Government consults on new G-Cloud security regime
Digital suppliers which are found to have deliberately lied to councils about their security status would be disqualified from the G-Cloud framework, according to self-certification rules to replace pan-government accreditation.
The government has released a consultation on the new security approach, which will apply to the next, sixth, iteration of G-Cloud.
It said that suppliers would be required to answer a list of more than 50 questions on security procedures before being accepted onto the framework.
Tony Richards, head of security and accreditation for G-Cloud at the Government Digital Service, said: “For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process.
“Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework.”
It said that any buyers consuming the service would be alerted to the breach, and would be advised to move to a new supplier or accept the risk.
Andy Powell, head of product marketing at supplier Eduserv, said: “From a supplier’s perspective, that is do-able – pretty tedious but definitely do-able.
“Whether the 56 questions capture everything a buyer needs to know about the service, whether suppliers are capable of answering coherently (honestly?) and whether buyers understand how to interpret the answers is, of course, another matter.”
He added that some of the proposed questions cannot usefully be answered with a yes or no, and that some terms, such as “protective monitoring”, are not sufficiently defined by the document.
Richards said that the process will also see random sample checks on supplier statements and the actual approaches taken.
The government proposals anticipate that buyers will reuse risk management work undertaken by other buyers to help the assurance process.
In addition, suppliers will be able to develop a portfolio of supporting evidence over the lifetime of the service.
The government has abandoned the previous pan-government accreditation system, where each supplier underwent individual inspection, due to the increasing number of services and suppliers entering the G-Cloud framework.
Last week, the CloudEthernet forum said that the removal of pan-government accreditation reduces certainty over security.