We want to share the new security approach process and draft questions that suppliers will need to answer prior to submissions for G-Cloud 6 opening. As this is still an alpha, we welcome your comments and feedback as we continue to make improvements.
Assure, Choose, Reuse
The change to the new Government Security Classification scheme provides an opportunity to refine the security assurance process for G-Cloud services. It’s no longer appropriate to use ‘Impact Levels’ to describe the security properties and assurance of different services. Instead we’ll be adopting the Cloud Security Principles as a fundamental part of G-Cloud security assurance to help buyers make pragmatic decisions based on relevant, transparent and available information.
Due to the increasing number of services and suppliers entering onto the G-Cloud frameworks, and the future inclusion of other digital frameworks under the Digital Marketplace, it’s become unsustainable to process all the submitted services through Pan Government Accreditation.
Responsibility for understanding their own security requirements (and therefore which Cloud Security Principles apply) will lie with the buyers. By providing a framework that clearly presents the security attributes of services, and adopting a mantra of Assure, Choose, Reuse, we’ll enable increased choice and market availability.
Suppliers will complete statements asserting how their services meet the Cloud Security Principles. These statements will be used as part of the G-Cloud service description on Digital Marketplace. A number of approaches can be used by suppliers to support the assertions and provide buyers with confidence. To enforce a consistent approach in completing the statements, a range of predefined assertions has been given. An additional menu provides suppliers with a predefined list of supporting approaches.
Buyers will have greater awareness of the security detail of the services in Digital Marketplace. This will improve service comparison and enable pragmatic choice.
Suppliers can use existing supporting security assurance evidence, while using additional approaches when new evidence is available. Suppliers will be able to develop an up-to-date portfolio of supporting evidence over the lifetime of the service. Buyers can use the security assurance evidence, according to their business-driven appetite for risk, as part of their own Accreditation and Risk Management process. It’s the intention that qualified risk managers within buying organisations can reuse the risk management work of other buyers to reduce time and effort.
- When a supplier is accepted onto a G-Cloud framework, they’ll be given secure access to their service descriptions on Digital Marketplace
- For each service, the supplier will need to complete all the security questions. To do this, they must select the relevant predefined assertion
- Suppliers must select the appropriate supporting approach to each assertion. The supporting approach must reflect the mechanism and evidence the supplier will use
- Suppliers will be able to update their service description security assertions at any time during the lifespan of the related G-Cloud Framework. Any changes to the security of the service must be reflected in the assertions immediately
Pre-defined assertion answers
To ensure a common level of quality across suppliers and to allow search result filtering on the Digital Marketplace, consistent and relevant assertion statements are required. The supplier assertion statements have predefined answers which are in the form of either yes/no or a short menu of predefined assertion statements.
As with the commercial quality checks that are part of the G-Cloud Framework on-boarding process, a number of random sample checks will be conducted on supplier assertion statements and the corresponding supporting approaches.
For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process. Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework. Any buyers who are consuming the service will be alerted to the breach, and will be advised to move to a new supplier or accept the risk.
Suppliers already on the G4 and G5 Frameworks, though not mandated to provide assertions, will have the opportunity to add supplier assertions to their existing service descriptions.