Defence Technology Principles

Principle 4 — Make your technical solution secure

Our security guidance helps you to make your technology secure throughout its lifetime

Secure by Design principles

To help ensure your project is secure, follow these principles.

Principle 1: Context

Understand the solution’s cyber security context and how it will use and manage data.

Principle 2: Plan

Identify the solution’s security workstream in your plan, including assessing the cyber threat and defining and validating requirements.

Principle 3: Risk assessment and oversight

Include cyber security risk management in existing governance as a continual process.

Principle 4: Security controls

Define and apply security controls to prevent any risks identified. Reuse existing services and patterns.

Principle 5: Supply chain

Understand the role and risks of the supply chain and how to ensure they meet their security responsibilities.

Principle 6: Security testing and assurance

Work with cyber security experts on assurance to test and validate throughout the solution’s lifecycle.

Principle 7: Through life management

Monitor and improve security continually to meet assurance and make a plan for disposal.

What you should do

To design a secure project for now and in the future:

  • follow our Secure by Design principles
  • follow our Defence Manual of Security (JSP 440)
  • appoint a Delivery Team Security Lead with a level of expertise in line with your project
  • follow our Technical Coherence Assurance process
  • appoint a Project Security Officer (PSyO) if your project is classified SECRET or above
  • follow JSP 453 rules and policy on security
  • agree to use a new network gateway with the CyDR Security Architecture Team before you start your project
  • protect all communications using high grade crypto for any system classified as SECRET or TOP SECRET. This must be agreed by the Crypt-Key Enterprise Authority and documented in a crypto management plan as described in JSP 490 and JSP 491
  • use network bearers that are fit for purpose and offer good value for the type of service you are designing and its security requirements
  • work with commercial teams to ensure that services delivered by a third party are future-proofed to reduce cyber risks from outdated technology
  • make sure all suppliers follow DEFCON 658, to ensure supply chain resilience
  • have a Defence Cyber Protection Partnership (DCPP) risk assessment for suppliers

Updated 09 Sep 2024