https://digitalmarketplace.blog.gov.uk/2014/06/09/the-g-cloud-security-approach/

The G-Cloud Security Approach

In April, the Government Security Classification scheme changed. The updated OFFICIAL, SECRET and TOP SECRET classifications provide an opportunity to make the security assurance process for G-Cloud services simpler.

Impact Levels are no longer used to describe the security properties and accreditation of different services. Instead, in the OFFICIAL tier, we will be adopting the Cloud Security Principles. Buyers should choose a service that meets their requirements and then decide whether a higher level of security assurance is needed.

Assure, Choose, Reuse

Assure

Suppliers will complete a number of pre-defined security statements asserting how their services meet the Cloud Security Principles.

Choose

Buyers will have greater awareness of the security detail of the services in the Digital Marketplace.

Reuse

Suppliers can reuse existing security assurance evidence, supplement it with additional or different supporting evidence, and update it as new evidence becomes available. The intention is that buyers can also reuse the risk management work of other buyers, reducing time and effort.

The Process

The new process will make it clearer, simpler and faster to find a service on the Digital Marketplace that meets a buyer's requirements. It will also reduce time and cost for suppliers and put the emphasis on finding a service that suits the buyer's needs.

  • Suppliers will assert how they meet the Cloud Security Principles by selecting a predefined answer to each of a set of questions mapped to the Principles.
  • Suppliers will then be required to provide evidence and documentation to support their assertions.
  • These self-assertion statements will form part of the supplier's service entry on the Digital Marketplace.
  • Buyers will be able to assess and compare services against their specific requirements.
  • Suppliers will be able to update the assertion statements continuously, ensuring that buyers have the latest information.

13 comments

  1. Richard Ellis

    Hi
    Does a supplier still need to submit an RMADS for OFFICIAL as used to be the case for IL2? If not, is there a template for the security statements? Is the RMADS 1.3 document still valid?

    Thanks

    • Raphaelle Heaf

      The new security approach does not require an RMADS.

      IaaS, PaaS and SaaS Suppliers will need to complete the security statements as part of the G6 application process. G5 Suppliers will have the option to update their CloudStore entries with the Security Statements.

      Suppliers might want to construct an RMADS in relation to the service, which can then be used as part of the supporting evidence for the security statements.

  2. Richard Ellis

    Are the predefined answers mentioned above available anywhere?

  3. Alex

    How will this new approach incorporate PGA accreditation and the different G-Cloud services defined in Government Security Classifications, FAQ Sheet 2: Managing Information Risk at OFFICIAL (v2.0 March 2014 - the most recent at the time of posting):
    - Unassured Cloud Services;
    - Assured Public Cloud;
    - Accredited Public Cloud.

    In the current framework there is a benefit to consuming departments being able to select a service which has had the bulk of the IA work done prior to procurement (though obviously there is still some thought necessary with respect to residual risks).

    A combination of PGA accreditation, residual risk statement and Cloud Security Principles compliance statement(s) would provide a sound basis for departmental risk owners to make informed decisions about the suitability, or otherwise, of G-Cloud services.

    • Raphaelle Heaf

      The new G-Cloud Security Approach is referenced in the last paragraph of the section on G-Cloud in the document Government Security Classifications (https://www.gov.uk/government/publications/government-security-classifications), FAQ Sheet 2: Managing Information Risk at OFFICIAL (v2.0 March 2014). It states that "Future iterations of the G-Cloud Framework will ask suppliers to present the security of their service in a far clearer and more meaningful way. The basis of this approach can be found in the 14 Principles of Cloud Security and organisations are advised to start using these principles when selecting cloud services."

      Though the new G-Cloud Security Approach does not use impact levels nor the Cloud Services levels described in the document, a comparison can be drawn between the Cloud Security Levels described and the new Security Approach:
      Unassured Cloud Services - Supplier Assertions without supporting evidence;
      Assured Cloud Services - Supplier Assertions with Independent Validation;
      Accredited Cloud Services - Supplier Assertions with supporting Accreditation*.

      *Where a Government organisation has carried out an Accreditation of the service, a Supplier can reuse the Accreditation as supporting evidence of their Assertions.

      The Supplier Security Assertions will be visible to buyers on the store and will be used as part of the procurement process.

  4. Ronald Tse

    Hi Raphaelle,

    In the latest PGA application form (https://digitalmarketplace.blog.gov.uk/2014/04/11/updated-g-cloud-service-accreditation-scope-template/), which was updated in April (before this post), there is still a requirement for RMADS.

    A couple of questions:
    1. Will the new approach no longer require an RMADS for "Accredited Cloud Services"?
    2. Will this approach only work with G-Cloud 6, or could it be applied to current services on G-Cloud 5?

    Thanks!

    • Raphaelle Heaf

      The new approach will not require an RMADS. Suppliers will complete security statements as a self-assertion and provide supporting evidence.

      The approach will be rolled out with G-Cloud 6 but will also be made available to suppliers with services currently available on the store in time.

      • Ronald Tse

        Raphaelle, thank you for clarifying, and hope you don't mind the additional questions below!

        1. So there will be a "new" assurance/accreditation application process? Around when would it be available?

        2. Will the IA document from 2012 ("G-Cloud Services IA Requirements and Guidance"), which mentions IL2/3, change to reflect this approach? Or will it no longer be relevant being superseded by the new "Implementing the Cloud Security Principles"?

        3. You mentioned that "Assured Cloud Services" means "Supplier Assertions with Independent Validation". According to "Implementing the Cloud Security Principles", "Independent validation of assertions" really means "A certificate of compliance with a recognised standard is presented by the service provider. Additionally, the scope of certification and implementation of controls are also reviewed by a suitably qualified individual". Suppose a service is ISO 27001:2013 certified with a suitable scope and applies for the "Assured" level. What would the process be for achieving it?

        Thanks!

        • Raphaelle Heaf

          Apologies for the delay.
          In answer to your queries.

          1. Yes. There is a new G-Cloud Security Approach. Guidance for comment will be posted shortly.

          2. The document "G-Cloud Services IA Requirements and Guidance" is no longer valid, and replacement guidance will be issued shortly.

          3. For a cloud service to be considered "Assured", the supplier's assertions must be independently validated. In the Cloud Security Principles guidance "Implementing the Cloud Security Principles", "Independent validation of assertions" is actually defined as: "An independent third party has reviewed and confirmed the service provider's assertions. The third party certifies that the service meets the objectives associated with the given principle.". The guidance goes on to give further details for varying grades of "Independent validation of assertions".

          Under the new G-Cloud Security Approach, a supplier can use a suitably scoped ISO27001:2013 certification as independently validated supporting evidence that the supplier's assertions for a number of Cloud Security Principles objectives are true.

          It is unlikely that the ISO27001:2013 certification would be sufficient to support all the assertions, and a combination of evidence would be required.

          • Ronald Tse

            Hi Raphaelle,

            Thank you for the clarifications.

            Question 1.
            From my understanding of the ICSP document, it is possible to obtain independent validation on the principles not covered by ISO 27001:2013. However, what criteria are there for the "independent party" that performs the "independent validation"? For example, the previous "IA Requirements" required an ISO 27001 certification accredited by UKAS.

            Specifically, under principle 6 (personnel security), the only two options are "SC clearance" and "BS7858:2012".
            * "SC clearance" seems to require sponsorship from a government department, therefore if the organisation doesn't have an existing government contract it is not possible to go this route? Or could G-Cloud be a sponsor?
            * "BS7858:2012" is a standard that applies to the vetting process, meaning that service providers provide a screening service that complies with BS7858:2012. The question is, which vendor's BS7858 service will G-Cloud accept? What if the BS7858 process was performed by the in-house HR department?

            Question 2.
            You mentioned that "[most likely] a combination of evidence would be required" for the "Assured" level:
            * is such "evidence" supposed to cover only the above-mentioned principles that are not covered by ISO 27001:2013?
            * who determines what evidence is necessary? The applicant CSP?
            * who will review such evidence? What will happen if the reviewer deems the evidence not satisfactory/enough?

            Question 3.
            About the "Accredited" level. This post mentions that G-Cloud will not accept PGA accreditation requests anymore (https://digitalmarketplace.blog.gov.uk/2014/07/21/security-update-from-g-cloud/). However, it is stated that "Where a Government organisation has carried out an Accreditation of the service[...]".

            * who are the "Government organisations" eligible to carry out Accreditation of a service?
            * how can a cloud service provider request Accreditation under the new scheme?

            Thanks again and hope you don't mind the additional questions!
