New regime of independent audits launched recently and – ahead of her appearance at the PublicTechnology Cyber Security Conference next week – Bella Powell from the Government Security Group tells us more
“A transformative change in government cybersecurity.”
This was how government chief security officer Vincent Devine described the launch in April of GovAssure: the new regime of annual independent audits of departments’ cyber resilience.
The formal commencement of the initiative followed a trial exercise in which the Home Office and the then Department for Business, Energy and Industrial Strategy underwent assessments conducted by security firm C3IA, which then provided the two organisations with “a ‘get well’ report listing current vulnerabilities which will then allow [them] to spend… cyber budget more effectively and to mitigate specific risks quickly”.
The ongoing rollout of the audits in the coming months – and their operation in the years to come – will be overseen by the Cabinet Office-based Government Security Group.
Bella Powell, director of the group’s Cyber Directorate, will be appearing at the PublicTechnology Cyber Security Conference on Tuesday of next week – 4 July – to share with delegates more details of GovAssure and the impact government hopes it will have.
We hope you join us there, and there is still plenty of time to register to hear from a great array of speakers, join in interactive sessions and enjoy a full day of award-winning food and drink – and all completely free to attend for public sector delegates.
But, before the event, we caught up with Powell to get an introduction to the new cyber-resilience regime, and its progress so far.
PublicTechnology: What was the rationale behind the introduction of GovAssure, and what are its key aims?
Bella Powell: In January 2022, we launched the Government Cyber Security Strategy, to set clear targets for government and drive up cyber resilience. We set out to significantly strengthen critical government functions by 2025, and make all government public sector organisations resilient by 2030.
A critical deliverable of the strategy is GovAssure, our new cyber assurance scheme launched in April by the deputy prime minister. It is a fundamental step change. Its primary aims are to provide visibility of cyber security risks across government organisations as well as the confidence that those risks are being appropriately and proportionately managed, to provide confidence that cyber security risks to organisations’ functions are being managed sufficiently, to highlight common issues and challenges at scale, and to enable organisations to implement cost-effective and targeted intervention.
How significant a difference does it represent from the current assurance and resilience regime?
GovAssure takes account of the huge variation across the government technology estate with its wide range of functions, complexity and differing threats. We have moved to an outcomes-based framework which means organisations are measured on their ability to implement the right controls for them. GovAssure uses the NCSC’s Cyber Assessment Framework, which was designed to assess the resilience of critical national infrastructure. This puts us in alignment with the UK’s most important functions, reporting in a way that’s consistent with other organisations operating UK essential services. We will also be introducing independent assessment, to increase the rigour and objectivity of output.
The scheme will identify vulnerabilities at a system level rather than at an organisational level. By assessing from the ground up, any identified vulnerabilities will be highlighted to an organisation to enable it to mitigate them with targeted cyber spend. The other fundamental difference is that an external review of the organisation’s self-assessment will be introduced in order to increase the rigour of the outputs.
What have you learnt through the initial trial audits?
We have worked closely with the NCSC and departments to develop the scheme, including a series of pilots. It was important to put GovAssure through a pilot phase to test key areas of the process before the launch in April of this year, and enable us to optimise the implementation process. These pilots have enabled us to evaluate the level of effort required to complete assurance for a range of different systems, and to develop additional guidance for departments in implementing the process.
How is government working with industry and other external partners to deliver GovAssure?
Industry partners will be critical to the implementation of GovAssure, particularly assurance suppliers and accreditation bodies, who will be responsible for delivering the independent assurance component of the scheme. We have engaged early and extensively with external partners to shape the scheme, including consulting on the route to market and the approach to market maturity, and to ensure that they are prepared to support the launch.
What would success look like – and how can it be measured?
As an integral part of the Government Cyber Security Strategy, the ultimate success of GovAssure will be measured through the achievement of the strategy’s vision and targets to improve cyber resilience across government and the wider public sector. In the interim, we can measure progress through the launch and adoption of the scheme across government. The launch of GovAssure in April marked the start of a sizable step-change in how cyber assurance is conducted, and by the end of its first year, we should already be in a much stronger position to understand and improve government cyber resilience.
The PublicTechnology Cyber Security Conference – which is open only to public-sector delegates and is completely free to attend – will gather together cyber and information security professionals from across public services. Beginning with a keynote from Ministry of Justice security chief Amie Alekna, discussing how to engage the entirety of an incredibly diverse and dispersed workforce in their cyber responsibilities, the programme also features exclusive presentations from senior leaders representing the Ministry of Defence, Oxford University, the City of London Police and the Government Security Group.