Here’s what you need to know
Secure by Design is a key component of how cyber security will be improved within the MOD.
The culture and approach to how cyber security is addressed in capability programmes across MOD is changing. Cyber security is often bolted on at the end of a programme lifecycle after an accreditation process and this does not provide MOD with the best chance of delivering secure capabilities into our operational user’s hands.
Things are changing and the old MOD accreditation approach is stopping!
The Secure by Design approach is a modern approach whereby SROs, capability owners and delivery teams are accountable and responsible for delivering systems that are cyber secure. Safety isn’t treated as an add on or an optional extra that can be traded out and cyber security needs to be treated the same.
With the increasing cyber threat that exists in the world the new approach is essential. Teams must own the cyber security risk of their capabilities from concept to disposal and manage it effectively through the lifecycle of the capability.
The approach will lead to the delivery of more secure systems through clearer accountability, simplified processes aligned to the capability delivery strategy, more use of open security standards, better guidance, more flexibility, and empowered decision making.
How will we implement this, I hear you say...
A Secure by Design project team has been piloting the new ways of working with 40 programmes over the last year. The team have therefore produced policy, process, guidance, and tooling to support projects on their journey.
This includes a self-assessment tool which will enable projects to self-assess their maturity against security policy and technical guidance. The intent of this tool is to help projects understand what they need to consider when delivering a capability and help track progress through delivery. All new programmes and system developments must now follow this approach and details are mandated in JSP 440 Leaflet 5C.
The key to the success of this is that programmes need to resource and fund cyber security as they would any other key capability requirement. Cyber security has the support of the Service Chiefs and DDG’s across Defence and is not something that can be traded out as it is now a licence to operate item.
This may seem a big change but don’t worry there is plenty of support available to guide you:
- A range of user-friendly digital tools and guides have been specifically developed to help everyone along the way.
- These can be viewed on a new Secure by Design portal and will continue to evolve.
- A dedicated helpdesk has also been set up to help answer any questions and guide teams through delivering a secure capability.
I said that Accreditation is stopping – and it is. A new second line assurance function has been established that will perform independent assessments over MOD capabilities. These assurance reviews will be performed at key stages of the programme in order to provide SROs and Delivery Teams with the independent specialist opinions as to the state of cyber security.
Cyber Security has also been embedded as a requirement into IAC and JROC submissions and teams will need to evidence that they are cyber ready.
The full process is going live over the next few months with a formal launch in July 2023 and you will see lots more communication in relation to Secure by Design.
If you have a programme that is early in its lifecycle then get your team on to the Secure by Design portal and start defining your cyber security risk and how you are going to mitigate it.