CDDO releases cross-government ‘secure by design’ approach

The Central Digital and Data Office (CDDO) has published a cross-government ‘secure by design’ approach to digital delivery.

It includes a set of principles and activities designed to help government departments and arm’s length bodies integrate effective security practices in digital delivery; the intention being to increase government’s cyber resilience and improve data sharing between organisations. 

The approach applies all the way through the digital delivery lifecycle, as services are being planned, designed and built. 

It is made up of ten principles, each focused on achieving outcomes linked to specific security challenges. These include creating responsibility for any cyber security risks, designing usable security controls, minimising the attack surface and embedding continuous assurance. 

Alongside this is a list of activities designed to support organisations to meet these ten principles. They are designed to be flexible, allowing organisations to tailor how they carry them out based on their own security risk management and assurance frameworks.

CDDO have also included a couple of practical tools; one is a security controls taxonomy and another is a self assessment tracker to support teams in monitoring progress.

The ‘secure by design’ approach is a major part of the Government Cyber Security Strategy and Transforming for a digital future roadmap.

Roll out

In a blog outlining the new approach Fotini Tsekmezoglou, Head of Securing Digital Transformation at CDDO, said they are looking to  build awareness and understanding of it among key roles, professional communities and organisations. 

“We have been working with specific organisations which have already started their journey of implementing Secure by Design to understand potential implementation models and activities (for both government organisations and CDDO), challenges and lessons learned as well as developing content required to support effective implementation.

"Recognising the diverse profile and maturity of government organisations, we appreciate that each organisation will be adopting the Secure by Design approach from a different starting position.”

He said they expect to continue refining the approach in light of organisations’ experiences with the approach and further discovery work in the future.