Who is responsible for Secure by Design

Secure by Design is a collaborative approach to cyber security. It aims to bring teams together to identify and manage cyber risks.

The approach should be used by everyone in Defence, not just by security professionals, throughout the lifecycle of capabilities.

Accountability for your capabilities

Secure by Design puts the responsibility and accountability for the delivery of secure outcomes on project teams of individual capabilities, because they have the best knowledge of the context and technology involved.

This gives confidence to stakeholders that the capability is safe, secure, and meets its agreed requirements.

Senior Responsible Owners

Senior Responsible Owners (SROs) are:

  • accountable for determining the acceptable level of cyber risk within their delegated risk appetite
  • aware of the escalation paths to use when a risk falls outside that risk appetite
  • accountable for making sure their capabilities are resilient to cyber-attack within their delegated risk appetite

Delivery Teams

SROs are supported by delivery teams, who must provide evidence that cyber security risks are being effectively managed so that the SRO can have confidence in the capability.

Roles and responsibilities

It is important to recognise that many stakeholders are involved in successfully delivering a secure capability.

This table of stakeholders tells you which roles are involved and their Secure by Design responsibilities.

| Role | Responsibilities |
| --- | --- |
| Capability sponsors | Responsible for the sponsorship of the capability, its requirement development, concept of operation and ensuring the capability can address the risks in-service. |
| Programme / project manager | Responsible for the development and delivery of funded change programmes, including the identification and management of programme risks. |
| Senior Responsible Owners (SROs), or equivalent | Accountable for the delivery of cyber security outcomes throughout the capability lifecycle. If your capability doesn't have an SRO, an individual with similar authority should carry out this role. |
| Delivery team leaders | Responsible for the development and delivery of specific outcomes that underpin the overall capability, including security. |
| Capability owners | The in-service owners of the capability, responsible for operating it to support Defence Outcomes. |
| Commercial officers | Responsible for the implementation of contract terms and conditions in the MOD that ensure security is enforced throughout the capability's lifecycle. |
| Delivery team security leads | The individuals within the delivery team responsible for advising delivery team leaders on security and risk management. May be known by other titles. |
| Cyber security assessors | Responsible for assessing delivery teams' adherence to Secure by Design and to relevant risk and security policies and standards. |

Other organisations in Defence may have different role titles.

It is also important to engage with internal and external stakeholders.

These may include:

  • engineering teams and engineering leads
  • safety engineers and safety teams
  • supportability and Integrated Logistic Support (ILS) teams
  • regulatory and legislative stakeholders
  • internal policy requirements such as JSP 453
  • internal design committees and review boards

It's important to work with as many relevant stakeholders as possible, drawn from a wide range of roles.

Role of the supplier

Delivery teams should work closely with suppliers to make sure they understand any potential cyber risks and shared responsibilities.

They should also work with the suppliers' contracting authority to make sure the suppliers are following a Secure by Design approach in line with their contract.

The supplier is not responsible for completing self-assessments on the Cyber Activity and Assurance Tracker.