Government seeks to strengthen security requirements for G-Cloud suppliers

Out-Law News | 10 Sep 2014 | 2:17 pm | 2 min. read

Under new UK government proposals, IT suppliers will need to demonstrate how they adhere to a range of cloud security principles, as part of measures designed to make it easier for G-Cloud buyers to assess whether suppliers' security commitments correspond to their own needs.

The Government Digital Service (GDS) has announced an overhaul of the "security assurance process for G-Cloud services" in light of changes to the government security classification scheme. The new scheme means government data is now classified as being either 'official', 'secret' or 'top secret' depending on its sensitivity.

Under the new process, G-Cloud suppliers will need to provide statements that correspond to "predefined assertions" drafted by the GDS that relate to their adherence to the cloud security principles. The principles address issues such as the protection of data in transit, information governance and the security offered within businesses' supply chains.

Suppliers' statements, together with further details of the "mechanism and evidence" they will use to support the assertions they commit to, will be displayed alongside details of the suppliers' goods and services on the 'Digital Marketplace', the new online platform that government buyers and other public sector users can use to buy cloud-based IT products and services.

The GDS said it would be the responsibility of G-Cloud buyers to determine whether the security measures suppliers offer are appropriate for them when selecting which IT supplier to contract with.

"We’ll be adopting the cloud security principles as a fundamental part of G-Cloud security assurance to help buyers make pragmatic decisions based on relevant, transparent and available information," the GDS said in a blog. "Responsibility to understand their own security requirements (and therefore which cloud security principles apply) will lie with the buyers."

"Suppliers can use existing supporting security assurance evidence, while using additional approaches when new evidence is available," the GDS said. "Suppliers will be able to develop an up-to-date portfolio of supporting evidence over the lifetime of the service. Buyers can use the security assurance evidence, according to their business-driven appetite for risk, as part of their own accreditation and risk management process. It’s the intention that qualified risk managers within buying organisations can reuse the risk management work of other buyers to reduce time and effort."

"Random sample checks" will be carried out on the statements suppliers make and their "corresponding supporting approaches" to ensure accuracy. Suppliers found to be "maliciously in breach of their assertions" could lose any existing contracts with government buyers and their G-Cloud listing, the GDS said.

The GDS intends to implement the changed process in time for the introduction of the sixth G-Cloud framework (G-Cloud 6) and for future frameworks under the G-Cloud programme. It is seeking feedback on its proposals.

The G-Cloud programme allows public sector bodies to gain access to cloud-based IT services offered by a selected list of pre-approved suppliers during a set period. The fifth version of the framework, which went live in May, includes 1,132 suppliers offering more than 17,000 services. The government has said that the availability of "off the shelf" IT solutions through the G-Cloud programme will allow public sector bodies to "use what they need when they need it" and avoid duplication of services that cannot be shared. The Cabinet Office has claimed that purchasing services through the G-Cloud could cost departments 50% of what it would cost on the open market.

Central government departments are now subject to a 'cloud first' policy that requires them to consider cloud-based IT solutions before other options.