Government cybersecurity assurance

Robustness and oversight of cyber security assurance programs within government departments for critical systems.

299 items, 9 sources, 2 inquiries
Strongest theme matches

Mixed across source types and ranked by classifier confidence plus text match strength.

Indicative ranking
Committee recommendation
Match score: 95
#7 - Legacy IT systems pose significant risks to government AI adoption and cybersecurity.
Public Accounts Committee
DSIT told us that it was a matter of urgency that the issue of legacy systems in government is addressed, not only to take advantage of the opportunities offered by AI, but also to address other risks including cyber security vulnerabilities. It emphasised prioritising the “systems that have the most valuable data” and “the highest levels of security...
Matched on terms: cybersecurity, government
Committee recommendation
Match score: 90
#5 - Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.
Public Accounts Committee
The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s-length bodies and the wider public sector that they are responsible for. Departments should work closely with the Cabinet...
Matched on terms: assurance, government
Committee recommendation
Match score: 83
#23 - GovAssure not designed to assess all critical systems despite improvement goals.
Public Accounts Committee
We asked the Cabinet Office how it would increase the scale and pace of GovAssure to assess the cyber resilience of all of government’s critical systems. The Cabinet Office explained that it did not plan to assess 100%...
Matched on terms: assurance, government
Committee recommendation
Match score: 83
#4 - Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.
Public Accounts Committee
Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations identified that government cyber resilience was substantially lower than the Cabinet Office expected. Departments had multiple fundamental control failures, including in risk management and response planning. The...
Matched on terms: assurance, government
Committee recommendation
Match score: 81
#20 - GovAssure reveals significant gaps and low maturity in departmental cyber resilience.
Public Accounts Committee
In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self-assessed their performance against minimum cyber standards set by the Cabinet Office. In the period April 2023 to July 2024, 35 departments took part in the first year of GovAssure and assessed...
Matched on terms: assurance, government
NAO recommendation
Match score: 80
Government cyber resilience
Government departments should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk. In their annual security appraisal, accounting officers should assess their progress and performance in meeting the cyber security standards set out in Functional Standard GovS 007: Security (the Security Standard), which HM Treasury mandated in 2021. To show the importance of building a...
Matched on terms: government
Committee recommendation
Match score: 78
#34 - Cabinet Office accepted NAO recommendation for cross-Government cyber security implementation and monitoring plan
Public Accounts Committee
We challenged the Cabinet Office on whether its plans were realistic. The Cabinet Office told us it had accepted the NAO’s recommendation that it needed a cross-Government implementation plan and a stronger monitoring and evaluation framework. It said these would be ready in the summer of 2025, after the Spending Review concluded. We asked the Cabinet Office how...
Matched on terms: government
Committee recommendation
Match score: 78
#32 - Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.
Public Accounts Committee
The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such...
Matched on terms: government
Committee recommendation
Match score: 78
#11 - Government's current cyber resilience levels remain inadequate to effectively respond and recover from attacks.
Public Accounts Committee
We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat. The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this might always be the case. It suggested the best approach may be continuously managing and mitigating the risk...
Matched on terms: assurance, government
Committee recommendation
Match score: 78
#6 - Set out levers and instruments for a fundamentally different approach to government cyber resilience.
Public Accounts Committee
Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus on implementing its initiatives, such as GovAssure, has been at the expense of it coordinating a cross-government plan...
Matched on terms: government
Committee recommendation
Match score: 77
#29 - Departmental commitment to wider public sector cyber resilience strategy shows inconsistent implementation.
Public Accounts Committee
The Cabinet Office confirmed to us that lead government departments were responsible for understanding and tackling cyber risk across the wider public sector. While recognising that departments’ response to the Strategy...
Matched on terms: assurance, government
Committee recommendation
Match score: 74
#30 - Government faces complex challenges managing cyber security risk within its supply chain.
Public Accounts Committee
We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious consequences for individuals, such as the ransomware attack on the supplier of NHS pathology services, Synnovis. The Cabinet...
Matched on terms: government
Committee recommendation
Match score: 74
#26 - Unacceptable knowledge gap persists due to poor legacy IT asset management across government.
Public Accounts Committee
We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information about legacy systems...
Matched on terms: government
Committee recommendation
Match score: 74
#19 - Government Cyber Coordination Centre improves information sharing but remains in early stages.
Public Accounts Committee
We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments. The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September 2023, and that this had helped government share information more effectively. The GC3 brings together people from the...
Matched on terms: government
Committee recommendation
Match score: 74
#17 - Require every government department to appoint a very senior Chief Information Officer.
Public Accounts Committee
We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made...
Matched on terms: government
Committee recommendation
Match score: 74
#7 - Defence must enhance protection of reliant digital networks and secure sufficient cybersecurity skills.
Defence Committee
Digital networks are only as strong and resilient to cyberattack as their weakest links, and recent attacks indicate that the Ministry of Defence must do more to help protect all those networks it relies on to fulfil its mission— not just those which it directly controls. Defence also needs the right skills, in sufficient numbers, if it is...
Matched on terms: cybersecurity
Committee recommendation
Match score: 74
#21 - UKRI's outdated legacy systems pose an increased cyber security risk to government operations.
Public Accounts Committee
As we have reported before, one of the most serious risks to all parts of Government and industry is large-scale assaults on their cyber security defences and ensuring their resilience against such attacks. Outdated legacy systems, such as those at UKRI, increase the cyber risk to government. UKRI told us it takes cyber seriously and its updated systems have...
Matched on terms: government
Committee recommendation
Match score: 73
#15 - Fragmented departmental cyber security recruitment and training programmes persist across government.
Public Accounts Committee
Recruitment is fragmented across government, with some departments developing their own cyber recruitment and training programmes based on their needs. We queried how the Cabinet Office was working across Government, rather than letting each department train and recruit in its own way. The Cabinet Office told us that it was planning a new series of interventions. These included...
Matched on terms: government
Committee recommendation
Match score: 73
#13 - Significant cyber security skill vacancies persist across central government departments.
Public Accounts Committee
In 2023–24, one in three cyber security roles in central government were vacant or filled by expensive contractors, and the proportion of vacancies in several departments’ cyber security teams was more than 50%. The Cabinet Office accepted that there were significant cyber-skill vacancies and set out the actions it was taking to address the shortfall. These included a...
Matched on terms: government
NAO recommendation
Match score: 72
Financial modelling in government
h) work with departments, ALBs and other stakeholders such as the Quality Assurance Working Group on guidance and training to facilitate system-wide learning and improvement. This should include sharing good practice on how business-critical models are managed and practical advice on how to analyse and communicate uncertainty.
Matched on terms: assurance, government
Committee recommendation
Match score: 71
#28 - Departments lack resources and oversight to ensure cyber resilience across wider public sector.
Public Accounts Committee
Departments, arm’s-length bodies and their partners use a wide range of IT systems and technology to provide public services. The Government Cyber Security Strategy: 2022–2030 (‘the Strategy’) set out that government departments’ cyber responsibilities included ensuring their arm’s-length bodies and wider public sector meet resilience targets. In April 2024, the Cabinet Office reported it could not be confident...
Matched on terms: government
Committee recommendation
Match score: 70
#25 - Government lacks comprehensive understanding of its total legacy IT estate and associated risks.
Public Accounts Committee
We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much information about legacy IT but this was improving. DSIT data showed that around 28% of the public sector’s...
Matched on terms: government
Committee recommendation
Match score: 70
#1 - Committee takes evidence regarding government cyber resilience based on C&AG report.
Public Accounts Committee
On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office and the Department for Science, Innovation and Technology (DSIT) on the cyber resilience of Government.
Matched on terms: government
Committee recommendation
Match score: 69
#5 - 8th Report - Mandatory to manageable: the government’s plans for digital ID
Home Affairs Committee
Digital ID will not achieve widespread adoption unless the majority of people can trust that their data is secure, so it is vital that the programme is subject to the highest standards of privacy and cyber and data security. Given the government’s poor track record in handling data securely, building this trust will require a significant effort to...
Matched on terms: government
Committee recommendation
Match score: 69
#16 - Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.
Public Accounts Committee
Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a digital expert. Some departments have been reluctant to share information about their cyber incidents with other parts of...
Matched on terms: government
Committee recommendation
Match score: 66
#7 - Government faces rapidly evolving and increasingly sophisticated cyber threats from capable adversaries.
Public Accounts Committee
The Cabinet Office told us that we should be extremely worried by the rapidly evolving cyber threat, which is the most sophisticated it has ever been. It explained that over the last three years, government’s adversaries, which include nation states and organised criminal groups, have developed their ‘capabilities’ more rapidly than it expected.
Matched on terms: government
Committee recommendation
Match score: 65
#12 - Persistent shortage of skilled cyber security professionals due to uncompetitive government salaries.
Public Accounts Committee
For more than a decade, skilled cyber security professionals have been in short supply and high demand nationally and globally. Government has not paid market-rate salaries for digital and cyber skills, which has been...
Matched on terms: government
Committee recommendation
Match score: 65
#8 - Thirtieth Report - Challenges in implementing digital change
Public Accounts Committee
The risks associated with legacy systems include that they can be difficult and expensive to support, lack operational resilience for key government services, and be vulnerable to cyber-attack. This exposes government to what is likely to be an uncertain but high level of financial risk from potential operational and cyber-related incidents. Legacy systems need a significant level of...
Matched on terms: government
Committee recommendation
Match score: 65
#2 - Recommend a trial of a centralised Secure Data Environment and simplify ethical governance
Science, Innovation and Technology Committee
Should our successor Committee wish to explore the reform of the UK health data strategy, we recommend it considers: • Investigating the replication of the academic model of open and competitive funding to solve problems and develop Privacy Enhancing technologies (PETs) and other critical pieces of data infrastructure as an alternative to internal or contracted software development work;...
Matched on terms: government
Committee recommendation
Match score: 65
#31 - Over-reliance on limited strategic IT suppliers creates significant cyber security risks.
Public Accounts Committee
Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers. The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not straightforward. DSIT added that this was not just a cyber security issue. In July 2024, the major global...
Matched on terms: government
Committee recommendation
Match score: 65
#3 - Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.
Public Accounts Committee
Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not given departments a clear picture of the cyber threat and what they should do about it. Departments have...
Matched on terms: government
Committee recommendation
Match score: 65
#6 - Require MoJ and LAA to detail cyberattack lessons and funding for system vulnerabilities.
Public Accounts Committee
Despite lessons learned from the cyberattack on the LAA, funding to address weaknesses across MoJ systems is uncertain. Vulnerabilities in LAA’s systems had been on MoJ’s risk register since 2021. However, MoJ’s investment of over £50 million to transform and stabilise LAA’s systems was insufficient to prevent hackers accessing a large amount of both provider and legal aid...
Matched on terms: government
Committee recommendation
Match score: 65
#23 - DWP recognises significant cyber risk given sensitive data and essential public services.
Public Accounts Committee
In our May 2025 report on government cyber resilience, we concluded that government had not kept up with the severe and rapidly evolving cyber threat, that there was a longstanding shortage of experienced, technical cyber skills, and that departments had not done enough to prioritise cyber security. The Department told us that it had identified cyber risk as...
Matched on terms: government
Committee recommendation
Match score: 61
#7 - Second Report - The Security of 5G
Defence Committee
There is no doubt that Huawei’s designation as a high-risk vendor is justified. The Huawei Cyber Security Evaluation Centre has consistently reported on its low-quality products and concerning approach to software development, which has resulted in increased risk to UK operators and networks. The presence of Huawei in the UK’s 5G networks therefore poses a significant security risk...
Matched on terms: government
Committee recommendation
Match score: 61
#27 - Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.
Public Accounts Committee
We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had. The Cabinet Office told us that legacy systems were one of its biggest priorities, but that departments needed to own the risk. DSIT claimed...
Matched on terms: government
Committee recommendation
Match score: 61
#24 - Legacy IT systems consume vast expenditure while posing persistent risks to public services.
Public Accounts Committee
Many of government’s IT systems are ‘legacy’, because they are ageing and outdated but still in use. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to public services posed by legacy technology have built up over many years. In 2023, the Government Digital Service...
Matched on terms: government
Committee recommendation
Match score: 61
#18 - Departments remain reluctant to share cyber incident information, hindering collective learning.
Public Accounts Committee
We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what has gone wrong. The Cabinet Office reassured us that if departments find any vulnerabilities that could affect other...
Matched on terms: government
Committee recommendation
Match score: 61
#10 - Cyber threats and security constantly evolve; adversaries already leveraging AI to probe defences.
Public Accounts Committee
Both the cyber threat and government’s cyber security are continuing to evolve as technology develops. The Cabinet Office described this to us as a “technology race” that required government to adapt its approach constantly. We asked how government thought artificial intelligence (AI) would affect cyber security. The witnesses argued that AI was a huge opportunity, but that it...
Matched on terms: government
Committee recommendation
Match score: 60
#6 - Second Report - The Security of 5G
Defence Committee
It is important that the Government continues to call out cyber-attacks from adversaries on the international stage and works to find a deterrent to counter them. There is currently a lack of global rules regulating international cyber-attacks and the Government should work with allies to formulate a system to provide accountability for perpetrators. The Government should clarify why...
Matched on terms: government
Committee recommendation
Match score: 57
#14 - Recommend successor Committee examine 5G Supply Chain Diversification, international standards, and technology rollout.
Science, Innovation and Technology Committee
Should our successor Committee wish to examine the UK’s telecommunications infrastructure and domestic capability, we recommend it considers: • The implementation of the 5G Supply Chain Diversification Strategy, and relevant policy and technical developments since the then Committee’s report; • Examining the Government’s participation in international standards bodies for critical and emerging technologies; or • The rollout and...
Matched on terms: government
Committee recommendation
Match score: 57
#4 - Increase public awareness of attacks against the UK and outline national defence conversation measures
Defence Committee
The public need to understand not only the necessity of defence but also their role in it. We are therefore very supportive of the concept of a national conversation on defence and recommend that the Government (and MOD in particular) seek to increase public awareness of recent attacks against the UK, including sabotage, and cyber-attacks, through regular public...
Matched on terms: government
Committee recommendation
Match score: 56
#8 - Second Report - The Security of 5G
Defence Committee
The establishment of the Huawei Cyber Security Evaluation Centre has resulted in the UK leading the world in understanding Huawei’s equipment. Despite the planned withdrawal of Huawei from our 5G networks, the Huawei Cyber Security Evaluation Centre should continue to operate to assess Huawei equipment in other areas of our telecommunications. The Government should consider assessing all equipment...
Matched on terms: government
Committee recommendation
Match score: 52
#12 - Second Report - The Security of 5G
Defence Committee
We are content that Huawei has been, and continues to be, sufficiently distanced from sensitive defence and national security sites. The Defence Secretary has informed us that no Huawei 5G equipment is present on the defence estate and that sensitive communications are safe from compromise. The Government should ensure that Huawei continues to be distanced from sensitive networks...
Matched on terms: government
Committee recommendation
Match score: 52
#39 - 4th Report - Disinformation diplomacy: How malign actors are seeking to undermine democracy
Foreign Affairs Committee
To ensure a whole-of-society approach, the Government should establish a public-facing National Counter Disinformation Centre. The UK’s National Counter Disinformation Centre should be placed on a statutory footing, be subject to oversight by Parliament, and be directed to understand, identify and combat foreign information manipulation and interference campaigns being directed against the UK and its interests. The National...
Matched on terms: government
Committee recommendation
Match score: 49
#22 - Previous departmental self-assessments significantly over-estimated actual cyber resilience levels.
Public Accounts Committee
The Cabinet Office told us that cyber resilience was substantially lower than it had expected following departments’ previous self-assessments. It had found that the organisations that GovAssure’s independent reviewers had scored poorly were the most over-optimistic in their self-assessments. We challenged the Cabinet Office on why it had not introduced GovAssure sooner. The Cabinet Office acknowledged that it...
Matched on classifier match
Committee recommendation
Match score: 49
#8 - Nation states pose increasing risk of espionage and disruptive cyber attacks on essential services.
Public Accounts Committee
The Cabinet Office highlighted concerns about nation states’ intent to conduct espionage and disrupt essential services. It described a campaign of espionage by Russian military intelligence that involved stealing and leaking data, and defacing websites. The Cabinet Office considered disruptive cyber attacks to be an increasing risk. It gave the example of Volt Typhoon, a Chinese state-affiliated group,...
Matched on classifier match
Committee recommendation
Match score: 49
#27 - MoJ acknowledges system vulnerabilities, but acceleration depends on Spending Review funding
Public Accounts Committee
We asked MoJ whether the public could have confidence that data stored across MoJ’s systems is safe, following the attack. MoJ stated that it has comprehensively reviewed all of its systems to understand where vulnerabilities lie. It stated that its review had given it a better understanding of where the risks in its systems are and explained that...
Matched on classifier match
Committee recommendation
Match score: 48
#26 - Establish a central CNI list to improve coordination and clarify priority areas.
Foreign Affairs Committee
Cross-government and external agency coordination in mitigating the risk of technological dependence on China is uneven and disjointed. The Government should create a central CNI list to improve coordination and clarify areas of priority. With the technology sector now dominated by a few key players, we are now over-reliant on Chinese technology. This is the direct result of...
Matched on terms: government
NAO recommendation
Match score: 47
Transforming health assessments for disability benefits
DWP should: a) review the Programme plan and produce an updated business case, incorporating the white paper reforms, including: demonstrating it has effective assurance and control over development of the Programme’s digital architecture, including how the Programme will fit with DWP’s other departmental digital initiatives, using oversight independent of the Programme;
Matched on terms: assurance
Committee recommendation
Match score: 45
#9 - Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.
Public Accounts Committee
Organised criminal groups use ransomware and data extortion to make money. They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023...
Matched on classifier match