New GovAssure cyber regime launches across UK government

All government departments and a selected number of arm’s length bodies are to have their cyber security postures reviewed under new, more stringent measures being put in place under the auspices of an enhanced security regime, known as GovAssure, to be run by the Cabinet Office’s Government Security Group with support from the National Cyber Security Centre (NCSC).

The measures are designed to better protect the government IT systems behind vital public services from a myriad of growing cyber threats.

The imposition of annual, more robust, security audits delivers on a key part of the government’s Cyber Security Strategy by improving government resilience and helping public bodies protect themselves, said the Cabinet Office.

“Cyber threats are growing, which is why we are committed to overhauling our defences to better protect government from attacks. Today’s stepped up cyber assurance will strengthen government systems, which run vital services for the public, from attacks. It will also improve the country's resilience; a key part of our recent Integrated Review Refresh,” said Oliver Dowden, chancellor of the Duchy of Lancaster.

Government chief security officer, Vincent Devine, added: “This is a transformative change in government cyber security. GovAssure will give us far greater visibility of the common cyber security challenges facing government.

“It will set clear expectations for departments, empower hard-working cyber security professionals to strengthen the case for security change and investment, and will be a powerful tool for security advocacy.”

The key change introduced by the GovAssure regime is the imposition of the NCSC’s existing Cyber Assessment Framework (CAF) to review the assurance measures in place across government. Initially designed for security teams at operators of critical national infrastructure (CNI), the CAF includes a number of measures, including establishing indicators of good practice for cyber risk management, and protecting against cyber attacks.

It also introduces third-party-led assessments to increase standardisation and validate results, and centralised cyber security policies and guidance to help government bodies identify what best practice looks like.

The launch of the GovAssure programme – which was announced by Dowden at the NCSC’s annual CyberUK conference in Belfast – comes amid a flurry of discourse after the NCSC published a new alert warning of the growing threat to critical services, and by extension government bodies, posed by mercenary Russian hacktivists.

This new breed of threat actor, which has emerged over the course of the war in Ukraine, is motivated by ideology rather than getting rich, and is not tied to the whims of the Russian intelligence services – which at least make a pretence of obeying international law. As such, they are more unpredictable and unrestrained.

Nominet managing director David Carroll said: “Nation states are increasingly focusing their activities on disrupting services that impact the greatest number of people. Ultimately these cyber criminals don't care who the end organisation is – it comes down to who can be exploited to create the biggest effect on a nation's society and economy, such as CNI.

“This alert from the NCSC has come at the right time. As the need for protection against nation-state threats increases, a push on bolstering critical national infrastructure by the NCSC sends a strong message to cyber criminals around the world and helps us all to manage the risk against future attacks.

Carroll added: “The alert also signifies greater intervention from governments, as we’ve similarly seen in the US. With more specific and ambitious resilience targets coming for CNI operators in the UK by 2025 – it’s a clear-cut message on how our collective national cyber defence is so reliant on the posture of CNI.”