Government consults on new G-Cloud security regime

Written by Colin Marrs on 8 September 2014 in News

Digital suppliers which are found to have deliberately lied to councils about their security status would be disqualified from the G-Cloud framework, according to self-certification rules to replace pan-government accreditation.

The government has released a consultation on the new security approach, which will apply to the next – sixth - iteration of G-Cloud.

It said that suppliers would be required to answer a list of more than 50 questions on security procedures before being accepted onto the framework.

Tony Richards, head of security and accreditation for G-Cloud at the Government Digital Service, said: “For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process.

“Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework.”

Buyer beware - Mike Thomas from PSN on the proposed new security arrangements

It said that any buyers consuming the service would be alerted to the breach, and would be advised to move to a new supplier or accept the risk.

Andy Powell, head of product marketing at supplier Eduserv, said: “From a suppliers perspective, that is do-able – pretty tedious but definitely do-able. “Whether the 56 questions capture everything a buyer needs to know about the service, whether suppliers are capable of answering coherently (honestly?) and whether buyers understand how to interpret the answers is, of course, another matter.”

He added that some of the questions proposed are not usefully answered with yes or no answers, and that some definitions – such as “protective monitoring” are not sufficiently defined by the document.

Richards said that the process will also see random sample checks on supplier statements and the actual approaches taken.

The government proposals anticipate that buyers will reuse risk management work undertaken by other buyers to help the assurance process.

In addition, suppliers will be able to develop a portfolio of supporting evidence over the lifetime of the service.

The government has abandoned the previous pan government accreditation system, where each supplier underwent individual inspection, due to the increasing number of services and suppliers entering onto the G-Cloud framework.

Last week, the CloudEthernet forum said that the removal of pan government accreditation reduces certainty over security.

Share this page



Please login to post a comment or register for a free account.


Ghost Systems (not verified)

Submitted on 12 September, 2014 - 16:51
Bottom line is: If the Cloud provider is not able to offer an absolute solid contractual SLA guarantee that they won't be hacked, underwritten by an insurance company who will pay you compensation if they DO get hacked, then don't let them have any of your sensitive data. Vendors will tell you anything you want to hear, let the insurance underwiters decide.

Related Articles

Government does ‘not expect public-service disruption’ over UKCloud insolvency
28 October 2022

Public sector hosting provider has suspended itself from frameworks after being placed in compulsory liquidation

Government to study ‘key vulnerabilities’ of cloud sector and estimate national cost of outages
26 October 2022

Research will consider potential impact of system failure on the country’s finances and way of life

Tech giants paying ‘significantly more tax’ following HMRC digital services levy
1 December 2022

Tax agency raised £83m more than expected during 2021 fiscal year

MoD brings in Amazon to boost tech skills of Armed Forces leaders
30 November 2022

Ministry claims that MoU is a first-of-its-kind deal