United Kingdom Introduces New Cybersecurity Assessment Initiatives

The UK has introduced a series of new cybersecurity assessment initiatives aimed at advancing the principles of “secure by design.” Announced during the CYBERUK 2025 conference, these initiatives seek to enhance organizations’ ability to demonstrate cyber resilience and improve confidence in the products and services they offer.

The cornerstone of this effort is the Cyber Resilience Test Facilities (CRTF) program, which intends to establish a network of accredited facilities capable of independently auditing the cybersecurity measures of technology vendors systematically and reliably. This shift from traditional compliance-based schemes to a principles-based approach marks a significant evolution in how cybersecurity assessments will be conducted.

Additionally, the National Cyber Security Center (NCSC) is set to launch a Cyber Adversary Simulation (CyAS) scheme in early summer 2025. Companies certified under this scheme will provide services that test an organization’s ability to prevent, detect, and respond to simulated cyber-attacks. Participants will receive comprehensive reports detailing assessment results and areas requiring remediation. Organizations that meet the requisite security standards will be awarded the NCSC assured logo, enabling them to utilize this certification for marketing purposes.

Jonathan Ellison, the NCSC Director for National Resilience, emphasized that these initiatives not only bolster consumer reassurance regarding digital products and services but also aim to foster consumer demand for secure by design practices. Ellison highlighted the importance of balancing both demand and supply aspects when it comes to secure technologies.

In conjunction with these initiatives, the UK government has released a new Software Security Code of Practice during the CYBERUK event. This guide outlines essential steps that organizations involved in software development or sales should adopt to enhance the security of their products. This voluntary code comprises 14 principles intended to set a consistent baseline for software security and resilience across the market.

Key principles outlined in the code include:

– Establishing clear processes for testing software and software updates prior to distribution.
– Minimizing the risk of compromise in build environments to safeguard software integrity and quality.
– Implementing and publicizing an effective vulnerability disclosure process.
– Providing timely security updates, patches, and notifications to customers.
– Offering detailed information to customers regarding the level of support and maintenance provided for the software they sell.

James Neilson, Senior Vice President of International at OPSWAT, praised the introduction of this code as a message to software developers about the necessity of prioritizing end-to-end security and focusing on security by design. He noted that many developers rely on third-party components, including open-source software, to expedite development and incorporate features, which can introduce known vulnerabilities or maliciously inserted ones. Neilson advocated for securing software supply chains through methods such as scanning for hidden threats, validating Software Bills of Materials (SBOMs), securing build environments, and ensuring that delivered software matches the initial design intentions, thereby enhancing resilience and trust in vendors' offerings.