Government consults on new G-Cloud security regime

Written by Colin Marrs on 8 September 2014 in News

Digital suppliers which are found to have deliberately lied to councils about their security status would be disqualified from the G-Cloud framework, according to self-certification rules to replace pan-government accreditation.

The government has released a consultation on the new security approach, which will apply to the next, sixth, iteration of G-Cloud.

It said that suppliers would be required to answer a list of more than 50 questions on security procedures before being accepted onto the framework.

Tony Richards, head of security and accreditation for G-Cloud at the Government Digital Service, said: “For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process.

“Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework.”

It said that any buyers consuming the service would be alerted to the breach, and would be advised to move to a new supplier or accept the risk.

Andy Powell, head of product marketing at supplier Eduserv, said: “From a supplier’s perspective, that is do-able – pretty tedious but definitely do-able.

“Whether the 56 questions capture everything a buyer needs to know about the service, whether suppliers are capable of answering coherently (honestly?) and whether buyers understand how to interpret the answers is, of course, another matter.”

He added that some of the proposed questions cannot usefully be answered with a yes or a no, and that some terms, such as “protective monitoring”, are not sufficiently defined by the document.

Richards said that the process will also see random sample checks on supplier statements and the actual approaches taken.

The government proposals anticipate that buyers will reuse risk management work undertaken by other buyers to help the assurance process.

In addition, suppliers will be able to develop a portfolio of supporting evidence over the lifetime of the service.

The government has abandoned the previous pan-government accreditation system, under which each supplier underwent individual inspection, because of the increasing number of services and suppliers joining the G-Cloud framework.

Last week, the CloudEthernet Forum said that the removal of pan-government accreditation reduces certainty over security.

Comments

Ghost Systems (not verified)

Submitted on 12 September, 2014 - 16:51
Bottom line is: If the Cloud provider is not able to offer an absolute solid contractual SLA guarantee that they won't be hacked, underwritten by an insurance company who will pay you compensation if they DO get hacked, then don't let them have any of your sensitive data. Vendors will tell you anything you want to hear, let the insurance underwriters decide.
