Policy paper

Software Security Ambassadors Scheme

Updated 24 February 2026

Championing secure software development for a resilient cyber ecosystem 

Software Security Ambassadors Scheme

This is a commitment by the Department for Science, Innovation and Technology, the National Cyber Security Centre and signatory organisations to work together to endeavour to promote best practices in secure software development and to strengthen digital supply chains by improving transparency and facilitating risk management.   

Organisations that sign up to this Scheme are committing to become Ambassadors of the Software Security Code of Practice. They will role model the implementation of the code, champion awareness of the Code, encourage its adoption, and showcase and exchange information on their real-world success stories and use cases.  

The Software Security Code of Practice is one of a series of Codes of Practice developed by the UK government to set clear expectations to help improve cyber security. These Codes, and the UK government’s Cyber Essentials scheme, set out good practices to reduce cyber security risks which are not being sufficiently addressed by industry. Organisations ideally should implement all applicable DSIT codes of practice as a minimum, but organisations signatory to this document are acting specifically as exemplars for the implementation of the Software Security Code of Practice. They have contributed to the development of this policy and are committed to endeavouring to promote the Code within relevant industries. 

By acting as ambassadors, signatories are committing to a process of transparency, development and continuous improvement. The implementation of this code of practice will take time and, in doing so, may bring to light issues that need to be addressed. Signatories and policymakers will learn from these issues as well as the successes and challenges for each organisation and, where appropriate, will share information to help develop and strengthen this government policy.  

Ambassadors include software vendors, organisations that procure software and organisations that act as expert advisors. Depending on their roles, these organisations agree to endeavour to lead by example in their development and sales practices, in their procurement and supplier management practices, or by promoting these measures in an advisory capacity. 

The Scheme aligns with the government’s Plan for Change by ensuring a more resilient economy where we can safely benefit from digital technologies that are ‘secure by design’ and accessible to all. By better securing supply chains, these measures will help to give businesses confidence in the technologies they need to operate and innovate, helping to prevent costly incidents and supporting growth across all our sectors.  

Following best practice on secure software development makes digital ecosystems better placed to prevent the most common types of cyber-attacks and better withstand cyber incidents. Companies that develop and sell software should embed security into their practices at all stages of the software lifecycle, from development, through deployment, to ongoing maintenance, and should be transparent in the communication of risk and incident management to customers. Organisations procuring software will benefit from increased trust and confidence in the digital technologies and services that help them innovate and grow.  

The public commitment

My organisation makes a public commitment to achieve the following objectives in one year

All signatories

  • Promote the Software Security Code of Practice on our social media, websites and, where possible, at NCSC/DSIT events.
  • Endeavour to showcase real-world success stories and use cases on our journey to achieve the below objectives and implement the Software Security Code of Practice in our organisation and supply chains.
  • Reflect on incidents and lessons learned to inform continuous improvement of organisational practices and government policy (where appropriate).

Software suppliers

  • Appoint a Senior Responsible Owner to hold accountability for the implementation of the Software Security Code of Practice.
  • Complete and publish the self-assessment form or third-party verification to demonstrate compliance with the principles of the Software Security Code of Practice.
  • Put in place measures to ensure relevant teams develop the necessary skills and expertise on secure software development and provide access to appropriate learning and development opportunities.
  • [If a DSP/consultant] Encourage clients and collaborators to adopt the Software Security Code of Practice and embed the principles of the Code into software developed collaboratively.

Software buyers

  • Incorporate the Software Security Code of Practice into procurement policies and procedures for supplier management of our software suppliers.

Expert advisors

  • Promote the Software Security Code of Practice through advisory/educational services and other business.
  • If applicable, incorporate the Software Security Code of Practice into requirements for relevant partner organisations.

Signatories

  • Department for Science, Innovation and Technology
  • National Cyber Security Centre
  • Accenture
  • Cisco
  • Hexiosec
  • ISACA
  • ISC2
  • Lloyds Banking Group
  • NCC Group
  • Nexor
  • Palo Alto Networks
  • Sage
  • Salus
  • Santander
  • Zaizi