Public Sector: ICT

(asked on 31st January 2024) - View Source

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what his Department's policy is on the security requirements for endpoint devices procured by the public sector.


Answered by
Alex Burghart Portrait
Alex Burghart
Parliamentary Secretary (Cabinet Office)
This question was answered on 8th February 2024

The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC). This includes specific security outcomes in relation to the secure configuration and management of devices.

As the CAF is outcomes-based, it does not specify which commercially available devices meet these security requirements or which vendors government organisations should buy their devices from. That is a matter for government organisations to determine locally, in consultation with their commercial, security and IT teams, based on their organisation’s business needs, risk tolerance and threat profile.

In addition, in November 2023 we published the cross-government Mobile Device Management policy to help government organisations and their Arms Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. NCSC also provides guidance on how to securely configure devices from each of the most commonly used platforms.

Reticulating Splines