Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, whether her Department has made an assessment of the use of independent security assurance and red-team testing requirements in public sector procurement of AI systems.
The UK government has worked within the European Telecommunications Standards Institute (ETSI) to create a global standard (EN 304 223) that sets baseline security requirements for the developers and deployers of AI models and systems. This standard will help provide a cyber resilient and ‘secure by design’ approach to utilising AI systems in government. We also embed baseline security requirements throughout government procurement and our supply chains, including through the use of Modular Security Schedules in contracts.
We are also considering how government can better facilitate more specific product-based assurance, including the defining of more proportionate assurance models that are aligned to supplier criticality.
Government’s most critical systems are independently assessed against the NCSC’s Cyber Assessment Framework through the GovAssure scheme, now in its third year of operation. We have also conducted a programme of independent red teaming of critical government assets.