Government cybersecurity assurance

Robustness and oversight of cyber security assurance programs within government departments for critical systems.

299 items, 9 sources, 2 inquiries

Where this theme appears

Government cybersecurity assurance has been flagged across 9 independent accountability sources:

2 inquiry recs, 255 committee recs, 4 ICIBI recs, 2 IOPC recs, 24 NAO recs, 8 IMB recs, 1 Article 2 learning point, 1 PHSO decision, 2 LGO/SPSO decisions

When the same issue appears across inquiries, coroner reports, and regulators independently, it indicates a recurring issue across the public record.

Browse by source

Source-grouped records are useful for tracing where a concern came from. Large sections show the 50 strongest matches for that source; counts still show the full theme total.

#7 —
Defence Committee
Recommendation: There is no doubt that Huawei’s designation as a high-risk vendor is justified. The Huawei Cyber Security Evaluation Centre has consistently reported on its low-quality products and concerning approach to software development, which has resulted in increased risk to UK …
Gov response: The UK has unique insight into Huawei’s presence in our networks and the Government has been quick to respond to the changing risk environment for network security. Because of the work of the Huawei Cyber …
Under Consideration
#8 —
Public Accounts Committee
Recommendation: The risks associated with legacy systems include that they can be difficult and expensive to support, lack operational resilience for key government services, and be vulnerable to cyber-attack. This exposes government to what is likely to be an uncertain but …
Gov response: 2: PAC conclusion: There is no clear plan to replace or modernise legacy systems and data that are critical to service provision but are often old, unsupportable, vulnerable and a constraint on transformation. 2: PAC …
Not Addressed
#14 — Recommend successor Committee examine 5G Supply Chain Diversification, international standards, and technology rollout.
Science, Innovation and Technology Committee
Recommendation: Should our successor Committee wish to examine the UK’s telecommunications infrastructure and domestic capability, we recommend it considers: • The implementation of the 5G Supply Chain Diversification Strategy, and relevant policy and technical developments since the then Committee’s report; • …
No Published Response
#2 — Recommend a trial of a centralised Secure Data Environment and simplify ethical governance
Science, Innovation and Technology Committee
Recommendation: Should our successor Committee wish to explore the reform of the UK health data strategy, we recommend it considers: • Investigating the replication of the academic model of open and competitive funding to solve problems and develop Privacy Enhancing technologies …
No Published Response
#7 — Legacy IT systems pose significant risks to government AI adoption and cybersecurity.
Public Accounts Committee
Recommendation: DSIT told us that it was a matter of urgency that the issue of legacy systems in government is addressed, not only to take advantage of the opportunities offered by AI, but also to address other risks including cyber security …
Gov response: The government agrees with the Committee’s recommendation. Target implementation date: Winter 2025 1.2 The Department for Science, Innovation and Technology (DSIT) will carry out this work in two steps. Firstly, working with HM Treasury (HMT), …
Accepted
#34 — Cabinet Office accepted NAO recommendation for cross-Government cyber security implementation and monitoring plan
Public Accounts Committee
Recommendation: We challenged the Cabinet Office on whether its plans were realistic. The Cabinet Office told us it had accepted the NAO’s recommendation that it needed a cross–Government implementation plan and a stronger monitoring and evaluation framework. It said these would …
Gov response: 6.1 The government agrees with the Committee’s recommendation. Target implementation date: Winter 2025 6.2 Work is underway to define a future Target Operating Model for Cyber and Digital Resilience, which will set out how government …
Not Addressed
#32 — Government lacks robust oversight of departmental cyber strategy, risking 2025 resilience target.
Public Accounts Committee
Recommendation: The Cabinet Office has prioritised implementing its central initiatives, such as GovAssure. However, it has not put robust arrangements in place to oversee how departments are implementing the Strategy, such …
Gov response: 6.1 The government agrees with the Committee’s recommendation. Target implementation date: Winter 2025 6.2 Work is underway to define a future Target Operating Model for Cyber and Digital Resilience, which will set out how government …
Not Addressed
#31 — Over-reliance on limited strategic IT suppliers creates significant cyber security risks.
Public Accounts Committee
Recommendation: Based on written evidence, we asked the Cabinet Office about the advantages and disadvantages of relying on a few strategic suppliers. The Cabinet Office acknowledged that trying to maximise value for money and interoperability while managing the risks was not …
Gov response: 5.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many …
Accepted
#30 — Government faces complex challenges managing cyber security risk within its supply chain.
Public Accounts Committee
Recommendation: We asked the Cabinet Office how Government managed the cyber security of its supply chain. The Cabinet Office told us that managing supply chain risk was complex and difficult. Government’s supply chain has been the source of incidents with serious …
Gov response: 5.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many …
Accepted
#29 — Departmental commitment to wider public sector cyber resilience strategy shows inconsistent implementation.
Public Accounts Committee
Recommendation: The Cabinet Office confirmed to us that lead government departments were responsible for understanding and tackling cyber risk across the wider public sector. While recognising that departments’ response to the Strategy …
Gov response: 5.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many …
Accepted
#28 — Departments lack resources and oversight to ensure cyber resilience across wider public sector.
Public Accounts Committee
Recommendation: Departments, arm’s–length bodies and their partners use a wide range of IT systems and technology to provide public services. The Government Cyber Security Strategy: 2022–2030 (‘the Strategy’) set out that government departments’ cyber responsibilities included ensuring their arm’s–length bodies and …
Gov response: 5.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 5.2 The government recognises the importance of managing the risk in ALBs and their supply chains. Whilst services can and in many …
Accepted
#27 — Incomplete knowledge of legacy systems hampers effective risk management and funding decisions.
Public Accounts Committee
Recommendation: We queried how government could manage the risk from legacy systems, make informed bids for funding to fix them, or prevent departments reprioritising this funding, if it did not know what systems it had. The Cabinet Office told us that …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#26 — Unacceptable knowledge gap persists due to poor legacy IT asset management across government.
Public Accounts Committee
Recommendation: We pressed DSIT and the Cabinet Office on why Government’s understanding of its legacy IT was so limited. They told us that the amount of legacy systems, and understanding of them, varied between departments. They said this was because information …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#25 — Government lacks comprehensive understanding of its total legacy IT estate and associated risks.
Public Accounts Committee
Recommendation: We challenged DSIT and the Cabinet Office on why they were not identifying and fixing legacy IT systems, where the risk is greatest and security lowest. DSIT told us that before 2023 the centre of government did not have much …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#24 — Legacy IT systems consume vast expenditure while posing persistent risks to public services.
Public Accounts Committee
Recommendation: Many of government’s IT systems are ‘legacy’, because they are ageing and outdated but still in use. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#23 — GovAssure not designed to assess all critical systems despite improvement goals.
Public Accounts Committee
Recommendation: We asked the Cabinet Office how it would increase the scale and pace of GovAssure to assess the cyber resilience of all of government’s critical systems. The Cabinet Office explained that it did not plan to assess 100% …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Partially Accepted
#22 — Previous departmental self-assessments significantly over-estimated actual cyber resilience levels.
Public Accounts Committee
Recommendation: The Cabinet Office told us that cyber resilience was substantially lower than it had expected following departments’ previous self–assessments. It had found that the organisations that GovAssure’s independent reviewers had scored poorly were the most over–optimistic in their self–assessments. We …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#20 — GovAssure reveals significant gaps and low maturity in departmental cyber resilience.
Public Accounts Committee
Recommendation: In 2023, the Cabinet Office launched ‘GovAssure’, a cyber security assurance scheme, as part of its strategy to improve government organisations’ cyber resilience. Before GovAssure, departments self–assessed their performance against minimum cyber standards set by the Cabinet Office. In the …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 4.2 DSIT is currently improving the way that they collect data on legacy systems across government. 4.3 Departments will continue to be …
Accepted
#19 — Government Cyber Coordination Centre improves information sharing but remains in early stages.
Public Accounts Committee
Recommendation: We asked the Cabinet Office what structures it had in place to share information about cyber security with permanent secretaries and throughout departments. The Cabinet Office told us that it had launched the Government Cyber Coordination Centre (GC3) in September …
Gov response: 3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making. 3.3 There is a clear …
Accepted
#18 — Departments remain reluctant to share cyber incident information, hindering collective learning.
Public Accounts Committee
Recommendation: We asked the Cabinet Office what the impact was when departments did not share information about their cyber incidents. The Cabinet Office agreed that sharing data is essential to learn lessons, understand vulnerabilities, share best practice and work out what …
Gov response: 3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making. 3.3 There is a clear …
Accepted
#17 — Require every government department to appoint a very senior Chief Information Officer.
Public Accounts Committee
Recommendation: We asked the Cabinet Office if departments have underestimated the cyber risk. It told us that until recently it had not done enough to ensure leaders across government understood the cyber threat, but that it had made …
Gov response: 3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making. 3.3 There is a clear …
Accepted
#16 — Departments demonstrate insufficient ownership of cyber risk and hinder information sharing.
Public Accounts Committee
Recommendation: Accounting officers in departments are responsible for protecting the security of their organisations and managing their department’s cyber risk, but they have not taken sufficient ownership of this responsibility. Often, membership of departments’ most senior boards does not include a …
Gov response: 3.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 3.2 The government recognises the importance of embedding security expertise at the heart of departmental decision making. 3.3 There is a clear …
Accepted
#11 — Government's current cyber resilience levels remain inadequate to effectively respond and recover from attacks.
Public Accounts Committee
Recommendation: We pressed the Cabinet Office on what assurance it could give us that government was keeping up with the cyber threat. The Cabinet Office’s assessment was that there was already a gap in government’s ability to respond and that this …
Gov response: 1.1 The government agrees with the Committee’s recommendation. Target implementation date: Autumn 2026 1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and …
Accepted
#10 — Cyber threats and security constantly evolve; adversaries already leveraging AI to probe defences.
Public Accounts Committee
Recommendation: Both the cyber threat and government’s cyber security are continuing to evolve as technology develops. The Cabinet Office described this to us as a “technology race” that required government to adapt its approach constantly. We asked how government thought artificial …
Gov response: 1.1 The government agrees with the Committee’s recommendation. Target implementation date: Autumn 2026 1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and …
Accepted
#9 — Organised criminal groups' ransomware attacks severely disrupt public services and incur significant costs.
Public Accounts Committee
Recommendation: Organised criminal groups use ransomware and data extortion to make money. They do this by stealing and encrypting victims’ data and then demanding a ransom or threatening to leak the data. In October 2023, …
Gov response: 1.1 The government agrees with the Committee’s recommendation. Target implementation date: Autumn 2026 1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and …
Accepted
#8 — Nation states pose increasing risk of espionage and disruptive cyber attacks on essential services.
Public Accounts Committee
Recommendation: The Cabinet Office highlighted concerns about nation states’ intent to conduct espionage and disrupt essential services. It described a campaign of espionage by Russian military intelligence that involved stealing and leaking data, and defacing websites. The Cabinet Office considered disruptive …
Gov response: 1.1 The government agrees with the Committee’s recommendation. Target implementation date: Autumn 2026 1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and …
Accepted
#7 — Government faces rapidly evolving and increasingly sophisticated cyber threats from capable adversaries.
Public Accounts Committee
Recommendation: The Cabinet Office told us that we should be extremely worried by the rapidly evolving cyber threat, which is the most sophisticated it has ever been. It explained that over the last three years, government’s adversaries, which include nation states …
Gov response: 1.1 The government agrees with the Committee’s recommendation. Target implementation date: Autumn 2026 1.2 The government has committed in the Blueprint for Modern Digital Government to resetting the relationship with cyber and technology risk, and …
Accepted
#1 — Committee takes evidence regarding government cyber resilience based on C&AG report.
Public Accounts Committee
Recommendation: On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office and the Department for Science, Innovation and Technology (DSIT) on the cyber resilience of Government.
Gov response: The government agrees with the Committee’s recommendation. resetting the relationship with cyber and technology risk, and taking a stronger and more interventionist approach to drive transformation across government. This approach is needed to achieve a …
Accepted
#6 — Set out levers and instruments for a fundamentally different approach to government cyber resilience.
Public Accounts Committee
Recommendation: Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus …
Gov response: The government agrees with the Committee’s recommendation. Resilience, which will set out how government and the public sector should organise itself and operate to understand, govern, and respond to cyber and digital resilience risk. Later …
Accepted
#5 — Secure clear assurance from departments managing cyber risk across arm’s-length bodies and supply chains.
Public Accounts Committee
Recommendation: The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm’s–length …
Gov response: The government agrees with the Committee’s recommendation. supply chains. Whilst services can and in many cases should be outsourced from lead government departments, they are still ultimately accountable for the risk and must build in …
Accepted
#4 — Set out assessed proportions of critical/legacy IT, optimal assessment frequency, deadlines, and funding protection.
Public Accounts Committee
Recommendation: Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure’s assessment of 72 critical IT systems across 35 organisations, identified that government cyber resilience was substantially lower than …
Gov response: The government agrees with the Committee’s recommendation. systems and improve cyber resilience. DSIT will work with HM Treasury (HMT) to develop a methodology for tracking funding allocated to legacy remediation projects to ensure it is …
Accepted
#3 — Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.
Public Accounts Committee
Recommendation: Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not …
Gov response: The government agrees with the Committee’s recommendation. heart of departmental decision making. There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk …
Accepted
#8 — Review and report on Ministry of Defence plans to protect digital networks from cyberattack.
Defence Committee
Recommendation: Within a year the Ministry of Defence should review and report back to us on its plans to better protect all the digital networks it relies on, allowing it to enhance the overall resilience of these networks to cyberattack. (Recommendation, …
Gov response: We agree to undertake this review and report back to the Committee within a year.
Accepted
#7 — Defence must enhance protection of reliant digital networks and secure sufficient cybersecurity skills.
Defence Committee
Recommendation: Digital networks are only as strong and resilient to cyberattack as their weakest links, and recent attacks indicate that the Ministry of Defence must do more to help protect all those networks it relies on to fulfil its mission— not …
Gov response: We acknowledge and agree with the Committee’s findings that the weakest link in Defence’s cyber protection is likely to lie in public and private organisations that support the Defence enterprise, such as industry, sub-contractors, …
Accepted
#2 — Expand current Defence capabilities to deter and effectively defend against grey zone threats.
Defence Committee
Recommendation: The Ministry of Defence should consider how current capabilities can be further expanded to deter and defend against grey zone threats. (Recommendation, Paragraph 33)
Gov response: We agree with this conclusion and recommendation. The SDR and NSS both highlight the increasing threat to the UK of activities in the ‘grey zone’ and the need for the Government and the Ministry of …
Accepted
#1 — Defence capabilities against increasingly severe grey zone threats remain significantly limited.
Defence Committee
Recommendation: Defence has a significant role in deterring and defending against grey zone threats, especially those of a more severe nature, including attacks on critical national infrastructure such as undersea data cables and energy pipelines. Despite an increase in the frequency …
Gov response: We agree with this conclusion and recommendation. The SDR and NSS both highlight the increasing threat to the UK of activities in the ‘grey zone’ and the need for the Government and the Ministry of …
Accepted
#21 — UKRI's outdated legacy systems pose an increased cyber security risk to government operations.
Public Accounts Committee
Recommendation: As we have reported before, one of the most serious risks to all parts of Government and industry is large-scale assaults on their cyber security defences and ensuring their resilience against such attacks. Outdated legacy systems, such as those at UKRI, …
Gov response: 4.1 The government agrees with the Committee’s recommendation. Target implementation date: February 2026 4.2 UKRI’s organisational change programmes are overhauling its systems and processes to enhance grant administration, data quality, information security and to implement …
Accepted
#4 — Increase public awareness of attacks against the UK and outline national defence conversation measures
Defence Committee
Recommendation: The public need to understand not only the necessity of defence but also their role in it. We are therefore very supportive of the concept of a national conversation on defence and recommend that the Government (and MOD in particular) …
Gov response: As acknowledged in the National Security Strategy (NSS) and Resilience Action Plan (RAP), the UK adopts a whole-of-society approach to national security. There is therefore an important role for business, civil society, and households to …
Accepted
#27 — MoJ acknowledges system vulnerabilities, but acceleration depends on Spending Review funding
Public Accounts Committee
Recommendation: We asked MoJ whether the public could have confidence that data stored across MoJ’s systems is safe, following the attack. MoJ stated that it has comprehensively reviewed all of its systems to understand where vulnerabilities lie. It stated that its …
Gov response: 6. PAC conclusion: Despite lessons learned from the cyberattack on the LAA, funding to address weaknesses across MoJ systems is uncertain. 6a. PAC recommendation: In the Treasury Minute response, the Ministry of Justice and the …
Accepted
#6 — Require MoJ and LAA to detail cyberattack lessons and funding for system vulnerabilities.
Public Accounts Committee
Recommendation: Despite lessons learned from the cyberattack on the LAA, funding to address weaknesses across MoJ systems is uncertain. Vulnerabilities in LAA’s systems had been on MoJ’s risk register since 2021. However, MoJ’s investment of over £50 million to transform and …
Gov response: The government agrees with the Committee’s recommendation. several routes. Internally, across MoJ, this has taken place at: MoJ Audit and Risk Assurance Committee; within the MoJ Executive Committee and Senior Leadership Group; and with the …
Accepted
#23 — DWP recognises significant cyber risk given sensitive data and essential public services.
Public Accounts Committee
Recommendation: In our May 2025 report on government cyber resilience, we concluded that government had not kept up with the severe and rapidly evolving cyber threat, that there was a longstanding shortage of experienced, technical cyber skills, and that departments had …
Gov response: In our May 2025 report on government cyber resilience, we concluded that government had not kept up with the severe and rapidly evolving cyber threat, that there was a longstanding shortage of experienced, technical cyber …
Response Pending
#5 —
Home Affairs Committee
Recommendation: Digital ID will not achieve widespread adoption unless the majority of people can trust that their data is secure, so it is vital that the programme is subject to the highest standards of privacy and cyber and data security. Given …
Response Pending
#12 —
Defence Committee
Recommendation: We are content that Huawei has been, and continues to be, sufficiently distanced from sensitive defence and national security sites. The Defence Secretary has informed us that no Huawei 5G equipment is present on the defence estate and that sensitive …
Gov response: The Government agrees with the Committee that Huawei should continue to be distanced from sensitive networks. High risk vendors are not—and never will be—in our most sensitive networks. The decision was made in January 2020 …
Accepted
#8 —
Defence Committee
Recommendation: The establishment of the Huawei Cyber Security Evaluation Centre has resulted in the UK leading the world in understanding Huawei’s equipment. Despite the planned withdrawal of Huawei from our 5G networks, the Huawei Cyber Security Evaluation Centre should continue to …
Gov response: The HCSEC is integral to the UK’s Huawei security mitigation strategy and it provides the UK a unique insight into the workings of Huawei equipment and software. The government requires that HCSEC continues to be …
Under Consideration
#6 —
Defence Committee
Recommendation: It is important that the Government continues to call out cyber-attacks from adversaries on the international stage and works to find a deterrent to counter them. There is currently a lack of global rules regulating international cyber-attacks and the Government …
Gov response: The Government is committed to promoting stability in cyberspace based on the application of existing international law, voluntary norms of responsible state behaviour and confidence building measures supported by coordinated and targeted capacity-building programmes. …
Under Consideration
#39 —
Foreign Affairs Committee
Recommendation: To ensure a whole-of-society approach, the Government should establish a public-facing National Counter Disinformation Centre. The UK’s National Counter Disinformation Centre should be placed on a statutory footing, be subject to oversight by Parliament, and be directed to understand, identify …
Response Pending
#26 — Establish a central CNI list to improve coordination and clarify priority areas.
Foreign Affairs Committee
Recommendation: Cross-government and external agency coordination in mitigating the risk of technological dependence on China is uneven and disjointed. The Government should create a central CNI list to improve coordination and clarify areas of priority. With the technology sector now dominated …
Gov response: 100. The Government agrees with the Committee that it is unacceptable that any foreign government or its proxies should engage in transnational repression (TNR) on UK soil or against UK citizens. That is why the …
Not Addressed
#15 — Fragmented departmental cyber security recruitment and training programmes persist across government.
Public Accounts Committee
Recommendation: Recruitment is fragmented across government, with some departments developing their own cyber recruitment and training programmes based on their needs. We queried how the Cabinet Office was working across Government, rather than letting each department train and recruit in its …
Gov response: 2.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 2.2 The government acknowledges the ongoing cyber skills gaps across the public sector and is taking active steps to implement reforms that …
Accepted
#13 — Significant cyber security skill vacancies persist across central government departments.
Public Accounts Committee
Recommendation: In 2023–24, one in three cyber security roles in central government were vacant or filled by expensive contractors, and the proportion of vacancies in several departments’ cyber security teams was more than 50%. The Cabinet Office accepted that there were …
Gov response: 2.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 2.2 The government acknowledges the ongoing cyber skills gaps across the public sector and is taking active steps to implement reforms that …
Accepted
#12 — Persistent shortage of skilled cyber security professionals due to uncompetitive government salaries.
Public Accounts Committee
Recommendation: For more than a decade, skilled cyber security professionals have been in short supply and high demand nationally and globally. Government has not paid market–rate salaries for digital and cyber skills, which has been …
Gov response: 2.1 The government agrees with the Committee’s recommendation. Target implementation date: Spring 2026 2.2 The government acknowledges the ongoing cyber skills gaps across the public sector and is taking active steps to implement reforms that …
Accepted
Government cyber resilience
Working in alignment with GSG’s government skills strategy, departments should make and enact plans to fill the cyber skills gaps in their workforces. Within the next year, they should: • undertake a gap analysis of their current cyber workforce to …
Accepted
Government cyber resilience
Government departments should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk. In their annual security appraisal, accounting officers should assess their progress and performance in meeting the cyber security standards set out in Functional Standard GovS …
Accepted
Government cyber resilience
GSG should design regular communications to ensure that senior leaders and other decision-makers across government understand the cyber threat, how it is relevant to their business outcomes and what they can do about it. GSG should embed this into departments’ …
Accepted
Government cyber resilience
GSG should work with CDDO to take a more rigorous approach to understanding and mitigating the risk to government organisations’ cyber resilience caused by legacy IT systems. Learning from GovAssure and the legacy IT risk assessment framework, this approach should: …
Accepted
Government cyber resilience
GSG should strengthen GovAssure’s focus on improving cyber resilience outcomes. GSG should: • continue building the capacity to support departments in developing and implementing targeted improvement plans, and monitoring and evaluating progress against them; • continue developing how GovAssure data …
Accepted
Government cyber resilience
Within six months, GSG should set out how the whole of government needs to operate differently, and what is needed for this transformation to be effective, so that the government can achieve its goals for cyber security and resilience. GSG …
Accepted
Government cyber resilience
Within six months, GSG should develop, share and start using a cross-government implementation plan for the Government Cyber Security Strategy: 2022–2030 (‘the Strategy’). GSG should refresh it regularly, include how the government is responding to new and severe cyber threats …
Accepted
Investigation into the performance of UK Security Vetting
The Cabinet Office should: a) recognise the importance of modernising the national security vetting process and work quickly to design an implementation plan with key milestones in place;
Accepted
Financial modelling in government
The OBR should: m) require departments, as a matter of routine, to analyse and present the range of plausible outcomes driven by key inputs and model parameters in each case to take account of where there might be material uncertainties …
Accepted
Financial modelling in government
l) include appropriate elements relating to analysis and modelling from the Finance Functional Standard in the Finance Function’s self-assessment tools to measure compliance of functional members with requirements on modelling.
Accepted
Financial modelling in government
The Finance Function should work with the Analysis Function to: k) strengthen the requirements in the Finance Functional Standard on departments to apply the Analysis Functional Standard and the Aqua Book to financial planning and reporting. This should include guidance …
Accepted
Financial modelling in government
The Cabinet Office is working on common standards for departmental sponsorship of ALBs. As part of this work, it should: j) include guidance for departments on overseeing the production and assurance of models in ALBs, based on expert input from …
Accepted
Financial modelling in government
HMT and the Analysis Function should: i) agree the funding and capacity implications of the proposed governance structure in relation to analytical modelling standards and guidance.
Accepted
Financial modelling in government
h) work with departments, ALBs and other stakeholders such as the Quality Assurance Working Group on guidance and training to facilitate system-wide learning and improvement. This should include sharing good practice on how business-critical models are managed and practical advice …
Accepted
Financial modelling in government
g) update its Functional Standard and relevant guidance to include clear principles for departments and ALBs to follow on independent review of business-critical models, and on publication of a model’s inputs, methodology, assumptions, and outputs; and
Accepted
Financial modelling in government
The Analysis Function should: f) set out the appropriate governance structure for the ownership, maintenance, monitoring and assurance of analytical modelling standards and guidance, as presented in the Analysis Functional Standard. As part of this, the Function should work with …
Accepted
Financial modelling in government
e) agree with the Analysis Function on responsibilities for ownership and maintenance of the Aqua Book, including appropriate sign-off arrangements between the Function and HMT for Aqua Book updates.
Accepted
Financial modelling in government
d) build on its current approach to quantifying uncertainty and risk analysis by requiring departments to present HMT with a range of plausible outcomes from business-critical models as a matter of routine. This range should be driven by key inputs …
Accepted
Financial modelling in government
c) put in place processes to assure itself that outputs from departments’ and ALBs’ business-critical models, which HMT uses, have been quality-assured in line with modelling standards. This should include clarifying in all relevant guidance that all models must comply …
Accepted
Financial modelling in government
Accounting officers should: a) Oversee the use of models within their organisation and ensure an appropriate quality assurance framework is in place and used for all business-critical models.
Accepted
UK Research and Innovation: providing support through grants
To enable UKRI to confidently take well-managed risks while effectively protecting public money, it needs a strong approach to funding assurance, fraud and error. By September 2026, it should ensure that the improvements it is implementing for 2025-26 have gone …
Accepted
Transforming health assessments for disability benefits
DWP should: a) review the Programme plan and produce an updated business case, incorporating the white paper reforms, including: demonstrating it has effective assurance and control over development of the Programme’s digital architecture, including how the Programme will fit with …
Accepted
Delivery of employment support schemes in response to the COVID-19 pandemic
b) work with the Cabinet Office and government’s counter-fraud functions to improve protocols and thus increase the consistency of data collected on grant claimants, and the pace at which data can be shared between HMRC and other public bodies, in …
Rejected
Digital transformation in the NHS
e) Simplify and strengthen national governance arrangements. This should include further work to provide national bodies with the levers and monitoring capability to ensure local NHS organisations and suppliers comply with national standards for existing and new technology, and for …
Accepted
Long Lartin (2022)
Will the Governor give more priority to repairs and improvements to the security systems?
Governor / Director
Whatton (2023)
Can the Prison Service give us a timescale for the installation of the replacement Eureka system?
HMPPS
Wakefield (2023)
We ask the Minister to act in respect of the substantial security threat posed by the use of unmanned aerial vehicles (UAVs) in the vicinity of HMP Wakefield.
Other
Scotland and Northern Ireland Short-Term Holding Facilities (STHF) (2023)
We recommend that the HR be brought up to basic requirements by UKBF installing portable secure Wi-Fi and connecting a CCTV system to it. We understand that a section of elevator had been removed and stored elsewhere in the terminal. It could be brought back into service. The desired outcome would be that any individual detained is held within a …
Home Office
Scotland and Northern Ireland Short-Term Holding Facilities (STHF) (2023)
We recommend that the CCTV monitoring of the HR be brought to an end and that the adjacent office section be manned when persons are detained within the HR. Also, we requested, in our previous annual report that the missing section of elevator, which had been removed and stored elsewhere in the terminal, be also brought back into service. The …
Home Office
Maidstone (2023)
Provide funding for CCTV across the prison, and for enhanced gatehouse security.
HMPPS
Long Lartin (2024)
Security systems: the maintenance contractor, Amey, has been unable to restore or maintain the ageing surveillance equipment to enable it to provide the prison with adequate security cover. What measures are being taken to install and maintain effective and reliable electronic surveillance and when?
HMPPS
Long Lartin (2023)
Security systems. Much of the existing surveillance technology is obsolete or unserviceable, increasing the vulnerability of prisoners and staff. Will the Minister confirm that funds to provide a modern, fully operational surveillance system will be authorised and allocated within the next 12 months?
Ministry of Justice