Applying Secure by Design

When following a Secure by Design approach, you should consider:

  • the cyber security activities required
  • capability assurance
  • independent assurance where relevant

Know your cyber security activities

MOD policy says that cyber security must be embedded throughout the lifecycle of every capability.

Follow Secure by Design guidance in each phase:

  • get the basics right
  • assess your risk
  • manage your risk

Assurance for your capability

Part of Secure by Design is continuously reviewing your capability’s security.

How often you do assessments depends on your capability or service, but you need to do one at least every 3 months.

You must also do an assessment when you make changes or discover new threats.

The Cyber Activity and Assurance Tracker (CAAT) forms one part of this process.

It is a tool to help teams understand and self-assess the cyber security maturity of their capabilities throughout their lifecycle.

Every programme is required to register on the CAAT and complete the relevant question sets to facilitate a self-assessment of their cyber security maturity.

The CAAT is only available for MOD delivery teams to use.

The CAAT helps your team:

  • manage and track cyber security activities
  • create statements of assurance

Learn more about CAAT

Purpose: The CAAT facilitates continual assurance of cyber security risk management. It is a tool to support delivery teams in the Secure by Design approach by reflecting on security practices and encouraging proactive risk management.

Process: Capabilities complete relevant question sets within the CAAT, depending on their stage in the CADMID/T lifecycle. This self-assessment helps identify areas for improvement and informs risk reporting.

Importance of honesty: While not a test, honesty in self-assessment is crucial. Accurate reporting, even if imperfect, enables appropriate risk management and avoids potential future complications.

Focus on risk-based approach: The goal is not to achieve a perfect security score, but to determine and maintain a level of security maturity appropriate to the project’s specific risks.

Continual assurance: Cyber security assurance is an ongoing process. The CAAT aids in maintaining awareness of the capability’s security posture and facilitates communication and escalation of risks to relevant stakeholders, including SROs.

Statement of Assurance: The CAAT tool provides the structure for reporting and seeking approval / endorsement from your SRO through a Statement of Assurance. Where Relying Parties request a certificate, the SRO can provide a Statement of Assurance. However, the Statement of Assurance is not a replacement for accreditation or a certificate and should not be treated as one.

By actively engaging with the CAAT and embracing a risk-based approach to security, teams can better manage their projects' security aspects and contribute to a more secure overall environment.

The CAAT is on MODNET and is for a capability classified as OFFICIAL, including SENSITIVE:

  • to create an account and register your capability, access the CAAT
  • if your capability or service is classified above OFFICIAL, you will need to register on DART S

For more information, you can check how to do assessments in Defence.

Independent assurance

In some cases, a delivery team may be selected for independent assurance.

This includes assessors from the Cyber Security Assessment and Advisory Service (CySAAS) team.

Independent assurance does not determine capability security. Only the SRO can make that determination, using evidence from the delivery teams’ continual assurance process.

Projects can ask for independent assurance, which will be supported based on prioritisation and resourcing at the time of request.

Find out how to ask for support.