Securing AI Adoption in the Public Sector

As AI becomes embedded in the public sector, the question is no longer whether to adopt it, but how to do so securely. While public sector bodies are already deploying AI systems, concerns about how to do so securely remain one of the most significant barriers to adoption.
The NCSC is committed to providing updated resources to support the secure deployment of AI in the public sector. These resources will act as a single point of reference for assessing, evidencing, and tracking the cyber-security and assurance work needed to deploy AI safely in public services.

Resources

These resources bring together existing national guidance with a practical, project-level control set, and align to the CyFun (Cyber Fundamentals) framework so that AI work can be evidenced using the same controls an organisation is already assessed against. The resources should be used together:

  1. AI Cyber Security Risk Assessment
    Provides background on the risks and on why we need to secure AI
  2. Securing AI Adoption in the Public Sector: Cyber Security Guidelines for AI Deployments
    Explains what needs to be assessed
  3. CyFun Mapping
    Shows where each principle sits in the framework (Coming soon)
  4. Project Tool
    Shows how a project team tracks and evidences them (Coming soon)



This work delivers on commitments in the National Digital and AI Strategy “Digital Ireland – Connecting our People, Securing our Future”.
These resources are the cyber security companion to the DPER guidelines for the Responsible Use of AI in the Public Service, which set the overarching framework for how the public service adopts and uses AI, and they support compliance with the EU AI Act.
While designed for public sector bodies, the principles and measures set out here are applicable to other organisations too. The NCSC will continue to publish further guidance on AI over the coming months and will review these resources as the threat landscape and operating environment evolve.

1. NCSC AI Cyber Security Risk Assessment: Public Sector Deployment

This document highlights the most significant cyber security risks associated with deploying AI across the public sector. It explains the current threat landscape, identifying assets at risk and primary threat types, and describing potential operational and reputational impacts for public sector bodies. It provides an essential baseline for public sector bodies assessing their AI cyber security posture, enabling them to design mitigations and realise the benefits AI offers to service delivery in a safe and secure manner.
NCSC AI Cyber Security Risk Assessment: Public Sector Deployment

2. Securing AI Adoption in the Public Sector: Cyber Security Guidelines for AI Deployments

These guidelines give practical direction on how to mitigate risks and to deploy AI systems safely and securely in the public sector. They follow the full AI life cycle (design, development, deployment, maintenance, and end-of-life) across seven security principles and draw on ETSI EN 304 223, a European standard for securing AI.
Securing AI Adoption in the Public Sector: Cyber Security Guidelines for AI Deployments

3. Mapping of Principles to CyFun

A reference document that maps each principle onto the relevant CyFun control(s). This lets teams review progress and evidence that they already produce for CyFun assessments when discharging AI-specific obligations.
Mapping coming soon for CyFun.

4. Project Tool

A project-level tool (Excel workbook) that walks through the AI Lifecycle and principles, captures evidence per control, and shows progress against the mapping. This can be used for AI projects to record decisions, risks and owners.
Project Tool coming soon.

