From 31 January 2025 all new or significant changes to digital service and technology infrastructure, either built within the Department for Education (DfE) or procured through suppliers, which are in scope of digital and technology spend controls approval process must follow Secure by Design. Significant changes may include those requiring a treasury business case or where there is significant change to the cyber risk profile.

Portfolios and divisions are responsible for evaluating their projects eligibility for Secure by Design when making investment decisions. Within your team you should have individuals who can support you in this evaluation.

Spend controls approval

You must make sure that you get spend approval before committing to any digital or technology spend which are above the spend thresholds. Any spend that is related to digital or technology delivery is in scope of this control. This includes spending on resources.

The spend controls approval process is supported by Get approval to spend service. This service is used for all public expenditure business case requests through the Cabinet Office spend approval for Digital and Technology that are above the threshold of £100,000.

Within the Get Approval to Spend service, business cases undergo a process to determine their risk and importance rating: High (H), Medium (M), or Low (L). Projects identified as high risk are in-scope for Secure by Design.

Business cases generally involve new digital services or technology infrastructure builds by DfE or those procured through suppliers. We expect a majority of cases will fall within the scope of Secure by Design.

Additional criteria

You must follow Secure by Design if your business case is in relation to one of the top 75 services flagged by the Government Digital Service (GDS). At present, for DfE, this includes:

  • Find an apprenticeship
  • Find school and college performance
  • Get information about schools
  • Get into teaching
  • Use the National Careers Service

If you are developing a service that must meet the service standard. You can check if you need to meet the Service Standard or get an assessment.

If your project or service meets any of these criteria or you have further queries, contact the Secure by Design team.