We recently blogged about our plans to do a discovery for G-Cloud 9 (G9). Although this piece of work hasn’t started just yet, we’re already thinking about what we need to find out. One of the things we’ll be speaking to buyers and suppliers about is the security around G-Cloud services. To help us do that, an information assurance specialist from CESG, the government's technical authority for assurance, has joined the Digital Marketplace team.
Asking the experts
We recently ran a workshop at the Cyber UK in Practice conference, an event aimed at cyber security and technology professionals. We wanted to use the opportunity to ask the cyber security community:
- what would make buying secure government cloud technology easier
- what security questions should a public sector buyer ask when buying cloud technology
- what problems they have when they buy and sell cloud technology in the public sector
When we’d gathered feedback, we grouped it into 3 main areas.
There’s a lack of understanding between public sector buyers and cloud technology suppliers. We learnt:
- buyers don’t understand how to clearly communicate the security details they need
- suppliers’ technical teams don’t understand the procurement language that buyers often use
Guidance on security
Both buyers and suppliers would like more guidance on security and risk. We learnt:
- suppliers would find it helpful to know about a buyer’s security requirements, how risk averse they are and any specific technical blockers earlier on in the buying process
- buyers want to know how to understand and assess suppliers’ security assertions
Security in the Digital Marketplace
Buyers and suppliers made suggestions about how the Digital Marketplace can better support them. They said:
- it would be useful to hear other buyer and supplier security experiences
- suppliers wanted to be able to provide more details about the security of their services
- buyers wanted tools to help make their decision easier, eg for Digital Outcomes and Specialists, buyers can use templates to help them evaluate and score suppliers
The G-Cloud 9 discovery
We’re reviewing the public sector’s cloud and technology needs and part of this is around security. The discovery will tell us if, and how, the user need has changed and whether the services that government needs still fit into the 4 categories we have in the current G-Cloud iteration. Our CESG information assurance specialist will help us with the security part of the G9 discovery.
The NCSC would like your feedback
Also at the Cyber UK in Practice conference, government launched a prospectus for the National Cyber Security Centre (NCSC), which outlines the NCSC’s scope and focus.
The team behind the NCSC are keen to work with people in the industry from the start, so they’d like your feedback. You can read the prospectus and send your comments to firstname.lastname@example.org in time for the centre’s launch in autumn.