Every organisation has vulnerabilities in its digital infrastructure, including in its Domain Name System (DNS). In the Protecting Public Sector Domains team in the Central Digital and Data Office (CDDO) we work to identify and fix those vulnerabilities before our adversaries find them. We’d also like to do that for other kinds of vulnerabilities, related to email and web services. This isn’t easy, but it’s a goal we’re working towards. Our monitoring tools find misconfiguration and vulnerability data from a variety of services, and we’re gradually expanding our scope and capability. Once we ..read more

The Central Digital and Data Office (CDDO) is passionate about improving user experience and recognises that external collaboration is key to enabling the Civil Service to run efficiently and effectively. CDDO, NCSC and several government departments partnered with Microsoft to produce guidance that enables those government departments who use Microsoft 365 to seamlessly work together delivering better outcomes for their users and the people they serve. In this captivating comic, you can follow the story of Anna and John, working at the Department of Government decades apart. Discover how conf ..read more

In an unprecedented age where secure and efficient collaboration is paramount, the Central Digital and Data Office has taken a significant stride forward by collaborating with Microsoft and the National Cyber Security Centre (NCSC) to develop comprehensive guidance for the UK Government organisations that are using  Microsoft 365.  The guidance has been designed by digital, data and technology professionals across government to empower and support each other in alignment with the Mission Four: Efficient, Secure and Sustainable Technology of the 2022 to 2025 roadmap: Transforming for ..read more

Technology has revolutionised every aspect of our society and our economy, including the way that we deliver our public services, helping to make people’s lives easier and safer. Security vulnerabilities are discovered all the time online and people want to be able to report them directly to the organisation responsible. That’s why we are advocating for the use of security.txt as a standardised way of doing just that. One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. Security.txt describes a text file that advertis ..read more

We posted previously about our work removing gsi-family domains from the public sector and why we are doing it. This work is now complete and over 3,500 domains have been removed including: all gse.gov.uk domains all gcsx.gov.uk domains all gsx.gov.uk domains 2533 gsi.gov.uk domains - 83 remain (further details below) We will continue to monitor the remaining domains for issues, but this work has removed the bulk of the risk of email spoofing and domain hijacking from misconfiguration for these domains. We expect that further work may be required in the future to completely remove gsi.gov.u ..read more

All gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) are scheduled for removal by 31st March 2023. A core pillar of the Transforming for a Digital Future strategy is delivering efficient, secure and sustainable technology, and, at CDDO’s Securing Government Services team we're working hard to clean up and remove legacy services.  Some public sector organisations have previously used .gsi.gov.uk, x.gsi.gov.uk, .gsx.gov.uk, .gse.gov.uk and .gcsx.gov.uk to email each other in a secure way. However, the current email standards and guidance mean they can now get b ..read more

Photo credit: Possessed Photography on Unsplash The Future Networks for Government (FN4G) team, part of the Cabinet Office’s Central Digital and Data Office (CDDO), is helping organisations to migrate away from the Public Services Network (PSN) as it’s increasingly hard to secure. The team is encouraging organisations to migrate to modern network solutions, which offer more competitive commercial terms as well as greater flexibility and scalability. Consulting with industry and our users  To help us get a better picture of what our users and suppliers need, we’re running a pre-market en ..read more

The Securing Government Services team at the Central Digital and Data Office recently encountered, and fixed, a small bug with the way some government domains handle their Sender Policy Framework (SPF) records. SPF allows a domain owner to specify which email services are authorised to send email on their behalf. For example, the website example.gov.uk  might use Outlook for email - so they can create a TXT record in their DNS which says: "v=spf1 include:spf.protection.outlook.com -all" This tells the internet that if someone tries to send an email purporting to come from example.gov.uk ..read more

We constantly monitor the GOV.UK analytics browser stats and every 6 months we update the ‘Designing for different browsers and devices’ page in the Service Manual. This page gives service teams an idea of the minimum browser support their service should support. The last Internet Explorer change to the Service Manual was in June 2018, when we changed our testing requirements for Internet Explorer 8, 9 and 10. The reasons these changes occurred is due to our rule that we only support the browsers the top 95% of people use. This is a data-driven process so it's as inclusive as possible to user ..read more

In April the GOV.UK Pay infrastructure team noticed some of our test payments were failing intermittently. Payments made by real users in the production environment were unaffected, but the test errors occurred often enough to start blocking our deployment pipeline. The issue lay in our Connector app’s ‘connection time to live’ settings. Here’s how we fixed it. The problem GOV.UK Pay makes it easy for public sector organisations to take payments by providing an API that connects to various third-party payment providers such as Worldpay and Stripe.  We have different levels of testing for ..read more