What is so wrong with accreditation? 

As a senior Programme Manager, you've been used to asking specialists to advise you on whether the capability is secure and to help you achieve milestones like accreditation. What is wrong with that?

Also, talk to some experienced security specialists in Defence and they’ll tell you how important it is that they act as ‘policemen’ to make sure that projects stay secure. They make sure you tick all the security boxes and give you a certificate when it’s done. Again, what’s wrong with that?

So why then is the MOD stopping accreditation?  

The sad truth is that it hasn’t been working.  When audited, many Defence systems – even those with accreditation certificates – have been found to be trivially easy to breach.  This doesn’t just apply to fringe capabilities but to some systems critical to our national security.   

Here’s what the NCSC advises instead:  

“We advocate meaningful cyber security risk management that illuminates the real cyber risks that are applicable to your organisation and how it operates, rather than the use of techniques which just seek to satisfy compliance requirements.” 

Thus, Defence programmes need to ensure they have identified all risks and developed a plan to treat each one. This is a joint exercise by the whole delivery team, not just the cyber expert in isolation. The delivery team also needs to take responsibility for through-life risks, not in effect outsource them to security.  Security isn’t responsible for security. You are.   

This changes how cyber risk is managed within programmes. To implement NCSC best practice, the UK MOD has introduced Secure by Design, which is defined as making capabilities secure through continual risk management. But how do you do this in practice? Bee.net uses a Cyber Design Accelerator to help clients across Defence, government and the private sector implement best practice in cyber security and Secure by Design. Find out more at https://www.bee-net.co.uk/
