Skip to main content
Guidance

Hardware Lifecycle Management Security Policy

Updated 9 June 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/dwp-procurement-security-policies-and-standards/hardware-lifecycle-management-security-policy

This Department for Work and Pensions (DWP) Hardware Lifecycle Management Security Policy is part of a suite of policies designed to promote consistency across the DWP and supplier base with regards to the implementation and management of security controls. For the purposes of this policy, the term DWP and department are used interchangeably.   

Security policies considered appropriate for public viewing are published on DWP Procurement Security Policies and Standards  

Security policies cross-refer to each other where needed, so can be confidently used together. They contain both mandatory and advisory elements, described in consistent language, as shown in the table below.

Term Intention
must denotes a requirement - a mandatory element
should denotes a recommendation - an advisory element
may denotes approval
might denotes a possibility
can denotes both capability and possibility
is/are denotes a description

Overview 

The DWP Hardware Lifecycle Management Security Policy establishes the framework for managing hardware throughout its entire lifecycle, from planning and acquisition to decommissioning. The policy emphasises the application of recognised cybersecurity best practices, robust information security principles, and supply chain risk management at every stage.

DWP’s Hardware Lifecycle Management practices are a critical component of the department’s overall cybersecurity posture. They contribute to the UK government’s objectives for building a cyber-resilient public sector, aligning with the UK National Cyber Strategy and the Government Cyber Security Strategy.

This policy is informed by and aligns with relevant guidance from the National Cyber Security Centre (NCSC), including principles for asset management, secure configuration, secure sanitisation and disposal, supply chain security, and technology assurance.

Purpose 

This policy is to provide the high-level principles for managing DWP hardware securely.   

It mandates that DWP hardware must be managed in accordance with an approved lifecycle framework, incorporating robust information security and supply chain risk management throughout all stages, including planning, acquisition (purchase and lease), build, testing, deployment, in-life management (maintenance, monitoring, updates), and decommissioning.  

The DWP hardware procurement process must consider security requirements, identify and assess security deficiencies, and budget for decommissioning costs. Hardware no longer required must be evaluated and subjected to a decommissioning process where necessary, taking into account relevant information, software, services, and data storage capability. The department applies a risk-focused approach to hardware lifecycle management, accepting that hardware requires a proportionate and appropriate level of security management. Consequently, this policy adopts an exception-based risk management approach, where compliance is mandated unless an exception is formally granted.

Scope 

1. This policy applies to:  

  • DWP employees (including contractors, consultants and other workers) involved in the provision and lifecycle management of hardware for the DWP, from this point forward will collectively be referred to as ‘users’

  • all contracted third-party suppliers whose systems or services store, handle, or process DWP information, or are involved in the provision and lifecycle management of hardware for the DWP, to ensure the appropriate levels of assurance for the confidentiality, integrity and availability of the DWP’s assets

2. This policy does not replace any legal or regulatory requirements.

3. All hardware and electronic equipment capable of storing, processing, or transmitting digital information acquired throughout the organisation, including:  

  • computer equipment such as servers, network devices, desktop computers, and specialist devices (such as barcode scanners, smart meters, and point-of-sale terminals)

  • mobile devices (such as laptops, tablets, and smartphones) and portable storage devices

  • network storage systems (such as storage area network) and network-attached storage)

  • network equipment (such as routers, switches, wireless access points, and firewalls)

  • voice communication services (including Voice-over Internet Protocol) and conferencing equipment

  • authentication hardware (such as physical tokens, smartcards, and biometric equipment)

  • office equipment (such as network printers, photocopiers, facsimile machines, scanners, and multifunction devices)

  • specialist equipment (such as hardware used to support industrial control systems, including heating, ventilation and air conditioning equipment, and power systems)

4. All contractual agreements for the provision and lifecycle management of hardware for the department, and these policy statements supplement all currently applicable contractual agreements related to departmental computing and networking services. This policy does not replace any legal or regulatory requirements.

Definitions

Hardware - Any IT physical asset used to support corporate information or systems (such as a server, network device, mobile device, various storage media including USB devices and recordable media, printer, or specialised equipment, such as devices used by manufacturing, transport, or utility companies), including the software embedded within it and the operating systems supporting it. 

Hardware Acquisition - The purchasing and leasing (or equivalent) of hardware. Also referred to throughout the policy as ‘Procurement’. 

Sanitisation - The process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level. Some forms of sanitisation will allow you to reuse the media, while others are destructive in nature and render the media unusable.

Policy Statements 

1. Service Owners and functional leads within DWP Digital (including Workplace Computing and IT Service Management) parties in DWP must ensure people, processes and monitoring are in place to perform the activities required for Hardware Lifecycle Management and monitor its progress. 

2. Responsible parties must develop and maintain processes ensuring that hardware malfunction or failure is reduced by employing up-to-date models, ensuring reliability, compatibility and capacity with existing infrastructure when acquiring hardware and comply with standards.  

3. DWP must operate a proportionate, risk-based Supply Chain Risk Management (SCRM) program including Supply Chain Security Assurance (SCSA) for hardware acquisitions and management, noting defined roles, governance approval and documented processes. The SCRM program must include documented processes for:  

  • engaging SCSA prior to the acquisition of hardware where ongoing supplier or vendor support is required, or where there will be any sharing, access to, or handling of DWP information or data by the supplier or their sub-contractors

  • conducting due diligence and vetting of hardware suppliers, with enhanced scrutiny to providers of critical hardware or handling sensitive DWP data. This process must be initiated when suppliers are onboarded for relevant hardware provision

  • implementing processes, proportionate to the assessed risk and criticality of the hardware, for assessing the authenticity and integrity of hardware products throughout its lifecycle. The specific methods and responsibilities for these assessments must be defined within the SCRM program

  • managing risks introduced by requiring critical hardware suppliers to demonstrate due diligence and risk management of their own key sub-contractors, proportionate to the risks passed to DWP. The extent of this flow-down assurance must be determined by the criticality of the hardware and supplier

4. DWP must integrate and require compliance with NCSC technology assurance schemes (such as GovAssure and Principle Based Assurance outputs), and National Protective Security Authority standards such as the Cyber Assurance of Physical Security Systems for physical security equipment, where proportionate to risk during acquisition and management of hardware. Processes integration must be documented and consistently applied, ensuring that decisions not to leverage such schemes for critical hardware are formally justified and risk accepted.

5. Hardware must be acquired (such as purchased or leased) from approved suppliers via the commercial procurement process, tested by Information Technology Health Check after implementation and be supported by maintenance arrangements. 

6. When acquiring hardware, the security requirements must be identified and captured within the contractual terms with suppliers. Moreover, suppliers must demonstrate how they can meet the requirements. The decommissioning of the hardware must be in accordance with SS-036: Secure Sanitisation and Destruction, with the decommissioning costs being agreed with the supplier.

7. Hardware acquisitions involving cryptographic capabilities or long lifecycles, must consider the hardware’s Post-Quantum Cryptography readiness. The cryptographic agility should also be included as part of the security requirements definition and evaluation process, see (SS-007: Use of Cryptography).  

8. Assurance must be obtained from suppliers or manufacturers about the level of security provided by their products (such as producing results of security-related tests – against a Technology-Organisation-Environment Framework where appropriate, vulnerability assessments, and adherence to technical standards).  

9. The risks of potential security weaknesses in hardware must be reduced by reviewing external assessments from trusted sources, identifying security deficiencies and addressing the security weaknesses through appropriate controls.   

10. Acquired hardware must be reviewed by individuals who hold the necessary skills to evaluate associated information security requirements and be subject to approval by an appropriate business manager.

11. Documented, approved, and maintained secure baseline configurations must be established for all of hardware assets used within DWP, consistent with NCSC guidance, government-specific standards (such as NCSC platform guides), and recognised industry hardening standards (such as Centre for Information Security Benchmarks). The approved baselines must be applied to all hardware upon deployment and maintained throughout its operational life.  

12. Hardware must be configured to provide only essential functionality, with unnecessary services, ports, protocols, and applications disabled or removed (principle of least functionality) in line with SS-006: Security Boundaries and relevant build patterns.  

13. Changes to hardware configurations must be managed through a formal, documented change control process that includes a security impact assessment, referencing DWP Change Management procedures.  

14. DWP must maintain an inventory of firmware versions for all applicable hardware assets, reliably linked to or integrated with the overall hardware inventory.   

15. Processes must be in place to identify, risk-assess, and apply security patches and updates to hardware firmware in a timely manner , see (DWP Technical Vulnerability Management Policy and SS-033: Security Patching).   

16. DWP must establish and maintain a comprehensive inventory of all hardware assets. The inventory must be kept accurate and up-to-date through automated discovery and integration with Information Technology Service Management tooling where technically feasible, or via defined and rigorous operational verification processes. The department must actively work towards the automation of inventory updates to ensure near real-time visibility.  

17. The hardware inventory must include, or be capable of reliably linking to, at a minimum, the following details for each asset. It is acknowledged that these attributes may reside in federated repositories (such as Information Technology Asset Management Register, Configuration Management Data Base, Vulnerability Scanners) but must be correlatable to a unique asset ID:

  • unique identifier (such as serial number, asset tag)
  • hardware type, model, and manufacturer
  • firmware version(s)
  • operating System (OS) details, including version and patch level
  • network addresses (IP, MAC) where applicable
  • physical and logical location
  • assigned user or custodian
  • accountable asset owner
  • date of acquisition and warranty information
  • data classification and asset criticality rating (referencing DWP Security Classification Policy)
  • approval status for network connection
  • maintenance schedule and history
  • status in the hardware lifecycle (such as in use, in storage, pending disposal)

18. Automated tools and processes (such as active and passive scanning, network logging) must be utilised to populate and maintain the accuracy of the hardware inventory wherever possible.   

19. Regular reviews and audits of the hardware inventory must be conducted to verify its accuracy and completeness.  

20. Assets must be formally removed from the hardware inventory upon verified secure disposal or return to a supplier in line with SS-036: Secure Sanitisation and Destruction.  

21. Robust and controlled maintenance processes must be implemented for all hardware, scheduled, performed, documented, and reviewed in line with relevant operational procedures, on a regular basis, and in accordance with supplier or manufacturer recommendations.

22. Secure procedures must be defined and followed for remote hardware maintenance, including secure access methods and session monitoring in conjunction with SS-016: Remote Access.  

23.  All tools used for hardware maintenance, especially those with elevated privileges or potential access to sensitive data, must be approved, controlled, monitored, and regularly inspected.  

24. Hardware maintenance must only be performed by authorised personnel, whose authorisation is based on verification of skills, training and appropriate security vetting and (DWP Security Vetting Policy and DWP Personnel Security Policy).  

25. Hardware assets must be continuously monitored for unauthorised changes, deviations from secure baselines, security events, and the presence of unauthorised hardware (SS-012: Protective Monitoring Standard).  

26. Proactive measures for security event discovery related to hardware assets must be continuously monitored for unauthorised changes, deviations from secure baselines, security events, and the presence of unauthorised hardware (SS-012: Protective Monitoring Standard).  

27. Effective hardware lifecycle management, including the maintenance of an accurate inventory, adherence to secure baseline configurations, and timely patching, is crucial for enabling rapid response and recovery, thereby minimising the operational and business impact of security incidents.  

28. Security-relevant alerts generated by hardware monitoring (such as configuration changes, unauthorised connection attempts) must be triaged and responded to in accordance with SS-012: Protective Monitoring Standard and, where a breach is suspected, SS-014: Security Incident Management Standard.

29. Procedures must be defined and followed for managing hardware with end-of-life (unsupported) firmware, which may include isolation, decommissioning, or replacement based on risk assessment.  

30. Hardware assets including all accessible DWP Information and Licences software on the hardware which are no longer required or are being retired from DWP control must be subject to secure sanitisation or destruction, with the effectiveness of the sanitisation process verified in accordance with SS-036: Secure Sanitisation and Destruction Security Standard.   

31. Detailed and auditable records of all sanitisation or destruction activities, including method used, verification results, media details, and personnel involved, must be maintained and linked to the hardware inventory (DWP Information Management Policy).   

Accountabilities and Responsibilities 

The DWP Chief Security Officer is the accountable owner of the DWP Hardware Lifecycle Management Policy and is responsible for its maintenance and review, through the Head of Security Policy. 

This policy requires DWP Digital, DWP Operations Functions, and any contracted accountable parties, to clearly define, document, and agree accountabilities and responsibilities for establishing, implementing, and monitoring documented procedures for managing the lifecycle of hardware. These procedures must encompass all stages from planning and acquisition through to secure disposal and reuse, and should include, as appropriate: 

  • guidelines for selecting hardware, including security considerations, contractual terms, and budget for decommissioning/disposal costs

  • integration of SCSA processes as appropriate, including supplier due diligence and ongoing monitoring (referencing the new section on SCSA below)

  • requirements for Technology Assurance, leveraging NCSC schemes where applicable (referencing the new section on Technology Assurance below)

  • methods of identifying, assessing, and addressing security weaknesses and vulnerabilities throughout the hardware lifecycle (referencing DWP Technical Vulnerability Management Policy and SS-033: Security Patching)

  • a formal process for reviewing and approving hardware prior to acquisition and deployment

  • categorisation and classification of hardware assets, based on the type and sensitivity of information processed, stored, or transmitted, and their criticality to DWP operations (referencing DWP Security Classification Policy)

  • maintaining a comprehensive and accurate inventory of hardware assets throughout their lifecycle (referencing this policy’s statements on Inventory)

  • processes for secure configuration, hardening, deployment, maintenance (including remote maintenance), and in-life monitoring (referencing relevant DWP Security Standards such as SS-006: Security BoundariesSS-012: Protective MonitoringSS-016: Remote Access Security Standard and SS-001 (part 1): Access and Authentication)

  • processes for secure sanitisation, destruction, and disposal of hardware and associated media (referencing SS-036: Secure Sanitisation and Destruction Security Standard)

  • processes for the secure reuse of hardware

  • integration of hardware-related risks (such as risks arising from asset inventory gaps, out-of-date firmware, or supply chain issues) into the DWP Enterprise Risk Management framework, including a formal risk acceptance process, and regular reporting on Hardware Lifecycle Management security posture and compliance to relevant governance bodies and risk owners. DWP Security Policy and Data Protection is responsible for supporting and advising upon the development and implementation of these procedures in compliance with this policy and other relevant DWP security policies and standards

Compliance 

All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.   

Many of DWP’s employees and contractors handle sensitive information daily and so need to be enacting minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security.  

Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset (or a supplier asset that provides a service to the authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. DWP users must report security incidents via the DWP Security Incident Referral Webform; third parties and suppliers must follow the SS-014: Security Incident Management Standard.    

DWP’s Security and Data Protection Team will regularly assess for compliance with this policy and may need to inspect physical locations, technology systems, design and processes and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support, and when necessary, participate in any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services, additional information can be found in the DWP Employee Privacy Notice.  

An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s security policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Team immediately.

Back to top