Background

Cyber resilience is an organisation’s ability to prevent, withstand and recover from cyber security incidents. The Cabinet Office leads government’s work to make itself cyber resilient through successive National Cyber Security Strategies published in 2011, 2016 and 2021. In our 2019 report on Progress of the 2016-2021 National Cyber Security Programme, we said that failings in the way the Cabinet Office established its 2016-2021 cyber security programme meant that the government did not know whether it would meet the programme’s goals, and raised questions about its plans to tackle cyber-attacks after 2021.

In 2022 a separate Government Cyber Security Strategy was published for the first time. It sets out five strategic goals and a target for critical government functions to be significantly hardened to cyber-attack by 2025, and the whole public sector to be resilient to known vulnerabilities and attack methods by 2030 at the latest. Government has also committed to invest £2.6 billion in cyber and legacy IT in the following three years, recognising that “there remains a significant gap between where government cyber resilience is now and where it needs to be.” The strategy is backed up by GovAssure, which is a new, stronger assurance regime introduced in April 2023.

Scope

Our report will examine government’s efforts to improve its cyber resilience to meet the challenges of the changing cyber threat landscape. It will look at:

  • the current threats to government’s cyber resilience
  • whether the Cabinet Office has identified what funding, organisational structure and strategic interventions will optimise government resilience to cyber threat
  • whether government has defined and achieved an acceptable level of cyber resilience
  • if government has a robust plan to maintain and improve its cyber resilience in the future

NAO Team

Director: Tom McDonald
Audit Manager: Lizzie Hogarth