Secure by Design – a new way to manage cyber risk in capabilities

Categories: Cyber

Here’s what you need to know

Secure by Design is a key component of how cyber security will be improved within the MOD.

The culture and approach to how cyber security is addressed in capability programmes across MOD is changing. Cyber security is often bolted on at the end of a programme lifecycle, after an accreditation process, and this does not give MOD the best chance of delivering secure capabilities into our operational users’ hands.

Things are changing and the old MOD accreditation approach is stopping!

Secure by Design is a modern approach whereby SROs, capability owners and delivery teams are accountable and responsible for delivering systems that are cyber secure. Safety isn’t treated as an add-on or an optional extra that can be traded out, and cyber security needs to be treated the same.

With the increasing cyber threat that exists in the world, the new approach is essential. Teams must own the cyber security risk of their capabilities from concept to disposal and manage it effectively through the lifecycle of the capability.

The approach will lead to the delivery of more secure systems through clearer accountability, simplified processes aligned to the capability delivery strategy, more use of open security standards, better guidance, more flexibility, and empowered decision making.

How will we implement this, I hear you say...

A Secure by Design project team has been piloting the new ways of working with 40 programmes over the last year. The team have therefore produced policy, process, guidance, and tooling to support projects on their journey.

This includes a self-assessment tool which will enable projects to self-assess their maturity against security policy and technical guidance. The intent of this tool is to help projects understand what they need to consider when delivering a capability and help track progress through delivery. All new programmes and system developments must now follow this approach and details are mandated in JSP 440 Leaflet 5C.

The key to the success of this is that programmes need to resource and fund cyber security as they would any other key capability requirement. Cyber security has the support of the Service Chiefs and DDGs across Defence and is not something that can be traded out, as it is now a licence-to-operate item.

This may seem a big change, but don’t worry, there is plenty of support available to guide you:

  • A range of user-friendly digital tools and guides have been specifically developed to help everyone along the way.
  • These can be viewed on a new Secure by Design portal and will continue to evolve.
  • A dedicated helpdesk has also been set up to help answer any questions and guide teams through delivering a secure capability.

I said that Accreditation is stopping – and it is. A new second line assurance function has been established that will perform independent assessments over MOD capabilities. These assurance reviews will be performed at key stages of the programme to provide SROs and Delivery Teams with independent specialist opinions on the state of cyber security.

Cyber security has also been embedded as a requirement into IAC and JROC submissions, and teams will need to evidence that they are cyber ready.

The full process is going live over the next few months, with a formal launch in July 2023, and you will see lots more communication in relation to Secure by Design.

If you have a programme that is early in its lifecycle, then get your team on to the Secure by Design portal and start defining your cyber security risk and how you are going to mitigate it.

Sharing and comments


  1. Comment by RO posted on

    Is there a planned release of Industry Publications and templates that support the SbD processes, especially for those that do not leverage JSPs and instead rely on ISNs etc? Looking forward to seeing this on the new SbD portal soon.

  2. Comment by AP posted on

    When will the new SbD portal be available and how do you apply for access?

  3. Comment by Moore posted on

    At last! Well done.

