
UK Government Secure by Design Assessment

Generate a comprehensive Secure by Design assessment for UK Government technology projects using the NCSC Cyber Assessment Framework (CAF).

Command

arckit secure <project ID or system>

Arguments

  • project (required): Project identifier or system name

Examples

arckit secure "001"
arckit secure "Citizen Portal"

Purpose

UK Government departments must follow NCSC guidance and achieve appropriate security certifications before deploying systems. This command evaluates security controls using:
  • NCSC Cyber Assessment Framework (CAF) - 14 principles across 4 objectives
  • Cyber Essentials / Cyber Essentials Plus - 5 mandatory controls
  • UK GDPR compliance - Data protection requirements
  • UK Government Cyber Security Standard (July 2025)
  • GovS 007: Security - Functional standard alignment

NCSC CAF - 14 Principles

Objective A: Managing Security Risk

  • A1: Governance - SIRO appointed, security policies, oversight
  • A2: Risk Management - Asset classification, risk register, treatment plans
  • A3: Asset Management - Inventory of hardware, software, data
  • A4: Supply Chain - Vendor assessments, contracts, third-party controls

Objective B: Protecting Against Cyber Attack

  • B1: Service Protection Policies - Acceptable use, access control
  • B2: Identity and Access Control - MFA, PAM, least privilege
  • B3: Data Security - Encryption, UK GDPR, DPIA, DLP
  • B4: System Security - Patching, hardening, anti-malware, EDR
  • B5: Resilient Networks - Segmentation, firewalls, IDS/IPS
  • B6: Staff Awareness - Security training, phishing awareness

Objective C: Detecting Cyber Security Events

  • C1: Security Monitoring - SIEM, alerting, logging
  • C2: Proactive Discovery - Vulnerability scanning, pen testing

Objective D: Minimising Impact of Incidents

  • D1: Response and Recovery - Incident response, BC/DR
  • D2: Improvements - Post-incident reviews, continuous improvement

Cyber Essentials - 5 Controls

  1. Firewalls - Boundary firewalls configured
  2. Secure Configuration - Hardened systems, unnecessary services disabled
  3. Access Control - User accounts, MFA, least privilege
  4. Malware Protection - Anti-malware on all devices
  5. Patch Management - Timely patching (critical within 14 days)

Output

Generates ARC-{PROJECT_ID}-SECD-v{VERSION}.md with:
  • Executive summary with CAF score (X/14 principles)
  • Detailed assessment for all 14 CAF principles
  • Cyber Essentials compliance status
  • UK GDPR compliance assessment
  • UK Government Cyber Security Standard compliance
  • GovAssure status and Secure by Design confidence rating
  • Cyber Action Plan alignment
  • Government Cyber Security Profession alignment
  • GovS 007: Security principle mapping
  • Critical security issues
  • Actionable recommendations with priorities

Data Classification Requirements

PUBLIC

  • Basic security controls
  • No special encryption requirements

OFFICIAL

  • Cyber Essentials baseline minimum
  • Encryption in transit (TLS 1.2+)
  • Access control and audit logging

OFFICIAL-SENSITIVE

  • Cyber Essentials Plus recommended
  • Encryption at rest and in transit
  • Multi-factor authentication required
  • Enhanced audit logging
  • DPIA if processing personal data
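
The classification rules above, worked as a pre-assessment check (an added illustration, not arckit's own code): given a classification and a dictionary of the system's controls, it lists the unmet requirements, and it computes the "X/14 principles" CAF score the generated report summarises. The control key names (`cyber_essentials`, `tls_min`, `mfa`, and so on) are assumptions chosen for this example.

```python
# Added illustration (not arckit's own code): check a system's controls against
# the data-classification requirements listed above and compute the CAF
# "X/14 principles" score that the generated report summarises.

CAF_PRINCIPLES = ("A1", "A2", "A3", "A4", "B1", "B2", "B3", "B4", "B5", "B6",
                  "C1", "C2", "D1", "D2")

def caf_score(met_principles):
    """Return (met, 14) for the CAF principles assessed as achieved."""
    met = set(met_principles)
    unknown = met - set(CAF_PRINCIPLES)
    if unknown:
        raise ValueError(f"not CAF principles: {sorted(unknown)}")
    return len(met), len(CAF_PRINCIPLES)

def _tls_at_least(version, minimum=(1, 2)):
    """True if a TLS version string such as "1.2" meets the minimum."""
    return tuple(int(part) for part in version.split(".")) >= minimum

def classification_gaps(classification, controls):
    """Return unmet requirements for PUBLIC, OFFICIAL or OFFICIAL-SENSITIVE.
    Control keys (assumed names): cyber_essentials ("none"/"basic"/"plus"),
    tls_min, access_control, audit_logging, encryption_at_rest, mfa,
    enhanced_audit_logging, processes_personal_data, dpia_completed."""
    if classification not in ("PUBLIC", "OFFICIAL", "OFFICIAL-SENSITIVE"):
        raise ValueError(f"unknown classification: {classification}")
    gaps = []
    if classification == "PUBLIC":
        return gaps  # basic controls only, no special encryption requirement
    # OFFICIAL baseline applies to OFFICIAL and everything above it
    if controls.get("cyber_essentials", "none") == "none":
        gaps.append("Cyber Essentials baseline required")
    if not _tls_at_least(controls.get("tls_min", "1.0")):
        gaps.append("Encryption in transit (TLS 1.2+) required")
    if not (controls.get("access_control") and controls.get("audit_logging")):
        gaps.append("Access control and audit logging required")
    if classification == "OFFICIAL-SENSITIVE":
        if controls.get("cyber_essentials") != "plus":
            gaps.append("Cyber Essentials Plus recommended")
        if not controls.get("encryption_at_rest"):
            gaps.append("Encryption at rest required")
        if not controls.get("mfa"):
            gaps.append("Multi-factor authentication required")
        if not controls.get("enhanced_audit_logging"):
            gaps.append("Enhanced audit logging required")
        if controls.get("processes_personal_data") and not controls.get("dpia_completed"):
            gaps.append("DPIA required when processing personal data")
    return gaps
```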

Prerequisites

MANDATORY (warn if missing):
  • REQ (Requirements) - NFR-SEC (security), NFR-A (availability)
  • PRIN (Architecture Principles) - Security standards, approved platforms
RECOMMENDED (read if available):
  • RISK (Risk Register) - Security risks, threat model
  • DPIA (Data Protection Impact Assessment) - Personal data processing, privacy risks
  • DIAG (Architecture Diagrams) - Deployment topology, network boundaries

UK Government Context

Senior Information Risk Owner (SIRO)

  • Senior executive responsible for information risk
  • Must be board-level or equivalent
  • Reviews and approves risk treatment

Data Protection Officer (DPO)

Required if:
  • Public authority or public body
  • Core activities involve regular/systematic monitoring
  • Core activities involve large-scale processing of special category data

Information Commissioner’s Office (ICO)

  • UK’s independent data protection regulator
  • Must be notified of data breaches within 72 hours
  • Can impose fines up to £17.5 million or 4% of turnover

Cyber Essentials Requirements

  • Basic Cyber Essentials: Self-assessment questionnaire
  • Cyber Essentials Plus: External technical verification
Required for:
  • All central government contracts involving handling personal data
  • Contracts valued at £5 million or more
  • Most public sector technology procurements

Related Commands

  • arckit mod-secure - MOD Secure by Design (for defence projects)
  • arckit tcop - Technology Code of Practice (Point 6 overlap)
  • arckit dpia - Data Protection Impact Assessment
  • arckit service-assessment - GDS Service Standard (Point 9)

Resources
