Meeting ISN 2022/04 Secure by Design Requirements

Armour Mobile in use at the MoD

Recently the UK Government published Industry Security Notice 2022/04 Secure by Design Requirements, which informs the UK Defence Supply Base of the Secure by Design policy and approach set out to ensure cyber secure delivery of capabilities for the MoD.

Before we outline just how closely Armour complies, we address the question: what is the difference between Secure by Design and Secure by Default? The National Cyber Security Centre (NCSC) uses both terms in different contexts.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design. According to NCSC, Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security. After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

      • security should be built into products from the beginning, it can’t be added in later;
      • security should be added to treat the root cause of a problem, not its symptoms;
      • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
      • security should never compromise usability – products need to be secure enough, then maximise usability;
      • security should not require extensive configuration to work, and should just work reliably where implemented;
      • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
      • security through obscurity should be avoided;
      • security should not require specific technical understanding or non-obvious behaviour from the user.

 

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception a number of years ago to ensure that our products are designed with Best Practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices.

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use.  Armour Mobile is in use in many Government departments as well as having been deployed for numerous use cases across the MoD.

Armour Mobile and MoD Secure by Design Requirements

One of the key principles within the ISN 2022/04 Secure by Design Requirements is to Define Security Controls, and within that, the requirement is that: “Existing processes, knowledge, standards and technologies should be identified, assessed and reused where possible to avoid duplication of effort.”  With this in mind, and our track record of working with NCSC and the MoD, Armour Mobile is the obvious choice for any secure comms requirement within the Defence sector.

For a more detailed look at the NCSC Secure by Default principles, read our blog, The future of NCSC Technical Assurance: https://www.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/ and, for more information about the NCSC Secure by Default principles, please read: https://www.ncsc.gov.uk/information/secure-default

Watch this space for future articles describing in more detail how Armour Mobile meets the Secure by Design requirements.
