Key Secure by Design Changes to Look Out For… An Evolution or a Revolution?
With Secure by Design (SbD) fast approaching, here are some of the high-level, significant changes that you are likely to see.
Over the last 18 months, we have had numerous discussions, both internally and externally, regarding the implementation of SbD by the MoD and what that means for the delivery and management of cyber secure systems. We have even applied it in anger to systems and capability (even in-service capability) to road test the principles and approach. From this, we have learnt an awful lot about what works and what doesn’t, as well as the key changes to MoD processes that are just around the corner.
So, what are some of the key changes to the MoD process that you need to know about?
Security From The Start
This is the fundamental change in focus. Security is no longer an add-on or an afterthought that can result in exorbitant costs and vulnerable systems. Security now needs to be integrated right from the beginning of the system’s lifecycle.
What this means: Security must be planned into the capability at the start (e.g. Concept phase) and budgeted for throughout its lifecycle.
Cyber Security will now play a crucial role in the Investment Appraisal Committee (IAC) and the Joint Requirement Oversight Committee (JROC), which oversee financial matters and conduct formal reviews of systems at certain stages in their lifecycle.
What this means: If a system does not have the correct security in place, it may fail to pass its next financing review.
Registering new systems will now be through the Secure by Design Portal. The MoD is expected to introduce a new registration tool, but this is not yet built. One to watch out for!
What this means: A manual registration process will likely lead to delays, so it’s better to get systems signed up sooner.
The traditional concept of accreditation will cease to exist! Instead, the Senior Responsible Owners (SROs) and delivery teams will hold sole responsibility for delivering cyber-secure systems.
What this means: A breach on an improperly secured system could have a much more significant impact on the system SRO.
To ensure compliance with SbD, the MoD has introduced second-line assurance teams. These teams will conduct assurance reviews to provide independent assessments of the current cyber security status for system delivery teams and Senior Responsible Owners.
What this means: Delivery teams need to be able to conduct regular security assurance on their systems.
SbD primarily follows the National Institute of Standards and Technology (NIST) Framework. IT systems, both new and existing ones within the MoD, will be required to ensure their security aligns with NIST or a similar framework.
What this means: You need the correct SQEP security personnel on your team to deliver the NIST Risk Management Framework.
It’s clear that SbD is a massive overhaul in UK Defence thinking. Previously, security was treated as an afterthought, but SbD brings it straight to the forefront. It requires system delivery teams to prioritize security throughout the entire system lifecycle, including budget, personnel, assurance, and governance.
Delivery teams and SROs are now solely accountable for the safe and secure delivery of their systems, departing from the past, where security was often treated as a separate concern. SbD signifies a transformative change in Defence’s approach to Cyber Security.
Our team of Cyber Subject Matter Experts are ready to assist you. We recognise the significant benefits but also the challenges that SbD brings, and we are here to support you in leveraging those advantages. Don’t hesitate to reach out to us for support and guidance.