This presentation is a short guide to G-Cloud pan-government accreditation processes. More information on G-Cloud and HMG pan-government Accreditation is available on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/
1. #AccreditCamp
17 April 2013
G-Cloud
Dave Denton & Mark Smitham
UNCLASSIFIED
2. Agenda
• Introductions
• Programme Update
• Accreditation
• Why does G-Cloud conduct Pan-Government Accreditation?
• Process
• Scenarios
• Where and when to find out more
• Questions
• References
4. Programme Update
Our aim is to encourage the adoption of cloud-based services across the Public Sector
• Phase 1 complete: 1st anniversary; open and competitive marketplace
• 460 suppliers and 3,200+ services provide access to a much wider choice for buyers
• We’ve made it a lot easier for suppliers; we’re levelling the playing field for SMEs
• We’re getting the message out; we’re changing the market for public sector IT
• Giii – expect to see many more services
[Charts on slide: SME Sales Vol and SME Sales; figures shown: 75%, 80% vol of orders, 70% of spend, £11m+ to end of Feb]
But we need to improve and look to make it even easier…
5. G-Cloud Frameworks
G-Cloud framework | OJEU | Commencement | Close
Gi | 18/10/11 | 14/02/12 | 13/11/12 – Closed
Gii | 23/05/12 | 26/10/12 | 27/10/13
Giii | 11/01/13 | April 2013 | April 2014
Services across 4 Lots:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
4. Specialist Cloud Services (SCS)
Gii Features:
• Framework 12 months
• Framework value up to £100m
• Call offs up to 24 months
6. What is Accreditation for?
• Government must make sure the information systems we use will
protect the information they handle, and function as and when they
need to. Accreditation is the formal assessment of the system
against its information assurance requirements.
• Security accreditation is required for services which will hold
information assessed at Business Impact Level profiles 1-1-x/2-2-x,
3-3-x and above (often described as IL1, IL2 & IL3)
• IL0 services and most Lot 4 services do not need accreditation
7. Why Pan-Government Accreditation?
• Central accreditation results in a service which can be procured by
multiple customers
• We want to do it once, get it right first time, and share the benefits
across government
• For suppliers this will mean a reduced time to market and lower
cost of accreditation if multiple customers buy the service
• G-Cloud SIRO and PSN SIRO authorise the work of the Public
Sector Accreditation Board (PSAB) and Pan Government
Accreditors (PGAs)
8. Buying services with Pan-Gov Accreditation
• Consuming department still own the information risk, but can rely
on the work of trusted IA teams (minimising re-work on
accreditation)
• IA team in the Public Sector consuming organisation to be given
RMADS and RRS. Remaining documentation available from the
supplier
• Any service procured without pan government accreditation is
purchased at risk to the customer. A supplier can sell an
unaccredited service, but not to all customers for all requirements
10. Initiation of Accreditation
• To initiate accreditation suppliers must complete a scoping
template for each service requiring accreditation
• You should also complete, if relevant, our Data Protection Act
(DPA) checklist.
• These can be submitted for programme deadlines at 6pm on the
second Wednesday of each month – next on 8 May 2013.
• All services with templates completed to the necessary quality will
be put into a pool ready for submission to the Pan Government
Accreditation service at CESG. We will look to prioritise
submissions to the PGAs from this pool based on a number of
factors, including demand from central HMG departments.
11. Scoping
• Once your service has been submitted to the Pan Government
Accreditation service you will work with an assigned PGA to agree
the scope of your accreditation.
• Once this is agreed a version of your scoping template with list of
required evidence will be signed off by supplier and accreditor
12. BIL2-2-x Services
• Accreditation of BIL2-2-x services centred on a suitably scoped
ISO/IEC 27001 certified service
– Scope agreed with the PGA
– Scope must be unambiguous and include all elements of the
service, e.g. onward supply chain and follow-the-moon and
follow-the-sun operations
– Certification through bodies recognised by UKAS, or agreed to
be equivalent to UKAS (see note on EA MLA)
– Expected to follow sound commercial security practice
– ‘x’ for availability must be defined by Supplier
13. BIL3-3-x Services
• Accreditation of BIL3-3-x services uses UK Government IA
Standards and Guidance
– Scope agreed with the PGA
– Detailed IA guidance already available for BIL3 services
– Expected to be delivered to the Public Sector through the PSN
– Implementation of technical controls at BIL3-3-x will require a
higher standard than those at BIL2-2-x, including more robust
compliance
– Specific guidance on geographical location; protection of
communications and data in transit; data at rest, storage and
object re-use; clearance and checking of staff; site inspections
– ‘x’ for availability must be defined by Supplier
14. Data Protection Act and Offshoring
• DPA checklist for suppliers, e.g.
– guarantees that staff are trained or vetted, wherever they are
based
– facilities for rectification, blocking, erasure, destruction
– guarantees about location of personal data
– ensure high data protection standards even if data in a country
with weak or no data protection law
• G-Cloud IA requirements use CIO Council paper on
offshoring and international sourcing available on the Cabinet
Office gov.uk website
17. Is your Service ready to be submitted?
• Before any formal assurance activity is undertaken your service
design must be in a mature design state, or at least developed to
a state that means any security testing carried out is on a design
that represents the final service
• If you are unsure about this contact us to discuss before submitting
your scoping template.
• How long does pan-government accreditation take? Time to
provide Evidence Set... make your preparations early!
• What will it cost? G-Cloud process is free, the costs incurred are
to provide evidence set and take any necessary remedial actions.
18. Evidence Set
• You will be required to gather and submit a set of evidence
requested by the PGA. This could include at minimum:
Evidence | Required for
RMADS | Both IL22x and IL33x systems/services (lightweight RMADS for BIL 22x; full RMADS for 33x)
Residual Risk Statement | Both IL22x and IL33x systems/services
Risk Register | IL22x systems/services
ISO/IEC 27001 Certificate, report & improvement notice | Both IL22x and IL33x systems/services
Security Operating Procedures (relevant to the consumer and/or supplier) | Both IL22x and IL33x systems/services
Other Security Related documentation such as IA conditions consumers are expected to meet | Both IL22x and IL33x systems/services
Statement on personal data and a completed DPA questionnaire | Both IL22x and IL33x systems/services
ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate) | Both IL22x and IL33x systems/services, though the extent will be less for IL22x systems/services
19. Evidence Set
• All information to be seen by the Pan Government Accreditor
(PGA) and their advisors:
– Risk Management and Accreditation Document Set (RMADS),
– Residual Risk Statement (RRS),
– Risk Register,
– ISO27001 certification documentation
• RRS presented to PSAB and part or all of the remaining
documentation if needed
20. IA and Accreditation Approach
• Use a layered, modular, approach to accreditation with maximum
re-use of IA activities
– E.g. suppliers can re-use FISMA evidence within ISO/IEC 27001
certification
• Use assured products where appropriate
• Monitoring of on-going implementation of security controls
21. Accreditation Scenarios
A service with accreditation from a central HMG
department and not pan-government yet
• The existing scope and or List X scope may be a good start for
pan-government accreditation if it covers the scope and evidence
set for PGA.
A service with no previous accreditation or PSN connectivity
that is now targeting IL3 pan-government accreditation
• HMG strongly encourages PSN connectivity
A service with no previous accreditation that is now
targeting IL2 pan-government accreditation
• Industry best practice underpinned by ISO27001 can be a good
start, especially if the scope of certification covers PGA scope too.
22. Accreditation Scenarios
A G-Cloud SaaS offering on another supplier’s PaaS or IaaS
service
• The SaaS supplier would need to consider what reliance they’re
placing on the PaaS/IaaS service, and then demonstrate that all
information risks have been managed appropriately (including
consideration of off-shoring).
A SaaS supplier hosting their service with a supplier that has
ISO 27001 certification for their data centre.
• The SaaS supplier will also need to have their own ISO 27001
certification. In the scope of their certification they can include
the assurance they are getting from the IaaS provider.
23. Accreditation Scenarios
Lot 4 services requiring accreditation
• The majority of Lot 4 Specialist Cloud Services do not require
accreditation.
Suppliers of IL3 services requiring National Security Vetting
• Supplier staff with access to sensitive material on an IL3 service
must have completed Baseline Personnel Security Standard (BPSS)
as part of National Security Vetting (NSV).
24. Questions for Suppliers to consider
• Can you adequately scope your service (follow-the-sun and
follow-the-moon services, location to country/legal framework)?
– What is the ‘Service’?
– Retain principle of information risk ownership
– Do you need assured products and services
– Think in layers and endpoints
– Be sure you are clear on the difference between the scope of
each service
25. Questions for Suppliers to consider
• What level of assurance can you provide in your service, including
security products within the service?
• Who can you use to provide independent assurance (UKAS
certified bodies for ISMSs)?
• How will you demonstrate compliance with the DPA in a cloud
service operating as a Data Processor?
• How will you assist the consumer with accounting and audit and
forensic readiness?
26. Advice that G-Cloud can provide
• Pan-government Accreditation
– G-Cloud IA Guidance
– PSN RMARD
– HMG IA Policy & Guidance, HMG IA Standards
• Access to Reference Material
– Good Practice Guides: please approach
CESG Enquiries in the first instance
• Design Review
– Triggered by HMG PGA accreditor if necessary to agree scope
after submission to G-Cloud and allocation to PGA.
• National Security Vetting
– Only possible in exceptional circumstances where a supplier
does not have sponsorship from another government authority
and is already providing G-Cloud services to government.
27. Where & when to find out more
• All guidance and templates available on the G-Cloud website
accreditation page
• G-Cloud IA Guidance covers:-
– Governance structures
– Assurance and accreditation approach, re-accreditation triggers
– Data Protection Act and Offshoring (outside of UK and EEA)
– Distribution of IA evidence, NDAs
– Specific Guidance on BIL 2-2-x and 3-3-x services
– Accreditation scoping template
– Data Protection Act (DPA) Checklist for Suppliers
• To be updated this summer
What have we done? Creating a marketplace
• We’ve made it a lot easier for buyers: no long procurement, no negotiations
• Simplifying how we buy and deliver services
• Encouraging innovation – access to a wider choice
• Encouraging the shift from custom to commodity
• Changing the culture across the Public Sector
• Framework iterations – G-iii awards, G-iv this summer
• New CloudStore
• Sales total invoiced over £11m
• 59 accredited services
http://gcloud.civilservice.gov.uk
Essential characteristics of cloud computing:
• On-demand self-service. A consumer can unilaterally provision a capability
• Broad network access. Capabilities are available over the network
• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model
• Rapid elasticity. Capabilities can be rapidly and elastically provisioned
• Measured Service. Cloud systems automatically control and optimize resource use
Service models – what the consumer does and does not control:
• Software as a Service (SaaS)
– Control: Not much!
– Not control: Underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities
• Platform as a Service (PaaS)
– Control: Deployed applications and possibly application hosting environment configurations
– Not control: Underlying cloud infrastructure including network, servers, operating systems, or storage
• Infrastructure as a Service (IaaS)
– Control: Operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)
– Not control: Underlying cloud infrastructure
Any questions?
• What are the barriers for you?
• Who do we/you need to talk to in your organisation?
• What processes do you need to influence/tweak/develop to allow you to procure through the G-Cloud effectively?
• What channels/networks should we be exploring and taking advantage of to get the message out there?