Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what plans they have to require their suppliers to use secure container images, in a manner comparable to the United States 2024 executive order on securing the software supply chains of federal government suppliers.
In February 2025 Cabinet Office published the updated National Procurement Policy Statement (NPPS). The statement requires all public sector contracting authorities in scope to mitigate supply chain and national security risks by ensuring appropriate controls are in place, such as the Cyber Essentials standard for cyber security. Contracting authorities should also follow government guidance on Tackling Security Risk in Government Supply Chains, inclusive of software security risk.
In May 2025 DSIT published a voluntary Software Security Code of Practice. The Code of Practice has been developed to improve the security and resilience of software that organisations and businesses rely on. This is not mandatory for government suppliers, but we strongly encourage public sector organisations to use the Code of Practice in their commercial engagements.