The government has formally unveiled the GovAssure programme, which will require all departments to undergo annual external audits of cyber-resilience.
The initiative, which was first trailed in the Government Cyber Security Strategy in January 2022, will require yearly investigations of the cyber protections of all Whitehall departments and some arm’s-length bodies. The procedures, which will be overseen by the Cabinet Office-based Government Security Group, will use the National Cyber Security Centre’s Cyber Assessment Framework to review organisations’ security practices.
Audits will include evaluation by external assessors, while the Cabinet Office will provide “centralised security policy and guidance” to help inform departments’ security policies.
CSW's sister title PublicTechnology revealed earlier this year that the central department had awarded a deal to security firm C3IA to support the fulfilment of a pilot phase in which the Home Office and the then Department for Business, Energy and Industrial Strategy underwent GovAssure assessments.
The text of the contract with the cyber company revealed that “once [an audit is] complete, a department will receive a ‘get well’ report listing current vulnerabilities which will then allow it to spend its cyber budget more effectively and to mitigate specific risks quickly”.
Announcing the full rollout of the programme in the coming months, government chief security officer Vincent Devine said the audit regime represents “a transformative change in government cybersecurity”.
“GovAssure will give us far greater visibility of the common cyber security challenges facing government,” he said. “It will set clear expectations for departments, empower hard-working cybersecurity professionals to strengthen the case for security change and investment, and will be a powerful tool for security advocacy.”
Chancellor of the Duchy of Lancaster Oliver Dowden – who has since also taken on the mantle of deputy prime minister – added: “Cyberthreats are growing, which is why we are committed to overhauling our defences to better protect government from attacks. Today’s stepped up cyber assurance will strengthen government systems, which run vital services for the public, from attacks. It will also improve the country’s resilience; a key part of our recent Integrated Review Refresh.”
Sam Trendall is editor of PublicTechnology, where this story first appeared.