Logiq Logo

Search

Secure By Design in 2026

MOD Secure by Design – A Practical Guide for Defence and Government

Time to read:

19 minutes

Secure by Design has changed how cyber security is approached across defence and wider government. It places security into the design, delivery and through-life management of capabilities rather than treating it as a final approval activity.

This guide explains what Secure by Design means in 2026, what the current public MOD guidance says, and how defence and government teams can apply it in complex, regulated and supplier-led environments.

Updated for 2026 | Built around Digital MOD.UK and GOV.UK guidance as of 4 June 2026

Overview

  • Secure by Design is now a mandated MOD approach for capabilities and services that handle Defence data, including those delivered by suppliers.
  • It places cyber security at the heart of a capability’s lifecycle, from early design through delivery, operation and disposal or termination.
  • The approach moves teams away from treating security as a one-off approval hurdle and towards proportionate, ongoing risk management and assurance.
  • Current MOD guidance places accountability with SROs or suitable equivalents, supported by delivery teams that provide evidence that cyber security risks are being managed.
  • The current guidance is explicit that Secure by Design needs to be tailored to the context, complexity, criticality and risk profile of the capability. One size does not fit all.
  • The Cyber Activity and Assurance Tracker (CAAT) supports MOD delivery teams with self-assessment, maturity reporting and Statements of Assurance, but it is only available for MOD personnel and is not a replacement for accreditation or a certificate.
  • For suppliers, the practical challenge is to support MOD’s assurance needs while managing legitimate constraints around intellectual property, export controls, sensitivity and commercial information.
  • Logiq has supported Secure by Design from its early development into MOD implementation, including work associated with the programme’s formation and launch, portal development and CAAT tooling.

Current guidance snapshot

  • Digital MOD.UK describes Secure by Design as “Design for security from the start” and organises the guidance into two broad areas: knowing the basics and being secure.
  • The basics cover what Secure by Design is, who is responsible, why MOD uses it, and how to apply it.
  • The practical activity areas are: understand and define context; plan the security activities; implement continuous risk management; define security controls; engage and manage the supply chain; assure, verify and test; and plan the through-life approach.
  • The guidance states that all capabilities and services that handle Defence data must follow Secure by Design, including supplier-delivered capabilities.
  • The guidance also states that in MOD, Secure by Design is mandated in JSP 440 Leaflet 5C. The public version of this hub page should link readers to the official Digital MOD.UK guidance rather than attempting to reproduce restricted policy content.

Introduction

Secure by Design is now part of the operating context for MOD capability and digital delivery. The practical question is no longer whether it matters, but how teams embed it into real delivery without creating unnecessary friction.

For MOD programmes, Secure by Design is more than a change in terminology. It affects how teams think about risk, who owns security decisions, how evidence is gathered, how suppliers are engaged and how assurance is maintained as a capability changes through life.

The official MOD guidance describes Secure by Design as an approach that puts cyber security at the heart of every stage of a capability’s lifecycle. It also makes clear that MOD is implementing Secure by Design in all top-level budgets and arm’s length bodies, and that capabilities and services handling Defence data must follow the approach.

For organisations delivering into defence or highly regulated government environments, this creates a practical challenge. Secure by Design has to work within real programmes, contractual boundaries, supplier ecosystems, legacy dependencies, changing requirements and operational constraints. It cannot simply be treated as another checklist.

We have been closely involved with Secure by Design from its early development through to MOD implementation support. Our 2024 contract announcement confirmed Logiq’s role as Secure by Design implementation partner with the MOD Cyber Resilience Programme, building on more than two-and-a-half years of work supporting the programme’s formation and launch, including associated products and digital tools.

1. What is Secure by Design?

Secure by Design means security is built into the design, development, operation and management of a capability from the outset and then managed throughout the lifecycle.

Secure by Design is an approach to cyber security that places security into the design and delivery of systems, services and capabilities from the start. It asks teams to consider cyber risk as part of capability planning, architecture, delivery, supplier engagement, assurance, operation and through-life management.

In defence, this matters because capabilities are rarely simple. They often involve multiple suppliers, legacy dependencies, sensitive data, operational constraints, complex governance and long service lives. A security decision made early in the lifecycle can affect cost, assurance, operational effectiveness and risk exposure years later.

The current MOD guidance explains that Secure by Design is used to shift security to the left, so that security is designed into capabilities from the start and risks are proactively and proportionately mitigated. It also states that security is no longer a one-time checkbox or isolated activity, but an ongoing part of capability development and operation.

That does not remove the need for controls, assurance, testing or governance. It changes how those activities are planned and used. Controls need to be proportionate. Assurance needs to be supported by evidence. Testing and validation need to happen throughout the lifecycle. Risk needs to be reviewed as the capability, threat picture, operating environment and supply chain change.

2. Why Secure by Design matters in 2026

Secure by Design is no longer an emerging concept. Public guidance has moved onto Digital MOD.UK, adoption expectations are clearer, and wider government has begun to frame Secure by Design as part of how Crown data and services should be secured.

In February 2025, Defence Digital stated that the new user-centred Secure by Design guidance on Digital MOD.UK is now the go-to place for Secure by Design guidance and replaces previous Defence Gateway content. The move was intended to make the guidance more accessible to defence industry users as well as MOD teams.

The same Defence Digital update described Secure by Design as mandated in MOD policy and explained that the new guidance was created because policy alone did not fully answer the questions users had when trying to implement Secure by Design for themselves.

The wider government context has also moved on. GOV.UK’s Secure by Design Problem Book, published in April 2025, describes Secure by Design as becoming mandated across UK Government for securing Crown data and services. It also recognises that applying Secure by Design in UK defence creates challenges not always found in enterprise settings, including interoperability, technical debt associated with legacy platforms, and operation in harsh or contested environments.

That distinction matters. Secure by Design is not simply a generic cyber security principle being applied to defence. Defence brings its own complexity. Capabilities may need to integrate with older systems, operate across multiple Defence Lines of Development, protect sensitive information and work within supply chains where information cannot always be shared freely.

3. How MOD expects teams to apply Secure by Design

The current guidance is organised around practical lifecycle activities. Teams need to understand context, plan security activity, manage risk continuously, define controls, engage suppliers, assure and test, and plan through life.

Digital MOD.UK sets out a practical sequence of Secure by Design activity areas. These are not isolated tasks. They are connected activities that should be revisited as the capability develops and as risk changes.

  • Understand and define context: understand what the capability does and how it uses and manages data.
  • Plan the security activities: plan the right security activity, including assessment of cyber threat and potential risks.
  • Implement continuous risk management: make cyber security risk management a continuous process.
  • Define security controls: set up security controls or use current services and patterns.
  • Engage and manage the supply chain: understand the supply chain, including its risks and security responsibilities.
  • Assure, verify and test: gain assurance, testing and validation throughout the capability lifecycle.
  • Plan the through-life approach: continuously monitor for through-life security improvements.

The important point is proportionality. The current guidance is explicit that one size does not fit all. Secure by Design needs to be adapted to the context, complexity and criticality of the capability. Too much security can be too expensive and difficult to maintain; too little can leave a capability exposed.

For teams adopting Secure by Design part way through CADMID/T, the current guidance says they should revisit the security activities, identify gaps, review activities already completed and revisit any tasks that were not completed when the capability started. Continuous activities should also be revisited through life.

4. Continuous risk management and assurance

Secure by Design relies on continuous risk management and continual assurance. The aim is not a perfect score or a late-stage certificate; it is a justified, evidence-based view of risk that can be maintained through delivery and operation.

One of the most important shifts introduced by Secure by Design is the move towards continuous risk management. Cyber risk changes over time. Systems evolve. Suppliers change. New vulnerabilities emerge. Operational use cases shift. Threats develop. A one-off approval at a fixed point in time cannot give lasting confidence if the risk picture changes afterwards.

The current MOD guidance on continuous risk management refers to Security Working Groups, regular reassessment of risks, risk reviews, CAAT maturity assessments and vulnerability management. This gives a clearer view of what “continuous” means in practice: governance, reassessment, documentation, maturity tracking and active management of weaknesses in the capability and supply chain.

The CAAT forms part of the assurance process for MOD delivery teams. Digital MOD.UK states that it helps teams understand and self-assess the cyber security maturity of their capability throughout its lifecycle by tracking cyber security activities and creating statements of assurance. It also makes clear that CAAT is only available for MOD personnel to use, and that programmes and projects above OFFICIAL SENSITIVE should continue to register on DART S.

Statements of Assurance need careful treatment. The current guidance says the CAAT provides the structure for reporting and seeking approval or endorsement from the SRO through a Statement of Assurance. Where reliant parties request a certificate, the SRO can provide a Statement of Assurance. However, the guidance is explicit that the Statement of Assurance is not a replacement for accreditation or a certificate and should not be treated as one.

Independent assurance also needs careful wording. The current guidance says independent assurance is provided by CySAAS assessors in some cases, and can highlight risks. It does not decide whether a capability is secure. That decision sits with the SRO, or suitable equivalent, based on evidence from continual assurance activities.

5. What Secure by Design means for suppliers

Suppliers are within scope where they deliver capabilities or services that handle Defence data, but MOD’s current public guidance still places CAAT self-assessment responsibility with MOD personnel and delivery teams rather than suppliers completing it directly.

For suppliers working with MOD and wider defence, Secure by Design changes expectations. It is not enough to wait for security requirements to appear late in delivery or to treat assurance as a separate activity handled after the design is largely fixed. Suppliers may need to show how security has been considered in the solution, how risks have been identified and managed, how controls have been selected, and what evidence can support assurance throughout the lifecycle.

The current guidance states that all capabilities and services handling Defence data must follow Secure by Design, including capabilities delivered by suppliers. It also states that delivery teams should work closely with suppliers to make sure they understand potential cyber risks and shared responsibilities, and should work with suppliers’ contracting authority to make sure suppliers follow Secure by Design in line with their contract.

This distinction matters. Suppliers still need to understand their responsibilities and provide relevant evidence, but CAAT self-assessment remains a MOD delivery-team activity rather than something suppliers complete directly through public guidance.

The GOV.UK Problem Book adds a useful supplier-side reality check. It notes that MOD may not always be able to share all available Secure by Design evidence, including threat models, risk information or security requirements. It also recognises that suppliers may be unable to share all relevant evidence because of export restrictions, sensitive intellectual property or commercial constraints.

For suppliers, the practical challenge is therefore to support assurance without assuming perfect transparency. They need to understand the security intent, the evidence expectation, the contractual context and the boundaries around what can and cannot be shared.

6. What Secure by Design means for SROs, product owners and delivery teams

The current guidance places accountability for secure outcomes with SROs or suitable equivalents, supported by delivery teams that provide evidence that cyber security risks are being effectively managed.

Secure by Design is a collaborative approach, but accountability still needs to be clear. Digital MOD.UK states that SROs are accountable for setting the level of cyber risk they are willing to accept, understanding how and when to escalate issues outside that level of risk, and making sure the capability is resilient to cyber attacks.

Delivery teams support the SRO by providing evidence that cyber security risks are being effectively managed. This means security activity cannot sit outside delivery as a separate late-stage workstream. It needs to be visible in plans, design decisions, risk management, supplier engagement, assurance evidence and through-life arrangements.

For product owners and capability owners, the implication is practical. They do not need to become cyber security engineers, but they do need to understand the risk decisions being made, the assumptions behind those decisions, the evidence available, the residual risks being carried and the conditions under which risk may need to be escalated.

The current guidance also lists a wide set of roles involved in Secure by Design, including capability sponsors, programme and project managers, SROs or suitable equivalents, delivery team leaders, capability owners, commercial officers, delivery team security leads and cyber security assessors. It also encourages engagement with engineering, safety, supportability, ILS, regulatory and internal design stakeholders.

That breadth matters because Secure by Design is not only a cyber security activity. In defence, security interacts with engineering, safety, support, commercial arrangements, architecture, operational use and through-life management.

7. Common implementation challenges

The hard part is not explaining Secure by Design. It is applying it across complex programmes where ownership, evidence, information sharing and through-life management are rarely straightforward.

Ownership and accountability

If cyber risk is seen as something owned only by security specialists, decisions may be delayed or disconnected from delivery. If accountability is placed with SROs and delivery teams without enough support, teams may struggle to understand what good looks like.

Evidence and proportionality

Secure by Design depends on evidence, but evidence needs to be useful and proportionate. Too little evidence creates uncertainty. Too much evidence creates noise. The aim is to support risk decisions, assurance and through-life management.

Supplier engagement

Security expectations need to be clear enough for suppliers to respond to them, but proportionate enough that they do not create unnecessary barriers. This is particularly important where suppliers have legitimate IP, export control, sensitivity or commercial constraints.

Legacy systems and technical debt

The GOV.UK Problem Book highlights technical debt associated with legacy platforms as a specific challenge for UK defence. Secure by Design has to operate in this reality. Many programmes need to integrate with existing systems rather than redesign from a clean sheet.

Early acquisition

The Problem Book also notes the difficulty of applying Secure by Design at the very earliest stages of capability acquisition, when a capability’s form and functionality may still be emerging. Teams need to make risk visible early without pretending everything is known.

Through-life sustainment

Many defence capabilities remain operational for years or decades. Secure by Design therefore needs to preserve rationale, evidence, ownership and risk context through changes in technology, personnel, threat, operation and support arrangements.

8. Logiq’s role in Secure by Design

We have been close to Secure by Design from its early development through to MOD implementation support. That gives us a practical view of the work involved in turning policy intent into something delivery teams can use.

This is not a topic we approach at a distance. We were involved early in the development and implementation of the MOD approach, and that work has shaped how we support defence and government teams today.

Our involvement has included support associated with the formation and launch of the Secure by Design programme, including work connected with the portal and the Cyber Activity and Assurance Tracker (CAAT). In 2024, we were awarded the Secure by Design implementation partner contract, continuing the work developed over the previous two-and-a-half years.

That experience matters because the difficult part of Secure by Design is rarely the principle itself. Most teams understand the need to consider security earlier and manage risk through life. The harder task is embedding that approach into live programmes, supplier relationships, evidence requirements, assurance activity and delivery decisions without creating unnecessary friction.

Official MOD guidance remains the source of policy. Logiq’s role is different. We help teams interpret the guidance, understand what it means for their specific capability or organisation, and put the approach into practice in a way that supports delivery, assurance and operational confidence.

9. How Logiq supports Secure by Design delivery

We support Secure by Design by helping teams turn policy expectations into clear roles, practical evidence, proportionate controls and delivery activity that can be sustained through life.

We help organisations understand, adopt and apply Secure by Design in complex, regulated and security-conscious environments. Support can include early-stage readiness, maturity review, assessment of current delivery approaches, review of risk management and assurance activity, supplier engagement support, security control definition, evidence planning, through-life security planning and implementation support.

For MOD and government teams, this may mean helping translate guidance into practical delivery activity, clarifying ownership, improving assurance evidence, supporting risk management, or helping delivery teams understand how Secure by Design applies to their capability.

For suppliers, it may mean helping interpret Secure by Design expectations, prepare evidence, understand the security and assurance implications of a solution, and engage with MOD delivery teams in a way that is constructive and proportionate.

For leadership teams, it may mean building a clearer view of maturity, risk, governance and readiness, so that Secure by Design becomes part of decision-making rather than another isolated compliance exercise.

10. Secure by Design and the future of defence cyber assurance

Secure by Design is moving defence cyber assurance towards earlier security thinking, clearer accountability, evidence-based assurance and through-life risk management.

The direction is clear. Security needs to be considered earlier. Risk needs to be managed continuously. Assurance needs to be supported by useful evidence. Suppliers need to be engaged in a way that reflects the reality of defence delivery. SROs and delivery teams need to understand the risk decisions they are making and the evidence that supports those decisions.

That does not make implementation easy. MOD delivery environments are complex, and Secure by Design has to operate across different teams, suppliers, capabilities, lifecycles and levels of sensitivity. But the principle is sound: security is more effective when it is designed in from the start and managed through life.

For defence and government teams, the next stage is practical adoption. Not simply knowing what Secure by Design says, but understanding how to apply it in a way that improves resilience, supports delivery and gives decision-makers confidence in the risks they are carrying.

How We Can Help

Secure by Design is now a practical delivery requirement for MOD and defence industry teams handling Defence data. The challenge is applying it in a way that is proportionate, evidenced and workable across real programmes and supply chains.

Logiq supports defence, government and highly regulated organisations with Secure by Design adoption, cyber security assurance, risk management and secure system delivery.

Whether you are trying to understand what Secure by Design means for your programme, prepare your team, improve your assurance approach or embed continuous risk management into delivery, we can help you take a practical next step.

Speak to our Secure by Design team

Source and citations

Training

An informative three-day, instructor-led course that arms engineers, architects, and security professionals with the tools to embed Secure by Design principles into real-world projects.

Move beyond risk-only thinking. Learn how to engineer trustworthy systems that provide assurance to customers and meet demanding defence requirements

Register Now