Cyber Resilient Scotland - strategic framework: action plan 2025-2030

Sets out the key actions during 2025 to 2030 to deliver the priorities set out in the strategic framework for a Cyber Resilient Scotland.


Outcome 3

Scotland’s digital public services are secure and cyber resilient

3.1 Securing legacy systems and ensuring secure-by-design and by-default systems

Appropriate mitigations are in place to secure legacy systems. A secure-by-design and by-default approach is embedded across digital public systems, services and infrastructure.

The Scottish Government and national digital service providers will:

  • continue to identify legacy IT systems and fully understand the cyber risks they pose
  • replace legacy systems as a critical step in improving cyber resilience. Where legacy systems remain in use, cyber risks are actively managed with clear risk ownership until replacement is possible
  • ensure that new systems are secure by design and secure by default throughout their lifecycle, with maintenance, support and long-term sustainability planned from the outset to prevent future legacy challenges.

3.2 Adhering to cyber security standards and regulations

Digital public services align with the relevant recognised standards and regulations.

The Scottish Government and national digital service providers will:

  • use NCSC’s Cyber Assessment Framework (CAF) as their guiding framework for managing cyber resilience
  • apply the GovAssure scheme to assess critical systems against the CAF and demonstrate that its objectives are met
  • follow the principles of secure-by-design when building digital services and technical infrastructure.

3.3 Securing the supply chain

Digital public service supply chains are secured against cyber threats through regular risk assessment, enforcement of security requirements in procurement and monitoring of third-party compliance.

The Scottish Government and national digital service providers will:

  • establish a risk-based Supply Chain Security Framework and standardise its use across digital procurement, ensuring suppliers understand the baseline security requirements expected of them
  • align supply chain security policies with NCSC Supply Chain Security Principles and UK Government Procurement Security Guidelines
  • ensure suppliers hold relevant certifications, such as Cyber Essentials Plus, ISO/IEC 27001 and other appropriate industry standards
  • embed security requirements in public sector supplier contracts, mandating clear and enforceable clauses covering data protection, incident reporting and compliance auditing.

3.4 Enhancing incident response and recovery

A national framework for cyber incident response is strengthened, ensuring rapid recovery and continuity of essential digital public services.

The Scottish Government and national digital service providers will:

  • enhance and refine their Cyber Incident Response Plans (CIRPs) to ensure continuous improvement and alignment with NCSC Incident Management Guidance and recognised industry best practice
  • conduct regular crisis management exercises, tabletop simulations and live attack drills to test organisational readiness
  • define clear incident severity levels, escalation procedures and response playbooks for a range of attack scenarios, including ransomware, insider threats and nation-state attacks
  • foster a culture of cyber resilience and integrate cyber incident response with Business Continuity and Disaster Recovery (BCDR) plans to ensure coordinated recovery
  • maintain and regularly test alternative communication channels for use during incidents where primary IT infrastructure is compromised
  • ensure backup and recovery processes are robust, with immutable backup copies, and test them frequently, including full restores, to enable rapid restoration of services and minimise operational disruption
  • maintain a joined-up approach to incident response in collaboration with the Scottish Cyber Coordination Centre (SC3).

3.5 Enabling safe use of emerging technologies

Guidance and governance are developed to ensure the secure deployment of AI, automation, machine learning, quantum and IoT (Internet of Things) technologies in public services.

The Scottish Government and national digital service providers will:

  • ensure appropriate governance is in place to support the secure adoption and use of new and emerging technologies
  • maintain awareness of standards and guidance issued by relevant technical authorities and ensure these are integrated into organisational governance processes and technical design boards.

3.6 Maximising public-private collaboration

The Scottish Government and other public bodies deepen engagement with industry and academia to access cutting-edge industry solutions, share threat intelligence and co-develop secure digital platforms.

The Scottish Government and national digital service providers will:

  • ensure insights from NCSC's socio-technical research inform the design and development of digital platforms
  • take into account the UK Government's cyber security Codes of Practice and relevant NCSC guidance, including the Secure development and deployment guidance
  • consider sponsoring CivTech challenges that address public sector cyber resilience needs
  • engage with industry and academia to explore the cyber security benefits of emerging technologies and identify opportunities to adopt them within government settings, for example homomorphic encryption, crypto-agility for quantum-safe encryption, artificial intelligence agents and model context protocols.

Contact

Email: CyberResilience@gov.scot