Updated fifth version of guidance reveals that the National Cyber Security Centre will take on responsibility for assuring departmental spending on technology to secure communications systems against attacks from adversaries
All departmental investments in cryptography systems will now be covered by government’s spending controls, and will require assurance from the National Cyber Security Centre.
The Cabinet Office-based Central Digital and Data Office has published an update to version 5 of the Digital and technology spend controls, first released in 2018 and overseen by CDDO since its creation in 2021. While the amendments do not constitute a full new iteration of the controls, there are a couple of significant tweaks – in particular the inclusion, for the first time, of dedicated assurance processes for so-called ‘crypt-key’ systems.
According to the National Cyber Security Strategy published by the government last year, “crypt-key is the term used to describe the UK’s use of cryptography to protect the critical information and services on which the UK government, military and national security community rely, including from attack by our most capable adversaries”.
The concept of cryptography is thousands of years old and, in modern security technology parlance, refers to techniques to encode communications so as to protect them from interception or attack. Cryptographic methods underpin distributed-ledger technologies – such as blockchain.
In November 2020, the NCSC set up a National Crypt-Key Centre to oversee how the government and the UK at large “develops, operates and maintains the systems providing highly secure communications for the government, military, industry and allies”.
As part of its work, the NCSC facility will now also take on responsibility for assuring all spending by government bodies on cryptographic technology – regardless of value.
“Within the Digital and Tech Spend control, the Cabinet office also monitors investment in crypt-key above a threshold of £0,” said a new section added to the procurement guidance document. “Any spend on crypt-key needs to be assured by the National Crypt-Key Centre in NCSC to ensure that the spend is aligned with the National Crypt-Key strategy.”
Procurement teams affected by this new measure are instructed to contact their departmental lead for crypt-key systems, as well as alerting CDDO by updating their existing digital and tech spend pipeline. More information is available by emailing firstname.lastname@example.org, the document added.
The National Cyber Security Strategy – which sets out a range of measures intended to ensure “the UK in 2030 will continue to be a leading responsible and democratic cyber power” – includes plans to boost the country’s cryptography credentials, particularly in government.
The strategy enshrines a commitment that “the UK remains one of a handful of nations able to develop sovereign crypt-key into the future”.
“[We will ensure that] the UK has stronger crypt-key capabilities and services in government, able to meet the evolving needs of the UK and our allies and ensuring we remain at the forefront of crypt-key development,” the document adds. “We will provide strong technical leadership to understand user requirements and improve our core services, including provision of key material and assurance of products and systems. We will also transform crypt-key services, harnessing new technologies so that they become more flexible and invisible.”
In the other main update to the digital and tech spend controls, the threshold at which CDDO, on behalf of departments and agencies, is required to work alongside the government commercial function to submit requests for ministerial spending approval has been raised from £10m to £20m.
The amended guidance explains: “When an activity owner marks an activity as ‘control’ they need to get approval from the CDDO. Your CDDO senior technology adviser provides a recommendation, usually with conditions, [and] a submission is made to the Cabinet Office minister [for approval]. CDDO and GCF will make a joint submission to the minister if the spend activity costs over £20m. CDDO will make the submission alone if the spend activity costs below £20m.”