Government sets out refreshed plans to strengthen public sector cyber security

Published
1/27/2026

The government has set out refreshed plans to strengthen cyber security across the public sector, outlining new expectations, priorities and areas of focus for organisations delivering digital services.

Government has published its new Government Cyber Action Plan (GCAP), which introduces new objectives to strengthen the security and resilience of the UK’s public services. The publication coincides with the Second Reading of the Cyber Security and Resilience Bill, which aims to bolster the cyber defences of the UK’s critical national infrastructure.

What is the GCAP?

The Government’s Cyber Action Plan is an update to the Government’s Cyber Security Strategy published in 2022. It sets out a renewed ambition for public sector cyber security, with responsibility for the Plan now sitting with the Department for Science, Innovation and Technology.

The Plan opens with a recognition that government will not meet its previous target of ensuring all government organisations are resilient to known vulnerabilities and attack methods by 2030.

In this new Plan, clear expectations have been given to government departments and organisations. Each chapter begins by outlining ‘who is responsible for what’. Implementation will be supported by £210 million in funding, with delivery led by the new Government Cyber Unit.

The Plan will look to achieve four objectives:

  • Better visibility of cyber security and resilience risk
  • Addressing severe and complex risks
  • Improving responsiveness to fast moving events
  • Rapidly increasing government-wide cyber resilience

These objectives will be delivered through five delivery strands:

  • Accountability: this strand will set out clear ownership and management of cyber risks at all levels of government.
  • Support: this strand will outline how government organisations will be supported to ensure they have the capability, skills and capacity to meet their cyber responsibilities.
  • Services: this strand will help scale cyber services that can address shared security and resilience challenges across government organisations.
  • Response and recovery: this strand outlines responsibilities for managing cyber incidents at all levels, with the aim of reducing their impact.
  • Skills: this strand will see government establish the first Government Cyber Profession to help attract, upskill and retrain cyber professionals across government.

How will the Plan be implemented?

Phase 1: Building

  • By April 2027, the government will have built a new operating model for government cyber security. This will include empowering the Government Cyber Unit to achieve its function, refreshed accountability and governance for cyber risk across departments and launching the new Government Cyber Profession.

Phase 2: Scaling

  • By April 2029, government will have scaled and leveraged the new model. This phase will see progress against the Plan’s ambitions, alongside a more mature understanding of cyber risks and how to respond to them.

Phase 3: Improving

  • By April 2029, government will use the model to drive continuous improvement in cyber security and resilience. This will include leveraging the Government Cyber Profession, adopting a more proactive approach to supply chain cyber risk, and delivering central cyber support and services at scale to sustain long-term capability.

Software Security Ambassador Scheme

Government has also announced a new Software Security Ambassador Scheme, which will be used to drive up adoption of the Software Security Code of Practice. Among others, Cisco, Palo Alto Networks, Sage, Santander and NCC Group will act as ambassadors, championing the Code across sectors and providing feedback to inform future policy improvements.
