G-Cloud #AccreditCamp - Farnborough 17Apr2013



This presentation is a short guide to G-Cloud pan-government accreditation processes. More information on G-Cloud and HMG pan-government Accreditation is available on our website

Published in: Technology, Business
Speaker notes:
  • What have we done? Creating a marketplace. We’ve made it a lot easier for buyers: no long procurement, no negotiations. Simplifying how we buy and deliver services. Encouraging innovation – access to a wider choice. Encouraging the shift from custom to commodity. Changing the culture across the Public Sector.
  • Framework iterations – G-iii awards, G-iv this summer. New CloudStore. Sales total invoiced over £11m. 59 accredited services.
  • Essential cloud characteristics:
    – On-demand self-service. A consumer can unilaterally provision a capability.
    – Broad network access. Capabilities are available over the network.
    – Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model.
    – Rapid elasticity. Capabilities can be rapidly and elastically provisioned.
    – Measured service. Cloud systems automatically control and optimize resource use.
  • Service models and what the consumer controls:
    – Software as a Service (SaaS). Controls: not much! Does not control: underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities.
    – Platform as a Service (PaaS). Controls: deployed applications and possibly application hosting environment configurations. Does not control: underlying cloud infrastructure including network, servers, operating systems, or storage.
    – Infrastructure as a Service (IaaS). Controls: operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). Does not control: underlying cloud infrastructure.
  • Any questions? What are the barriers for you? Who do we/you need to talk to in your organisation? What processes do you need to influence/tweak/develop to allow you to procure through the G-Cloud effectively? What channels/networks should we be exploring and taking advantage of to get the message out there?
Slides:

    1. #AccreditCamp, 17 April 2013. G-Cloud. Dave Denton & Mark Smitham. UNCLASSIFIED
    2. Agenda
       • Introductions
       • Programme Update
       • Accreditation
       • Why does G-Cloud conduct Pan-Government Accreditation?
       • Process
       • Scenarios
       • Where and when to find out more
       • Questions
       • References
    3. Introductions
       http://gcloud.civilservice.gov.uk
       enquiries@gcloud.cabinet-office.gov.uk
       @G_Cloud_UK
       #AccreditCamp
    4. Programme Update
       Our aim is to encourage the adoption of cloud-based services across the Public Sector.
       • Phase 1 complete: 1st anniversary; open and competitive marketplace
       • 460 suppliers and 3,200+ services provide access to a much wider choice for buyers
       • We’ve made it a lot easier for suppliers; we’re levelling the playing field for SMEs
       • We’re getting the message out; we’re changing the market for public sector IT
       • £11m+ to end of Feb
       • Giii – expect to see many more services
       • But we need to improve and look to make it even easier…
       [Chart: SME share of sales – 80% of orders by volume, 70% of spend]
    5. G-Cloud Frameworks
       G-Cloud framework   OJEU       Commencement   Close
       Gi                  18/10/11   14/02/12       13/11/12 – Closed
       Gii                 23/05/12   26/10/12       27/10/13
       Giii                11/01/13   April 2013     April 2014
       Service across 4 Lots:
       1 Infrastructure as a Service (IaaS)
       2 Platform as a Service (PaaS)
       3 Software as a Service (SaaS)
       4 Specialist Cloud Services (SCS)
       Gii features:
       • Framework 12 months
       • Framework value up to £100m
       • Call offs up to 24 months
    6. What is Accreditation for?
       • Government must make sure the information systems we use will protect the information they handle, and function as and when they need to. Accreditation is the formal assessment of the system against its information assurance requirements.
       • Security accreditation is required for services which will hold information assessed at Business Impact Level profiles 1-1-x/2-2-x, 3-3-x and above (often described as IL1, IL2 & IL3)
       • IL0 services and most Lot 4 services do not need accreditation
    7. Why Pan-Government Accreditation?
       • Central accreditation results in a service which can be procured by multiple customers
       • We want to do it once, get it right first time, and share the benefits across government
       • For suppliers this will mean a reduced time to market and lower cost of accreditation if multiple customers buy the service
       • G-Cloud SIRO and PSN SIRO authorise the work of the Public Sector Accreditation Board (PSAB) and Pan Government Accreditors (PGAs)
    8. Buying services with Pan-Gov Accreditation
       • The consuming department still owns the information risk, but can rely on the work of trusted IA teams (minimising re-work on accreditation)
       • The IA team in the consuming Public Sector organisation is given the RMADS and RRS. Remaining documentation is available from the supplier
       • Any service procured without pan-government accreditation is purchased at risk to the customer. A supplier can sell an unaccredited service, but not to all customers for all requirements
    9. Process
    10. Initiation of Accreditation
       • To initiate accreditation suppliers must complete a scoping template for each service requiring accreditation
       • You should also complete, if relevant, our Data Protection Act (DPA) checklist.
       • These can be submitted for programme deadlines at 6pm on the second Wednesday of each month – next on 8 May 2013.
       • All services with templates completed to the necessary quality will be put into a pool ready for submission to the Pan Government Accreditation service at CESG. We will look to prioritise submissions to the PGAs from this pool based on a number of factors, including demand from central HMG departments.
    11. Scoping
       • Once your service has been submitted to the Pan Government Accreditation service you will work with an assigned PGA to agree the scope of your accreditation.
       • Once this is agreed, a version of your scoping template with the list of required evidence will be signed off by supplier and accreditor
    12. BIL2-2-x Services
       • Accreditation of BIL2-2-x services is centred on a suitably scoped ISO/IEC 27001 certified service
         – Scope agreed with the PGA
         – Scope must be unambiguous and include all elements of the service, e.g. onward supply chain and follow-the-moon and follow-the-sun operations
         – Certification through bodies recognised by UKAS, or agreed to be equivalent to UKAS (see note on EA MLA)
         – Expected to follow sound commercial security practice
         – ‘x’ for availability must be defined by Supplier
    13. BIL3-3-x Services
       • Accreditation of BIL3-3-x services uses UK Government IA Standards and Guidance
         – Scope agreed with the PGA
         – Detailed IA guidance already available for BIL3 services
         – Expected to be delivered to the Public Sector through the PSN
         – Implementation of technical controls at BIL3-3-x will require a higher standard than those at BIL2-2-x, including more robust compliance
         – Specific guidance on geographical location; protection of communications and data in transit; data at rest, storage and object re-use; clearance and checking of staff; site inspections
         – ‘x’ for availability must be defined by Supplier
    14. Data Protection Act and Offshoring
       • DPA checklist for suppliers, e.g.
         – guarantees that staff are trained or vetted, wherever they are based
         – facilities for rectification, blocking, erasure, destruction
         – guarantees about location of personal data
         – ensure high data protection standards even if data is in a country with weak or no data protection law
       • G-Cloud IA requirements use the CIO Council paper on offshoring and international sourcing, available on the Cabinet Office gov.uk website
    15. Is your Service ready to be submitted?
       • Before any formal assurance activity is undertaken your service design must be in a mature design state, or at least developed to a state that means any security testing carried out is on a design that represents the final service
       • If you are unsure about this contact us to discuss before submitting your scoping template.
    16. Process
    17. Is your Service ready to be submitted?
       • Before any formal assurance activity is undertaken your service design must be in a mature design state, or at least developed to a state that means any security testing carried out is on a design that represents the final service
       • If you are unsure about this contact us to discuss before submitting your scoping template.
       • How long does pan-government accreditation take? Time to provide the Evidence Set... make your preparations early!
       • What will it cost? The G-Cloud process is free; the costs incurred are to provide the evidence set and take any necessary remedial actions.
    18. Evidence Set
       • You will be required to gather and submit a set of evidence requested by the PGA. This could include at minimum:
         Evidence                                                        Required for
         RMADS (Lightweight RMADS for BIL 2-2-x / Full RMADS for 3-3-x)  both IL2-2-x and IL3-3-x systems/services
         Residual Risk Statement                                         both IL2-2-x and IL3-3-x systems/services
         Risk Register                                                   IL2-2-x systems/services
         ISO/IEC 27001 Certificate, report & improvement notice          both IL2-2-x and IL3-3-x systems/services
         Security Operating Procedures (relevant to the consumer and/or supplier)   both IL2-2-x and IL3-3-x systems/services
         Other security related documentation such as IA conditions consumers are expected to meet   both IL2-2-x and IL3-3-x systems/services
         Statement on personal data and a completed DPA questionnaire    both IL2-2-x and IL3-3-x systems/services
         ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate)   both IL2-2-x and IL3-3-x systems/services, though the extent will be less for IL2-2-x systems/services
    19. Evidence Set
       • All information to be seen by the Pan Government Accreditor (PGA) and their advisors:
         – Risk Management and Accreditation Document Set (RMADS)
         – Residual Risk Statement (RRS)
         – Risk Register
         – ISO27001 certification documentation
       • RRS presented to PSAB, and part or all of the remaining documentation if needed
    20. IA and Accreditation Approach
       • Use a layered, modular approach to accreditation with maximum re-use of IA activities
         – E.g. suppliers can re-use FISMA evidence within ISO/IEC 27001 certification
       • Use assured products where appropriate
       • Monitoring of on-going implementation of security controls
    21. Accreditation Scenarios
       A service with accreditation from a central HMG department and not pan-government yet
       • The existing scope and/or List X scope may be a good start for pan-government accreditation if it covers the scope and evidence set for the PGA.
       A service with no previous accreditation or PSN connectivity that is now targeting IL3 pan-government accreditation
       • HMG strongly encourages PSN connectivity
       A service with no previous accreditation that is now targeting IL2 pan-government accreditation
       • Industry best practice underpinned by ISO27001 can be a good start, especially if the scope of certification covers the PGA scope too.
    22. Accreditation Scenarios
       A G-Cloud SaaS offering on another supplier’s PaaS or IaaS service
       • The SaaS supplier would need to consider what reliance they’re placing on the PaaS/IaaS service, and then demonstrate that all information risks have been managed appropriately (including consideration of off-shoring).
       A SaaS supplier hosting their service with a supplier that has ISO 27001 certification for their data centre
       • The SaaS supplier will also need to have their own ISO 27001 certification. In the scope of their certification they can include the assurance they are getting from the IaaS provider.
    23. Accreditation Scenarios
       Lot 4 services requiring accreditation
       • The majority of Lot 4 Specialist Cloud Services do not require accreditation.
       Suppliers of IL3 services requiring National Security Vetting
       • Supplier staff with access to sensitive material on an IL3 service must have completed the Baseline Personnel Security Standard (BPSS) as part of National Security Vetting (NSV).
    24. Questions for Suppliers to consider
       • Can you adequately scope your service (follow-the-sun, follow-the-moon services, location to country/legal framework)?
         – What is the ‘Service’?
         – Retain the principle of information risk ownership
         – Do you need assured products and services?
         – Think in layers and endpoints
         – Be sure you are clear on the difference between the scope of each service
    25. Questions for Suppliers to consider
       • What level of assurance can you provide in your service, including security products within the service?
       • Who can you use to provide independent assurance (UKAS certified bodies for ISMSs)?
       • How will you demonstrate compliance with the DPA in a cloud service operating as a Data Processor?
       • How will you assist the consumer with accounting, audit and forensic readiness?
    26. Advice that G-Cloud can provide
       • Pan-government Accreditation
         – G-Cloud IA Guidance
         – PSN RMARD
         – HMG IA Policy & Guidance, HMG IA Standards
       • Access to Reference Material
         – Good Practice Guides: please approach CESG Enquiries in the first instance
       • Design Review
         – Triggered by the HMG PGA accreditor if necessary to agree scope after submission to G-Cloud and allocation to a PGA.
       • National Security Vetting
         – Only possible in exceptional circumstances where a supplier does not have sponsorship from another government authority and is already providing G-Cloud services to government.
    27. Where & when to find out more
       • All guidance and templates available on the G-Cloud website accreditation page
       • G-Cloud IA Guidance covers:
         – Governance structures
         – Assurance and accreditation approach, re-accreditation triggers
         – Data Protection Act and Offshoring (outside of UK and EEA)
         – Distribution of IA evidence, NDAs
         – Specific Guidance on BIL 2-2-x and 3-3-x services
         – Accreditation scoping template
         – Data Protection Act (DPA) Checklist for Suppliers
       • To be updated this summer
    28. Questions?
    29. Contacts
       http://gcloud.civilservice.gov.uk
       enquiries@gcloud.cabinet-office.gov.uk
       @G_Cloud_UK
       #AccreditCamp