–Gareth Shaw, Founder of Pera Prometheus Consulting Ltd
If your business is hoping to fulfil a contract in the Defence Industry, you will need to understand the information assurance requirements of HMG and, more specifically, MOD. Last week’s blog discussed DEFSTAN 05-138; now let us consider Secure by Design.
Since the founding of Pera Prometheus, we have experienced the transition from the MOD Accreditation process to the adoption of the Secure by Design (SbD) process as one option for delivering information assurance for information systems. Pera Prometheus has led the way with a number of clients to successfully deliver and maintain SbD assurance for organisations seeking approval for their Defence Industry information systems, often guiding both clients and authorities who were unfamiliar with how the SbD process should be applied.
This blog is for organisations that want further clarity as to what the HMG SbD requirements are and what it takes to become a dependable HMG or MOD supplier.
What is Secure by Design?
Secure by Design means embedding security into your products, services, and infrastructure from the ground up, not bolting it on as an afterthought. It’s a philosophy and approach that enables long-term resilience, particularly critical in the defence sector, where supply chains are prime targets.
“Secure by Design” may sound like a modern initiative, but the concept dates back to 1975, when Saltzer and Schroeder published their paper, The Protection of Information in Computer Systems. Their principles, such as least privilege and fail-safe defaults, form the philosophical roots of today’s secure engineering.
Fast forward to now, and the UK’s National Cyber Security Centre (NCSC) has distilled those ideas into five core design principles to help organisations embed cyber resilience from the ground up. UK MOD has, however, extended these principles from 5 to 7, all of which are explained in ISN 2023-09 Secure by Design Requirements.
As you can see, there is already a difference between NCSC recommendations and MOD requirements, and these differences extend to other authorities within HMG as well. So the first key point is: ensure that you understand which authority you are delivering to, and that the Contracting Authority provides clear direction as to what the appropriate SbD process will be. As we are primarily considering MOD requirements for the Defence Industry, here is an outline of the 7 SbD Principles set out in ISN 2023-09:
- Principle 1: Understand and Define Context
  Understand the capability’s overall context and how it will use and manage MOD data while achieving its primary business/operational outcome(s).
- Principle 2: Plan the Security Activities
  Establish the security workstream of the capability and perform initial planning, including an assessment of cyber threats and potential risks, while defining clear security requirements, validation and verification.
- Principle 3: Implement Continuous Risk Management
  Embed cyber security risk management into existing programme governance as a continuous process.
- Principle 4: Define Security Controls
  Define, architect and implement security control requirements to address the risks identified. Reuse existing services and patterns where they exist.
- Principle 5: Engage and Manage the Supply Chain
  Understand the supply chain’s role and the risks it poses, including how to ensure suppliers meet their responsibilities and implement good security.
- Principle 6: Assure, Verify and Test
  Work with security experts to gain security assurance, and test and validate throughout the capability’s lifecycle.
- Principle 7: Enable Through Life Management
  Ensure continuous security monitoring and improvement, including ensuring that ongoing assurance requirements are enabled, met and, at end of life, disposed of.
One of the critical differences between the previous Accreditation system and SbD is that, in SbD, the Senior Risk Owner (SRO) has a great deal of autonomy in deciding how to apply the SbD Principles and what security processes and controls should be put in place, whereas under the old Accreditation system there was much less flexibility.
As a delivering organisation, you will be expected to appoint an SRO, but there will also be a lead SRO appointed by the Contracting Authority. The SRO role is crucial to the SbD process and will often be filled by a senior organisational representative advised and supported by an information assurance advisor.
The key to success in SbD is engagement: find out who the SRO is as early as possible and identify who is responsible for providing them with information assurance guidance. Early engagement between the SRO and Information Assurance roles within your organisation and the Contracting Authority, or Defence Prime Contractor, will provide confidence that your SbD approach is understood and approved. Regular engagement on progress is key to success.
Final Thoughts
SbD is a large topic with a number of variables that need to be considered on a case-by-case basis. For brevity, this blog does not cover all aspects, such as Continual Improvement and regular reviews such as In-Service Question Sets, but hopefully it provides some context to build upon.
At Pera Prometheus, we help organisations understand the particular attention that SbD requires. We can help your organisation present clear and effective SbD plans to Contracting Authorities that will give them confidence in your organisation’s ability to deliver assured information systems. Our consultants bring real-world experience in GRC in the Defence Industry, MOD compliance, and mission-critical security strategy.