Government cyber resilience
Public Accounts Committee
Inquiry (Closed)
In 2022, the Government set itself a target for critical functions to be significantly hardened to cyber-attack by 2025. It also aims for the whole public sector to be resilient to known vulnerabilities and attack methods by 2030 at the latest. Alongside a recognition that there is a significant gap …
15 Recommendations
20 Conclusions
1 Report
1 Oral session
1 Letter
1 Event
Activity timeline (5 events)
18 Sep 2025
9 May 2025: Report published
31 Mar 2025
10 Mar 2025: Oral evidence
10 Mar 2025: Formal meeting (oral evidence session) · The Thatcher Room, Portcullis House
Oral evidence sessions (1 session)
10 Mar 2025
Bella Powell · Cabinet Office
Cat Little · Cabinet Office
Joanna Davinson · Cabinet Office
Vincent Devine · Cabinet Office
Reports (1 report)
| Title | HC No. | Published | Items | Response |
|---|---|---|---|---|
| 24th Report - Government cyber resilience | HC 643 | 9 May 2025 | 35 | Responded |
Recommendations & Conclusions
35 results
2
Recommendation
Accepted
24th Report - Government cyber res…
Require Cabinet Office to detail how central interventions will fill cyber vacancies and support departments.
There is a longstanding shortage in government of the experienced, technical cyber skills required. Skilled cyber security professionals are scarce and in high demand nationally and globally. As this Committee has frequently reported over the years, government finds it hard …
Government Response
The government commits to integrating cyber capability teams into DSIT by November 2025, using talent programmes and a new Cyber Resourcing Hub to attract staff. DSIT will also set out "early next year" how many vacancies central initiatives will fill and how it will help departments fill remaining gaps.
HM Treasury
3
Recommendation
Accepted
24th Report - Government cyber res…
Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.
Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not …
Government Response
The government reiterates the requirement for public sector organisations to have a digital leader on their executive committee and board by 2026. DSIT will further set expectations for departments to appoint board members with cyber security expertise, mandate regular board reporting, define roles, and specify mandatory risk management actions in a new Target Operating Model.
HM Treasury
4
Recommendation
Accepted
24th Report - Government cyber res…
Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.
Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations identified that government cyber resilience was substantially lower than …
Government Response
The government commits DSIT to work with HM Treasury to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular departmental reporting, and establish mechanisms to protect budgets for these programmes to prevent fund diversion.
HM Treasury
5
Conclusion
Accepted
24th Report - Government cyber res…
Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.
The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s–length …
Government Response
The government commits DSIT to clearly outlining departmental responsibilities for arm's-length bodies' cyber security, assuring and enforcing compliance including mandating assurance data, reforming procurement, embedding contractual requirements, and setting higher expectations for strategic suppliers.
HM Treasury
6
Recommendation
Accepted
24th Report - Government cyber res…
Set out levers and instruments for a fundamentally different approach to government cyber resilience.
Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus …
Government Response
The government commits to publishing a new Government Target Operating Model for Cyber and Digital Resilience, which will outline how government will organise and operate to manage cyber risks. DSIT will then set out implementation plans for this model later in 2025.
HM Treasury
1
Conclusion
Accepted
24th Report - Government cyber res…
Committee takes evidence regarding government cyber resilience based on C&AG report.
On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office and the Department for Science, Innovation and Technology (DSIT) on the cyber resilience of Government.
Government Response
The government states it has moved cyber security responsibility to DSIT to enable a more interventionist approach. DSIT will publish a Government Cyber Security Strategy Implementation Plan in winter 2025 and will update the Committee on implementation in one year.
HM Treasury
7
Conclusion
Accepted
24th Report - Government cyber res…
Government faces rapidly evolving and increasingly sophisticated cyber threats from capable adversaries.
The Cabinet Office told us that we should be extremely worried by the rapidly evolving cyber threat, which is the most sophisticated it has ever been. It explained that over the last three years, government’s adversaries, which include nation states …
Government Response
The government agrees with the concern about the evolving cyber threat, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
HM Treasury
8
Conclusion
Accepted
24th Report - Government cyber res…
Nation states pose increasing risk of espionage and disruptive cyber attacks on essential services.
The Cabinet Office highlighted concerns about nation states’ intent to conduct espionage and disrupt essential services. It described a campaign of espionage by Russian military intelligence that involved stealing and leaking data, and defacing websites. The Cabinet Office considered disruptive …
Government Response
The government agrees with the concern about nation-state cyber threats, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
HM Treasury
9
Conclusion
Accepted
24th Report - Government cyber res…
Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.
Organised criminal groups use ransomware and data extortion to make money. They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023, …
Government Response
The government agrees with the concern about ransomware attacks, noting it has committed to a more interventionist approach and moved responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
HM Treasury
10
Conclusion
Accepted
24th Report - Government cyber res…
Cyber threats and security constantly evolve; adversaries already leveraging AI to probe defences.
Both the cyber threat and government’s cyber security are continuing to evolve as technology develops. The Cabinet Office described this to us as a “technology race” that required government to adapt its approach constantly. We asked how government thought artificial …
Government Response
The government agrees and states it has already moved cyber security responsibility to DSIT and will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to outline its approach to driving cyber and technology resilience, with an update to the committee in one year.
HM Treasury
11
Recommendation
Accepted
24th Report - Government cyber res…
Government's current cyber resilience levels remain inadequate to effectively respond and recover from attacks.
We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat. The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this …
Government Response
The government agrees with the finding that current cyber resilience is insufficient, committing to a more interventionist approach and moving responsibility for public sector cyber security to DSIT. DSIT will publish a Government Cyber Security Strategy Implementation Plan in Winter 2025 to drive resilience.
HM Treasury
12
Recommendation
Accepted
24th Report - Government cyber res…
Persistent shortage of skilled cyber security professionals due to uncompetitive government salaries.
For more than a decade, skilled cyber security professionals have been in short supply and high demand nationally and globally. Government has not paid market–rate salaries for digital and cyber skills, which has been …
Government Response
The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT will also work with departments to understand skill gaps and use 2025 data to address vacancies, committing to set targets for this early next year.
HM Treasury
13
Recommendation
Accepted
24th Report - Government cyber res…
Significant cyber security skill vacancies persist across central government departments.
In 2023–24, one in three cyber security roles in central government were vacant or filled by expensive contractors, and the proportion of vacancies in several departments’ cyber security teams was more than 50%. The Cabinet Office accepted that there were …
Government Response
The government agrees, aiming for implementation by Spring 2026, and acknowledges the cyber skills gap. It commits to integrating relevant teams into DSIT by November 2025, continuing talent programmes, establishing a Cyber Resourcing Hub, and using 2025 workforce data to set targets for filling vacancies.
HM Treasury
14
Recommendation
Accepted
24th Report - Government cyber res…
Slow and un-diverse recruitment processes hinder government cyber security community development.
We asked the Cabinet Office why civil service recruitment processes remained a barrier. The Cabinet Office noted data suggesting it took on average nine months to recruit technology specialists. The Cabinet Office described this as not being good enough and …
Government Response
The government agrees and is implementing reforms to address cyber skills gaps, including integrating relevant teams into DSIT by November 2025, attracting talent via programmes like Cyber Fast Stream, and establishing a new Cyber Resourcing Hub to streamline recruitment. DSIT will also work with departments to understand skill gaps and use 2025 data to address vacancies, committing to set targets for this early next year.
HM Treasury
15
Conclusion
Accepted
24th Report - Government cyber res…
Fragmented departmental cyber security recruitment and training programmes persist across government.
Recruitment is fragmented across government, with some departments developing their own cyber recruitment and training programmes based on their needs. We queried how the Cabinet Office was working across Government, rather than letting each department train and recruit in its …
Government Response
The government agrees and commits to integrating Cyber, Digital and Data teams into DSIT by November 2025, establishing a new Cyber Resourcing Hub, and using 2025 workforce data to identify vacancies. Early next year, DSIT will set targets for central initiatives and plans to assist departments in filling remaining cyber vacancies.
HM Treasury
16
Recommendation
Accepted
24th Report - Government cyber res…
Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.
Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a …
Government Response
The government agrees, stating that all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. DSIT will further set expectations for appointing board members with cyber security expertise, ensure regular risk reporting, define roles, and specify mandatory actions within a new Target Operating Model.
HM Treasury
17
Recommendation
Accepted
24th Report - Government cyber res…
Require every government department to appoint a very senior Chief Information Officer.
We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made …
Government Response
The government agrees to the recommendation, with a target implementation of Spring 2026. It will require all public sector organisations to have a digital leader and a digital non-executive director by 2026, and DSIT will set expectations for departments to appoint board members with cyber expertise and define associated responsibilities and reporting.
HM Treasury
18
Conclusion
Accepted
24th Report - Government cyber res…
Departments remain reluctant to share cyber incident information, hindering collective learning.
We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what …
Government Response
The government agrees and commits to improving cyber security governance by requiring digital leaders and non-executive directors by 2026, and DSIT will set expectations for board members with cyber expertise, ensure regular risk reporting, and define roles within a future Target Operating Model.
HM Treasury
19
Conclusion
Accepted
24th Report - Government cyber res…
Government Cyber Coordination Centre improves information sharing but remains in early stages.
We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments. The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September …
Government Response
The government agrees, aiming for implementation by Spring 2026, and will require public sector organisations to have digital leaders and non-executive directors by 2026. DSIT will also set expectations for departments to appoint board members with cyber expertise, ensure regular risk reporting, and define responsibilities within a new Target Operating Model.
HM Treasury
20
Conclusion
Accepted
24th Report - Government cyber res…
GovAssure reveals significant gaps and low maturity in departmental cyber resilience.
In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self–assessed their performance against minimum cyber standards set by the Cabinet Office. In the …
Government Response
The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.
HM Treasury
21
Conclusion
Accepted
24th Report - Government cyber res…
GovAssure data, though from a small sample, indicates overall government cyber resilience.
The Cabinet Office told us that GovAssure would run continually to give regular updates on government’s resilience. Although the systems assessed so far are a small part of government’s IT estate, the Cabinet Office argued that they were representative of …
Government Response
The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.
HM Treasury
22
Conclusion
Accepted
24th Report - Government cyber res…
Previous departmental self-assessments significantly over-estimated actual cyber resilience levels.
The Cabinet Office told us that cyber resilience was substantially lower than it had expected following departments’ previous self–assessments. It had found that the organisations that GovAssure’s independent reviewers had scored poorly were the most over–optimistic in their self–assessments. We …
Government Response
The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular reporting by Spring 2026.
HM Treasury
23
Recommendation
Accepted in Part
24th Report - Government cyber res…
GovAssure not designed to assess all critical systems despite improvement goals.
We asked the Cabinet Office how it would increase the scale and pace of GovAssure to assess the cyber resilience of all of government’s critical systems. The Cabinet Office explained that it did not plan to assess 100% …
Government Response
The government agrees to the recommendation, aiming for implementation by Spring 2026, and commits to requiring departments to identify and report critical systems through GovAssure, driving its adoption across government, and determining optimal assessment scale and frequency. However, it does not explicitly detail how GovAssure will be made quicker and easier for departments.
HM Treasury
24
Conclusion
Accepted
24th Report - Government cyber res…
Legacy IT systems consume vast expenditure while posing persistent risks to public services.
Many of government’s IT systems are ‘legacy’, because they are ageing and outdated but still in use. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to …
Government Response
The government agrees and states that DSIT is improving data collection on legacy systems, will continue to drive GovAssure adoption, and will work with HMT to develop a methodology for tracking funding for legacy remediation, include cyber resilience activity in regular reporting, and establish mechanisms for protecting relevant budgets by Spring 2026.
HM Treasury
25
Recommendation
Accepted
24th Report - Government cyber res…
Government lacks comprehensive understanding of its total legacy IT estate and associated risks.
We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much …
Government Response
The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.
HM Treasury
26
Conclusion
Accepted
24th Report - Government cyber res…
Unacceptable knowledge gap persists due to poor legacy IT asset management across government.
We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information …
Government Response
The government agrees with the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding for legacy projects and include cyber resilience in regular reporting by Spring 2026.
HM Treasury
27
Recommendation
Accepted
24th Report - Government cyber res…
Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.
We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had. The Cabinet Office told us that …
Government Response
The government agrees to the implied recommendation, with DSIT committed to improving data collection on legacy systems, ensuring departments use GovAssure for critical systems, supporting remediation efforts, and working with HMT to track funding and include cyber resilience in regular reporting by Spring 2026.
HM Treasury
28
Recommendation
Accepted
24th Report - Government cyber res…
Departments lack resources and oversight to ensure cyber resilience across wider public sector.
Departments, arm’s–length bodies and their partners use a wide range of IT systems and technology to provide public services. The Government Cyber Security Strategy: 2022–2030 (‘the Strategy’) set out that government departments’ cyber responsibilities included ensuring their arm’s–length bodies and …
Government Response
The government agrees to the recommendation by Spring 2026, committing DSIT to clearly outline and enforce departmental responsibility for ALB cyber security and digital resilience, including requiring assurance data. The Digital Commercial Centre of Excellence will also reform procurement processes, and DSIT will support supply chain risk management by embedding contractual requirements and setting higher expectations for suppliers.
HM Treasury
29
Conclusion
Accepted
24th Report - Government cyber res…
Departmental commitment to wider public sector cyber resilience strategy shows inconsistent implementation.
The Cabinet Office confirmed to us that lead government departments were responsible for understanding and tackling cyber risk across the wider public sector. While recognising that departments’ response to the Strategy …
Government Response
The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments in managing supply chain risks and setting higher expectations for strategic suppliers.
HM Treasury
30
Recommendation
Accepted
24th Report - Government cyber res…
Government faces complex challenges managing cyber security risk within its supply chain.
We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious …
Government Response
The government agrees to the recommendation by Spring 2026, recognising the importance of managing risks in ALBs and their supply chains. DSIT will outline and enforce departmental responsibility for ALBs, while the Digital Commercial Centre of Excellence will reform procurement processes. DSIT will also embed contractual requirements into frameworks, provide training, and use government buying power to set higher expectations for strategic suppliers regarding cyber security.
HM Treasury
31
Conclusion
Accepted
24th Report - Government cyber res…
Over-reliance on limited strategic IT suppliers creates significant cyber security risks.
Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers. The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not …
Government Response
The government agrees and DSIT will clearly outline departmental responsibility for cyber resilience in arm’s-length bodies (ALBs), enforce accountability, ensure ALBs manage risk and report data. The Digital Commercial Centre of Excellence will reform procurement, and DSIT will support departments in managing supply chain risks and setting higher expectations for strategic suppliers.
HM Treasury
32
Conclusion
Deferred
24th Report - Government cyber res…
Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.
The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such …
Government Response
The government agrees and is defining a future Target Operating Model for Cyber and Digital Resilience, with DSIT setting out implementation plans for this model later in 2025.
HM Treasury
33
Conclusion
Deferred
24th Report - Government cyber res…
Cabinet Office designing new approach to meet challenging 2030 cyber security target
We asked the Cabinet Office how it intended to meet its target for 2030. The Cabinet Office was clear that the target would be challenging to meet. To do so, it told us that government would need to take a …
Government Response
The government agrees and states that a Target Operating Model for Cyber and Digital Resilience is being defined, with DSIT setting out implementation plans later in 2025.
HM Treasury
34
Conclusion
Deferred
24th Report - Government cyber res…
Cabinet Office accepted NAO recommendation for cross-Government cyber security implementation and monitoring plan
We challenged the Cabinet Office on whether its plans were realistic. The Cabinet Office told us it had accepted the NAO’s recommendation that it needed a cross–Government implementation plan and a stronger monitoring and evaluation framework. It said these would …
Government Response
The government agrees with the committee's observation and states that work is underway to define a future Target Operating Model for Cyber and Digital Resilience, with DSIT setting out implementation plans later in 2025.
HM Treasury
35
Conclusion
24th Report - Government cyber res…
UK can learn from Canada and Australia's central government cyber security approaches
We asked if there were any countries that manage cyber security effectively that the UK should learn from. The Cabinet Office told us that most of the UK’s international partners were also trying to catch up with the …
HM Treasury
Correspondence (1 letter)
31 Mar 2025
To committee
Letter from the Civil Service Chief Operating Officer and Cabinet Office Permanent Secretary relating to the oral evidence session held on 10 March 2025 on Government Cyber Resilience, 24 March 2025