To support ongoing delivery of a strategy covering cyber across the public sector, a new plan will be created that, ministers suggest, will help DSIT take a more hands-on approach

After taking over responsibility for cross-public sector cyber issues, the Department for Science, Innovation and Technology will adopt a “more interventionist operating model”.

Formerly housed in the Cabinet Office, prime minister Keir Starmer announced earlier this month that the remit of leading government’s work on cybersecurity across Whitehall and the broader public sector would be moved to the Government Digital Service. The move comes shortly after GDS formally completed its own move from the central department to its new home in DSIT.

According to, Feryal Clark, DSIT’s minister for artificial intelligence and digital government the shift will “strengthen the resilience of digital public services by better integrating cybersecurity responsibilities and expertise into the Government Digital Service”.

GDS will now play a key role in supporting the ongoing delivery of the Government Cyber Security Strategy, a public sector-wide plan which was published in 2022 and covers the period up until 2030, by which time the intention is that all public bodies will be “resilient to known vulnerabilities and attack methods”.

The rollout of work to support this ambition will be informed by a new plan intended to assist GDS in its new oversight role – one in which it is likely to take a noticeably more hands-on approach, Clark indicated.

Related content

• GDS signs £10m One Login cyber deal and plans recertification after losing government digital ID trustmark
• One Login data: GDS promises ‘no marketing or profiling’ and explanation for disputed decisions
• MoJ cyber strategy sets plan to appoint security SRO for all IT systems and create unified staff identity system

“The government is progressing work on an implementation plan to support the delivery of the Government Cyber Security Strategy and is developing a new, more interventionist operating model to clarify, enable, and enforce cross-government responsibilities for cyber and digital resilience,” she said. “Additionally, important steps have been taken to understand and mitigate cyber risk through the launch of the GovAssure cyber assurance regime and the Government Cyber Coordination Centre.”

A report published by the National Audit Office earlier this year found that, after limited progress in tackling persistent problems, government will miss the cyber strategy’s nearer-term target of ensuring for the public sector’s “critical functions to be significantly hardened to cyberattack by 2025”.

As of March 2024, there were about 228 significant legacy IT systems used across departments “and the government does not know how vulnerable these are to cyberattack”, according to the NAO, which added that “departments have no fully funded remediation plans for half of these vulnerable systems”.

In the face of threat that is already “severe and advancing quickly”,  auditors also concluded that “the government’s cyber resilience levels are lower than it previously estimated, and departments have significant gaps in their system controls that are fundamental to their cyber resilience”.