Follow the Government Cyber Security Standard
All digital services and technical infrastructure must be built to comply with the Government Cyber Security Standard
To meet this commitment as part of Digital and Data function’s strategic commitments your plans must show how you will meet the government cyber security standard for your services and infrastructure.
All digital services and technical infrastructure in scope of your spend must comply with the appropriate Cyber Assessment Framework (CAF) profile and the cross-government Secure by Design principles.
The cross-government Secure by Design approach provides a series of mandatory principles and good practice activities to help organisations implement the approach. Delivery teams must establish a “high” confidence profile using the self assessment tracker in the early phases of their projects, and maintain it as the projects evolve.
If you’re going through the digital and technology spend control process you must explain how you’re meeting this commitment if your spend request has been rated “high” on the risk and importance framework or has an assurance rating of “control”.
Answering ‘no’ will not lead to an automatic rejection and you will need to explain why your spend cannot align to the commitment.
Updates to this page
Published 23 February 2024Last updated 7 February 2025 + show all updates
-
First and fourth paragraph: small changes to wording and new links added. Second paragraph: the references to the cross government policies published in the government cyber security policy handbook and on security.gov.uk have been removed allowing only the references to the Cyber Assessment Framework (CAF) profile and cross-government Secure by Design principles. Third paragraph: removes the reference to Security by Design as “framework” and recommends it as “approach”. It also removes the indication that this approach is applied only to the delivery of digital services.
-
First published.