Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what assessment he has made of the potential impact of incorporating device security in public sector risk management strategies.

The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC).

One of the four objectives which make up the CAF is managing security risk; this objective covers a range of security outcomes in relation to organisations’ internal processes for managing security risk, accountability and decision-making and managing assets such as corporate devices. The CAF also includes specific security outcomes in relation to the secure configuration and management of devices.

In November 2023 we published the cross-government Mobile Device Management (MDM) policy to help government organisations and their Arms Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. This policy is mandatory for all government organisations and Arms Length Bodies. It requires them to manage corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems using an appropriate MDM solution.