The Cabinet Office is set to miss its targets for the UK government to be “cyber resilient” by the end of 2025, and needs to do more to strike the right balance between supporting departments, holding them to account, and doing more from the centre of government, a Public Accounts Committee (PAC) report has concluded.
In the report, Government cyber resilience, published today (9 May 2025), the cross-bench PAC presented a mixed picture of its findings. On the positive side, it praised the Cabinet Office for taking steps to independently verify the resilience of critical IT systems in government departments.
However, it also said this exercise had revealed that in general, resilience is much lower than expected, with many systems containing fundamental weaknesses.
A July 2024 assessment of 72 critical systems at 35 departments identified significant cyber resilience gaps, with multiple control failures in risk management and incident response planning, and although this was an improvement on the past situation, the PAC said more should have been done quicker. In particular, it again lamented the reliance on self-assessment to identify at-risk, legacy assets – a point…
