The Government Digital Service (GDS) has yet to achieve conformance with key national cyber security standards for its Gov.uk One Login digital identity system, nearly three years after security concerns were first raised.

The One Login team is still working to fully meet National Cyber Security Centre (NCSC) guidelines. Computer Weekly has learned that the team currently complies with only 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it met a year ago.

CAF is designed for “making critical national services resilient to [cyber] attack”, according to the government. It was developed by the NCSC to provide a “comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible”. CAF is part of GovAssure, a cyber resilience review process run by the Government Security Group (GSG), which was launched in April 2023.

One Login is intended to become the primary way for citizens to access online public services. In 2022, the business case for One Login, which was used to justify over £330m of spending on the project, said the system was “underpinned” by CAF – a claim that must be called into question given that only five of the CAF outcomes were met as recently as 2024.

Recently assessed

CAF includes 39 “contributing outcomes”, each with a number of lower-level “indicators of good practice” (IGPs). Systems are rated on a binary basis, whereby failing to meet a single IGP results in the overall outcome being marked as not met, even if all the other IGPs for that outcome have been achieved.

One Login was recently assessed as part of a GovAssure review, which found that in the space of a year the GDS digital identity team had moved from meeting only five of the 39 CAF outcomes to meeting 21.

GDS says CAF assessors noted One Login's “understanding of cyber security”, and that plans are in place to achieve the “exceedingly high standards” of CAF conformance by the end of the year.

Nonetheless, One Login has been live since June 2022 and now has more than three million users. It is precisely the sort of critical system to which the very robust levels of cyber security that the NCSC set out to establish with CAF should apply.

Furthermore, the Government Cyber Security Standard mandates that all digital services should comply with Secure by Design (SbD) principles. Computer Weekly has learned that the GDS digital identity team has also yet to fully implement SbD, although GDS says the system “meets these principles”.

GDS was due to go live with SbD by January this year, but has delayed its full implementation until at least October.

This led to the Ministry of Defence asking questions of the One Login team about the Gov.uk Digital Wallet,

GDS says formal accreditation against the Secure by Design framework does not yet apply to One Login, and that while such accreditation cannot currently be formally confirmed, this does not mean that GDS or One Login fails to meet Secure by Design principles.

Historic problems

However, the concerns over One Login's overall conformance with NCSC and GSG guidelines come only after the disclosure of historic security problems in One Login.

Computer Weekly revealed earlier this month that One Login had received warnings about “serious data protection failings” and “significant shortcomings” in cyber security from the Cabinet Office and the National Cyber Security Centre – including a recommendation in November 2022 that the live system should be suspended.

Following these warnings – and earlier issues flagged by a security expert who has since turned whistleblower in an attempt to raise the concerns more widely – the GDS chief information security officer (CISO), Brendan Knowlton, conducted an internal risk audit in October 2023 to assess the severity of the issues.


GDS has now responded to those claims with a detailed breakdown of how the problems identified in 2022 and 2023 have been addressed (see table below), but questions remain over why the service was allowed to go live with known security risks.

A government spokesperson said: “The concerns captured are outdated and summarise an initial view from when the technology was in its infancy in 2023. We have worked to address all of these, as evidenced by multiple external independent assessments.

“Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. Protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”

Peer Tim Clement-Jones, the Liberal Democrat spokesman for the digital economy in the House of Lords, has submitted a series of parliamentary questions to the Department for Science, Innovation and Technology asking for details of the security surrounding One Login. He expressed further concerns about the current cyber security conformance of the system.

“Given that One Login is intended to be the key way of accessing public services online, this is deeply concerning. Are we about to see another Verify fiasco? Ministers need to take a direct grip of this,” he said.

CISO review

Computer Weekly has seen details of the GDS CISO's 2023 review findings, which listed a series of risks and rated each of them from “low” to “extremely high”. We asked GDS to provide an update on each of the risks based on their status today, which is detailed in the table below.

Anecdotal evidence from sources close to consultancy 6point6, which was brought in to support the One Login team with security assurance, paints a picture of a team that previously had insufficient security knowledge, weak controls and few standards.

GDS's claims of progress in resolving One Login's security problems suggest the situation has improved and that issues are being addressed – but questions remain about how and why One Login was allowed to go live with known issues, and without conformance with the key government standards expected of all critical online public services.

The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – said it is not possible to confirm whether any historic or current security problems have been resolved without independent verification of GDS's response.

“The unverified claim to have achieved 21 out of 39 contributing outcomes in CAF cannot be believed, and the true score will only be known with access to the One Login programme,” he said.
