Secure by Design
All technology and services that handle Defence data must be Secure by Design. This includes projects delivered by suppliers.
Designing security into projects from the start helps Defence stay ahead of adversaries and maintain national security.
What has changed
Cabinet Office policy is that all government departments and arm’s length bodies must be Secure by Design.
The Ministry of Defence (MOD) is implementing Secure by Design in all top level budgets and arm’s length bodies.
You no longer have to apply for security accreditation that lasts for a period of time.
To be Secure by Design, your team needs to:
- consider cyber security from the start
- choose appropriate security frameworks and controls
- continuously manage risks
Get your team involved
Secure by Design encourages everyone to identify and manage risk. Make sure your team understands:
- that the project is responsible for cyber security
- why designing for security from the start is important
- their role in keeping MOD data secure
The project team is responsible for cyber security but you also need to nominate a Senior Responsible Owner (SRO). They will be accountable for Secure by Design.
Your SRO needs to be someone with authority who has experience in risk management.
Check what you need to do
To be Secure by Design, your team needs to do certain activities. These include:
- agreeing roles and responsibilities
- deciding how much risk is acceptable
- continually reviewing your security
To check what you need to do, sign in to the Secure by Design portalopens in a new tab.
To access the Secure by Design portal, you must work in Defence or for one of our suppliers. If you do not have access, ask a senior military or MOD civil servant on your team to arrange it for you.
Related guidance
- Secure by Design – a new way to manage cyber risk in capabilitiesopens in a new tab
- GOV.UK Secure by Design guidanceopens in a new tab
- National Cyber Security Centre secure design principlesopens in a new tab
Published April 2024