Skip to main content

Five questions we’ve been asked about the cross-government Secure by Design approach

internet security and data protection concept, blockchain and cybersecurity

Secure by Design is all about building effective and proportionate cyber security into the delivery of new government services. You can read more of the background to this in our previous blog.

We’ve been engaging with colleagues from across the digital, data and technology, security and project management communities through pilots, user research and senior leadership briefings. Not surprisingly, we’ve been asked lots of questions, and we’d like to address some of the more popular ones in this post.

What are the components of the cross-government Secure by Design approach?

The approach includes both principles and framework guidance. It has been developed with input from our stakeholders, including a cross-government working group and an industry panel. In recent months we’ve been testing the guidance, and are now updating it based on the feedback we’ve received.

You can read the proposed Secure by Design principles in full and the intent behind them. The principles cover the end-to-end project lifecycle and reflect security challenges in digital delivery faced by government organisations. The National Cyber Security Centre (NCSC) secure design principles, which focus on secure design of a system, have been incorporated in principles five to eight.

The framework guidance covers the activities which need to be implemented in order for the principles to be met. It covers things like: security in the business case; documenting your assets; performing threat modelling; mitigating security risks; and evaluating the security impact of changes. The activities set out the what, why, when, who and how and are accompanied by templates, examples and tools to practically help project teams implement the activities. 

Two key tools are built into the framework guidance. The first, a Self-Assessment Tracker, is designed to help delivery teams track how well their projects are following the Secure by Design approach.

The second tool, a Security Controls Taxonomy, will help project teams select appropriate security controls from recognised industry security standards and frameworks as part of their risk mitigation activities. The controls are mapped to the NCSC Cyber Assessment Framework (CAF) outcomes and Indicators of Good Practice (IGPs).

It’s worth stating that the cross-government Secure by Design approach is likely to evolve further in the future. How it develops will depend on further user research and stakeholder engagement.

Will Secure by Design be mandatory?

Yes. The Secure by Design approach will be mandated across central government departments and Arms Length Bodies (ALBs). This has been cemented in the Government Cyber Security Strategy (outcome 9) and Transforming for a digital future: 2022 to 2025 roadmap for digital and data (commitment 11). The 10 Principles - expressed as outcomes - will be mandatory and central government departments and ALBs must adhere to them. 

The Secure by Design activities set out in the framework guidance will be mandatory too, but there will be some flexibility in how organisations apply them, recognising that this will be influenced by structures, processes, governance, culture, resources and other factors.

How does Secure by Design relate to GovAssure?

The Secure by Design approach will help government organisations on their journey to meeting their assigned GovAssure profiles and respective Cyber Assessment Framework (CAF) Indicators of Good Practice.

As Secure by Design is specific to systems and services which are in development - rather than those which are already operating - it supports some areas of CAF more than others including those relating to risk management (A2), supply chain (A4), identity and access control (B2), data security (B3) and resilient networks and systems (B5).

What is the timeline for launching and implementing Secure by Design?

We are working towards a launch for Secure by Design in December 2023 or early 2024. We are developing an appropriate implementation approach, which is likely to involve a substantial ‘grace period’ during which government organisations would be expected to begin applying the approach to the delivery life-cycles for new systems and services. 

How can I stay up to date with what’s happening on Secure by Design?

We’ll be ramping up our communication with departments, ALBs and other stakeholders over the coming months. For now, the best way to stay informed is to sign up for our regular stakeholder updates.  If you’d like to have a more detailed discussion with us about Secure by Design, please email us at:

Sharing and comments

Share this page

Leave a comment

We only ask for your email address so we know you're a real person

By submitting a comment you understand it may be published on this public website. Please read our privacy notice to see how the GOV.UK blogging platform handles your information.