G-Cloud #AccreditCamp - London 16Jul2013

Uploaded on

This presentation is a short guide to G-Cloud pan-government accreditation processes. More information on G-Cloud and HMG pan-government Accreditation is available on our …

This presentation is a short guide to G-Cloud pan-government accreditation processes. More information on G-Cloud and HMG pan-government Accreditation is available on our website

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Tuesday 16 July 2013 #AccreditCamp Royal College of Surgeons, 35-43 Lincoln’s Inn Fields, LONDON WC2A 3PE
  • If you are participating remotely, please mute your line so everyone can hear the presentation. You can submit questions in two ways throughout the presentation 1. through Twitter @G_Cloud_UK using the hashtag #accreditcamp or as a comment on the SlideShare page for the presentation. UK Government takes Information Security seriously. There are a number of boards governing cyber security policy across government and the Office of the Government Senior Information Risk Owner (OGSIRO) has been established. Open - introductions, agenda Update What accreditation is for? Why pan government accreditation? Process Scenarios Where and when to find out more Close - questions, contact details
  • G-Cloud update - What have we done over the last 18 months since February 2012? Creating a marketplace We’ve made it a lot easier for buyers: no long procurement, no negotiations; Simplifying how we buy and deliver services Encouraging innovation – access to a wider choice Encouraging the shift from custom to commodity Changing the culture across the Public Sector We’ve made it easier for suppliers too. £25m is less than 1% of government spend (£44.5bn). We have seen savings of between 60-90% on that spend. We can only let for the best VfM, not just because they are SME Our challenge is to find SMEs who offer better value The Government supports SMEs because they are seen as key to economic recovery The PM chairs the Enterprise Committee Most significant spend by department is with MOD (£20bn) and MOJ (£5bn)
  • 3 frameworks so far G-i - February 2012 G-ii - October 2012 G-iii - April 2013 Commoditised services organised across 4 lots IaaS - infrastructure PaaS - platform SaaS - software SCS - specialist cloud services On-demand self-service. A consumer can unilaterally provision a capability Broad network access. Capabilities are available over the network Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model Rapid elasticity. Capabilities can be rapidly and elastically provisioned Measured Service. Cloud systems automatically control and optimize resource G-Cloud framework features Launch OJEU 3 months before Commencement Call-off contracts between supplier and individual government authorities Framework value limits Call-off duration when consumers must go back to market G-Cloud currently under review and future frameworks beyond G-iv are under consideration The G-Cloud frameworks are separate from the Digital Framework that is now open for applications. More information about that framework is available on the GDS blog.
  • What is Accreditation for? Government must make sure the information systems we use will protect the information they handle, and function as and when they need to. Accreditation is the formal assessment of the system against its information assurance requirements. Do you need Accreditation? Security accreditation is required for services which will hold information assessed at Business Impact Level profiles 1-1-x/2-2-x, 33x and above (often described as IL1, IL2 & IL3) IL0 services and most Lot 4 services do not need accreditation. Those lot 4 services that may benefit from accreditation are those that include infrastructure, platform, or software features that have simply not conformed to the definitions of the other Lots. Software as a Service (SaaS) Control: Not much! Not Control: Underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities Platform as a Service (PaaS) Control: Deployed applications and possibly application hosting environment configurations Not Control: Underlying cloud infrastructure including network, servers, operating systems, or storage.. Infrastructure as a Service (IaaS) Control: Operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls) Not Control: Underlying cloud infrastructure
  • The Availability in these examples is denoted as x. The G-Cloud frameworks do not mandate service levels and it is up to the supplier to specify the availability of their offering. Business Impact Level profiles are sometimes condensed for brevity into a single number, i.e. IL3 for an offering with a BIL profile of 3-3-x
  • Central accreditation results in a service which can be procured by multiple consumers. We want to do it once, get it right first time, and share the benefits across government from an overall perspective. For suppliers this will mean a reduced time to market and lower cost of accreditation if multiple customers buy the service. G-Cloud SIRO and PSN SIRO authorise the work of the Public Sector Assurance & Accreditation Board (PSAAB) and Pan Government Accreditors (PGAs). Different consumers may have different appetites for risk and different threat models. PGA aims to complete 80% of the necessary work for an accreditation.
  • A supplier can sell an unaccredited service, but not to all customers for all requirements. Consuming department still own the information risk, but can rely on the work of trusted IA teams (minimising re-work on accreditation). IA team in the Public Sector consuming organisation may request the G-Cloud team to send them Risk Management Accreditation Document Set (RMADS) and Residual Risk Statement (RRS) for a service. A supplier should make any remaining documentation available to consumers directly if necessary.
  • There are 10 steps to the process in 2 main phases. First, the top row is the Scoping phase. Second, the bottom row is the Accreditation & Review phase. Supplier submits their service; Iterate as required to achieve necessary quality; Initial Assessment; Prioritise for Verification; PGA assess scope; Scope approved; Supplier prepares evidence set; Iterate as required to achieve necessary quality; PGA make recommendation to the board; Review by the board and Authority. There is a clear need for suppliers to provide good quality Scoping Statements and evidence in order to facilitate the process and minimize the need for iteration or amendments.
  • NHS trust fined £200k Sony fined £250k To initiate accreditation suppliers must complete a scoping template for each service requiring accreditation You should also complete, if relevant, our Data Protection Act (DPA) checklist. DPA checklist for suppliers, e.g. - guarantees that staff are trained or vetted, wherever they are based - facilities for rectification, blocking, erasure, destruction - guarantees about location of personal data - ensure high data protection standards even if data in a country with weak or no data protection law These can be submitted for programme deadlines at 6pm on the second Wednesday of each month – next on 8 May 2013. All services with templates completed to the necessary quality will be put into a pool ready for submission to the Pan Government Accreditation service at CESG.  We will look to prioritise submissions to the PGAs from this pool based on a number of factors, including demand from central HMG departments.
  • Once your service has been submitted to the Pan Government Accreditation service you will work with an assigned PGA to agree the scope of your accreditation. Once this is agreed a version of your scoping template with list of required evidence will be signed off by supplier and accreditor. Scope is essential for an accreditor to articulate what parts of a service should be tested.
  • Accreditation of BIL2-2-x services centred on a suitably scoped ISO/IEC 27001 certified service Scope agreed with the PGA Scope must be unambiguous and includes all elements of the service, e.g. onward supply chain and follow-the-moon and follow-the sun operations Certification through bodies recognised by UKAS, or agreed to be equivalent to UKAS (see note on EA MLA) Expected to follow sound commercial security practice ‘ x’ for availability must be defined by Supplier EA MLA – note on UKAS equivalent bodies for ISO27001 Available on our blog http://gcloud.civilservice.gov.uk/2012/05/29/revised-statement-on-the-use-of-isoiec-27001-certification-companies/
  • Accreditation of BIL3-3-x services uses UK Government IA Standards and Guidance Scope agreed with the PGA Detailed IA guidance already available for BIL3 services Expected to be delivered to the Public Sector through the PSN Implementation of technical controls at BIL3-3-x will require higher standard to those at BIL2-2-x, including more robust compliance Specific guidance on geographical location; protection of communications and data in transit; data at rest, storage and object re-use; clearance and checking of staff; site inspections ‘ x’ for availability must be defined by Supplier This will still be relevant should the policy on security Classifications be changed from Business Impact Levels in the future.
  • G-Cloud IA requirements use CIO Council paper on “offshoring and international sourcing” available on the Cabinet Office gov.uk website https://www.gov.uk/government/publications/government-ict-offshoring-international-sourcing-guidance This takes into consideration the jurisdiction and legislation under which the service would be governed outside the UK.
  • Formal assurance activity cannot take place until a service is in a mature design state representative of the final service.
  • Re-accreditation of services is required every 12 months or coinciding with rollover between frameworks. This will take into consideration any material changes to the service. The majority of time to fully complete accreditation is spent on - Agreeing scope - Preparing evidence - Scheduling testing If you already have everything prepared then it should be a paper-based exercise that can be completed quickly. How long does pan-government accreditation take? Time to provide Evidence Set... make your preparations early! What will it cost? G-Cloud process is free, the costs incurred are to provide evidence set and take any necessary remedial actions.
  • You will be required to gather and submit a set of evidence requested by the PGA. More information is available in G-Cloud IA Guidance and also at the end of the Scoping Statement document you will submit for your service to go through G-Cloud pan-government accreditation. Use a layered, modular, approach to accreditation with maximum re-use of IA activities E.g. suppliers can re-use FISMA evidence within ISO/IEC 27001 certification Use assured products where appropriate Monitoring of on-going implementation of security controls
  • National Security Vetting to SC level should be completed for at least your system administrators with access to RESTRICTED material in the live environment of an IL3 service.
  • Re-use evidence that is suitably scoped and of the necessary quality.| RE-USE SCENARIOS A service with accreditation from a central HMG department and not pan-government yet The existing scope and or List X scope may be a good start for pan-government accreditation if it covers the scope and evidence set for PGA. A service with no previous accreditation or PSN connectivity that is now targeting IL3 pan-government accreditation HMG strongly encourages PSN connectivity A service with no previous accreditation that is now targeting IL2 pan-government accreditation Industry best practice underpinned by ISO27001 can be a good start, especially if the scope of certification covers PGA scope too. SCOPE SCENARIOS A G-Cloud SaaS offering on another suppliers PaaS or IaaS service The SaaS supplier would need to consider what reliance they’re placing on the PaaS/IaaS service, and then demonstrate that all information risks have been managed appropriately (including consideration of off-shoring). A SaaS supplier hosting their service with a supplier that has ISO 27001 certification for their data centre. The SaaS supplier will also need to have their own ISO 27001 certification. In the scope of their certification they can include the assurance they are getting from the IaaS provider. CONSIDERATIONS Can you adequately scope your service (follow-the-sun, follow-the-moon services, location to country/legal framework)? What is the ‘Service’? Retain principle of information risk ownership Do you need assured products and services Think in layers and endpoints Be sure you are clear on the difference between the scope of each service
  • QUALITY SCENARIOS Lot 4 services requiring accreditation The majority of Lot 4 Specialist Cloud Services do not require accreditation. Suppliers of IL3 services requiring National Security Vetting Supplier staff with access to sensitive material on an IL3 service must have completed Baseline Personnel Security Standard (BPSS) as part of National Security Vetting (NSV). CONSIDERATIONS What level of assurance can you provide in your service, including security products within the service? Who can you use to provide independent assurance (UKAS certified bodies for ISMSs)? How will you demonstrate compliance with the DPA in a cloud service operating as a Data Processor? How will you assist the consumer with accounting and audit and forensic readiness? Pan-government Accreditation - G-Cloud IA Guidance - PSN RMARD - HMG IA Policy & Guidance, HMG IA Standards Access to Reference Material - Good Practice Guides: please approach CESG Enquiries in the first instance Design Review - Triggered by HMG PGA accreditor if necessary to agree scope after submission to G-Cloud and allocation to PGA. National Security Vetting - Only possible in exceptional circumstances where a supplier does not have sponsorship from another government authority and is already providing G-Cloud services to government.
  • G-Cloud IA Guidance covers:- Governance structures Assurance and accreditation approach, re-accreditation triggers Data Protection Act and Offshoring (outside of UK and EEA) Distribution of IA evidence, NDAs Specific Guidance on BIL 2-2-x and 3-3-x services Accreditation scoping template Data Protection Act (DPA) Checklist for Suppliers
  • Any questions What are the barriers for you? Who do we/you need to talk to in your organisation? What processes do you need to influence/tweak/develop to allow you to procure through the G-Cloud effectively? What channels/networks should we be exploring and taking advantage of to get the message out there?


  • 1. Mark Smitham Principal Cyber Security Advisor Government Digital Service @maakusan 1
  • 2. GDSMark Smitham #AccreditCamp @G_Cloud_UK Take Information Security seriously. 2
  • 3. GDSMark Smitham Total Sales Spend: £25m+ Suppliers: 800+ with 80% SME Services: 7000+ SME volume of orders: 64% SME sales spend: 62% 3
  • 4. GDSMark Smitham The fourth G-Cloud framework is set to launch this summer. 4
  • 5. GDSMark Smitham Consider the Information Assurance requirements of your service and the information that it holds. 5
  • 6. GDSMark Smitham Business Impact Level profiles include:- Confidentiality, Integrity, Availability. e.g. 1-1-x / 2-2-x, 3-3-x and above. 6
  • 7. GDSMark Smitham G-Cloud services can be consumed by nearly 30,000 government authorities. Pan-Government Accreditation (PGA) aims to reduce the number of times a service needs to be accredited. 7
  • 8. GDSMark Smitham Accreditation should not be a blocker to consumers procuring a service. Any service procured without Pan-Government Accreditation is purchased at risk to the consumer. 8
  • 9. GDSMark SmithamMark Smitham Process GDS 9
  • 10. GDSMark Smitham Consider your legislative obligations for the material handled by your service. Mark Smitham GDS 10
  • 11. GDSMark Smitham Consider the boundary of your service, what it relies upon and what else should be analysed to assess its security. Mark Smitham GDS 11
  • 12. GDSMark Smitham HMG Information Assurance Standards are underpinned by industry best practice, i.e. suitably scoped ISO27001 certification recognised by UKAS. Mark Smitham GDS 12
  • 13. GDSMark Smitham Consider the baseline set of controls that secure your service, including Physical, Personnel, Procedural, and Technical. Search for “CESG IA Policy & Guidance” and go to HMG IA Standards. Mark Smitham GDS 13
  • 14. GDSMark Smitham Cabinet Office guidance for offshoring currently states that services at IL3 and above must not be provided, supported, or managed from outside UK mainland without explicit consent from OGSIRO. Mark Smitham GDS 14
  • 15. GDSMark Smitham Make sure your service is in a mature design state ready for any security testing to be carried out. Mark Smitham GDS 15
  • 16. GDSMark SmithamMark Smitham Process GDS 16
  • 17. GDSMark SmithamMark Smitham GDS Evidence IL2 IL3 RMADS Light Full Residual Risk Statement  + Risk Register  + ISO27001 cert, report, notice  * Security Operating Procedure  + IA Conditions compliance*  + DPA checklist  + ITHC and other assurance  +
  • 18. GDSMark Smitham The employment checks you do on your staff should meet the Baseline Personnel Security Standard. Search for “BPSS” or “Security Policy Framework” on gov.uk Mark Smitham GDS 18
  • 19. GDSMark Smitham 19 GDSMark Smitham Re-use evidence that is suitably scoped and of the necessary quality. 19
  • 20. GDSMark Smitham Ask G-Cloud to help you with Pan-Government Accreditation, access to reference material, Design Review, National Security Vetting. 20
  • 21. GDSMark Smitham Find out more online gcloud.civilservice.gov.uk /supplier-zone/accreditation @G_Cloud_UK @gdsteam 21
  • 22. G-Cloud Government Digital Service @G_Cloud_UK @gdsteam 22