
UK Government Secure by Design Assessment

The /arckit.secure command generates a comprehensive Secure by Design assessment for UK Government technology projects (civilian departments).

What is Secure by Design?

Secure by Design means embedding security from the start of a project, not bolting it on at the end. UK Government departments must follow NCSC (National Cyber Security Centre) guidance and obtain the assurance appropriate to the system (Cyber Essentials as the baseline, GovAssure for critical systems) before deploying it.

Command: /arckit.secure

Usage

/arckit.secure 001  # By project ID
/arckit.secure "Citizen Portal"  # By system name
Arguments:
  • Project ID or system name

Output: ARC-{PROJECT_ID}-SECD-v1.0.md

Generates a Secure by Design assessment document with:
  • NCSC Cyber Assessment Framework (CAF) assessment (14 principles)
  • Cyber Essentials compliance check (5 controls)
  • UK GDPR compliance assessment (if processing personal data)
  • UK Government Cyber Security Standard compliance
  • Government Cyber Security Profession alignment
  • GovS 007: Security mapping

Key UK Security Frameworks

1. NCSC Cyber Assessment Framework (CAF)

14 principles across 4 objectives:
Objective A: Managing Security Risk
  • A1: Governance - SIRO appointed, security policies, oversight
  • A2: Risk Management - Asset classification, risk register, treatment plans
  • A3: Asset Management - Inventory of hardware, software, data
  • A4: Supply Chain - Vendor assessments, third-party controls
Objective B: Protecting Against Cyber Attack
  • B1: Service Protection Policies - Acceptable use, access control, data protection
  • B2: Identity and Access Control - MFA, PAM, least privilege, access reviews
  • B3: Data Security - Encryption, UK GDPR compliance, DPIA, DLP
  • B4: System Security - Patching, hardening, anti-malware, EDR
  • B5: Resilient Networks - Segmentation, firewalls, IDS/IPS, VPN
  • B6: Staff Awareness - Security training, phishing awareness
Objective C: Detecting Cyber Security Events
  • C1: Security Monitoring - SIEM, alerting, logging, threat intelligence
  • C2: Proactive Security Event Discovery - Vulnerability scanning, pen testing, NCSC VMS enrollment
Objective D: Minimising the Impact of Incidents
  • D1: Response and Recovery Planning - Incident response, BC/DR, RTO/RPO
  • D2: Lessons Learned - Post-incident reviews, root-cause analysis, metrics, continuous improvement
Scoring: X/14 principles achieved

2. Cyber Essentials / Cyber Essentials Plus

5 baseline controls:
  • Firewalls - Boundary firewalls configured
  • Secure Configuration - Hardened systems, unnecessary services disabled
  • Access Control - User accounts, MFA, least privilege
  • Malware Protection - Anti-malware on all devices
  • Patch Management - Timely patching (critical within 14 days)
Required for:
  • All central government contracts involving personal data
  • Contracts valued at £5 million or more
  • Most public sector technology procurements

3. UK GDPR and Data Protection Act 2018

If processing personal data:
  • DPO appointed (if required)
  • Lawful basis identified
  • Privacy notice published
  • Data subject rights procedures (SAR, deletion, portability)
  • DPIA completed (if high risk) - use /arckit.dpia
  • Data breach notification process (notifiable breaches reported to the ICO within 72 hours of becoming aware)
  • Records of Processing Activities (ROPA)

4. UK Government Cyber Security Standard (July 2025)

New requirements:
  • GovAssure Status - For critical systems subject to GovAssure assurance
  • Secure by Design Confidence Rating - Self-assessment (Low/Medium/High)
  • Cyber Security Standard Exception Register - Track non-compliance with justification
  • Cyber Action Plan Alignment - £210m cross-government Cyber Action Plan (February 2026)

5. Government Cyber Security Profession

Workforce development:
  • Certified Cyber Professional (CCP) certification status
  • DDaT (Digital, Data and Technology) profession framework
  • Government Cyber Academy engagement

6. GovS 007: Security

9 principles mapped to CAF sections:
  • Principle 5 (Security culture) → CAF B6 + Cyber Security Profession
  • Principle 8 (Continuous improvement) → CAF D2 + Cyber Action Plan
  • Named security role holders (SSRO, DSO, SIRO)

Assessment Process

The command analyzes:
  1. Existing ArcKit Artifacts
    • ARC-*-REQ-*.md - Security requirements (NFR-SEC)
    • ARC-*-PRIN-*.md - Security standards, approved platforms
    • ARC-*-RISK-*.md - Security risks, threat model
    • ARC-*-DPIA-*.md - Privacy protection evidence
    • diagrams/ - Deployment topology, network boundaries
  2. External Documents (if provided)
    • Vulnerability scan reports
    • Penetration test results
    • Cyber Essentials certificates
    • Previous security assessments
  3. For Each CAF Principle
    • Status: ✅ Achieved / ⚠️ Partially Achieved / ❌ Not Achieved
    • Evidence from project documents
    • Security controls checked
    • Gaps and risks identified
    • Remediation actions with owners and timelines

Data Classification Requirements

OFFICIAL

  • Cyber Essentials baseline minimum
  • Encryption in transit (TLS 1.2+)
  • Access control and audit logging
  • Regular security patching

OFFICIAL-SENSITIVE

  • Cyber Essentials Plus recommended
  • Encryption at rest and in transit
  • Multi-factor authentication required
  • Enhanced audit logging
  • DPIA if processing personal data
  • Data loss prevention controls

SECRET

  • Cyber Essentials Plus mandatory
  • NCSC-approved cryptography (CESG, the former national technical authority, is now part of NCSC)
  • Air-gapped or assured network connectivity
  • Enhanced physical security
  • Security Cleared (SC) personnel minimum

TOP SECRET

  • Developed Vetting (DV) personnel
  • Compartmented security
  • Strictly controlled access
  • Enhanced OPSEC measures

Phase-Based Expectations

Discovery/Alpha:
  • Security principles identified
  • Data classification determined
  • Initial risk assessment
  • Security requirements defined
  • SIRO engaged
Beta:
  • Security controls implemented
  • Penetration testing completed
  • DPIA completed (if required)
  • Cyber Essentials certification obtained
  • Vulnerability management operational
  • Incident response plan documented
Live:
  • All CAF principles addressed
  • Cyber Essentials Plus for high-risk systems
  • Continuous security monitoring
  • Regular penetration testing (annual minimum)
  • Security incident capability proven
  • Annual security review with SIRO

Critical Security Issues (Phase Blockers)

Mark as CRITICAL if:
  • No UK GDPR compliance for personal data processing
  • No DPIA for high-risk processing (BLOCKING for Beta)
  • No encryption for sensitive data (OFFICIAL-SENSITIVE)
  • Cyber Essentials not obtained (required for most gov contracts)
  • No incident response capability
  • No backup/recovery capability
  • Critical vulnerabilities unpatched for more than 30 days (Cyber Essentials already expects critical/high fixes within 14 days)
  • No MFA for privileged access
  • SIRO not appointed or engaged
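As an added example (not ArcKit's own code and not part of the original page), the following Python applies the phase-blocker rules above, together with the classification-dependent encryption requirements and the 14-day Cyber Essentials patch window, to a structured evidence record. The Evidence and Vulnerability types, their field names and the sample project data are assumptions made for illustration; a real run would populate them from the ArcKit artifacts and scan reports listed under Assessment Process.

```python
# Added example, not ArcKit's own code: applies this page's CRITICAL (phase-blocking)
# rules to a structured evidence record. Types, field names and sample data are assumed.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

CE_PATCH_SLA_DAYS = 14       # Cyber Essentials: critical/high fixes applied within 14 days of release
BLOCKER_PATCH_SLA_DAYS = 30  # Page rule: a critical vuln unpatched for more than 30 days blocks the phase

@dataclass
class Vulnerability:
    ref: str                 # scanner finding reference (constructed for the sample)
    severity: str            # "critical" | "high" | "medium" | "low"
    fix_available: date      # date the vendor fix was released
    patched: bool = False

@dataclass
class Evidence:
    classification: str      # "OFFICIAL" | "OFFICIAL-SENSITIVE" | "SECRET" | "TOP SECRET"
    personal_data: bool
    high_risk_processing: bool
    gdpr_controls: bool
    dpia_completed: bool
    encryption_in_transit: bool
    encryption_at_rest: bool
    privileged_mfa: bool
    ce_certificate_expiry: Optional[date]   # None means no Cyber Essentials certificate held
    incident_response_plan: bool
    backup_recovery_tested: bool
    siro_appointed: bool
    vulnerabilities: List[Vulnerability] = field(default_factory=list)

def overdue_vulnerabilities(vulns, today, sla_days, severities):
    """Unpatched findings of the given severities whose fix has been available longer than sla_days."""
    return [v for v in vulns
            if not v.patched and v.severity in severities
            and (today - v.fix_available).days > sla_days]

def critical_issues(ev: Evidence, today: date) -> List[str]:
    """Evaluate the CRITICAL conditions in page order; an empty list means no phase blockers."""
    issues = []
    if ev.personal_data and not ev.gdpr_controls:
        issues.append("No UK GDPR compliance for personal data processing")
    if ev.high_risk_processing and not ev.dpia_completed:
        issues.append("No DPIA for high-risk processing (BLOCKING for Beta)")
    # OFFICIAL needs encryption in transit; OFFICIAL-SENSITIVE and above also need encryption at rest.
    if not ev.encryption_in_transit:
        issues.append("No encryption in transit (TLS 1.2+ required from OFFICIAL upwards)")
    if ev.classification != "OFFICIAL" and not ev.encryption_at_rest:
        issues.append(f"No encryption at rest for {ev.classification} data")
    if ev.ce_certificate_expiry is None:
        issues.append("Cyber Essentials not obtained")
    elif ev.ce_certificate_expiry < today:
        issues.append(f"Cyber Essentials certificate expired on {ev.ce_certificate_expiry.isoformat()}")
    if not ev.incident_response_plan:
        issues.append("No incident response capability")
    if not ev.backup_recovery_tested:
        issues.append("No backup/recovery capability")
    for v in overdue_vulnerabilities(ev.vulnerabilities, today, BLOCKER_PATCH_SLA_DAYS, {"critical"}):
        age = (today - v.fix_available).days
        issues.append(f"Critical vulnerability {v.ref} unpatched for {age} days (>{BLOCKER_PATCH_SLA_DAYS})")
    if not ev.privileged_mfa:
        issues.append("No MFA for privileged access")
    if not ev.siro_appointed:
        issues.append("SIRO not appointed or engaged")
    return issues

def phase_gate(ev: Evidence, today: date) -> dict:
    """Gate decision plus the evidence behind it, in the shape the Action Plan section needs."""
    blockers = critical_issues(ev, today)
    # Critical/high findings past the 14-day CE window; not all of them are phase blockers yet.
    ce_breaches = [v.ref for v in overdue_vulnerabilities(
        ev.vulnerabilities, today, CE_PATCH_SLA_DAYS, {"critical", "high"})]
    return {
        "decision": "BLOCKED" if blockers else "PROCEED",
        "blockers": blockers,              # Critical priority (0-30 days)
        "ce_sla_breaches": ce_breaches,    # High priority where not already a blocker
    }

# Constructed sample: an OFFICIAL-SENSITIVE service heading for Beta, assessed on 2025-09-01.
TODAY = date(2025, 9, 1)
SAMPLE = Evidence(
    classification="OFFICIAL-SENSITIVE",
    personal_data=True, high_risk_processing=True, gdpr_controls=True, dpia_completed=False,
    encryption_in_transit=True, encryption_at_rest=True, privileged_mfa=True,
    ce_certificate_expiry=date(2025, 11, 30),
    incident_response_plan=True, backup_recovery_tested=True, siro_appointed=True,
    vulnerabilities=[
        Vulnerability("VULN-001", "critical", date(2025, 7, 15)),               # 48 days: blocker
        Vulnerability("VULN-002", "high", date(2025, 8, 10)),                   # 22 days: CE breach only
        Vulnerability("VULN-003", "critical", date(2025, 8, 25)),               # 7 days: within SLA
        Vulnerability("VULN-004", "critical", date(2025, 5, 1), patched=True),  # fixed: ignored
    ],
)
```

Calling `phase_gate(SAMPLE, TODAY)` on the constructed sample returns `BLOCKED` with two critical issues (the missing DPIA and VULN-001, 48 days without a fix); VULN-002 appears only as a Cyber Essentials 14-day SLA breach, and the patched VULN-004 and the 7-day-old VULN-003 are not reported. Keep the blocker rules in page order so the generated Action Plan lists them consistently across runs.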

Report Contents

The Secure by Design assessment includes:
  1. Executive Summary
    • Overall security posture assessment
    • NCSC CAF score (X/14)
    • Cyber Essentials status
    • UK GDPR compliance status
    • Critical issues
    • Overall risk level
  2. NCSC CAF Assessment
    • Each of 14 principles assessed
    • Evidence gathered
    • Gaps identified
    • Recommendations
  3. Cyber Essentials
    • 5 control compliance status
    • Certification status and expiry
    • Gaps for Cyber Essentials Plus (if targeting)
  4. UK GDPR Compliance (if applicable)
    • DPO status
    • DPIA status
    • Data subject rights procedures
    • Critical issues
  5. UK Government Cyber Security Standard Compliance
    • GovAssure status
    • Secure by Design confidence rating
    • Exception register
    • Cyber Action Plan alignment
  6. Government Cyber Security Profession Alignment
    • CCP certification status
    • DDaT framework mapping
    • Cyber Academy engagement
  7. GovS 007: Security Mapping
    • 9 principles mapped to CAF sections
    • Security role holders
  8. Action Plan
    • Critical priority (0-30 days) - blockers for next phase
    • High priority (1-3 months) - significant risk reduction
    • Medium priority (3-6 months) - continuous improvement

Key UK Government Roles

Senior Information Risk Owner (SIRO)

  • Senior executive responsible for information risk
  • Must be board-level or equivalent
  • Reviews and approves risk treatment
  • Signs off on major security decisions
  • Typically Permanent Secretary or Director level

Data Protection Officer (DPO)

Required if:
  • The organisation is a public authority or public body (this covers government departments)
  • Core activities involve regular and systematic monitoring of individuals on a large scale
  • Core activities involve large-scale processing of special category or criminal offence data

Information Commissioner’s Office (ICO)

  • UK’s independent data protection regulator
  • Enforces UK GDPR and Data Protection Act 2018
  • Must be notified of notifiable personal data breaches within 72 hours of the controller becoming aware
  • Can impose fines up to £17.5 million or 4% of annual worldwide turnover, whichever is higher

Integration with Other Commands

  • /arckit.dpia - Generate DPIA (feeds into CAF B3, UK GDPR section)
  • /arckit.risk - Risk register (feeds into CAF A2)
  • /arckit.requirements - Security requirements (NFR-SEC)
  • /arckit.tcop - TCoP Point 6 (Make things secure) overlaps
  • /arckit.service-assessment - Service Standard Point 9 overlaps

Resources

  • NCSC Guidance
  • Cyber Essentials
  • Data Protection

Example Use Cases

Security assessment before Beta:
/arckit.secure 001  # Comprehensive security review before Beta assessment
Annual security review:
/arckit.secure 001  # Update assessment, track improvements
Cyber Essentials preparation:
/arckit.secure 001  # Identify gaps before CE/CE+ certification
