UK Ministry of Housing, Communities and Local Government (MHCLG) 
MHCLG’s Defend as One (DaO) programme is supporting councils to address shared cyber threats through collaboration and knowledge sharing. We want to take a unified and proactive approach to cyber security by sharing data, expertise and capabilities across government and the wider sector.
The Government Cyber Security Strategy (2022 to 2030)
“While developing a strong foundation of organisational cyber security is critical, the scale and pace of the threat demands a more comprehensive and joined up response. Government will therefore ‘defend as one’; harnessing the value of sharing cyber security data, expertise and capabilities across government to present a defensive force disproportionately more powerful than the sum of its parts.”
Programme aims
Based on one of the key pillars of the Government Cyber Security Strategy, Defend as One aims to:
- improve cyber incident detection by ensuring councils can effectively detect and monitor cyber security incidents
- reduce the impact of cyber incidents by coordinating the cross-government response, improving how councils respond, and minimising the impact of repeated or scaled attacks
- facilitate knowledge sharing including cyber intelligence, best practices, and tools across councils and the wider public sector
Current work
We’re running a number of pilots to gather evidence and inform our long-term approach to supporting the sector.
Improving cyber incident detection
We’re working with cyber specialists, Bridewell, to provide 10 councils with six months of funded Security Operations Centre (SOC) provision, starting in February 2025, as part of a research pilot.
A Security Operations Centre brings together cyber threat analysis, incident response, threat intelligence and cyber monitoring tools.
Evidence from this pilot will help to shape MHCLG’s long-term approach to supporting the sector in improving incident detection.
Sharing cyber intelligence
We’re running a pilot that provides councils with critical information about cyber threats and vulnerabilities. The pilot launched in March 2025 and will run for a 3-month period.
Additionally, we’re also working with the Government Cyber Coordination Centre (GC3) to explore how the Vulnerability Reporting Service can be utilised to support the local government sector.
Insights from both pilots will help to inform MHCLG’s long-term strategy for sharing intelligence with councils.
Cyber Incident Response (CIR)
We are planning to launch a Cyber Incident Response (CIR) service for local government. The service will provide eligible councils with access to an NCSC Enhanced Level CIR provider to support containment and eradication in the event of a cyber incident. Further guidance on eligibility criteria and how to access the service will be shared soon.
We want to help councils respond to and recover from cyber incidents quickly - minimising disruption and protecting the public services communities rely on. CIR providers are experienced partners who can support you through the most critical stages of an incident and into recovery.
Reporting incidents
We recommend that you report all suspicious activity and confirmed cyber incidents to the National Cyber Security Centre (NCSC) using its Report an incident form.
You should also notify Local Digital at MHCLG as early as possible: [email protected]. We’ll advise on available support and help coordinate with other central government departments.
Additional support:
- the Local Government Association’s Cyber Incident Grab Bag can help guide your response in the early stages of an incident
- the NCSC maintain a list of assured suppliers. If you need to engage a CIR provider, speak to your procurement team early
Stay updated and get involved
Sign up to the newsletter to receive updates on the Defend as One programme, including upcoming pilots, as we often invite participation through expressions of interest.
If you have any questions or would like to get involved in a future pilot, you can contact us at [email protected].