I think this is an overly cynical read on the whole thing, at least after skimming the main points from the bill.
A lot of it is about designating critical suppliers + providers and their security obligations.
Central government would typically be a customer that uses other suppliers and providers to achieve its goals, not a supplier or a provider itself.
So in that sense it doesn't seem so strange to see it omitted, or at least for the first set of legislation etc.? Get the first-party suppliers in shape first, then legislate the net result of government function using those suppliers etc.
The problem is that this has been (well, one of) the fatal flaws of previous attempts. If this were the first revamp I could agree with you.
> Central government would typically be a customer

This is a wrong assumption. It's not that they aren't customers, as they'll deal with hundreds of vendors/partners and will benefit from these changes regardless, but national cyber & supporting IT agencies (including the UK) are often providers themselves to both other government agencies and private organizations in the country.
This can be anything from running their SOC functions to specialized consulting services to intelligence sharing, so the bill is definitely relevant and the exclusion of the govt. doesn't seem to serve a purpose other than saving the budget to implement/maintain their own rules.
What you're describing would see the government fall outside the purview of the law naturally, without the need for an exemption. This is a true case of an exception that proves the rule — the fact that they made the exemption is itself proof that they would've been otherwise subject to the law.