Ministry of Defence: ICT

(asked on 7th May 2024)

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, whether his Department has made an assessment of the potential national security risks associated with IT infrastructure operated by (a) his Department's arm’s-length bodies and (b) private firms under contract to his Department.


Answered by
Andrew Murrison
Parliamentary Under-Secretary (Ministry of Defence)
This question was answered on 13th May 2024

The Ministry of Defence (MOD) takes the security of its IT infrastructure, that of its arm’s length bodies and of its suppliers, very seriously. However, the MOD does not comment on specific details of individual risk assessments as this could give useful information to potential adversaries.

Defence employs a Cyber Risk Management Framework that regularly reviews and escalates risk. This uses evidence from a variety of sources including the Cabinet Office’s Gov Assure ‘Cyber Assessment Framework’ (CAF). All Defence Organisations, including ALBs, sit within this framework. MOD contracts are subject to a risk assessment which is used to determine the nature of the control measures that should be applied to the contract.

The Cyber Resilience Strategy for Defence is driving a programme of work to improve Defence’s cyber security. In the longer term the MOD’s Secure by Design approach will ensure security is built into our capability programmes from the outset and managed effectively on a through life basis. The MOD is also reducing the cyber security risk across its complex legacy estate by improving its ability to respond to and detect cyber incidents, improve cyber awareness across the workforce, and improve resilience in it supply.
