Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government whether any departments or government agencies monitor the use of insecure or vulnerable container images within government IT systems; and, if so, whether they will publish the latest audit data on the number of container images in use that contain critical or high-severity vulnerabilities.

All government departments and their Arms Length Bodies must meet the Government Cyber Security Standard, which specifies that organisations shall meet or exceed the security outcomes specified in the National Cyber Security Centre’s Cyber Assessment Framework (CAF). Principle B4 of the CAF on system security requires departments to manage vulnerabilities on their systems.

His Majesty’s Government does not hold a central view of departmental or agency vulnerabilities.