Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government how many, and which, of the 39 outcomes in the National Cyber Security Centre Cyber Assessment Framework are complied with by Gov.uk One Login; and what steps they are taking to ensure Gov.uk One Login achieves all 39 outcomes.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
The Government does not routinely comment on operational security matters. GOV.UK One Login works closely with the National Cyber Security Centre (NCSC) to identify and mitigate risks and align to the Cyber Assessment Framework (CAF). The programme is committed to achieving CAF compliance by the end of 2025/26, in line with Government standards.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether the National Cyber Security Centre has warned about shortcomings with the One Login system, including risks of bulk personal data breach and mass impersonation fraud; and whether such warnings were shared with the Infrastructure and Projects Authority or the Cabinet Office Audit and Risk Committee.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
The GOV.UK One Login programme works closely with the National Cyber Security Centre (NCSC) to identify and mitigate risks and align to the Cyber Assessment Framework (CAF). NCSC advises One Login on any key risks which should be prioritised as part of our security efforts. This independent review by NCSC is something we encourage and have continued to prioritise since the programme was established. As a Government Major Projects Portfolio programme (GMPP), the programme is subject to regular internal and external scrutiny and reporting. The Infrastructure and Projects Authority has reviewed the programme positively in the last three Assurance Gateway Reviews.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government how many critical and high-risk vulnerabilities remained open in the live One Login system on 1 April, and what is the target date for full remediation.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
GOV.UK One Login follows the relevant security standards for government and private sector services, and we take addressing security concerns very seriously. As of 1 May, all critical and high vulnerabilities have been addressed. Risk mitigation will continue to be central to our approach to ensure we keep pace with the constantly changing cyber threat landscape.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government why they have not published a mandatory Data Protection Impact Assessment for One Login; whether they obtained explicit user consent for biometric processing prior to live rollout; and whether they conducted statutory prior consultation with the Information Commissioner’s Office.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
It is not a mandatory requirement to publish a Data Protection Impact Assessment (DPIA). We do have an obligation to let citizens know how we are processing their data, which we do via a privacy notice published on GOV.UK. We continually develop our DPIA to take into account the new identity verification journeys, such as the no photo ID route. Nevertheless, we are working on a publishable version of our DPIA which will be easy to digest for the public. The One Login programme meets with the Information Commissioner’s Office (ICO) on a monthly basis, engaging openly on programme developments, including iterations of the DPIA, and has been doing so since 2022. The lawful basis for data sharing in place has been agreed by the ICO.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government how many instances of production environment access to the One Login system were recorded in each month since July 2022; and, for each month, how many of those instances involved individuals who did not hold full Security Check clearance at the time of access.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
GOV.UK One Login takes the security clearance and audit of personnel very seriously. Access to production is granted only to those that require it and is closely monitored. As part of strengthening our approach to privileged access management, all individuals with production access to GOV.UK One Login must undergo a Security Check (SC), alongside further two-person checks for changes and audit logging of actions. One Login has implemented a policy of SC clearance for all development staff; this is higher than the Baseline Personnel Security Standard (BPSS), which is considered sufficient across many parts of government.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether any component of the One Login service was developed offshore without prior consultation with the National Cyber Security Centre; and whether the Government have retrospectively approved any such arrangements.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
No personnel developed components of the One Login service offshore without prior consultation with the National Cyber Security Centre (NCSC). We undertook a risk assessment in consultation with the NCSC before any offshore development by a small number of developers took place.
Any code in GOV.UK One Login that was produced by overseas staff was further subjected to a review by a staff member with Security Check clearance in the UK before it was deployed to production. As of March 2025, there is no longer any off-shored development on GOV.UK One Login.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether the Cabinet Office has quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login, as required by ISO 27001 standards and guidance from the National Cyber Security Centre for cloud-hosted government services; and whether they will place copies of such assessments in the Library of the House.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
The GOV.UK One Login team collaborates closely with the National Cyber Security Centre (NCSC) to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030. Although the programme does not specifically pursue ISO 27001 certification, it adopts multiple overlapping controls and the risk management framework is based on the HMG Orange Book, which is closely aligned with ISO 27005 guidance on managing information security risks.
While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes.