Value for Money
Government cyber resilience
Published 29 January 2025
7 recommendations
Cabinet Office
Cyber security · Defence and national security · Digital, data and technology
nao.org.uk
The cyber threat to UK government is severe; government must act now to protect its own operations and key public services.
Recommendations (7)
Source: NAO Recommendations Tracker · PAC follow-up below
Department for Science, Innovation and Technology
Rec 1
Accepted
Work in Progress
Within six months, GSG should develop, share and start using a cross-government implementation plan for the Government Cyber Security Strategy: 2022–2030 ('the Strategy'). GSG should refresh it regularly, include how the government is responding to new and severe cyber threats not covered by the Strategy and:
• bring together a comprehensive monitoring and evaluation framework that allows GSG to measure departments' performance, track and show progress towards the Strategy's outcomes, and evaluate what is working well or not, including an assessment of lessons learned from previous efforts to attract, upskill and retain cyber skills in government; and
• identify the priority actions the government needs to take to be cyber resilient by 2030, the government organisations that are accountable for those actions, the timescales within which those actions need to be taken, and the extent to which those organisations have the resource and levers needed to complete their actions.
Department for Science, Innovation and Technology
Rec 2
Accepted
Implemented
Within six months, GSG should set out how the whole of government needs to operate differently, and what is needed for this transformation to be effective, so that the government can achieve its goals for cyber security and resilience. GSG should work with the relevant bodies at the centre of government to develop and agree what governance, type and amount of funding, people and skills, and organisational structure and mandate will best enable government to achieve its objectives. This should include setting out how the centre of government will:
• provide different types of support, capability and guidance to departments;
• build cyber security into its digital and technology strategies, plans and activity from the outset; and
• clarify which aspects of cyber risk and resilience departments, GSG and other organisations are responsible for and when that responsibility moves from one organisation to another.
Department for Science, Innovation and Technology
Rec 3
Accepted
Work in Progress
GSG should strengthen GovAssure's focus on improving cyber resilience outcomes. GSG should:
• continue building the capacity to support departments in developing and implementing targeted improvement plans, and monitoring and evaluating progress against them;
• continue developing how GovAssure data can be used to measure departments' performance as part of its comprehensive monitoring and evaluation framework; and
• baseline government organisations' cyber resilience against organisations that are responsible for UK critical national infrastructure.
Department for Science, Innovation and Technology
Rec 4
Accepted
Work in Progress
GSG should work with CDDO to take a more rigorous approach to understanding and mitigating the risk to government organisations' cyber resilience caused by legacy IT systems. Learning from GovAssure and the legacy IT risk assessment framework, this approach should:
• identify the legacy systems in use across government;
• understand the risk these legacy IT systems pose to cyber resilience, the extent of departments' remediation plans, and be risk-based when prioritising security enhancements;
• assess and strengthen the security enhancements that are in place; and
• be considered alongside GovAssure when measuring government organisations' cyber resilience and performance.
Department for Science, Innovation and Technology
Rec 5
Accepted
Work in Progress
GSG should design regular communications to ensure that senior leaders and other decision-makers across government understand the cyber threat, how it is relevant to their business outcomes and what they can do about it. GSG should embed this into departments' board and programme governance.
Department for Science, Innovation and Technology
Rec 6
Accepted
Work in Progress
Government departments should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk. In their annual security appraisal, accounting officers should assess their progress and performance in meeting the cyber security standards set out in Functional Standard GovS 007: Security (the Security Standard), which HM Treasury mandated in 2021. To show the importance of building a cyber security culture, accounting officers should:
• ensure that membership of their most senior decision-making board includes at least one digital leader with cyber expertise and one non-executive director with cyber expertise;
• engage with GSG to agree how the department will contribute to GSG's cross-government implementation plan;
• understand the cyber risk posed by their most critical IT systems and create and test appropriate incident response plans; and
• commission reporting that shows progress made in implementing the Strategy.
Department for Science, Innovation and Technology
Rec 7
Accepted
Work in Progress
Working in alignment with GSG's government skills strategy, departments should make and enact plans to fill the cyber skills gaps in their workforces. Within the next year, they should:
• undertake a gap analysis of their current cyber workforce to identify what skills are needed to enable effective implementation of the Strategy; and
• present clear and detailed improvement plans to GSG.
Parliamentary Committee Follow-Up
The Public Accounts Committee examined this NAO report and published its own recommendations. The government responds to PAC recommendations via Treasury Minutes.
24th Report - Government cyber resilience
Public Accounts Committee
· 9 May 2025
· 12 recommendations