The Ministry of Defence (MoD) is moving to a ‘secure by design’ approach to deal with cyber security in its capability programmes.
It has indicated that it plans to end its process of accreditation at the end of a programme and replace it with a requirement on senior responsible owners, capability owners and delivery teams to be responsible and accountable for delivering systems that are cyber secure.
Director of cyber defence and risk Christine Maxwell said the new approach is essential as teams must own the cyber security risk, and that it must be followed in all new programmes and systems development.
A formal launch is planned for next month, following which the full process will go live.
“The approach will lead to the delivery of more secure systems through clearer accountability, simplified processes aligned to the capability delivery strategy, more use of open security standards, better guidance, more flexibility, and empowered decision making,” she said in a blog post.
Piloting, policy, process
A project team has been piloting the approach in MoD programmes this year and has produced a policy, process, guidance and tooling to support projects.
It includes a self-assessment tool and a new portal to support users in the ministry, along with a dedicated helpdesk.
In addition, a new second-line assurance function has been set up to perform independent assessments, with reviews at key stages of programmes.