Guest post from Tony Richards, Head of Security and Accreditation for G-Cloud.
From 2nd April 2014, the UK government is changing the way that it classifies and protects its information. There will be a simplified approach going forward, with just three levels of security classification: OFFICIAL, SECRET and TOP SECRET. The new policy, controls framework and related guidance have already been published here.
Security classifications indicate the sensitivity of information and the need to defend against a broad range of threats to it. Each classification will attract a range of security controls appropriate for managing the information risks involved. There is no direct mapping from the old government protective marking scheme (GMPS) to the new classifications.
What is OFFICIAL?
The public sector holds a very wide range of information and delivers many different services, but many of the risks to that information are broadly similar. The majority of information related to public sector business, operations and services can be managed as OFFICIAL, including most policy development, service delivery, contracts, statistics and administrative data.
In general terms, information assets that were previously classified up to and including RESTRICTED should be managed at OFFICIAL; where some information was over-marked at CONFIDENTIAL, it may be appropriate to manage that as OFFICIAL too.
OFFICIAL Cloud
How does this affect G-Cloud and the CloudStore? The G-Cloud 5 Framework (G5), which opened for submission on the 25th February 2014, still refers to the older system (e.g. IL2 and IL3). This will be a transition period while we develop a new approach that is better aligned to OFFICIAL and clearer about our expectations of cloud services.
When the new classifications go live, buyers will be looking for services that can be used with OFFICIAL data, not for Impact Level 2 or 3. We will be advising Government buyers to think carefully about their security requirements and to use the Classification Policy Controls Framework and the Cloud Security Principles as the basis for their decision-making.
What is happening to Business Impact Levels (BILs)?
BILs were originally conceived as a means of normalising and articulating the output of an impact assessment in the course of an overall technical risk assessment. However BILs have been widely misused beyond their intended purpose, which has led to negative outcomes.
There is no longer any mandatory or policy requirement for the use of BILs. A security professional may still refer to the BIL tables in IS1&2 in the course of a comprehensive technical risk assessment, but BILs should never be used as a label for accreditation or level of security, or as a proxy for specifying contractual security requirements.
We’ll be writing further posts to help with this transition, what it means for you, and what the new process for getting an OFFICIAL status will be in the run up to G-Cloud 6.
12 comments
Comment by Pete posted on
What is the impact on Pan Government Accreditation for G-Cloud services?
Comment by amandafoley posted on
Any current PGA Accreditation at IL2 or IL3 will be suitable for OFFICIAL. Current PGA Accreditations sponsored by G-Cloud will be valid for the duration of the associated G-Cloud Framework that they were purchased under.
Comment by Pete posted on
Thanks, I should have been clearer - what is the impact for future PGA activities, i.e. what will replace the current IL levels for services on G-Cloud? Will there now be a PGA for OFFICIAL - if so, then what is the process and how does it map to the current IL2/3 requirements?
Comment by Raphaelle Heaf posted on
There is a whole piece of work ongoing around the process for suppliers. There will be 4 different mechanisms for assuring G-Cloud services, including PGA OFFICIAL. These changes will be taking place with G-Cloud 6. Until then the PGA process will continue, but with IL2 and IL3 non-PSN-connected services being PGA Accredited to OFFICIAL, and IL3 PSN-connected services being PGA Accredited by the PSNA.
Comment by Mark Reynolds posted on
That's useful. What about new accreditations? Will pan government accreditors move to a risk-based approach or remain enforcing BILs?
Comment by Raphaelle Heaf posted on
We've written a new blog post, talking a bit more about the process and the approach, here: https://digitalmarketplace.blog.gov.uk/2014/06/09/the-g-cloud-security-approach/
Comment by Peter O'Sullivan posted on
Hello,
I understand that not all public services will be changing on April 2nd. The police, for example. Until all have changed over, it may be worth running with both for a while.
Just a thought.
Comment by M posted on
Please post some rationale/further explanation around the terms 'Assured' and 'Accredited'.
Is 'Accredited' the new IL3 PGA equivalent? With 'Assured' being the new PGA IL2 term?
If IL2 and IL3 are now Official, what becomes of the PSN IL3 overlay, which is now deprecated before it's fully launched? If not, then that means PSN is retaining a standard that its own consumers are being guided away from. It would also infer that if an overlay is required then 'Restricted' as a classification still has relevance, and as such Official is more akin to Protect, thus not being robust enough for data previously classed as Restricted? Is there a risk that oversimplifying the difference between Restricted and Protected could mean data that would previously have been considered Restricted may be either excessively classified upward or downward, as the middle ground has been removed? Law enforcement are a good example of a group that don't immediately fit into Official but certainly don't fit into Secret for the bulk of their data. Please do clarify the plans and where PGA IL3 suppliers fit into this?
Comment by Raphaelle Heaf posted on
Thank you for your comment.
We will be posting further blogs to help explain the new security classifications, how they affect G-Cloud and the process for suppliers going forward.
'Accredited' simply refers to a supplier who is now approved to a certain security level and does not replace or affect the Impact Levels or classifications.
The PSN encrypted overlay allows an organisation to provide additional security above the PSN standard, where the organisation feels that it is needed.
Comment by Andy posted on
What happens to the existing data? For example, can data that currently exists and is classified as Restricted (IL3) now be stored in a cloud service that is Official (IL2)? If not, would this be acceptable if there were additional security controls over and above the standard IL2 service?
Comment by Raphaelle Heaf posted on
Hi Andy,
Information on how to use the new Government Security Classifications for both new and legacy information is available here:
https://www.gov.uk/government/publications/government-security-classifications
Current G-Cloud services with PGA Accreditations at IL2 are acceptable for processing or storing OFFICIAL information, where the Information Asset Owner accepts that the controls and residual risks are sufficient.