Digital suppliers that are found to have deliberately lied to councils about their security status would be disqualified from the G-Cloud framework, under self-certification rules that will replace pan-government accreditation.
The government has released a consultation on the new security approach, which will apply to the next – sixth – iteration of G-Cloud.
The consultation says that suppliers would be required to answer a list of more than 50 questions on their security procedures before being accepted onto the framework.
Tony Richards, head of security and accreditation for G-Cloud at the Government Digital Service, said: “For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process.
“Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework.”
It said that any buyers consuming the service would be alerted to the breach, and would be advised to move to a new supplier or accept the risk.
Andy Powell, head of product marketing at supplier Eduserv, said: “From a supplier's perspective, that is do-able – pretty tedious but definitely do-able. Whether the 56 questions capture everything a buyer needs to know about the service, whether suppliers are capable of answering coherently (honestly?) and whether buyers understand how to interpret the answers is, of course, another matter.”
He added that some of the proposed questions cannot be usefully answered with a yes or no, and that some terms – such as “protective monitoring” – are not sufficiently defined by the document.
Richards said that the process will also include random sample checks comparing supplier statements against the approaches actually taken.
The government proposals anticipate that buyers will reuse risk management work undertaken by other buyers to help the assurance process.
In addition, suppliers will be able to develop a portfolio of supporting evidence over the lifetime of the service.
The government has abandoned the previous pan-government accreditation system, under which each supplier underwent individual inspection, because of the increasing number of services and suppliers entering the G-Cloud framework.
Last week, the CloudEthernet forum said that the removal of pan-government accreditation reduces certainty over security.