The government has cut the time it takes to fix critical cyber vulnerabilities across the public sector by 84% and launched a new dedicated Cyber Profession to strengthen long-term resilience across public services.
Announced by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC), the measures form part of a wider drive to harden the UK’s digital defences.
At the centre of the announcement is the government-wide Vulnerability Monitoring Service (VMS), introduced under the Blueprint for Modern Digital Government. The service continuously scans 6,000 public sector bodies and detects around 1,000 different types of cyber vulnerabilities affecting internet-facing systems.
The service has reduced the median time taken to remediate domain-related vulnerabilities from 50 days to eight - a six-fold improvement. The median time to fix other cyber vulnerabilities has also fallen from 53 days to 32 days.
The backlog of critical open domain-related vulnerabilities has also been cut by 75%, with around 400 confirmed vulnerabilities processed and resolved each month.
Many of the issues relate to weaknesses in the Domain Name System (DNS), which translates website names into machine-readable addresses. If left unresolved, those weaknesses can allow attackers to redirect users to fraudulent sites, intercept sensitive data or disrupt services.
Previously, DNS-related weaknesses could go undetected for almost two months. Under the VMS, organisations are alerted with actionable guidance and remediation is tracked until issues are resolved, reducing the window of exposure to just over a week.
Speaking at the annual Government Cyber Security and Digital Resilience conference, Digital Government Minister Ian Murray said the reforms would significantly reduce risks to frontline services.
“Cyber-attacks aren’t abstract threats - they delay NHS appointments, disrupt essential services, and put people’s most sensitive data at risk. When public services struggle it’s families, patients and frontline workers that feel it. The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they’re exploited so we can protect against that.”
Alongside the VMS, the government has launched its first dedicated Cyber Profession. The initiative is intended to recruit, develop and retain cyber specialists across the public sector. It will introduce a competitive employment offer, establish a Cyber Resourcing Hub to streamline recruitment, and create a clear career framework aligned with professional standards set by the UK Cyber Security Council.
Plans include the creation of a government Cyber Academy, a new apprenticeship scheme and structured career pathways designed to address long-standing skills gaps identified in recent assessments of government cyber resilience. Murray said the ambition was to make government “a destination of choice for cyber professionals who want to protect the services that matter most to people’s lives”.
The North West will serve as a primary hub for the profession, building on Manchester’s growing digital cluster and the forthcoming government Digital Campus.
The reforms are backed by £210 million of investment under the government’s Cyber Action Plan and follow warnings from the National Audit Office in early 2025 that the cyber threat to government is both severe and rapidly evolving, with workforce capability representing a significant risk.