Government: Digital Technology

(asked on 3rd September 2018)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what processes are undertaken to verify the (a) cyber security and (b) data protection measures of digital services provided to Government.


Answered by
Oliver Dowden
This question was answered on 14th September 2018

Clarification and assumption

We assume that this question refers to external supplier digital services and products utilised by government.

The Government enforces a number of controls to ensure that any supplier to government has adequate cyber security and demonstrates acceptable protection of government data.


Each department is responsible for understanding and managing the security risks that their supply chain poses. Contracts with government departments should include cyber security clauses referencing how incidents would be managed in the event of a cyber attack.



This year, the Government issued a new Minimum Cyber Security Standard which outlines a set of protective measures that departments should implement, and exceed wherever possible. The standard will be incremented to continually ‘raise the bar’, address new threats, and incorporate the use of new Active Cyber Defence measures from the National Cyber Security Centre (NCSC).

The standard enables departments and their suppliers to better understand their cyber security risks and makes clear government’s expectations of suppliers. The new cyber security standard will be applied to government’s strategic suppliers to assess if they meet the required level, and government will write the standard into new contracts and enforce full compliance with it.


Government will also pilot the introduction of the cyber security equivalent of a ‘credit check’ on suppliers, to allow for easy risk assessments of suppliers and to accelerate expansion of the world-leading Active Cyber Defence programme, to better protect our critical national infrastructure including services such as our hospitals and schools.


Departments are also supported in choosing suppliers through Cyber Essentials, the government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. The scheme is a key element of the UK’s National Cyber Security Strategy 2016-2021 and certification is available to all organisations, of all sizes and in all sectors.


Departments also use advice from the NCSC to ensure that their supply chain is secure. Examples of such advice include twelve principles for establishing effective control and oversight of supply chain and fifteen good practice measures for the protection of bulk data held by digital services.


At a national level, all organisations in the UK must comply with the Data Protection Act 2018 and the General Data Protection Regulation. This includes government departments and any digital service providers that are helping to deliver government services. These laws require all parties carrying out processing operations to hold personal data securely and in accordance with the rights of data subjects.
