<?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:thr="http://purl.org/syndication/thread/1.0" xml:lang="en-US" > <title type="text">Technology in government</title> <subtitle type="text">About digital and technology projects in government.</subtitle> <updated>2025-04-02T09:14:06Z</updated> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk" /> <id>https://technology.blog.gov.uk/feed/</id> <link rel="self" type="application/atom+xml" href="https://technology.blog.gov.uk/feed/" /> <entry> <author> <name>Cloud and Platform team at GDS</name> </author> <title type="html"><![CDATA[Government’s Cloud First Policy is 12!]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2025/02/18/governments-cloud-first-policy-is-12/" /> <id>https://technology.blog.gov.uk/?p=5193</id> <updated>2025-04-02T09:14:06Z</updated> <published>2025-02-18T13:46:55Z</published> <category scheme="https://technology.blog.gov.uk" term="Cloud" /> <summary type="html"><![CDATA[Two landmark publications: the State of Digital Government Review, and the blueprint for modern digital government are clear - cloud technology is helping to reshape how government works. 
With the blueprint setting out the long-term vision, and with the Government …]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2025/02/18/governments-cloud-first-policy-is-12/"><![CDATA[ <figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="3840" height="2160" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash.jpg" alt="Graphic image of HD computer with cloud" class="wp-image-5194" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash.jpg 3840w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash-300x169.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash-1024x576.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash-768x432.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash-1536x864.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2025/02/growtika-Am6pBe2FpJw-unsplash-2048x1152.jpg 2048w" sizes="(max-width: 3840px) 100vw, 3840px" /><figcaption class="wp-element-caption">Credit: Unsplash @growtika </figcaption></figure> <p>Two landmark publications: the <a href="https://www.gov.uk/government/publications/state-of-digital-government-review/state-of-digital-government-review">State of Digital Government Review</a>, and <a href="https://www.gov.uk/government/publications/a-blueprint-for-modern-digital-government">the blueprint for modern digital government</a> are clear - cloud technology is helping to reshape how government works.</p> <p>With the blueprint setting out the long-term vision, and with the <a href="https://www.gov.uk/guidance/government-cloud-first-policy">Government Cloud First</a> policy turning 12, we thought it was a good time to reflect on the successes, the 
challenges and our current focus.</p> <p>The objective of the <a href="https://www.gov.uk/guidance/government-cloud-first-policy">Government Cloud First policy</a> is that government departments and public organisations should use public cloud services as their first choice when buying IT services. This rule must be followed by central government and is strongly encouraged for other public sector organisations. The aim is for us to spend less time provisioning technology and more time improving public services.</p> <h3 class="wp-block-heading"><strong>Cloud technology has helped us improve our public services</strong></h3> <p><a href="https://www.gov.uk/government/publications/state-of-digital-government-review/state-of-digital-government-review">The State of Digital Government Review</a> found that about 60% of UK government and public sector IT systems are run on cloud services. This is a good percentage when compared to big private companies and other countries, and we now have lots of experience of cloud helping departments to deliver services.</p> <p>The Ministry of Justice (MoJ) has used the Cloud to simplify its operations, enhance internal collaboration, and reduce reliance on legacy systems. They have created a <a href="https://aws.amazon.com/solutions/case-studies/uk-ministry-of-justice/">data and analytics platform</a> that serves over 500 professionals daily with data from diverse sources; ranging from legacy databases to modern digital services.</p> <p>While this shift has delivered better public services, cost savings and improved security, it's not without its hurdles. 
Departments are grappling with the complexities of moving their remaining legacy systems, addressing skills shortages, and managing security concerns.</p> <h3 class="wp-block-heading"><strong>Our focus now</strong></h3> <p><strong>What we are doing</strong></p> <ul class="wp-block-list"> <li>Coordinating professional development opportunities so that Government Digital and Data professionals have access to low (or zero) cost training and certification programmes such as the AWS Solutions Architect Professional bootcamp, Microsoft’s Cross Platforms Hero’s and Oracle University. <a href="https://digitalpeople.blog.gov.uk/2024/09/17/get-cloud-certified-this-autumn/">Read more about the Get Cloud Certified this autumn programme</a> we ran last year as a good example of the training on offer.</li> <li>Supporting under-represented groups in technology with initiatives like the AWS CloudUp for Her pilot and Microsoft’s TechHer for Government.</li> <li>Working with cloud service providers to offer consistently secure, well-architected cloud environments that can be rapidly deployed and consumed. We want to ensure all parts of the public sector can access these services and benefit from enhanced deals and cost savings.</li> <li>Looking to connect and strengthen the communities of cloud practitioners that have emerged across the public sector. We will hold regular events with key partners and suppliers to share knowledge and best practice. 
</li> </ul> <p>More information and resources to support your organisations’ cloud journey are available in the new <a href="https://www.gov.uk/government/collections/cloud-technology-and-the-public-sector">GOV.UK collection</a>: <a href="https://www.gov.uk/government/publications/cloud-guide-for-the-public-sector/cloud-guide-for-the-public-sector">Cloud Guidance for the public sector</a>, and by contacting <a href="mailto:cloud-strategy@digital.cabinet-office.gov.uk">the GDS Cloud Strategy mailbox</a>.</p> <p></p> <p></p> ]]></content> <link rel="replies" type="text/html" href="https://technology.blog.gov.uk/2025/02/18/governments-cloud-first-policy-is-12/#comments" thr:count="0" /> <link rel="replies" type="application/atom+xml" href="https://technology.blog.gov.uk/2025/02/18/governments-cloud-first-policy-is-12/feed/" thr:count="0" /> <thr:total>0</thr:total> </entry> <entry> <author> <name>Simon Foster, Head of Protecting Public Service Domains, CDDO</name> </author> <title type="html"><![CDATA[The 5 year journey to moving .gov.uk to a new registry]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2024/09/20/the-5-year-journey-to-moving-gov-uk-to-a-new-registry/" /> <id>https://technology.blog.gov.uk/?p=5129</id> <updated>2024-09-20T13:59:24Z</updated> <published>2024-09-20T13:59:10Z</published> <category scheme="https://technology.blog.gov.uk" term="News" /><category scheme="https://technology.blog.gov.uk" term="Security" /><category scheme="https://technology.blog.gov.uk" term="Transformation" /> <summary type="html"><![CDATA[Find out how the Domains team planned and executed the biggest ever change to digital infrastructure with zero disruption to citizen services.]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2024/09/20/the-5-year-journey-to-moving-gov-uk-to-a-new-registry/"><![CDATA[ <figure class="wp-block-image size-large"><img decoding="async" width="1024" height="439" 
src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-1024x439.jpg" alt="DNS Domain Name System Server" class="wp-image-5131" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-1024x439.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-300x129.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-768x329.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-1536x658.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/09/shutterstock_463024261-1-2048x877.jpg 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>A week before the 2024 General Election, the Domains team carried out one of the most important digital infrastructure changes in government history. </p> <p>In theory the migration to a new .gov.uk Registry Operator required a few technical changes, but it was not as simple as that. There was a risk these changes would interrupt people from using all of the UK government’s digital services, including the ability to use the <a href="https://www.gov.uk/register-to-vote">Register to vote service</a> at a time when it was needed most.</p> <p>Before we dive into the preparation that went into the migration, let’s start by explaining the importance of the .gov.uk registry.</p> <h3 class="wp-block-heading"><strong>Why is the .gov.uk domain so important?</strong></h3> <p>The Domains team at the Central Digital and Data Office (CDDO) is responsible for operating the .gov.uk domain or as we call it the “.gov.uk registry”. That’s different to the GOV.UK brand, which is used to describe the government’s website. </p> <p>We approve applications for all .gov.uk third-level domains - like “cabinetoffice.gov.uk”, “hmrc.gov.uk” or newly created ones like “greatbritishenergy.gov.uk”. 
Not all domains have websites - some are simply used to provide emails or other services.</p> <p>The .gov.uk registry currently contains 5,000 public sector domain names. Just like an address book, the registry tells your browser, your email, and everything else where to find that domain on the internet. Domain registries exist in a hierarchy across the internet as part of the global Domain Name System (DNS).</p> <p>If a domain registry fails, your internet browser will not be able to find the websites that the registry was publishing. Similarly, all email and other digital services that use that domain will stop.</p> <h3 class="wp-block-heading"><strong>The journey to a new .gov.uk registry </strong></h3> <p>Our journey to improve the security and resilience of the .gov.uk domain name and all the services that sit under it began 5 years ago when the Domains team was assembled. </p> <p>Up until the switch-over, the .gov.uk registry was run on a pro-bono basis that was not meeting internationally recognised standards. 
That was not the fault of any party in particular: it was the result of a legacy memorandum of understanding that was set up in a world where the internet was in its infancy.</p> <p>Our 3 objectives for the .gov.uk registry were to make it:</p> <ul class="wp-block-list"> <li>highly and globally resilient, as it underpins all critical digital services</li> <li>compliant with internationally recognised registry and DNS operating standards, as set by the Internet Corporation for Assigned Names and Numbers (ICANN), for better interoperability and future portability</li> <li>compliant with the <a href="https://www.ncsc.gov.uk/collection/cyber-assessment-framework">National Cyber Security Centre’s Cyber Assessment Framework (NCSC CAF)</a></li> </ul> <p>We also wanted our .gov.uk Registry provider to help us prevent and fix domain-related cyber vulnerabilities, which is the main focus of what the CDDO Domains team does.</p> <p>To create a fair, open market competition we worked closely with Crown Commercial Service to enable our registry procurement through the <a href="https://www.crowncommercial.gov.uk/agreements/RM6116:1d/lot-suppliers">Network Services 3 Framework</a>.</p> <p>Once we were set up with a Lot on NS3, the real work could begin. Starting in March 2022, we ran 7 workshops with potential Registry Operator bidders as well as the 300-plus Registrars in our marketplace to assess the viability and impact.</p> <p>Getting feedback from the marketplace was critical. This helped the Domains team create 40 pages’ worth of in-depth technical requirements for the Registry Operator as well as <a href="https://www.gov.uk/guidance/criteria-to-be-a-govuk-approved-registrar">Criteria to be a .gov.uk Approved Registrar</a>, all of which had to go through commercial and legal review. 
</p> <h3 class="wp-block-heading"><strong>Evaluating bids, planning the transition and getting Public Sector assurance</strong></h3> <p>Our incumbent supplier, Jisc, did not bid for the new contract to run the Registry because it was outside of its educational and charitable remit, but they supported us strongly throughout the process. </p> <p>During the bidding process, each supplier had to answer 44 questions, which were marked by a team of 3 evaluators from the Domains team. Nominet, which has operated the .uk domain since 1996, was awarded the contract in November 2023 and a phased migration plan was put into place. This consisted of:</p> <ul class="wp-block-list"> <li>5 workshops with CDDO, Nominet and Jisc to prepare for the migration</li> <li>1 Assurance deep-dive day</li> <li>3 weekly meetings with suppliers to share progress updates</li> <li>2 Registrar workshops to answer their questions</li> </ul> <p>Transitioning a registry is a fairly common activity, but if it goes wrong it could cause significant disruption. We could not let this happen to our stakeholder community of thousands of Public Sector bodies, plus the millions of people that rely on them every day.</p> <p>We wanted to be sure that we had addressed every risk comprehensively, so we asked the Chief Technology Officer’s Council and the Cabinet Office Commercial Information Assurance Team to provide in-depth independent assurance. We also set up a Change Advisory Board (CAB) composed of representatives from across the Public Sector. This group monitored a set of criteria from all transition-critical areas and had the ultimate decision-making power on whether to proceed with the transition.</p> <h3 class="wp-block-heading"><strong>Transition day - 26 June 2024</strong></h3> <p>Successful digital change often results in a glorious anti-climax. 
In our case, the months of data cleaning, testing and risk mitigation planning resulted in an uneventful call with members of the CAB, the outgoing provider and the incoming provider. </p> <p>Instructions were given out to make the technical DNS changes, which were monitored step by step. </p> <p>Users do not see DNS changes immediately. Your laptop, your phone and even your ISP keep a cache of recent DNS answers, so you won’t see any change until those cached entries expire (each record carries a time to live, or TTL, that sets this) and a fresh lookup is made. This caching exists at every level across the internet, and cache expiry times can range from a few seconds to a few days.</p> <p>What this meant was that we could not immediately confirm that the transition was successful. We had to wait, and that is what we did.</p> <p>By lunchtime we had confirmation that the new registry’s 4 primary name servers were responding to DNS queries from across the world, and by mid-afternoon we had confirmation that the new registry’s 4 secondary name servers were also responding.</p> <p>The transition had been a complete success, and - most importantly - no one had noticed that it had happened.</p> <h3 class="wp-block-heading"><strong>Next steps</strong></h3> <p>Our work does not end with the migration. The team is continuing to improve the operation of the .gov.uk registry by introducing technical checks and increasing the governance of the Registrar channel. 
</p> <p>If you need any more information you can contact support@domains.gov.uk.</p> ]]></content> </entry> <entry> <author> <name>Nick Woodcraft, Domains Product Owner, CDDO</name> </author> <title type="html"><![CDATA[Missing the Point(er)]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2024/05/10/missing-the-pointer/" /> <id>https://technology.blog.gov.uk/?p=5114</id> <updated>2024-05-10T08:34:19Z</updated> <published>2024-05-10T08:15:13Z</published> <category scheme="https://technology.blog.gov.uk" term="Security" /><category scheme="https://technology.blog.gov.uk" term="Tools" /><category scheme="https://technology.blog.gov.uk" term="Transformation" /> <summary type="html"><![CDATA[Email security policy for the UK Government has been fairly consistent for a while, so we were pleased when Google and Yahoo decided to tighten their email authentication requirements that align closely to our own guidance. One element that stands …]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2024/05/10/missing-the-pointer/"><![CDATA[<p><img decoding="async" class="alignnone size-large wp-image-5119" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527-1024x666.jpg" alt="Image of postcard with numbers>words>numbers written on it" width="620" height="403" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527-1024x666.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527-300x195.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527-768x500.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527-1536x999.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/05/PXL_20240509_134906527.jpg 1600w" sizes="(max-width: 620px) 100vw, 620px" /></p> <p><span style="font-weight: 
400">Email security policy for the UK Government has been fairly consistent for a while, so we were pleased when </span><a href="https://blog.google/products/gmail/gmail-security-authentication-spam-protection/"><span style="font-weight: 400">Google and Yahoo decided to tighten their email authentication requirements</span></a><span style="font-weight: 400"> that align closely to </span><a href="https://www.gov.uk/guidance/securing-government-email"><span style="font-weight: 400">our own guidance</span></a><span style="font-weight: 400">. One element that stands out however, is their requirement that all IP addresses must have a PTR (‘Pointer’ or ‘reverse DNS’) record. This is also in our guidance, but was a little buried until a recent update. </span></p> <h3><b>What is a PTR?</b></h3> <p><span style="font-weight: 400">They are a less well known but important part of the anti-spam toolkit, and we probably ought to give them more attention than we have up to now. Google and Yahoo may be tightening their approach, but most other email providers use PTR records in their checks as well.</span></p> <p><span style="font-weight: 400">PTR records provide some reassurance that a sender is well established and trustworthy. When an email is received the IP address is checked for its PTR record. Google states:</span></p> <p><i><span style="font-weight: 400">Every IP address must map to a hostname in the PTR record. The hostname specified in the PTR record must have a forward DNS that refers to the sending IP address.</span></i></p> <p><span style="font-weight: 400">This means the sending service has control of the IP address, the DNS associated with the IP address, and the sending hostname. 
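</span></p> <p>As a worked example of that check, added here and not part of the original post: the Python below builds the reverse-DNS name for an address, confirms that the hostname in its PTR record resolves back to the same address (forward-confirmed reverse DNS), and then runs that check over every ip4:/ip6: mechanism in an SPF record, which is the kind of SPF review described later in the post. It goes beyond the post's IPv4 example by handling IPv6 (32 reversed nibbles under ip6.arpa) as well. The 148.105.10.6 / mail6.sea172.mcdlv.net pair mirrors the post's dig example; the example.org hostnames, the 203.0.113.x, 198.51.100.x and 2001:db8:: addresses (documentation ranges), and the function names are constructed for this example.</p>

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit for email sending addresses.

Added example, not code from the original post. Lookups go through an injected
resolver so the module runs offline against the constructed records below; to
check live addresses, supply a resolver that queries real DNS.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# (owner name, rrtype) -> rdata strings; [] when the name or type does not exist
Resolver = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 or IPv6 address. IPv4 reverses the octets under
    in-addr.arpa (148.105.10.6 -> 6.10.105.148.in-addr.arpa); IPv6 reverses all 32
    zero-padded hex nibbles under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa"


def fcrdns_check(ip: str, resolve: Resolver) -> Dict[str, object]:
    """The two-step check described in the post: the IP must have a PTR, and the
    hostname in that PTR must resolve (A or AAAA) back to the same IP.
    status is one of: ok, no_ptr, forward_missing, forward_mismatch."""
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    ptr_hosts = [h.rstrip(".").lower() for h in resolve(reverse_name(ip), "PTR")]
    if not ptr_hosts:
        return {"ip": ip, "status": "no_ptr", "ptr": None, "forward": []}
    seen: List[Tuple[str, List[str]]] = []
    for host in ptr_hosts:  # several PTRs are legal; any one that confirms is enough
        forward = resolve(host, rrtype)
        if addr in {ipaddress.ip_address(a) for a in forward}:
            return {"ip": ip, "status": "ok", "ptr": host, "forward": forward}
        seen.append((host, forward))
    host, forward = seen[0]
    status = "forward_missing" if not forward else "forward_mismatch"
    return {"ip": ip, "status": status, "ptr": host, "forward": forward}


SPF_IP_MECH = re.compile(r"(?<!\S)\+?ip([46]):(\S+)", re.IGNORECASE)
MAX_EXPAND = 256  # walk CIDR mechanisms up to this many addresses; larger prefixes are only reported


def audit_spf_ips(domain: str, resolve: Resolver) -> List[Dict[str, object]]:
    """Run fcrdns_check over every literal ip4:/ip6: mechanism in the domain's SPF
    record. include:, a and mx mechanisms are not followed here."""
    spf = [t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or several v=spf1 records is a permerror
        return [{"ip": None, "status": f"spf_record_count_{len(spf)}", "ptr": None, "forward": []}]
    results: List[Dict[str, object]] = []
    for _ver, target in SPF_IP_MECH.findall(spf[0]):
        try:
            net = ipaddress.ip_network(target, strict=False)  # bare address -> /32 or /128
        except ValueError:
            results.append({"ip": target, "status": "invalid_mechanism", "ptr": None, "forward": []})
            continue
        if net.num_addresses > MAX_EXPAND:
            results.append({"ip": str(net), "status": "prefix_not_expanded", "ptr": None, "forward": []})
            continue
        results.extend(fcrdns_check(str(a), resolve) for a in net)
    return results


# Constructed sample records for offline runs. 148.105.10.6 and mail6.sea172.mcdlv.net
# mirror the worked dig example in the post; the other addresses are RFC 5737 / RFC 3849
# documentation ranges and the example.org names are invented to show each failure mode.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("example.org", "TXT"): ["v=spf1 ip4:148.105.10.6 ip4:203.0.113.20 ip4:198.51.100.7 "
                             "ip6:2001:db8::1 ip4:203.0.113.0/16 include:_spf.example.net -all"],
    (reverse_name("148.105.10.6"), "PTR"): ["mail6.sea172.mcdlv.net."],
    ("mail6.sea172.mcdlv.net", "A"): ["148.105.10.6"],
    (reverse_name("203.0.113.20"), "PTR"): ["mx.example.org."],  # stale PTR: the host has moved
    ("mx.example.org", "A"): ["203.0.113.99"],
    (reverse_name("203.0.113.21"), "PTR"): ["gone.example.org."],  # PTR names a host with no A record
    (reverse_name("2001:db8::1"), "PTR"): ["mail.example.org."],
    ("mail.example.org", "AAAA"): ["2001:db8::1"],
    # 198.51.100.7 deliberately has no PTR at all
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE_RECORDS.get((name.rstrip(".").lower(), rrtype.upper()), [])


if __name__ == "__main__":
    for r in audit_spf_ips("example.org", sample_resolver):
        print(f"{str(r['ip']):<20} {r['status']:<20} ptr={r['ptr']} forward={r['forward']}")
```

<p>Run as a script it prints one line per SPF mechanism: the Mailchimp address passes, the stale PTR reports forward_mismatch, the address with no PTR reports no_ptr, the IPv6 address passes, and the /16 is reported rather than walked. For live use, replace sample_resolver with a function that queries real DNS (for instance dnspython's dns.resolver.resolve(name, rrtype), calling .to_text() on each answer and stripping the quotes from TXT strings); this complements the Mail Check reporting the post describes by letting you confirm a fix as soon as the record is published.</p> <p><span style="font-weight: 400">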
Spammers are more likely to use short lived domains for sending, and spoof IP addresses, meaning they won’t be able to get valid PTR records in place.</span></p> <p><span style="font-weight: 400">A lack of good PTR records won’t always cause an email to be rejected, but it adds to the overall spam score and could be the thing that tips a message into the spam folder.</span></p> <h3><b>PTR in government</b></h3> <p><span style="font-weight: 400">Improving email security is a collective effort in the UK Government, across teams including the Government Security Group in Cabinet Office, the National Cyber Security Centre (NCSC), us in the Central Digital and Data Office (CDDO), and the Government Security Centre for Cyber. We also get help with implementation in the local sector from Information Security for London (ISfL).</span></p> <p><span style="font-weight: 400">Across these organisations we’ve looked at email sending IP addresses and at IP addresses in Sender Policy Framework (SPF) records. These records list the email sending sources approved to send email for a domain. A review of SPF records across the sector shows there are problems. Many include email sending services that are out of use, or have changed IP addresses.</span></p> <p><span style="font-weight: 400">It is vital that genuine messages from government to citizens are delivered, so in CDDO, NCSC, and ISfL we’ve been doing some outreach to the organisations explaining the problem and providing help on how to fix it.</span></p> <h3><b>Identifying the problem</b></h3> <p><span style="font-weight: 400">Spotting when a PTR record is missing or broken can be difficult, particularly if you don’t have great visibility of the services you use to send email. People in your organisation may notice email failing to deliver. 
It could be when they send from a particular source, like a mailing list service, or when they send to a particular provider like Google or Yahoo.</span></p> <p><span style="font-weight: 400">If you’re signed up to the </span><a href="https://www.ncsc.gov.uk/information/mailcheck"><span style="font-weight: 400">NCSC’s Mail Check service</span></a><span style="font-weight: 400"> (and if you look after email for a public sector organisation you definitely should be) you can send them your </span><a href="https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc"><span style="font-weight: 400">DMARC</span></a><span style="font-weight: 400"> reports. Mail Check can tell you where problems lie, and specifically calls out when PTR records aren’t set up correctly.</span></p> <h3><b>Looking up PTR records</b></h3> <p><span style="font-weight: 400">You can also check your records for yourself. If you have an IP address in your SPF record that’s a good place to start. 
You can use </span><a href="https://en.wikipedia.org/wiki/Dig_(command)"><span style="font-weight: 400">dig</span></a><span style="font-weight: 400"> (the Domain Information Groper) or a web-based dig-like tool such as the </span><a href="https://toolbox.googleapps.com/apps/dig/"><span style="font-weight: 400">Google Admin toolbox</span></a><span style="font-weight: 400"> or </span><a href="https://www.digwebinterface.com/"><span style="font-weight: 400">Dig web interface</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">Enter the IP address of your sending email service and look up the PTR record:</span></p> <div class="highlight"> <pre>dig -x <your_ip_address></pre> </div> <p><span style="font-weight: 400">and it should return a PTR record under in-addr.arpa (or under ip6.arpa for an IPv6 address) pointing to a hostname.</span></p> <p><span style="font-weight: 400">For example, Mailchimp sends some of its email on behalf of customers from 148.105.10.6. If we look up the PTR record for this:</span></p> <div class="highlight"> <pre>dig -x 148.105.10.6</pre> </div> <p><span style="font-weight: 400">we get:</span></p> <div class="highlight"> <pre>6.10.105.148.in-addr.arpa. 86400 IN PTR mail6.sea172.mcdlv.net.</pre> </div> <p><span style="font-weight: 400">If we then look up the A record for mail6.sea172.mcdlv.net:</span></p> <div class="highlight"> <pre>dig a mail6.sea172.mcdlv.net</pre> </div> <p><span style="font-weight: 400">we get:</span></p> <div class="highlight"> <pre>mail6.sea172.mcdlv.net. 86400 IN A 148.105.10.6</pre> </div> <p><span style="font-weight: 400">So the IP address points to a valid hostname AND that hostname points back to the same IP address. This tells us that the hostname and the IP address are linked and under some level of shared control, making email sent from this address more trustworthy. If the PTR record is missing, or the hostname’s A record points somewhere else, the check fails.</span></p> <h3><b>What is in-addr.arpa?</b></h3> <p><span style="font-weight: 400">in-addr.arpa domains are delegated to the owners of a network range. The owner of the IP address range also controls the DNS of the corresponding in-addr.arpa domain and can create DNS records on it, including the all-important PTR record.</span></p> <h3><b>Fixing the problem</b></h3> <p><span style="font-weight: 400">If you find an IP address that doesn’t have a working PTR record somewhere in your email sending services, you can look up the owner with the WHOIS command:</span></p> <div class="highlight"> <pre>whois <your_ip_address></pre> </div> <p><span style="font-weight: 400">or use a </span><a href="https://lookup.icann.org/en/lookup"><span style="font-weight: 400">web-based WHOIS lookup</span></a><span style="font-weight: 400">. 
For example, looking up the IP 148.105.10.6 again tells us it is delegated by ARIN (the </span><a href="https://www.arin.net/"><span style="font-weight: 400">American Registry for Internet Numbers</span></a><span style="font-weight: 400">) to Mailchimp. There are five </span><a href="https://en.wikipedia.org/wiki/Regional_Internet_registry"><span style="font-weight: 400">Regional Internet Registries</span></a><span style="font-weight: 400"> (RIRs) providing Internet resource allocations, registration services and coordination activities for the internet. The RIR only records who holds the range; the PTR record itself has to be added by that holder, not by the RIR. </span></p> <p><span style="font-weight: 400">Once you know who owns the IP address you’ll need to contact them and ask them to put the PTR record in place. Some larger organisations or service providers may own their own IP addresses. Others may be owned by an Internet Service Provider and leased to the organisation running the email service. Whoever owns it, they’ll need to add the record. This is a standard part of running a reliable email service and should always be provided.</span></p> <h3><strong>Read my previous blog posts</strong></h3> <ul> <li style="font-weight: 400"><a href="https://technology.blog.gov.uk/2024/02/16/how-our-domains-data-sharing-beta-aims-to-reduce-domain-vulnerabilities/"><span style="font-weight: 400">How our Domains Data Sharing beta aims to reduce domain vulnerabilities</span></a></li> <li style="font-weight: 400"><a href="https://technology.blog.gov.uk/2023/05/10/weve-removed-98-gsi-family-domains-from-the-public-sector/"><span style="font-weight: 400">We’ve removed 98% of gsi-family domains from the public sector</span></a></li> <li style="font-weight: 400"><a href="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/"><span style="font-weight: 400">Removing gsi-family domains from the public sector</span></a></li> </ul> ]]></content> </entry> <entry> <author> <name>Nick Woodcraft, Domains Product Owner, CDDO</name> </author> <title 
type="html"><![CDATA[How our Domains Data Sharing beta aims to reduce domain vulnerabilities]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2024/02/16/how-our-domains-data-sharing-beta-aims-to-reduce-domain-vulnerabilities/" /> <id>https://technology.blog.gov.uk/?p=5097</id> <updated>2024-02-16T14:20:06Z</updated> <published>2024-02-16T14:20:06Z</published> <category scheme="https://technology.blog.gov.uk" term="News" /> <summary type="html"><![CDATA[Every organisation has vulnerabilities in its digital infrastructure, including in its Domain Name System (DNS). In the Protecting Public Sector Domains team in the Central Digital and Data Office (CDDO) we work to identify and fix those vulnerabilities before our …]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2024/02/16/how-our-domains-data-sharing-beta-aims-to-reduce-domain-vulnerabilities/"><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5099" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359.jpg" alt="DNS Domain Name System Concept photography" width="6000" height="4000" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359.jpg 6000w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359-300x200.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359-1024x683.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359-768x512.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359-1536x1024.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2024/02/shutterstock_2165242359-2048x1365.jpg 2048w" sizes="auto, (max-width: 6000px) 100vw, 6000px" /></p> <p><span style="font-weight: 400">Every organisation has vulnerabilities in its digital 
infrastructure, including in its Domain Name System (DNS). In the Protecting Public Sector Domains team in the Central Digital and Data Office (CDDO) we work to identify and fix those vulnerabilities before our adversaries find them. We’d also like to do that for other kinds of vulnerabilities, related to email and web services. This isn’t easy, but it’s a goal we’re working towards.</span></p> <p><span style="font-weight: 400">Our monitoring tools find misconfiguration and vulnerability data from a variety of services, and we’re gradually expanding our scope and capability. Once we have the data, we have found the hardest part is getting the information into the hands of the person who can fix it.</span></p> <p><span style="font-weight: 400">To that end we are running a Domain Data Sharing programme to send the vulnerability data we collect directly to public sector organisations via their SIEM (Security Information and Event Management) or other systems. </span></p> <h3><b>SIEM on the rise, tracking is hard: what we learnt during discovery</b></h3> <p><span style="font-weight: 400">Last year, we ran a discovery programme to look for a way to share <em>all </em>our vulnerability data, not just the biggest and most urgent problems. We talked to people in public sector organisations who manage and fix domain issues, or operate vulnerability management or other teams that work every day to fix these kinds of problems. 
We found that:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">knowing what domains an organisation has and who controls them is surprisingly hard</span></li> <li style="font-weight: 400"><span style="font-weight: 400">it can take longer to find the person who can fix the vulnerability, than it does to fix the vulnerability itself</span></li> <li style="font-weight: 400"><span style="font-weight: 400">lots of organisations lack a consistent approach to handling vulnerabilities - they come in different formats and from different sources, and different parts of the organisation need to fix them depending on what they are</span></li> <li style="font-weight: 400"><span style="font-weight: 400">some processes for managing vulnerabilities are new, or more informal, and the process can be hard to track</span></li> <li style="font-weight: 400"><span style="font-weight: 400">lots of people like the National Cyber Security Centre’s </span><a href="https://www.ncsc.gov.uk/section/active-cyber-defence/services"><span style="font-weight: 400">Active Cyber Defence (ACD) services</span></a><span style="font-weight: 400">, and that is where they expect to go to find out about misconfigurations and vulnerabilities</span></li> <li style="font-weight: 400"><span style="font-weight: 400">lots of people also like someone to get in touch and tell them directly when something is wrong</span></li> </ul> <p><span style="font-weight: 400">We also found that SIEM adoption is growing. These are systems that collect and analyse data from different sources like network devices or servers, and external feeds like ours, and use them to spot security issues. 
These are toolsets that can handle the volume of data we offer in a way that’s useful to our users.</span></p> <h3><b>Launching our Domain Data Sharing beta programme</b></h3> <p><span style="font-weight: 400">In light of what we learnt during the discovery phase, we now have a Domain Data Sharing beta programme running that will:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">set up SIEM integrations, so we can get data to where it can be acted on most quickly</span></li> <li style="font-weight: 400"><span style="font-weight: 400">set up DNS hosting integrations, so we know what domains you have, and make sure we're monitoring everything</span></li> <li style="font-weight: 400"><span style="font-weight: 400">work with your organisation to map out the business processes used to handle vulnerabilities, and help you improve them if needed</span></li> </ul> <p><span style="font-weight: 400">We’re also working with NCSC to include our data in ACD services in the future.</span></p> <div class="highlight"> <h3><b>Join our beta and explore your organisation’s domain vulnerabilities </b></h3> <p><span style="font-weight: 400">So if you have struggled with the kind of problems we found in our discovery, or you'd just like to get a free feed of domain, web, and email vulnerabilities for your public sector organisation, we’d like you to join our Domain Data Sharing beta programme. 
Get in touch with us at </span><a href="mailto:support@domains.gov.uk"><span style="font-weight: 400">support@domains.gov.uk</span></a><span style="font-weight: 400"> to sign up.</span></p> </div> ]]></content> </entry> <entry> <author> <name>Claudia Chiurlia, Delivery Manager, Central Digital and Data Office</name> </author> <title type="html"><![CDATA[Navigating Microsoft 365 guidance for UK government digital, data and technology professionals]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2023/10/05/navigating-microsoft-365-guidance-for-uk-government-digital-data-and-technology-professionals/" /> <id>https://technology.blog.gov.uk/?p=5040</id> <updated>2023-10-20T13:55:53Z</updated> <published>2023-10-05T13:50:02Z</published> <category scheme="https://technology.blog.gov.uk" term="Tools" /><category scheme="https://technology.blog.gov.uk" term="Transformation" /> <summary type="html"><![CDATA[In an unprecedented age where secure and efficient collaboration is paramount, the Central Digital and Data Office has taken a significant stride forward by collaborating with Microsoft and the National Cyber Security Centre (NCSC) to develop comprehensive guidance for the …]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2023/10/05/navigating-microsoft-365-guidance-for-uk-government-digital-data-and-technology-professionals/"><![CDATA[<p><img loading="lazy" decoding="async" class="aligncenter wp-image-5042 size-large" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/10/CDDO-Blog-Featured-Image-template-19-1024x535.png" alt="3d fingerprint cyber secure icon. Digital security authentication concept. 
" width="620" height="324" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/10/CDDO-Blog-Featured-Image-template-19-1024x535.png 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/10/CDDO-Blog-Featured-Image-template-19-300x157.png 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/10/CDDO-Blog-Featured-Image-template-19-768x401.png 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/10/CDDO-Blog-Featured-Image-template-19.png 1200w" sizes="auto, (max-width: 620px) 100vw, 620px" /></p> <p><span style="font-weight: 400">In an unprecedented age where secure and efficient collaboration is paramount, <a href="https://www.gov.uk/government/organisations/central-digital-and-data-office">the Central Digital and Data Office</a> has taken a significant stride forward by collaborating with Microsoft and the National Cyber Security Centre (NCSC) to develop comprehensive guidance for the UK government organisations that are using Microsoft 365. </span></p> <p><span style="font-weight: 400">The guidance has been designed by digital, data and technology professionals across government to empower and support each other in alignment with the Mission Four: Efficient, Secure and Sustainable Technology of the 2022 to 2025 roadmap: Transforming for a digital future.</span></p> <p><span style="font-weight: 400">This blog outlines three pieces of guidance available that are key to enhancing </span><b>secure configuration, external collaboration and information protection </b><span style="font-weight: 400">within the Microsoft 365 environment.</span></p> <h3><strong>1. 
Secure Configuration Alignment for Enhanced Security</strong></h3> <p><span style="font-weight: 400">The </span><a href="https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government#microsoft-365-configuration-guidance-for-uk-government-secure-configuration-blueprint"><b>Microsoft 365 Guidance for UK Government: Secure Configuration Alignment</b></a><span style="font-weight: 400"> guides government departments on how to securely configure their Microsoft 365 Platform in alignment with the latest NCSC advice in the journey towards fortified cybersecurity. </span></p> <p><span style="font-weight: 400">By adhering to these guidelines, digital, data and technology professionals can understand how the features and capabilities in Microsoft 365 can be used to ensure that a common bar has been achieved for their tenant and promote a secure digital ecosystem. </span></p> <h3><strong>2. Fostering cross-government collaboration</strong></h3> <p><span style="font-weight: 400">It is no surprise that collaboration lies at the heart of modern government operations. The </span><a href="https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government#microsoft-365-configuration-guidance-for-uk-government-external-collaboration"><b>Microsoft 365 Guidance for UK Government: External Collaboration</b></a><span style="font-weight: 400"> is a huge step forwards for colleagues who rely on effective collaboration and rapid communication with teams across HM government. </span></p> <p><span style="font-weight: 400">This guidance provides a baseline configuration for the Microsoft 365 platform enabling key features such as real-time file sharing and co-authoring across government departments, efficient meeting scheduling through free-busy calendar sharing, consistent instant messaging (IM), video conferencing and the creation of cross-governmental Microsoft Teams sites. 
</span></p> <p><span style="font-weight: 400">This blueprint not only streamlines communication, but also paves the way for more efficient and impactful cross-department collaboration. </span></p> <h3><strong>3. Safeguarding information with precision</strong></h3> <p><span style="font-weight: 400">In an era of data-driven governance, safeguarding sensitive information is non-negotiable. </span></p> <p><span style="font-weight: 400">The </span><a href="https://www.gov.uk/guidance/microsoft-365-guidance-for-uk-government#microsoft-365-configuration-guidance-for-uk-government-information-protection"><b>Microsoft 365 Guidance for UK Government: Information Protection</b></a><span style="font-weight: 400"> sets forth a standard configuration for sensitivity labels and data loss prevention. This guidance caters to organisations aiming to implement the OFFICIAL tier of the updated </span><a href="https://www.gov.uk/government/publications/government-security-classifications/government-security-classifications-policy-html"><span style="font-weight: 400">Government Security Classification Policy</span></a><span style="font-weight: 400"> (GSCP) using Microsoft Purview, a part of the Microsoft 365 suite. </span></p> <p><span style="font-weight: 400">By adhering to this guidance, government departments can confidently navigate the intricacies of data protection while harnessing the full potential of their information assets.</span></p> <div class="highlight"> <h3><strong>Taking your next steps</strong></h3> <p><span style="font-weight: 400">For digital, data and technology colleagues navigating the implementation of our Microsoft 365 guidance within the UK Government, assistance and insights are just an email away. 
Connect with the dedicated OneIT team at </span><a href="mailto:oneit@digital.cabinet-office.gov.uk"><span style="font-weight: 400">oneit@digital.cabinet-office.gov.uk</span></a><span style="font-weight: 400"> for tailored support and clarifications.</span></p> <p><span style="font-weight: 400">For those curious about the integration of these guidelines within your department, your IT Department is perfectly placed to provide further details. Reach out to them to learn about the plans and strategies for adopting the Microsoft 365 guidance, tailored to the UK government. </span></p> <p><span style="font-weight: 400">Stay informed and engaged as your department takes strides towards secure and efficient collaboration.</span></p> </div> ]]></content> </entry> <entry> <author> <name>Ollie N, Head of Vulnerability Management, National Cyber Security Centre</name> </author> <title type="html"><![CDATA[Advocating security.txt across UK government]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2023/08/10/advocating-security-txt-across-uk-government/" /> <id>https://technology.blog.gov.uk/?p=5033</id> <updated>2023-08-10T11:44:53Z</updated> <published>2023-08-10T11:44:53Z</published> <category scheme="https://technology.blog.gov.uk" term="Data" /><category scheme="https://technology.blog.gov.uk" term="Open Standards" /><category scheme="https://technology.blog.gov.uk" term="Security" /> <summary type="html"><![CDATA[Publishing a security.txt file to help finders report vulnerabilities has now been championed for use across government following endorsement by the Open Standards Board and the Data Standards Authority’s Steering Board.]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2023/08/10/advocating-security-txt-across-uk-government/"><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-5035 size-large" 
src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-1024x617.jpg" alt="" width="620" height="374" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-1024x617.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-300x181.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-768x462.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-1536x925.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/08/shutterstock_1931787956-2048x1233.jpg 2048w" sizes="auto, (max-width: 620px) 100vw, 620px" /></p> <p><span style="font-weight: 400">Technology has revolutionised every aspect of our society and our economy, including the way that we deliver our public services, helping to make people’s lives easier and safer. Security vulnerabilities are discovered all the time online and people want to be able to report them directly to the organisation responsible. That’s why we are advocating for the use of security.txt as a standardised way of doing just that. One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. </span></p> <p><span style="font-weight: 400">Security.txt describes a text file that advertises the organisation’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability. 
It is a voluntary standard for internet users set by the </span><a href="https://www.ietf.org/about/introduction/"><span style="font-weight: 400">Internet Engineering Task Force</span></a><span style="font-weight: 400"> (RFC 9116).</span></p> <p><span style="font-weight: 400">Security.txt will serve the government in its aim to become more resilient in its online security by making it easier for anyone to report vulnerabilities they have found. Quick, easy and secure reporting directly to the affected department speeds up the triage and remediation time and reduces the risk of compromise, such as reporting of a vulnerable web server so it can be remediated before being exploited. The security.txt was </span><a href="https://alphagov.github.io/data-standards-authority/standards/"><span style="font-weight: 400">endorsed</span></a><span style="font-weight: 400"> by the Data Standards Authority in March 2023.</span></p> <p><b>Benefits to government departments & finders</b></p> <p><span style="font-weight: 400">The ability to receive, respond and ultimately fix a reported vulnerability is essential to providing secure products and services. Being open to receiving vulnerability reports helps departments engage constructively with those who find them - ‘finders’. Engaging with finders can be a source of valuable information that would otherwise be missed or require additional time and effort to discover.</span></p> <p><b>Vulnerability disclosure policy</b></p> <p><span style="font-weight: 400">Departments should define what they expect from someone reporting a vulnerability, as well as what they will do in response, by providing a clear policy. 
This enables the department and the finder to confidently work within an agreed framework.</span></p> <p><span style="font-weight: 400">In its basic form, a vulnerability disclosure policy should contain the following information:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">how you want to be contacted</span></li> <li style="font-weight: 400"><span style="font-weight: 400">secure communication options (for example, a secure web form)</span></li> <li style="font-weight: 400"><span style="font-weight: 400">what information to include in the report</span></li> <li style="font-weight: 400"><span style="font-weight: 400">what the finder should expect to happen</span></li> <li style="font-weight: 400"><span style="font-weight: 400">guidance on what is in and out of scope for the finder to do in finding vulnerabilities</span></li> </ul> <p><b>How to implement security.txt</b></p> <p><span style="font-weight: 400">Security.txt is a plaintext file that should be published in the “/.well-known” directory of the domain root.</span></p> <p><span style="font-weight: 400">The file contains three key fields:</span><span style="font-weight: 400"> </span></p> <p><span style="font-weight: 400">CONTACT: How finders should report vulnerabilities. For example, email or secure web form.</span></p> <p><span style="font-weight: 400">POLICY: A link to the department’s vulnerability disclosure policy.</span></p> <p><span style="font-weight: 400">EXPIRES: Indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used. The value of this field is formatted according to the Internet profile of [ISO.8601] as defined in [RFC3339]. 
It is recommended that the value of this field be less than a year into the future to avoid staleness.</span></p> <p><span style="font-weight: 400">The ENCRYPTION field is optional and should link to the PGP public key you wish to be used for encrypted communication.</span></p> <div class="highlight"> <p><span style="font-weight: 400">The National Cyber Security Centre (NCSC) has published <a href="https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit">the NCSC Vulnerability Disclosure Toolkit</a> that provides information on how to implement security.txt as well as an example vulnerability disclosure policy.</span></p> </div> ]]></content> </entry> <entry> <author> <name>Nick Woodcraft, Domains Product Owner, CDDO</name> </author> <title type="html"><![CDATA[We’ve removed 98% of gsi-family domains from the public sector]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2023/05/10/weve-removed-98-gsi-family-domains-from-the-public-sector/" /> <id>https://technology.blog.gov.uk/?p=5025</id> <updated>2023-05-10T15:38:26Z</updated> <published>2023-05-10T14:42:24Z</published> <category scheme="https://technology.blog.gov.uk" term="News" /> <summary type="html"><![CDATA[An important update on work to remove gsi-family domains from the public sector including what to do if you believe you still have an active domain. 
]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2023/05/10/weve-removed-98-gsi-family-domains-from-the-public-sector/"><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5026" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/05/gsi-family-blog.png" alt="Photo of plug socket with post it saying 'Please switch off after use'" width="512" height="366" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/05/gsi-family-blog.png 512w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/05/gsi-family-blog-300x214.png 300w" sizes="auto, (max-width: 512px) 100vw, 512px" /></p> <p><span style="font-weight: 400">We posted previously about </span><a href="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/"><span style="font-weight: 400">our work removing gsi-family domains from the public sector</span></a><span style="font-weight: 400"> and why we are doing it.</span></p> <p><span style="font-weight: 400">This work is now complete and over 3,500 domains have been removed including:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">all gse.gov.uk domains</span></li> <li style="font-weight: 400"><span style="font-weight: 400">all gcsx.gov.uk domains</span></li> <li style="font-weight: 400"><span style="font-weight: 400">all gsx.gov.uk domains</span></li> <li style="font-weight: 400"><span style="font-weight: 400">2533 gsi.gov.uk domains - 83 remain (further details below)</span></li> </ul> <p><span style="font-weight: 400">We will continue to monitor the remaining domains for issues, but this work has removed the bulk of the risk of email spoofing and domain hijacking from misconfiguration for these domains. 
We expect that further work may be required in the future to completely remove gsi.gov.uk and to look at the domains that remain within the PSN (Public Services Network).</span></p> <h2><b>Changes made</b></h2> <p><span style="font-weight: 400">Since our previous blog, we’ve made the following changes:</span></p> <ol> <li style="font-weight: 400"><span style="font-weight: 400">At the end of January 2023 we updated the Domain-based Message Authentication, Reporting and Conformance (</span><a href="https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc"><span style="font-weight: 400">DMARC</span></a><span style="font-weight: 400">) records to block email from any domain without its own DMARC record.</span> </li> <li style="font-weight: 400"><span style="font-weight: 400">At the beginning of March 2023 we suspended domains in the internet-facing zones for 72 hours to help identify any remaining services.</span> </li> <li style="font-weight: 400"><span style="font-weight: 400">At the beginning of April 2023 we permanently removed the internet-facing zones for gse.gov.uk, gcsx.gov.uk and gsx.gov.uk and the domains they contained. Most .gsi.gov.uk domains were also removed but a small number remain.</span></li> </ol> <p><span style="font-weight: 400">Please note that no PSN-facing zones were changed during this work.</span></p> <h2><b>What to do if you still have gsi-family domains</b></h2> <p><span style="font-weight: 400">There are 83 .gsi.gov.uk domains remaining. If you still have one of these domains you should take steps now to remove it. If it still works for email, we recommend you change settings to start rejecting inbound email. 
You can also choose to include a bounce-back message giving senders the correct address.</span></p> <p><span style="font-weight: 400">You should also check public facing websites or documentation for mentions of gsi-family domains and remove them.</span></p> <div class="highlight"> <p><span style="font-weight: 400">If you have any questions around this work or need advice on removing a domain get in touch with us at </span><a href="mailto:support@domains.gov.uk"><span style="font-weight: 400">support@domains.gov.uk</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">If you have a domain that has been suspended or removed as part of this work and you need it restored contact Nominet directly on </span><a href="mailto:psnsupport@nominet.uk"><span style="font-weight: 400">psnsupport@nominet.uk</span></a><span style="font-weight: 400"> or 01865 332493.</span></p> </div> ]]></content> </entry> <entry> <author> <name>Nick Woodcraft, Domains Product Owner, CDDO</name> </author> <title type="html"><![CDATA[Removing gsi-family domains from the public sector]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/" /> <id>https://technology.blog.gov.uk/?p=5003</id> <updated>2023-03-29T08:41:53Z</updated> <published>2023-01-20T14:07:55Z</published> <category scheme="https://technology.blog.gov.uk" term="News" /> <summary type="html"><![CDATA[Public sector organisations are no longer using gsi-family domains and therefore they are scheduled for removal by the beginning of April. Read this post to find out more. 
]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/"><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-large wp-image-5005" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-1024x731.jpg" alt="Image of plug socket with post it saying 'please switch off after use'" width="620" height="443" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-1024x731.jpg 1024w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-300x214.jpg 300w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-768x548.jpg 768w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-1536x1096.jpg 1536w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2023/01/PXL_20230109_165213963-2048x1461.jpg 2048w" sizes="auto, (max-width: 620px) 100vw, 620px" /></p> <p>Last updated: 29 March 2023</p> <div class="highlight"> <p><span style="font-weight: 400">Most gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) are scheduled for removal from their internet-facing zones by the beginning of April.</span></p> </div> <p><span style="font-weight: 400">A core pillar of the </span><a href="https://www.gov.uk/government/publications/roadmap-for-digital-and-data-2022-to-2025/transforming-for-a-digital-future-2022-to-2025-roadmap-for-digital-and-data"><span style="font-weight: 400">Transforming for a Digital Future strategy</span></a><span style="font-weight: 400"> is delivering efficient, secure and sustainable technology, and, at CDDO’s </span><span style="font-weight: 400">Securing Government Services</span><span style="font-weight: 400"> team <a href="https://cddo.blog.gov.uk/2022/11/15/is-it-time-to-retire-the-gb-top-level-domain/">we're working hard to clean up and remove 
legacy services</a>. </span></p> <p><span style="font-weight: 400">Some public sector organisations have previously used .gsi.gov.uk, x.gsi.gov.uk, .gsx.gov.uk, .gse.gov.uk and .gcsx.gov.uk to email each other in a secure way. However, the </span><a href="https://www.gov.uk/guidance/securing-government-email"><span style="font-weight: 400">current email standards and guidance</span></a><span style="font-weight: 400"> mean they can now get better security by sending the same email over the internet rather than using the Public Services Network (PSN).</span></p> <p><span style="font-weight: 400">The PSN, where these gsi-family domains were used, is in the </span><a href="https://www.gov.uk/guidance/future-networks-for-government-fn4g"><span style="font-weight: 400">process of being wound down</span></a><span style="font-weight: 400">, and </span><a href="https://www.gov.uk/government/publications/changing-government-email-migrating-from-gsi/changing-government-email-migrating-from-gsi"><span style="font-weight: 400">we officially stopped using these domains in 2019</span></a><span style="font-weight: 400">. Meanwhile, the PSN email relay they depended on was shut down in 2021.</span></p> <h2><b>The end of gsi-family domains</b></h2> <p><span style="font-weight: 400">People are reluctant to remove old domain names, often because they are concerned there might be a forgotten service that depends on the domain. This means these old domains can get neglected and become vulnerable to spoofing and malicious attacks.</span></p> <p><span style="font-weight: 400">Many gsi-family domains still exist in both internet and PSN-facing zones. Most are dormant, some are misconfigured, and all are targeted heavily for email spoofing. 
As a result <b>we plan to remove most of the internet-facing zones entirely at the beginning of April</b></span><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">As a starting point we’ve added more protection to reduce the impact, in the form of </span><a href="https://www.gov.uk/government/publications/email-security-standards/domain-based-message-authentication-reporting-and-conformance-dmarc"><span style="font-weight: 400">DMARC</span></a><span style="font-weight: 400"> records to protect the apex domains and prevent the spoofing of domains that don’t exist. DMARC records tell the receiving email service what the legitimate senders are for that domain. If an email comes from somewhere else it gets marked as spam.</span></p> <h2><b>Timeline for changes</b></h2> <ol> <li style="font-weight: 400"><span style="font-weight: 400">At the end of January 2023 we updated the DMARC records to block email from any domain without its own DMARC record.</span></li> <li style="font-weight: 400"><span style="font-weight: 400">At the beginning of March we suspended domains in the internet-facing zones for 72 hours to help identify any remaining services.<br /> Start of suspension: 10am Monday 6th March 2023<br /> End of suspension: 10am Thursday 9th March 2023</span></li> <li style="font-weight: 400"><span style="font-weight: 400">On the 3rd April at 10am we’ll permanently remove the internet-facing zones and the domains they contain.</span></li> </ol> <div class="highlight"> <p><span style="font-weight: 400">This blog previously stated we would suspend and remove PSN-facing zones in addition to the internet-facing zones. This is no longer the case, although we will review the option to do this in the future.</span></p> </div> <p><span style="font-weight: 400">Most of the domains appear to be dead already, pointing to services that do not exist or reject queries. It is possible there are still some dependencies we don’t know about. 
Email may be being routed through to modern systems to provide continuity for old addresses.</span></p> <h2><b>What to do if you think you have gsi-family domains</b></h2> <p><span style="font-weight: 400">If you still have one of these domains and it still works for email, start rejecting inbound email. You can also choose to include a bounce-back message giving senders the correct address. It will be removed at the beginning of April so it would be good to give anyone still using it some notice.</span></p> <p><span style="font-weight: 400">You should also check public facing websites or documentation for mentions of gsi-family domains and remove them.</span></p> <p><span style="font-weight: 400">We have identified a small number of domains that are operating internet facing services that can't yet migrate to a new domain. We have excluded these domains from the suspension and removal process.</span></p> <p><span style="font-weight: 400">If you have a domain you think you will need beyond the beginning of April, get in touch with us now at </span><a href="mailto:support@domains.gov.uk"><span style="font-weight: 400">support@domains.gov.uk</span></a><span style="font-weight: 400"> so we can work out a solution.</span></p> <p><span style="font-weight: 400">If you have a domain that has been suspended or removed as part of this work and you need it restored contact Nominet directly on </span><a href="mailto:psnsupport@nominet.uk"><span style="font-weight: 400">psnsupport@nominet.uk</span></a><span style="font-weight: 400"> or 01865 332493.</span></p> ]]></content> <link rel="replies" type="text/html" href="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/#comments" thr:count="4" /> <link rel="replies" type="application/atom+xml" href="https://technology.blog.gov.uk/2023/01/20/removing-gsi-family-domains-from-the-public-sector/feed/" thr:count="4" /> <thr:total>4</thr:total> </entry> <entry> <author> <name>Agatha Blake, 
Programme Delivery Manager, CDDO, Cabinet Office</name> </author> <title type="html"><![CDATA[Help shape the future of FN4G]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2022/11/07/help-shape-the-future-of-fn4g/" /> <id>https://technology.blog.gov.uk/?p=4978</id> <updated>2022-11-07T11:54:31Z</updated> <published>2022-11-07T16:00:37Z</published> <category scheme="https://technology.blog.gov.uk" term="Event" /><category scheme="https://technology.blog.gov.uk" term="News" /><category scheme="https://technology.blog.gov.uk" term="Security" /><category scheme="https://technology.blog.gov.uk" term="Tools" /><category scheme="https://technology.blog.gov.uk" term="domains" /><category scheme="https://technology.blog.gov.uk" term="security" /><category scheme="https://technology.blog.gov.uk" term="user needs" /> <summary type="html"><![CDATA[The Future Network for Government programme is launching pre-market engagement and industry consultation to help determine future ways of working - here the FN4G team explains the plans and announces a launch event.]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2022/11/07/help-shape-the-future-of-fn4g/"><![CDATA[<p><div id="attachment_4991" style="width: 623px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-4991" class="wp-image-4991 size-full" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2022/10/network_cables.jpg" alt="Purple cables with yellow and green markings plugged into networking equipment" width="613" height="420" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2022/10/network_cables.jpg 613w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2022/10/network_cables-300x206.jpg 300w" sizes="auto, (max-width: 613px) 100vw, 613px" /><p id="caption-attachment-4991" class="wp-caption-text">Photo credit: Possessed Photography on Unsplash</p></div></p> <p><span 
style="font-weight: 400">The Future Networks for Government (FN4G) team, part of the Cabinet Office’s Central Digital and Data Office (CDDO), is helping </span><a href="https://technology.blog.gov.uk/2019/09/09/the-vision-for-the-future-networks-for-government-fn4g-programme/"><span style="font-weight: 400">organisations to migrate away from the Public Services Network</span></a><span style="font-weight: 400"> (PSN) as it’s increasingly hard to secure. The team is encouraging organisations to migrate to modern network solutions, which offer more competitive commercial terms as well as greater flexibility and scalability.</span></p> <h2><strong>Consulting with industry and our users </strong></h2> <p><span style="font-weight: 400">To help us get a better picture of what our users and suppliers need, we’re running a pre-market engagement and industry consultation. We’re partnering with </span><a href="https://www.innopsis.uk/"><span style="font-weight: 400">Innopsis</span></a><span style="font-weight: 400">, which will run the pre-market engagement and coordinate the consultation with industry.</span></p> <p><span style="font-weight: 400">We’ll discuss, test, and iterate technical models, service models, and different ways of working. 
We hope the outcome will mean PSN users can improve their network security posture and implement a more modern network and telecommunications services environment.</span></p> <p><span style="font-weight: 400">More specifically, we want the pre-market engagement process to:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">define architectural market models for FN4G that are able to realise the goals and requirements of the FN4G programme for the customers and the suppliers</span></li> <li style="font-weight: 400"><span style="font-weight: 400">be collaborative, open, and iterative</span></li> <li style="font-weight: 400"><span style="font-weight: 400">minimise upfront investment costs for both buyers and suppliers </span></li> <li style="font-weight: 400"><span style="font-weight: 400">take a default position to align with existing policies, principles, and processes - wherever a recommendation exists the work groups will conduct a cost-benefit analysis to show that any impact is justified</span></li> </ul> <p><span style="font-weight: 400">We’ll be looking into setting up work groups jointly chaired by the Cabinet Office and Innopsis. 
Initially focusing on 4 areas - technical, transition and commercial, security, and service management - the work groups will make sure the pre-market engagement meets its deadlines.</span></p> <p><span style="font-weight: 400">The work groups will also be responsible for:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">concluding a manageable and meaningful set of proposals </span></li> <li style="font-weight: 400"><span style="font-weight: 400">providing a clear rationale for decisions made, suggested changes adopted and suggested changes not adopted</span></li> <li style="font-weight: 400"><span style="font-weight: 400">providing a clear view for each proposal of what will be defined as a success</span></li> </ul> <p><span style="font-weight: 400">We’ll also be setting up a steering committee to coordinate activities across the work groups, and take overall responsibility for taking these proposals forward to the Cabinet Office for final approval. </span></p> <h2><strong>Sign up to our pre-market engagement event</strong></h2> <p><span style="font-weight: 400">We’ll be hosting a pre-market engagement launch event where you can learn more about FN4G, what it will mean for future public sector networking and telecommunications procurements, and how you can shape it.</span></p> <div class="highlight"><span style="font-weight: 400">The online event will be held at 11.00am on 15 November. 
You can register for the event <a href="https://www.innopsis.uk/engagements/fn4g">here</a>.</span></div> ]]></content> <link rel="replies" type="text/html" href="https://technology.blog.gov.uk/2022/11/07/help-shape-the-future-of-fn4g/#comments" thr:count="1" /> <link rel="replies" type="application/atom+xml" href="https://technology.blog.gov.uk/2022/11/07/help-shape-the-future-of-fn4g/feed/" thr:count="1" /> <thr:total>1</thr:total> </entry> <entry> <author> <name>Terence Eden</name> </author> <title type="html"><![CDATA[Solving an interesting problem with Sender Policy Framework records]]></title> <link rel="alternate" type="text/html" href="https://technology.blog.gov.uk/2022/07/11/solving-an-interesting-problem-with-sender-policy-framework-records/" /> <id>https://technology.blog.gov.uk/?p=4970</id> <updated>2022-07-11T15:33:08Z</updated> <published>2022-07-11T12:52:36Z</published> <category scheme="https://technology.blog.gov.uk" term="Security" /><category scheme="https://technology.blog.gov.uk" term="domains" /><category scheme="https://technology.blog.gov.uk" term="email" /><category scheme="https://technology.blog.gov.uk" term="security" /> <summary type="html"><![CDATA[The Securing Government Services team found and fixed a curious problem regarding email security]]></summary> <content type="html" xml:base="https://technology.blog.gov.uk/2022/07/11/solving-an-interesting-problem-with-sender-policy-framework-records/"><![CDATA[<p><img loading="lazy" decoding="async" class="aligncenter wp-image-4043 size-full" src="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2019/06/47994682357_cf5fe5e569_z.jpg" alt="Code on a laptop" width="640" height="427" srcset="https://technology.blog.gov.uk/wp-content/uploads/sites/31/2019/06/47994682357_cf5fe5e569_z.jpg 640w, https://technology.blog.gov.uk/wp-content/uploads/sites/31/2019/06/47994682357_cf5fe5e569_z-300x200.jpg 300w, 
https://technology.blog.gov.uk/wp-content/uploads/sites/31/2019/06/47994682357_cf5fe5e569_z-435x290.jpg 435w" sizes="auto, (max-width: 640px) 100vw, 640px" /></p> <p><span style="font-weight: 400">The Securing Government Services team at the Central Digital and Data Office recently encountered, and fixed, a small bug with the way some government domains handle their </span><a href="https://www.gov.uk/government/publications/email-security-standards/sender-policy-framework-spf"><span style="font-weight: 400">Sender Policy Framework (SPF) records</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">SPF allows a domain owner to specify which email services are authorised to send email on their behalf. For example, the website </span><span style="font-weight: 400">example.gov.uk</span><span style="font-weight: 400"> might use Outlook for email - so they can create a TXT record in their DNS which says:</span></p> <p><code><span style="font-weight: 400">"v=spf1 include:spf.protection.outlook.com -all"</span></code></p> <p><span style="font-weight: 400">This tells the internet that if someone tries to send an email purporting to come from </span><span style="font-weight: 400">example.gov.uk</span><span style="font-weight: 400">, it will only be valid if it has been sent from the Outlook server. If it comes from a different server, it must be rejected. </span></p> <p><span style="font-weight: 400">This prevents people from sending spoofed emails which impersonate legitimate government services.</span></p> <p><span style="font-weight: 400">SPF records need to be written in a precise format. If the syntax is even slightly different from the specification, the record is invalid and spoofed emails can be delivered.</span></p> <h2><strong>Discovering the problem</strong></h2> <p><span style="font-weight: 400">Our team recently noticed a record which was syntactically correct - but was, somehow, still being marked as invalid. 
This was a serious risk and could have let a malicious actor send emails as though they were from a specific government service.</span></p> <p><span style="font-weight: 400">The SPF record looked like this:</span></p> <p><code><span style="font-weight: 400">"v=spf1 include:example.com include:spfprotectionoutlook.com -all"</span></code></p> <p><span style="font-weight: 400">The SPF checker works on multiple levels. The first is a simple conformance check - that is, seeing if the record is written in the correct syntax. This record was correct.</span></p> <p><span style="font-weight: 400">The second level is to evaluate the included domains. This involves doing a DNS lookup on the domain. And this is where the problem was.</span></p> <p><span style="font-weight: 400">The second domain was misspelt. When a lookup was performed on that domain, it returned an error - NXDOMAIN.</span></p> <p><span style="font-weight: 400">Because this recursive check failed, it resulted in what the specification calls a "permerror" - which means </span><a href="https://datatracker.ietf.org/doc/html/rfc7208#section-8.7"><span style="font-weight: 400">the domain's published records could not be correctly interpreted</span></a><span style="font-weight: 400">.</span></p> <p><span style="font-weight: 400">Even though the record has the correct syntax, and even though other included domains validated correctly, because a single domain didn't exist the </span><i><span style="font-weight: 400">entire</span></i><span style="font-weight: 400"> SPF record failed validation. </span></p> <p><a href="https://datatracker.ietf.org/doc/html/rfc7208"><span style="font-weight: 400">The specification is complicated</span></a><span style="font-weight: 400"> and we had initially expected that a partially matching set of includes would still validate and the SPF would be valid. 
A thorough reading of the specification shows that is not the case.</span></p> <h2>Fixing the issue and lessons learned</h2> <p><span style="font-weight: 400">The issue was fixed by correcting the spelling of the incorrect domain. We do not believe this error was actively exploited by malicious parties.</span></p> <p><span style="font-weight: 400">We learned several lessons from this incident:</span></p> <ul> <li style="font-weight: 400"><span style="font-weight: 400">Domain names in SPF records need to be regularly audited. Domain names can be misspelt or expire - so they will need to be updated.</span></li> <li style="font-weight: 400"><span style="font-weight: 400">The failure mode of SPF can be unexpected. It’s only one tool which can be used to reduce spoofed emails.</span></li> <li style="font-weight: 400"><span style="font-weight: 400">Different mail servers can interpret an SPF permerror differently. Just because one mail system rejects the SPF record, that does not mean all of them will.</span></li> </ul> <p><span style="font-weight: 400">For more information, you can read our guidance on </span><a href="https://www.gov.uk/guidance/set-up-government-email-services-securely"><span style="font-weight: 400">how to set up government email services securely</span></a><span style="font-weight: 400">.</span></p> <div class="highlight"><span style="font-weight: 400">Interested in our work? </span><a href="https://gdscareers.gov.uk/"><span style="font-weight: 400">CDDO is hiring</span></a><span style="font-weight: 400">.</span></div> ]]></content> <link rel="replies" type="text/html" href="https://technology.blog.gov.uk/2022/07/11/solving-an-interesting-problem-with-sender-policy-framework-records/#comments" thr:count="2" /> <link rel="replies" type="application/atom+xml" href="https://technology.blog.gov.uk/2022/07/11/solving-an-interesting-problem-with-sender-policy-framework-records/feed/" thr:count="2" /> <thr:total>2</thr:total> </entry> </feed>