8.5 KiB
Secure by Design Playbook
Guide Origin: Official | ArcKit Version: [VERSION]
/arckit:secure generates a UK Government Secure by Design assessment for civilian department projects using NCSC CAF principles.
Inputs
| Artefact | Purpose |
|---|---|
Requirements (ARC-<id>-REQ-v1.0.md) |
Security requirements (NFR-SEC) |
| Architecture diagrams | System boundaries and data flows |
| Risk register | Security risks identified |
| Data model | Personal data and classification |
Command
/arckit:secure Create Secure by Design assessment for <system>
Output: projects/<id>/ARC-<id>-SECD-v1.0.md
Auto-versioning: Re-running this command when a document already exists automatically increments the version (minor for refreshed content, major for changed scope) instead of overwriting.
Assessment Structure
| Section | Contents |
|---|---|
| Executive Summary | Overall security posture and key findings |
| System Overview | Purpose, boundaries, data classification |
| NCSC CAF Assessment | Compliance against 14 CAF principles |
| Threat Assessment | Threat landscape and attack vectors |
| Security Architecture | Controls, boundaries, defense in depth |
| Cyber Essentials | Alignment with Cyber Essentials controls |
| Supply Chain Security | Third-party and vendor security |
| Data Protection | Personal data handling and GDPR |
| Incident Response | Detection, response, and recovery |
| GovAssure Status | Critical system assurance tracking |
| SbD Confidence Rating | Secure by Design high-confidence profile self-assessment |
| CSS Exception Register | Cyber Security Standard non-compliance management |
| Cyber Action Plan Alignment | Departmental status against £210m Cyber Action Plan four pillars |
| GovS 007 Alignment | Mapping of 9 GovS 007 principles to assessment evidence |
| Government Cyber Security Profession | CCP status, DDaT mapping, Cyber Academy engagement |
| Recommendations | Prioritized security improvements |
NCSC CAF 14 Principles
| Objective | # | Principle |
|---|---|---|
| Managing Risk | A1 | Governance |
| A2 | Risk Management | |
| A3 | Asset Management | |
| A4 | Supply Chain | |
| Protecting Against Attack | B1 | Service Protection Policies |
| B2 | Identity and Access Control | |
| B3 | Data Security | |
| B4 | System Security | |
| B5 | Resilient Networks | |
| B6 | Staff Awareness | |
| Detecting Events | C1 | Security Monitoring |
| C2 | Anomaly Detection | |
| Minimising Impact | D1 | Response and Recovery |
| D2 | Lessons Learned |
Cyber Essentials Controls
| Control | Description |
|---|---|
| Firewalls | Boundary protection |
| Secure Configuration | Hardened systems |
| Access Control | Least privilege |
| Malware Protection | Anti-malware tools |
| Patch Management | Timely updates |
One-Page Workflow
| Phase | Key Activities | ArcKit Commands |
|---|---|---|
| Discovery | Define requirements and data model | /arckit:requirements, /arckit:data-model |
| Risk | Identify security risks | /arckit:risk |
| Assessment | Create Secure by Design assessment | /arckit:secure |
| Design | Implement security architecture | /arckit:diagram, /arckit:hld-review |
| Operations | Operational security readiness | /arckit:operationalize |
Review Checklist
- All 14 NCSC CAF principles assessed with evidence.
- Cyber Essentials controls addressed.
- Cyber Security Standard compliance assessed (GovAssure, SbD confidence, exceptions).
- NCSC VMS enrollment status and remediation benchmarks documented.
- Cyber Action Plan alignment assessed across four pillars.
- Government Cyber Security Profession participation and CCP status recorded.
- GovS 007 principle alignment mapped with named security roles (SSRO, DSO, SIRO).
- Data classification and handling defined.
- Supply chain risks identified and managed.
- Security monitoring and detection in place.
- Incident response procedures documented.
- Staff security awareness addressed.
- Third-party security requirements defined.
Security Classification (Civilian)
| Classification | Description | Controls |
|---|---|---|
| OFFICIAL | Majority of government data | Standard controls |
| OFFICIAL-SENSITIVE | More sensitive OFFICIAL | Enhanced access control |
UK Government Cyber Security Standard
The UK Government Cyber Security Standard (July 2025, Cabinet Office) builds on the NCSC CAF by mandating:
- CAF Baseline/Enhanced profiles — departments must achieve the appropriate CAF profile for their systems
- GovAssure — annual assurance process for critical government systems, validated by NCSC
- Secure by Design high-confidence profiles — self-assessment against SbD principles (secure development, deployment, and operation)
- Exception management (clauses 4.3/4.4) — formal register for any non-compliance, with risk assessment and improvement plans
- Cyber Action Plan alignment — departmental participation in the £210m cross-government investment across four pillars (Skills, Tooling, Resilience, Collaboration)
The /arckit:secure assessment includes dedicated sections (9.1–9.4) for tracking GovAssure status, SbD confidence ratings, CSS exceptions, and Cyber Action Plan alignment alongside the existing CAF assessment.
GovS 007: Security (Functional Standard)
GovS 007: Security is the parent functional standard for all protective security across central government. It defines nine principles, a security lifecycle, and protective security disciplines (physical, personnel, cyber, technical, industry).
The /arckit:secure assessment maps GovS 007's nine principles to the CAF assessment evidence and related ArcKit artefacts (Section 10), demonstrating how operational security controls satisfy the higher-level governance requirements. Key security roles mandated by GovS 007 (SSRO, DSO, SIRO) are captured in both the security roles table and the approval sign-off section.
Hierarchy: GovS 007 → Cyber Security Standard → NCSC CAF → /arckit:secure assessment
| GovS 007 Principle | Evidenced By |
|---|---|
| Governance | CAF A1, SIRO sign-off |
| Risk-based approach | CAF A2, /arckit:risk |
| Security in all activities | Secure Development (S4), Cloud Security (S5) |
| Holistic planning | Full CAF assessment (S1–S8) |
| Security culture | CAF B6 Staff Awareness, Government Cyber Security Profession (S11) |
| Accountability | Named SSRO/DSO/SIRO roles |
| Proportionate measures | Data classification → controls mapping |
| Continuous improvement | CAF D2 Improvements, Cyber Action Plan Alignment (S9.4) |
| Legal/regulatory compliance | UK GDPR (S3), /arckit:dpia |
NCSC Vulnerability Monitoring Service (VMS)
The VMS is an NCSC service that scans internet-facing systems across 6,000+ public sector bodies, with benchmarks of 8-day domain-specific and 32-day general vulnerability fix times. Departments achieving 84% faster fix times through VMS enrollment. The /arckit:secure assessment tracks VMS enrollment, coverage, and remediation performance against these benchmarks in Sections 1 (CAF C2) and 6.1 (VMS Integration).
Government Cyber Security Profession & Cyber Action Plan
The Government Cyber Security Profession establishes a career framework with Certified Cyber Professional (CCP) certification, DDaT role alignment, and the Government Cyber Academy. The £210m Cyber Action Plan (February 2026) invests across four pillars: Skills & Workforce, Tooling & Infrastructure, Resilience & Response, and Collaboration & Sharing. The /arckit:secure assessment tracks profession participation (Section 11) and Cyber Action Plan alignment (Section 9.4).
Key Principles
- Defense in Depth: Multiple layers of security controls.
- Least Privilege: Minimum access necessary for function.
- Secure by Default: Security is the default, not an option.
- Assume Breach: Design for detection and response, not just prevention.
- Proportionate Security: Controls match the risk and data sensitivity.