This presentation is a short guide to G-Cloud pan-government accreditation processes. More information on G-Cloud and HMG pan-government Accreditation is available on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/
5. GDS Mark Smitham
Consider the Information Assurance requirements of your service and the information that it holds.
6. Business Impact Level profiles include Confidentiality, Integrity, Availability, e.g. 1-1-x / 2-2-x, 3-3-x and above.
7. G-Cloud services can be consumed by nearly 30,000 government authorities. Pan-Government Accreditation (PGA) aims to reduce the number of times a service needs to be accredited.
8. Accreditation should not be a blocker to consumers procuring a service. Any service procured without Pan-Government Accreditation is purchased at risk to the consumer.
11. Consider the boundary of your service, what it relies upon and what else should be analysed to assess its security.
12. HMG Information Assurance Standards are underpinned by industry best practice, i.e. suitably scoped ISO27001 certification recognised by UKAS.
13. Consider the baseline set of controls that secure your service, including Physical, Personnel, Procedural, and Technical. Search for “CESG IA Policy & Guidance” and go to HMG IA Standards.
14. Cabinet Office guidance for offshoring currently states that services at IL3 and above must not be provided, supported, or managed from outside the UK mainland without explicit consent from OGSIRO.
15. Make sure your service is in a mature design state, ready for any security testing to be carried out.
18. The employment checks you do on your staff should meet the Baseline Personnel Security Standard. Search for “BPSS” or “Security Policy Framework” on gov.uk.
19. Re-use evidence that is suitably scoped and of the necessary quality.
20. Ask G-Cloud to help you with Pan-Government Accreditation, access to reference material, Design Review, and National Security Vetting.
21. Find out more online: gcloud.civilservice.gov.uk/supplier-zone/accreditation, @G_Cloud_UK, @gdsteam
Tuesday 16 July 2013 #AccreditCamp Royal College of Surgeons, 35-43 Lincoln’s Inn Fields, LONDON WC2A 3PE
If you are participating remotely, please mute your line so everyone can hear the presentation. You can submit questions in two ways throughout the presentation:
1. through Twitter @G_Cloud_UK using the hashtag #accreditcamp, or
2. as a comment on the SlideShare page for the presentation.

UK Government takes Information Security seriously. There are a number of boards governing cyber security policy across government, and the Office of the Government Senior Information Risk Owner (OGSIRO) has been established.

Agenda:
- Open: introductions, agenda
- Update
- What is accreditation for?
- Why pan-government accreditation?
- Process
- Scenarios
- Where and when to find out more
- Close: questions, contact details
G-Cloud update: what have we done over the last 18 months since February 2012?

Creating a marketplace. We’ve made it a lot easier for buyers: no long procurement, no negotiations.
- Simplifying how we buy and deliver services
- Encouraging innovation: access to a wider choice
- Encouraging the shift from custom to commodity
- Changing the culture across the Public Sector

We’ve made it easier for suppliers too. £25m is less than 1% of government spend (£44.5bn). We have seen savings of between 60-90% on that spend. We can only let for the best VfM, not just because they are SMEs. Our challenge is to find SMEs who offer better value. The Government supports SMEs because they are seen as key to economic recovery; the PM chairs the Enterprise Committee. Most significant spend by department is with MOD (£20bn) and MOJ (£5bn).
Three frameworks so far:
- G-i: February 2012
- G-ii: October 2012
- G-iii: April 2013

Commoditised services organised across 4 lots:
- IaaS: infrastructure
- PaaS: platform
- SaaS: software
- SCS: specialist cloud services

Essential characteristics of cloud services:
- On-demand self-service. A consumer can unilaterally provision a capability.
- Broad network access. Capabilities are available over the network.
- Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model.
- Rapid elasticity. Capabilities can be rapidly and elastically provisioned.
- Measured service. Cloud systems automatically control and optimize resource use.

G-Cloud framework features:
- Launch OJEU 3 months before Commencement
- Call-off contracts between supplier and individual government authorities
- Framework value limits
- Call-off duration, when consumers must go back to market

G-Cloud is currently under review and future frameworks beyond G-iv are under consideration. The G-Cloud frameworks are separate from the Digital Framework that is now open for applications. More information about that framework is available on the GDS blog.
What is Accreditation for? Government must make sure the information systems we use will protect the information they handle, and function as and when they need to. Accreditation is the formal assessment of the system against its information assurance requirements.

Do you need Accreditation? Security accreditation is required for services which will hold information assessed at Business Impact Level profiles 1-1-x / 2-2-x, 3-3-x and above (often described as IL1, IL2 and IL3). IL0 services and most Lot 4 services do not need accreditation. Those Lot 4 services that may benefit from accreditation are those that include infrastructure, platform, or software features that have simply not conformed to the definitions of the other Lots.

What the consumer controls in each service model:
- Software as a Service (SaaS). Controls: not much! Does not control: underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities.
- Platform as a Service (PaaS). Controls: deployed applications and possibly application hosting environment configurations. Does not control: underlying cloud infrastructure including network, servers, operating systems, or storage.
- Infrastructure as a Service (IaaS). Controls: operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). Does not control: underlying cloud infrastructure.
The Availability in these examples is denoted as x. The G-Cloud frameworks do not mandate service levels and it is up to the supplier to specify the availability of their offering. Business Impact Level profiles are sometimes condensed for brevity into a single number, i.e. IL3 for an offering with a BIL profile of 3-3-x
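The BIL notation above is simple enough to validate mechanically before a scoping template is filled in. The following is an added example, not code from the presentation or from GDS: it normalises profile strings in the forms the slides use (“2-2-x”, the condensed “IL3”, and an unhyphenated “33x” as it appears in scraped copies of this text), then maps each to the accreditation route the notes describe (none for IL0, ISO/IEC 27001-based for 1-1-x and 2-2-x, HMG IA Standards for 3-3-x and above) and lists what the supplier still has to settle. The route labels, the `BILProfile` class and the assumption that a condensed level is the higher of confidentiality and integrity are this example's own; the slides only show profiles where the two match.

```python
"""Normalise G-Cloud Business Impact Level (BIL) profile notation.

Added example, not part of the presentation. It encodes the rules the
slides state: a profile is written Confidentiality-Integrity-Availability
(e.g. "2-2-x"), 'x' means the supplier has not yet defined availability,
and the condensed form "IL3" stands for a 3-3-x profile. Route names
("none", "iso27001", "hmg-ia") are labels chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Full profile with optional hyphens; availability may be the placeholder 'x'.
FULL_RE = re.compile(r"^\s*([0-6])\s*-?\s*([0-6])\s*-?\s*([0-6]|x)\s*$", re.IGNORECASE)
# Condensed form such as 'IL3' (the notes: "IL3 for an offering with a BIL profile of 3-3-x").
CONDENSED_RE = re.compile(r"^\s*IL\s*([0-6])\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class BILProfile:
    confidentiality: int
    integrity: int
    availability: Optional[int]  # None when written as 'x'

    @property
    def level(self) -> int:
        """Condensed IL number. Assumption: the higher of C and I (slides only show C == I)."""
        return max(self.confidentiality, self.integrity)

    def __str__(self) -> str:
        avail = "x" if self.availability is None else str(self.availability)
        return f"{self.confidentiality}-{self.integrity}-{avail}"


def parse_profile(text: str) -> BILProfile:
    """Accept '2-2-x', '2-2-3', the unhyphenated '33x', or condensed 'IL3'."""
    m = FULL_RE.match(text)
    if m:
        c, i, a = m.groups()
        avail = None if a.lower() == "x" else int(a)
        return BILProfile(int(c), int(i), avail)
    m = CONDENSED_RE.match(text)
    if m:
        n = int(m.group(1))
        return BILProfile(n, n, None)
    raise ValueError(f"unrecognised BIL profile: {text!r}")


def accreditation_route(profile: BILProfile) -> str:
    """Map a profile to the accreditation route the speaker notes describe."""
    if profile.level == 0:
        return "none"       # IL0 services do not need accreditation
    if profile.level <= 2:
        return "iso27001"   # 1-1-x / 2-2-x: suitably scoped ISO/IEC 27001 certification
    return "hmg-ia"         # 3-3-x and above: HMG IA Standards, PSN delivery, UK location


def readiness_notes(profile: BILProfile) -> List[str]:
    """Points a supplier must settle before submitting a scoping statement."""
    notes = []
    if profile.availability is None:
        notes.append("availability 'x' must be defined by the supplier")
    if profile.level >= 3:
        notes.append("offshoring at IL3 and above requires explicit OGSIRO consent")
        notes.append("SC vetting for administrators with access to RESTRICTED material")
    return notes


if __name__ == "__main__":
    # Constructed sample inputs covering the notations seen on this page.
    for raw in ["1-1-x", "2-2-x", "33x", "IL3", "0-0-x"]:
        p = parse_profile(raw)
        print(f"{raw:>6} -> {p} (IL{p.level}) route={accreditation_route(p)} {readiness_notes(p)}")
```

The parser is deliberately strict about digits (0 to 6) and rejects anything else with a `ValueError`, so a mistyped profile in a scoping statement fails at intake rather than being silently treated as a lower level.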
Central accreditation results in a service which can be procured by multiple consumers. We want to do it once, get it right first time, and share the benefits across government from an overall perspective. For suppliers this will mean a reduced time to market and lower cost of accreditation if multiple customers buy the service. G-Cloud SIRO and PSN SIRO authorise the work of the Public Sector Assurance & Accreditation Board (PSAAB) and Pan Government Accreditors (PGAs). Different consumers may have different appetites for risk and different threat models. PGA aims to complete 80% of the necessary work for an accreditation.
A supplier can sell an unaccredited service, but not to all customers for all requirements. The consuming department still owns the information risk, but can rely on the work of trusted IA teams (minimising re-work on accreditation). The IA team in the consuming public sector organisation may request that the G-Cloud team send them the Risk Management Accreditation Document Set (RMADS) and Residual Risk Statement (RRS) for a service. A supplier should make any remaining documentation available to consumers directly if necessary.
There are 10 steps to the process in 2 main phases. First, the top row is the Scoping phase; second, the bottom row is the Accreditation & Review phase.

Scoping phase:
1. Supplier submits their service
2. Iterate as required to achieve necessary quality
3. Initial Assessment
4. Prioritise for Verification
5. PGA assess scope
6. Scope approved

Accreditation & Review phase:
7. Supplier prepares evidence set
8. Iterate as required to achieve necessary quality
9. PGA make recommendation to the board
10. Review by the board and Authority

There is a clear need for suppliers to provide good quality Scoping Statements and evidence in order to facilitate the process and minimise the need for iteration or amendments.
NHS trust fined £200k; Sony fined £250k.

To initiate accreditation, suppliers must complete a scoping template for each service requiring accreditation. You should also complete, if relevant, our Data Protection Act (DPA) checklist. The DPA checklist for suppliers covers, e.g.:
- guarantees that staff are trained or vetted, wherever they are based
- facilities for rectification, blocking, erasure, destruction
- guarantees about location of personal data
- ensuring high data protection standards even if data is in a country with weak or no data protection law

These can be submitted for programme deadlines at 6pm on the second Wednesday of each month; next on 8 May 2013. All services with templates completed to the necessary quality will be put into a pool ready for submission to the Pan Government Accreditation service at CESG. We will look to prioritise submissions to the PGAs from this pool based on a number of factors, including demand from central HMG departments.
Once your service has been submitted to the Pan Government Accreditation service you will work with an assigned PGA to agree the scope of your accreditation. Once this is agreed, a version of your scoping template with a list of required evidence will be signed off by supplier and accreditor. Scope is essential for an accreditor to articulate what parts of a service should be tested.
Accreditation of BIL 2-2-x services is centred on a suitably scoped ISO/IEC 27001 certified service:
- Scope agreed with the PGA
- Scope must be unambiguous and include all elements of the service, e.g. onward supply chain and follow-the-moon and follow-the-sun operations
- Certification through bodies recognised by UKAS, or agreed to be equivalent to UKAS (see note on EA MLA)
- Expected to follow sound commercial security practice
- ‘x’ for availability must be defined by the Supplier

EA MLA: note on UKAS-equivalent bodies for ISO27001, available on our blog http://gcloud.civilservice.gov.uk/2012/05/29/revised-statement-on-the-use-of-isoiec-27001-certification-companies/
Accreditation of BIL 3-3-x services uses UK Government IA Standards and Guidance:
- Scope agreed with the PGA
- Detailed IA guidance already available for BIL3 services
- Expected to be delivered to the Public Sector through the PSN
- Implementation of technical controls at BIL 3-3-x will require a higher standard than those at BIL 2-2-x, including more robust compliance
- Specific guidance on geographical location; protection of communications and data in transit; data at rest, storage and object re-use; clearance and checking of staff; site inspections
- ‘x’ for availability must be defined by the Supplier

This will still be relevant should the policy on security Classifications be changed from Business Impact Levels in the future.
G-Cloud IA requirements use CIO Council paper on “offshoring and international sourcing” available on the Cabinet Office gov.uk website https://www.gov.uk/government/publications/government-ict-offshoring-international-sourcing-guidance This takes into consideration the jurisdiction and legislation under which the service would be governed outside the UK.
Formal assurance activity cannot take place until a service is in a mature design state representative of the final service.
Re-accreditation of services is required every 12 months or coinciding with rollover between frameworks. This will take into consideration any material changes to the service.

How long does pan-government accreditation take? The majority of time to fully complete accreditation is spent on:
- Agreeing scope
- Preparing evidence
- Scheduling testing
If you already have everything prepared then it should be a paper-based exercise that can be completed quickly. Time to provide the Evidence Set... make your preparations early!

What will it cost? The G-Cloud process is free; the costs incurred are to provide the evidence set and take any necessary remedial actions.
You will be required to gather and submit a set of evidence requested by the PGA. More information is available in G-Cloud IA Guidance and also at the end of the Scoping Statement document you will submit for your service to go through G-Cloud pan-government accreditation.
- Use a layered, modular approach to accreditation with maximum re-use of IA activities, e.g. suppliers can re-use FISMA evidence within ISO/IEC 27001 certification
- Use assured products where appropriate
- Monitor the on-going implementation of security controls
National Security Vetting to SC level should be completed for at least your system administrators with access to RESTRICTED material in the live environment of an IL3 service.
Re-use evidence that is suitably scoped and of the necessary quality.

RE-USE SCENARIOS
- A service with accreditation from a central HMG department and not pan-government yet: the existing scope and/or List X scope may be a good start for pan-government accreditation if it covers the scope and evidence set for PGA.
- A service with no previous accreditation or PSN connectivity that is now targeting IL3 pan-government accreditation: HMG strongly encourages PSN connectivity.
- A service with no previous accreditation that is now targeting IL2 pan-government accreditation: industry best practice underpinned by ISO27001 can be a good start, especially if the scope of certification covers the PGA scope too.

SCOPE SCENARIOS
- A G-Cloud SaaS offering on another supplier’s PaaS or IaaS service: the SaaS supplier would need to consider what reliance they’re placing on the PaaS/IaaS service, and then demonstrate that all information risks have been managed appropriately (including consideration of off-shoring).
- A SaaS supplier hosting their service with a supplier that has ISO 27001 certification for their data centre: the SaaS supplier will also need to have their own ISO 27001 certification. In the scope of their certification they can include the assurance they are getting from the IaaS provider.

CONSIDERATIONS
- Can you adequately scope your service (follow-the-sun, follow-the-moon services, location to country/legal framework)?
- What is the ‘Service’?
- Retain the principle of information risk ownership
- Do you need assured products and services?
- Think in layers and endpoints
- Be sure you are clear on the difference between the scope of each service
QUALITY SCENARIOS
- Lot 4 services requiring accreditation: the majority of Lot 4 Specialist Cloud Services do not require accreditation.
- Suppliers of IL3 services requiring National Security Vetting: supplier staff with access to sensitive material on an IL3 service must have completed the Baseline Personnel Security Standard (BPSS) as part of National Security Vetting (NSV).

CONSIDERATIONS
- What level of assurance can you provide in your service, including security products within the service?
- Who can you use to provide independent assurance (UKAS certified bodies for ISMSs)?
- How will you demonstrate compliance with the DPA in a cloud service operating as a Data Processor?
- How will you assist the consumer with accounting and audit and forensic readiness?

How G-Cloud can help:
- Pan-government Accreditation: G-Cloud IA Guidance; PSN RMARD; HMG IA Policy & Guidance, HMG IA Standards
- Access to Reference Material: Good Practice Guides; please approach CESG Enquiries in the first instance
- Design Review: triggered by the HMG PGA accreditor if necessary to agree scope after submission to G-Cloud and allocation to a PGA
- National Security Vetting: only possible in exceptional circumstances where a supplier does not have sponsorship from another government authority and is already providing G-Cloud services to government
G-Cloud IA Guidance covers:
- Governance structures
- Assurance and accreditation approach, re-accreditation triggers
- Data Protection Act and Offshoring (outside of UK and EEA)
- Distribution of IA evidence, NDAs
- Specific guidance on BIL 2-2-x and 3-3-x services
- Accreditation scoping template
- Data Protection Act (DPA) Checklist for Suppliers
Any questions?
- What are the barriers for you?
- Who do we/you need to talk to in your organisation?
- What processes do you need to influence/tweak/develop to allow you to procure through the G-Cloud effectively?
- What channels/networks should we be exploring and taking advantage of to get the message out there?