UK Government Secure by Design

Status: Deferred (Plan 101).

Scope

Secure by Design is the UK Government's programme for embedding cyber security into the lifecycle of every digital service procured or built by central government. Departments and arm's-length bodies are expected to evidence Secure by Design adherence as a condition of digital service approval.

Secure by Design is structurally different from the other four frameworks Secruna supports. The EU AI Act, RICS, the UK Defence AI Playbook, and 05-138 are all rule books — sets of conditions an AI system either satisfies or violates. Secure by Design is a checklist plus maturity assessment:

  • A set of principles the service must demonstrate.
  • A Confidence Profile scoring the team's evidence against each principle as LOW, MEDIUM, or HIGH maturity.
  • Iteration over the checklist throughout the service lifecycle, not a single pass-or-fail evaluation.

Why deferred

Secure by Design is only relevant to customers bidding on UK central government digital procurement. The first paying customer (Plan 102 RLB pilot) is a chartered surveying and defence supplier, not a central-government bidder. The principles are well-documented and the maturity model is stable, so the implementation cost is bounded — but until a customer asks, the work does not earn its place ahead of more urgent items in the backlog.

What it would look like in product

When implemented, Secure by Design will be the first non-rule-book framework in the platform, and that's the architectural test it imposes:

  • Principles map to the Plan 96 WI-3 category taxonomy as a new enum branch (secure_by_design_principle).
  • The Confidence Profile scoring is a new entity — not a verdict, not an artifact, but an explicit maturity assessment that a tenant member edits and evidences over time.
  • The dashboard adds a Secure by Design surface alongside the inventory: principles list, current maturity, evidence attached, next review date.

The work is sized at three to four weeks full-time engineering once started.

The 10 principles

Secure by Design defines ten principles that a service must demonstrate. The pack will surface each as its own page in the dashboard, with maturity scoring and an evidence attachment slot.

The principles are documented in the UK Government Secure by Design programme materials.

Reference

UK Government, Secure by Design programme.

Plan reference

Plan 101 — captured 2026-05-09 with the deferred status. Work will be picked up when a customer with a UK central government procurement scope signs.

Analysis

Scope

Secure by Design is the UK Government's programme for embedding cyber security into the lifecycle of every digital service procured or built by central government. It applies to all UK central government departments, executive agencies, and arm's-length bodies, plus suppliers delivering digital services into them. It does not apply to wider public sector unless individual organisations adopt it (some have). Geographic scope is UK central government, but suppliers headquartered anywhere are caught when they bid into that procurement universe. In scope: any digital service covered by the Government Functional Standard for Digital, Data and Technology, including AI services, traditional web applications, APIs, and back-office systems. Out of scope (explicitly): defence-specific systems governed by 05-138 and the Defence AI Playbook; classified systems with bespoke security regimes; supplier-internal R&D not delivered into government. Secure by Design overlaps with the wider Government Cyber Security Strategy but is the operational mechanism through which that strategy reaches individual digital procurements.

Key obligations

  1. Adhere to the ten principles — the programme defines ten principles spanning organisational, design, build, and operate phases of the digital service lifecycle.
  2. Confidence Profile scoring — each principle is scored at LOW, MEDIUM, or HIGH maturity based on evidence the team produces.
  3. Iterative review — the Confidence Profile is updated through the service lifecycle, not assessed once at procurement.
  4. Evidence attachment — each principle's maturity score must be backed by attached evidence (documents, test results, architectural artifacts) that withstands review.
  5. Service-approval gating — Secure by Design adherence is a condition of digital service approval at the relevant gate (alpha, beta, live).
  6. Cross-team accountability — the obligation is on the service team collectively, not a single security function; the principle ownership distributes across product, engineering, and security.
  7. Continuous improvement — maturity scores are expected to improve over the service lifetime; static scoring through multiple review cycles is itself a finding.

Our coverage approach

Secure by Design is structurally different from Secruna's other four frameworks — it is checklist-plus-maturity rather than rule-book. The implementation plan (Plan 101, deferred) introduces the first non-rule-book framework in the platform. Principles will map to the Plan 96 WI-3 category taxonomy as a new enum branch (secure_by_design_principle). The Confidence Profile becomes a new entity — distinct from a verdict (which is a pass-or-fail judgement on a rule) and distinct from an artifact (which is a discovered piece of evidence). It is an explicit maturity assessment that a tenant member edits and evidences over time. The dashboard surface adds a Secure by Design tab alongside inventory, listing the ten principles, the current maturity score per principle, attached evidence, and the next review date. Audit-log entries record every Confidence Profile edit, preserving the trail of how maturity changed over the service lifecycle. The same multi-framework subscription mechanism (Plan 103) gates access — a tenant subscribes to Secure by Design separately from the rule-book frameworks.
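The following sketch is an added illustration of the Confidence Profile entity described above, not Secruna's code or schema. All class, field and method names are hypothetical, the principle ids are placeholders, and two choices are assumptions: "multiple review cycles" is taken as three, and a principle already at HIGH is not flagged as static.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum

class Maturity(IntEnum):
    LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass(frozen=True)
class AuditEntry:
    """One immutable record per Confidence Profile edit."""
    principle: str
    old: Maturity | None
    new: Maturity
    evidence: tuple[str, ...]
    editor: str
    review_date: date

@dataclass
class ConfidenceProfile:
    """Hypothetical entity: current score per principle plus an append-only log."""
    scores: dict[str, Maturity] = field(default_factory=dict)
    audit_log: list[AuditEntry] = field(default_factory=list)

    def record_review(self, principle, maturity, evidence, editor, review_date):
        # A score with no attached evidence is rejected outright.
        if not evidence:
            raise ValueError(f"{principle}: maturity score needs attached evidence")
        self.audit_log.append(AuditEntry(principle, self.scores.get(principle),
                                         maturity, tuple(evidence), editor, review_date))
        self.scores[principle] = maturity

    def stagnant(self, cycles=3):
        # Assumption: same below-HIGH score for the last `cycles` reviews is a finding.
        findings = []
        for principle, current in self.scores.items():
            recent = [e.new for e in self.audit_log if e.principle == principle][-cycles:]
            if len(recent) == cycles and len(set(recent)) == 1 and current < Maturity.HIGH:
                findings.append(principle)
        return sorted(findings)

def demo():
    # Constructed sample reviews; principle ids and file names are placeholders.
    p = ConfidenceProfile()
    for d in (date(2026, 1, 10), date(2026, 4, 10), date(2026, 7, 10)):
        p.record_review("principle-01", Maturity.LOW, ["risk-register.pdf"], "alice", d)
    p.record_review("principle-02", Maturity.LOW, ["test-q1.pdf"], "bob", date(2026, 1, 10))
    p.record_review("principle-02", Maturity.MEDIUM, ["test-q2.pdf"], "bob", date(2026, 4, 10))
    return p
```

Because the log is append-only and each entry carries the previous score, the maturity trend can be rebuilt from the audit trail alone rather than from mutable state.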

Gaps

Everything is a gap right now — Plan 101 is deferred. The principles map and Confidence Profile entity are designed but not implemented. The dashboard surface is described but not built. No customer artifacts are evaluated against any Secure by Design principle in the current product. The reference to the ten principles in this page is the public-source description; we do not yet ship a Secruna-curated mapping of each principle to discoverable artifact patterns.

Specifically deferred work-items:

  1. Database schema for Confidence Profile entity.
  2. Ten principle YAML descriptors.
  3. Dashboard Secure by Design tab.
  4. Evidence-attachment workflow.
  5. Maturity-trend reporting.
  6. Marketing landing at /use-cases/secure-by-design.
  7. Counsel review of programme-adherence wording.

Plan 101 is sized at three to four weeks full-time engineering once a customer with the procurement scope signs.

Customer impact

Secure by Design adherence is a service-approval gate at UK central government digital procurements. The practical impact for a non-compliant supplier or department is that the digital service does not pass its alpha, beta, or live review, which means it cannot be put into operation or moved to the next funding tranche.

  • Procurement disqualification: bids into UK central government digital frameworks (G-Cloud, Digital Outcomes, departmental direct-awards) require Secure by Design evidence as a precondition; suppliers who cannot produce a Confidence Profile against the ten principles are screened out at evaluation.
  • Funding hold-back: existing services failing the periodic Secure by Design review can have their next funding tranche held back until remediation evidence is produced.
  • No direct financial penalty: unlike the EU AI Act, Secure by Design has no fine schedule — the consequences are commercial (lost bids, withheld funding) and reputational (visibility within the cross-government CDDO function).

For Secruna's customer base, the practical impact is bounded: only customers bidding into UK central government digital procurements are exposed, which is why Plan 101 is deferred until such a customer signs.