
Written Question
Public Sector: Cybersecurity
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what recent assessment he has made of the effectiveness of the Government's cyber security measures in protecting public sector organisations.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Government prioritises public sector cyber security, which is why in April 2023 GovAssure was launched. Under GovAssure, government organisations regularly review the effectiveness of their cyber defences against common cyber vulnerabilities and attack methods. We are currently evaluating the first year’s assessments.

GovAssure will enable government organisations to accurately assess their levels of cyber resilience across their critical services, highlight priority areas for improvement and provide the Government with a strategic view of cyber capability, risk and resilience across the sector.

With its foundations in the National Cyber Security Centre’s Cyber Assessment Framework, GovAssure will help us to understand our risk at scale and put us on the pathway to reducing it, as well as aligning Government with the best practice in management of wider UK Critical National Infrastructure sectors.


Written Question
Public Sector: ICT
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what his Department's policy is on the security requirements for endpoint devices procured by the public sector.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC). This includes specific security outcomes in relation to the secure configuration and management of devices.

As the CAF is outcomes-based, it does not specify which commercially available devices meet these security requirements or which vendors government organisations should buy their devices from. That is a matter for government organisations to determine locally, in consultation with their commercial, security and IT teams, based on their organisation’s business needs, risk tolerance and threat profile.

In addition, in November 2023 we published the cross-government Mobile Device Management policy to help government organisations and their Arm’s Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. NCSC also provides guidance on how to securely configure devices from each of the most commonly used platforms.


Written Question
Government Departments: ICT
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what criteria his Department uses to determine the security standard of hardware devices before they are purchased by Government.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC). This includes specific security outcomes in relation to the secure configuration and management of devices.

As the CAF is outcomes-based, it does not specify which commercially available devices meet these security requirements or which vendors government organisations should buy their devices from. That is a matter for government organisations to determine locally, in consultation with their commercial, security and IT teams, based on their organisation’s business needs, risk tolerance and threat profile.

In addition, in November 2023 we published the cross-government Mobile Device Management policy to help government organisations and their Arm’s Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. NCSC also provides guidance on how to securely configure devices from each of the most commonly used platforms.


Written Question
Public Sector: Procurement
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what assessment he has made of the effectiveness of the Procurement Act 2023 on strengthening cyber security requirements for public tenders.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Procurement Act 2023 brings in new powers to exclude and debar companies from public procurement on grounds of national security. The new National Security Unit for Procurement (NSUP), in the Cabinet Office, will work across government to coordinate assessments of companies and support ministers in national security debarment decisions.

In addition, Procurement Policy Note 09/14 requires central government contracting authorities to ensure that for contracts with certain characteristics, suppliers must meet the technical requirements prescribed by Cyber Essentials, including where suppliers store, or process, personal information or data at Official level.

The Cabinet Office encourages all organisations to follow National Cyber Security Centre (NCSC) guidance which sets out the security matters to be considered during the procurement process. The National Protective Security Agency (NPSA) has also published guidance to prevent hostile actors exploiting vulnerabilities in supply chains.

The National Procurement Policy Statement sets out the national priorities that all contracting authorities should have regard to in their procurement where it is relevant to the subject matter of the contract and proportionate to do so. The current statement does not include cyber security as a separate, wider policy because the need for cyber security protection is fundamental to procurements where it applies and therefore built into the procurement process as described above. The new legislative statement that will come into force alongside the Procurement Act is currently being drafted and will be subject to a consultation process as set out in Section 13 of the Act.


Written Question
Public Sector: Procurement
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, if he will make an assessment of the impact of the National Procurement Policy Statement, published in June 2021, on cybersecurity in public sector procurement processes.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Procurement Act 2023 brings in new powers to exclude and debar companies from public procurement on grounds of national security. The new National Security Unit for Procurement (NSUP), in the Cabinet Office, will work across government to coordinate assessments of companies and support ministers in national security debarment decisions.

In addition, Procurement Policy Note 09/14 requires central government contracting authorities to ensure that for contracts with certain characteristics, suppliers must meet the technical requirements prescribed by Cyber Essentials, including where suppliers store, or process, personal information or data at Official level.

The Cabinet Office encourages all organisations to follow National Cyber Security Centre (NCSC) guidance which sets out the security matters to be considered during the procurement process. The National Protective Security Agency (NPSA) has also published guidance to prevent hostile actors exploiting vulnerabilities in supply chains.

The National Procurement Policy Statement sets out the national priorities that all contracting authorities should have regard to in their procurement where it is relevant to the subject matter of the contract and proportionate to do so. The current statement does not include cyber security as a separate, wider policy because the need for cyber security protection is fundamental to procurements where it applies and therefore built into the procurement process as described above. The new legislative statement that will come into force alongside the Procurement Act is currently being drafted and will be subject to a consultation process as set out in Section 13 of the Act.


Written Question
Public Sector: Procurement
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, if he will make an assessment of the effectiveness of the Procurement Act 2023 for tackling cybersecurity threats in public tenders.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Procurement Act 2023 brings in new powers to exclude and debar companies from public procurement on grounds of national security. The new National Security Unit for Procurement (NSUP), in the Cabinet Office, will work across government to coordinate assessments of companies and support ministers in national security debarment decisions.

In addition, Procurement Policy Note 09/14 requires central government contracting authorities to ensure that for contracts with certain characteristics, suppliers must meet the technical requirements prescribed by Cyber Essentials, including where suppliers store, or process, personal information or data at Official level.

The Cabinet Office encourages all organisations to follow National Cyber Security Centre (NCSC) guidance which sets out the security matters to be considered during the procurement process. The National Protective Security Agency (NPSA) has also published guidance to prevent hostile actors exploiting vulnerabilities in supply chains.

The National Procurement Policy Statement sets out the national priorities that all contracting authorities should have regard to in their procurement where it is relevant to the subject matter of the contract and proportionate to do so. The current statement does not include cyber security as a separate, wider policy because the need for cyber security protection is fundamental to procurements where it applies and therefore built into the procurement process as described above. The new legislative statement that will come into force alongside the Procurement Act is currently being drafted and will be subject to a consultation process as set out in Section 13 of the Act.


Written Question
Public Sector: Cybersecurity
Thursday 8th February 2024

Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what steps his Department has taken to improve the cyber resilience of public services.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

We are working extensively to improve the cyber resilience of public services, particularly through the Government Cyber Security Strategy. As part of this, in April 2023 we launched GovAssure, which introduced stringent new measures for Government cyber security to be reviewed against. We have also published the Cyber Policy Handbook and the Secure by Design Framework, as well as soft launching the Government Cyber Coordination Centre (GC3), to share best practice and embed it throughout the UK’s public services.


Written Question
Health Services and Social Services: Cybersecurity
Thursday 8th February 2024

Asked by: Julie Elliott (Labour - Sunderland Central)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, how much has been spent on improving cyber security of the health and care system in each year since 2016; and how much and what proportion of that expenditure was (a) internal and (b) on contracted suppliers.

Answered by Andrew Stephenson - Minister of State (Department of Health and Social Care)

The information requested on cyber spending covers sensitive details about cyber security investment for the National Health Service. Releasing this information at the level of any annual breakdown may assist in determining the effectiveness of detecting cyber-attacks on the NHS, and could compromise measures to protect NHS IT systems, leaving them vulnerable to future cyber-attacks.

However, in total, £338 million has been invested nationally to improve the cyber security of the health and care system between 2016 and 2023. This is core spend and excludes investment by local organisations, and wider national or local IT investment which supports better security, such as Microsoft licensing for NHS organisations.

Cyber improvement programmes will always seek to use internal resource where skillsets are available. External subject matter expertise support is brought in to support delivery where these are not available within the Department.


Written Question
Iraq: Military Aid
Tuesday 6th February 2024

Asked by: James Wild (Conservative - North West Norfolk)

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, in what specialisms the Armed Forces are providing training to Iraqi Security Forces in Iraq.

Answered by James Heappey

UK training is focused on enhancing the capabilities of the Iraqi Security Forces in order to ensure the enduring defeat of Daesh. This includes training on policy and strategy, planning, cyber security, human rights and women's empowerment.


Written Question
Police Service of Northern Ireland: Data Protection
Tuesday 6th February 2024

Asked by: Jim Shannon (Democratic Unionist Party - Strangford)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, whether he has had discussions with the Police Service of Northern Ireland on lessons learned from data breaches.

Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)

The Police Service of Northern Ireland (PSNI) is devolved and has operational independence. It is for the Northern Ireland Policing Board (NIPB) to monitor and provide oversight of PSNI performance.

The PSNI and the NIPB commissioned an independent review into the data breach and a report was published on 11 December 2023.

The Government’s focus following the data breaches of August 2023 was on providing specialist support and expertise to the PSNI in its handling of this issue. Officials in the Cabinet Office chaired regular operational meetings - initially daily - bringing together the PSNI, Government Departments and the Security Services, to ensure that their collective skills, including cyber-expertise, were brought to bear in supporting the PSNI.

The Government published on 14 December 2023 technical guidance relating to the approach to be taken by FOI practitioners across central government when a requestor asks for disclosure in a spreadsheet format.