by Design provides a way for security experts within an organisation (such as the head of cyber security, security architects and security assurance specialists) to get involved during the early planning stages of services and at every stage of the delivery life cycle.
Their role is to support and advise delivery teams on developing appropriate and proportionate activities including selecting security controls frameworks, threat modelling, mitigating security risks and reviewing the security of supplier products. They may also become involved in completion of the self assessment tracker.
Each organisation will need to determine the appropriate person; however, this responsibility should typically lie with a Chief Digital and Information Officer (CDIO) or equivalent who oversees and directs digital strategy and transformation.
They will collaborate with Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs) and the Senior Responsible Owners (SROs) and service owners on project teams to embed Secure by Design throughout the organisation.
Watch the Secure by Design for senior leaders video for more information.
Each central government organisation is encouraged to appoint a Secure by Design champion who will be given access to communication resources (including factsheets, presentations and videos) aimed at different audiences. Part of the champion’s role is to develop a communication plan to engage teams throughout the implementation process so they’re able to gain an understanding of the Secure by Design approach and the required actions.
We have also been delivering and recording webinars aimed at particular roles and communities including project and delivery managers, SROs and service owners, and commercial teams. More sessions will be made available in the coming months.
Speak to your Secure by Design champion about these sessions or email secure-by-design@digital.cabinet-office.gov.uk.
The responsibility for maintaining the self assessment tracker should ideally sit with the delivery team of a project, with clear accountability assigned to specific roles. Typically, this could be:
- the project or delivery manager, who ensures the tracker is updated as part of project governance and that security considerations are embedded in delivery
- the security lead or architect, who provides input on security-related activities and ensures risks and mitigations are accurately reflected
- the product owner or service owner, who oversees the integration of Secure by Design principles and ensures the tracker aligns with service development
Ultimately, the SRO or accountable executive should ensure that the tracker is actively maintained and used to demonstrate compliance with Secure by Design principles.
When it needs to be done
Following discussions with security and digital leaders across government, the following deadlines were set for organisations:
- End of 2024: ministerial departments and arm’s-length bodies (ALBs) managing government Critical National Infrastructure (CNI), priority government services, or both. Some of these organisations have been granted additional time where required
- End of 2025: all remaining ALBs and other central government organisations such as executive agencies and treasury-funded regulators
Whatever the timeline, all organisations in the roll-out are being encouraged to begin the process of transitioning to Secure by Design as soon as possible.
Secure by Design is a consolidation of established cyber security best practices that should already be in place. However, the level of effort required for implementation will vary across organisations depending on their existing cyber security maturity, resources and capabilities.
Due to these differences, it’s difficult to estimate the exact level of resource or investment needed to meet the requirements. To support organisations in assessing their current position, a preparation checklist is available. This helps identify which elements of Secure by Design are already being met and highlights areas requiring further attention. The results of this assessment feed into a transition plan, ensuring that any gaps are systematically addressed.
Once successfully embedded, Secure by Design should become an integral part of the delivery life cycle, enhancing security in a way that feels natural rather than being seen as an additional, resource-intensive process.
Yes, but when the Secure by Design mandate comes into effect through the digital and technology spend control process for your organisation, you’ll only be asked to demonstrate you’ve adhered to Secure by Design principles for the phase that your project is in. You’ll do this using the self assessment tracker.
For example, a project in alpha will be expected to complete the ‘Alpha’ worksheet in the self assessment tracker, but not the ‘Discovery’ worksheet. A project in public beta or live will be expected to complete the ‘Public beta or live’ worksheet in the self assessment tracker, but not the previous phases.
You are not required to implement the Secure by Design approach retrospectively for previous phases or provide evidence that you completed Secure by Design activities in previous phases. However, ignoring suggested activities from previous phases is likely to impact your work in the current phase.
For example, the following activities should be part of the discovery phase of a project:
- Identifying security resources
- Working out the project’s security risk appetite
- Sourcing a threat assessment
If they were not carried out, there will be a knock-on effect for later phases. We’d therefore encourage you to review any gaps in your application of the approach. However, how Secure by Design is applied, monitored and integrated into your projects should be informed by your internal policies and by the Chief Digital and Information Officer (CDIO) or equivalent, who is accountable for the adoption of Secure by Design in your organisation.
Secure by Design policy does not apply to digital services which are in operation or undergoing routine maintenance.
If you have a low security confidence profile, your project will not get spend control approval.
If you achieve a medium confidence profile, you must have a conversation with the Secure by Design team to discuss which security requirements you’ve been unable to achieve. Following this discussion, you may get conditional approval to proceed, as long as you’ve agreed to put the necessary actions in place to improve the security posture of your service.
It depends on the extent of the changes. Our policy states that Secure by Design “applies to new or significant changes (for example those requiring a treasury business case or those where there is significant change to the cyber risk profile) to digital service and technology infrastructure either built within departments or procured through suppliers which are in scope of digital and technology spend control approval process”.
It’s down to your department, or its CDIO or equivalent, to create an internal policy defining what represents a significant change. They should consider changes that could impact a service’s cyber risk profile, require substantial investment or introduce major updates to infrastructure or digital services. Examples of ‘significant changes’ could include:
- a department seeking additional funding to scale up a digital service, requiring a business case submission to the Treasury
- migrating an on-premises system to a cloud environment
- adding new capabilities to a digital platform, such as implementing AI or enabling cross-departmental data sharing
- expanding a pilot digital service to nationwide deployment
GDS provides a range of support to help central government organisations implement Secure by Design effectively. This includes:
- awareness webinars: GDS has been running webinars with leadership (CDIOs, Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs)) to raise awareness and support implementation at an organisational level
- kick-off and regular check-in sessions: GDS has been running kick-off sessions at the start of the engagement with central government organisations and regular check-in sessions to provide one-to-one support and to monitor progress
- guidance and tools: we’ve published a range of guidance, tools, and examples on the Government Security website to help organisations meet the required timelines
- Secure by Design champions: additional resources, including training materials and templates, are available through Secure by Design champions surgeries
- role-specific webinars: a series of webinars are being developed to support individuals in different roles and teams in understanding and applying Secure by Design
To find out more about upcoming webinars or to express your interest, contact your local Secure by Design champion or email secure-by-design@digital.cabinet-office.gov.uk.