Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what criteria are used by his Department to determine which public systems require mandatory zero-trust security measures.

The Department applies a risk-based assessment framework, underpinned by secure by design methodology including structured threat modelling, to determine which public systems require mandatory zero-trust security measures. Systems handling sensitive data, supporting critical services, or presenting elevated threat exposure are prioritised. This approach ensures that zero-trust controls are applied proportionately, focusing effort on the environments with the highest risk profile.