Optimise Cloud ISV Whitepaper | August 2012

G-Cloud Accreditation for ISVs: a practical guide to embracing the public sector opportunity

Whitepaper

Author: Karen Kennedy-Milne, Business Solutions Director

Date: August 2012

Enabling a Platform for 21st Century Service Delivery

Copyright © 2012 SCC. SCC, the SCC logo and OptimisedCloud are registered trademarks of SCC.


1. Introduction

These are exciting times for Independent Software Vendors (ISVs) in Britain. The UK Government has recognised the potential benefits of enabling small, innovative companies to engage directly with the public sector, bringing a range of agile new solutions to bear on long-standing civic problems, and has opened the doors to a multi-billion-pound business opportunity that offers SMEs the chance to access a lucrative and dynamic marketplace for the first time.

While its development has been slow and steady, G-Cloud has come of age, playing a central role in the Government’s drive to achieve annual savings on its technology expenditure of over £120 million by 2015. Within two years it is expected that sales through the service will exceed £8.75 billion, accounting for more than half of all new public ICT spending. This represents a major opportunity for ISVs and small businesses to win new contracts from the public sector.

In order to access this new market, however, ISVs must learn to navigate an extensive and complex accreditation process that ensures their products or services observe the Government’s information security guidelines. It can be an exhausting process, and one that is complicated further by the fact that the standards required are in an almost constant state of flux.

In the UK public sector data is currently classified into six Impact Level categories, but for some time now the government has been considering reducing this number, dividing public data into three distinct security tiers.

Meanwhile, keen to ensure that a common set of standards is in force across the continent, the European Union is looking at establishing its own set of rules to govern the privacy and security of public data. The Information Commissioner’s Office (ICO) has its own set of concerns regarding the proper use of data held on individuals, and is likely to act on this in the near future.

There are sound reasons behind all this. The era of Big Data brings both opportunities and challenges. By collecting data and analysing it, the UK public sector can achieve its desired efficiency improvements. More importantly it will identify areas where transformation can deliver citizen services in a more effective way. Public sector bodies will only achieve the massive savings they must deliver whilst improving outcomes for their service users by balancing the need for transparency with the right to privacy and enabling inter-agency sharing of data.

In this context, accreditation should be seen not so much as a box ticking exercise but as a corporate state of mind. Achieving the right balance of security and flexibility isn’t a one-off job or the sole preserve of a single department, but an ethos that must run throughout the organisation from top to bottom.

Welcome to the age of G-Cloud. Making the most of it won’t be easy, but for those companies that get it right, some major opportunities lie ahead.


2. Information Assurance & Accreditation: What is it and Why do I need it?

At the time of writing there are six Impact Level (IL) categories. For some time now the government has been considering reducing this number to three in order to better reflect a 21st Century workplace that is more focused on digital records than paper ones and is increasingly used anytime, anyplace and anywhere, but for now at least the tiers are defined as below:

Unclassified: IL0

Protected: IL2

Restricted: IL3

Confidential: IL4

Secret: IL5

Top Secret: IL6

Accreditation is the term used by Government to describe the process of ensuring that an IT system satisfies the technical and security requirements needed for the adequate protection of any information held or processed by it. These requirements, which the accreditation scheme ensures are in place and up to standard, are set out in the Cabinet Office’s Security Policy Framework (SPF), with guidance on satisfying them supplied by CESG, the national technical authority for Information Assurance.

These requirements are in place for a very simple reason: the G-Cloud procurement framework is intended to provide public sector organisations with a catalogue of certified and complete solutions, with the primary intention being that agencies need to expend little additional effort, thus substantially reducing the time and costs involved in making a purchase. Many public sector organisations have already seen procurement activity costs drop by 75% and time to contract reduced by 85%.

Information Assurance describes the way that information is classified and protected. It is central to the safe and effective management of public sector data, and a comprehensive understanding of its workings is an essential prerequisite for any company wishing to take advantage of the G-Cloud opportunity and sell direct to UK Government agencies.


If your Software as a Service (SaaS) solution is pre-accredited, it therefore becomes much more attractive to buying organisations, as it protects them from having to go through their own expensive and time consuming procurement process.

The principle driving this system is that in a world of pre-accredited solutions, the public sector only needs to go through the verification process a single time, after which the service in question can be reused by multiple organisations, safe in the knowledge that the software satisfies all relevant security and legal standards. By following this approach, the Cloud Store will become a catalogue of best practices, or gold standards, for delivering common processes and services across the public sector.

Accreditation is not confined to the IT systems and services being supplied or the data centre services on which they reside. The purchasing organisation has to consider every aspect of the life of the information asset, and the scope must therefore also include the users, their locations, the endpoint devices via which they access information and the communication channels used to access and transfer these assets between systems and partners. Also within scope will be any individuals with privileged access to the systems, including systems administrators, third-party application providers and support organisations, such as SCC.

Key to your accreditation application will therefore be the selection of a Cloud hosting solution that has already achieved IL2/IL3 accreditation as an Infrastructure as a Service (IaaS) platform, from an organisation that already has experience of assisting ISVs on this journey.

Accreditation Types

Two types of accreditation, Departmental and Pan-Government, can currently be achieved by working through the government’s processes. Each is relevant to different scenarios, and each has different components to complete and offers a different outcome once achieved. Prior to selecting which is the most appropriate for your company, it is important that you are clear on your business aspirations for your Cloud Store SaaS offerings in order to make the right choice.

Departmental Accreditation

This is provided by the accreditor of a particular public sector body and relates to the specific systems used by that agency and its associated information assets. The risk appetite and threat assessment used to calculate the appropriate security level for these services will be based on the internal decisions of the specific department and may well not match the requirements of others, meaning that the accreditation can only be used in conjunction with that single customer and is not transferable.


Two scenarios where Departmental accreditation is clearly the appropriate route:

1. If the service you have designed is for a specific public sector customer for a specific purpose and is unlikely to be re-sold to others, a departmental accreditation will be appropriate. This is clearly subject to the public sector customer being willing to undertake this process.

2. If the public sector body intends to contract for the service directly with you as the software provider, and separately with a Cloud hosting provider, such as SCC, then it is probable that they will be assuring the end-to-end solution on a departmental basis.

Pan-Government Accreditation

This is provided by the accreditation team at CESG. The baseline is often higher than that required for departmental accreditation, as the threat assessment and risk appetite against which the process is completed are based on the expectation that the accreditation will be acceptable to multiple public sector organisations. It is a far more complex procedure, but once achieved it means that the solution can be bought by multiple organisations with limited further effort on their part.

The following best describes the scenario where this level of accreditation should be sought:

1. If an ISV wishes to offer its software services on the G-Cloud framework, in either a single or multi-tenanted configuration, for purchase by multiple public sector organisations, then the software service will require its own Pan-Government accreditation.

Useful Reading

The Cabinet Office’s Security Policy Framework (SPF)

https://www.gov.uk/government/publications/security-policy-framework

CESG guidance on implementing IT security requirements set out in the SPF document

http://www.cesg.gov.uk/Finda/Pages/PublicationResults.aspx?cat=IA+Policy+%26+Guidance


The Accreditation Process

ISVs seeking to maximise the business advantages offered by G-Cloud should brace themselves. Gaining official accreditation can be a complex, time consuming, expensive process.

If they have not been through such a process before, many companies will find the entire operation quite daunting and will discover that successfully navigating it requires a level of experience and knowledge of Information Assurance that is typically beyond the expertise the majority of ISVs have within their own organisations.

However, having been through the process ourselves, we at SCC have a growing wealth of expertise and experience in dealing with accreditation and are in a strong position to help ISVs make the journey a relatively painless one.

Understanding the rules on intercommunication between IL levels is critical to making a success of the accreditation process. Clearly, it is vital that a SaaS solution provider selects the correct IL level for its offering and the appropriate type of accreditation.

However, it is worth noting that there are some limitations on intercommunication that should be considered when making decisions about which Cloud hosting partner is most suitable. The core principle is this: users of a system may have monitored access to systems at a lower classification (browse down), but they cannot access systems at a higher level than the one theirs is assured against (browse up).

This is important if your SaaS solution is intended to facilitate public sector engagement with citizens, since citizens will typically be engaging via the Internet (IL0), while the public sector body may need to hold their data in an application that sits at a higher IL level such as IL2 or IL3. In that case the design must not rely on the IL0-facing component reaching up into the higher-IL system; the boundary between the two tiers, and how data crosses it, must be explicitly addressed in the scoping and testing described below.

With this in mind, ISVs must prepare themselves to complete five mandatory steps in order to achieve accredited status.

Accreditation Steps

1. Prerequisites

As the baseline for all Government Information Assurance policy and guidance is drawn from the ISO 27001 standard, the starting point for any organisation that wishes to be accredited for use by public sector bodies is to complete that certification.

The ISO 27001 certification process will cover the implemented controls, the applicable Statement of Applicability (SoA), and the business requirements and design documentation defining the build, composition and architectural requirements of the network and platform.

It should be noted that an accredited platform at the appropriate Impact Level (IL) must also be provided, together with appropriately accredited network connections.

2. Preparation of G-Cloud Scoping Document

Prior to embarking on the later stages of the process, candidate ISVs must provide CESG G-Cloud with an accreditation scoping document.

The test scope will need to be defined within the Target of Evaluation (TOE) against the design documentation, architectural requirements and application functionality and, if the application is to be presented to G-Cloud, this must then be approved by CESG.

3. Penetration Test on Appropriate Infrastructure

Once the TOE has been approved and the testing scope has been defined, the ISV’s application must be tested on a replica platform and network and a report provided for assessment by the accreditation authority.

A defects list and corrective action plan will be produced, and any defects must be fixed where possible and re-tested to demonstrate that they have been resolved. A final test report is then produced, together with a Residual Risk Statement, for presentation to the G-Cloud portal.

4. Risk Management and Accreditation Documentation Set (RMADS) Production

In this penultimate stage, an approved CLAS (CESG Listed Adviser Scheme) consultant must provide the appropriate advice and guidance to the ISV and assist in the production of the associated security documentation.

During this step, an RMADS Lite approach must also be provided to assure the application when on-boarded onto a suitable platform for G-Cloud assessment, an engagement which should start at the earliest opportunity within the lifecycle of the project.

5. Accreditation Authority Approval

The accreditation authority (CESG) will receive the Accreditation Evidence Pack, prepared by the ISV’s CLAS consultant, via the Cabinet Office IA. Providing all of the assurance evidence required for the authority to make an accreditation decision, this will consist of the following:

G-Cloud Accreditation Scoping Document

Design Documents (where relevant)

TOE – Target of Evaluation (Test Scoping Document)

ITHC (IT Health Check) Reports – Initial and Final

Residual Risk Statements

RMADS (Lite)

ISO 27001 Certification and SoA (Statement of Applicability)

What Next?

As already discussed, public sector bodies wishing to utilise G-Cloud services will need to consider security accreditation and compliance requirements. This not only applies to accreditation of the solution they are deploying (Departmental or Pan-Government) but will also include meeting the on-boarding requirements of the Pan-Government accredited platform they have selected.

For instance, where a Departmental Accreditation is being sought in partnership with SCC, the on-boarding department will need to sign up to the SMTC Code of Connection (CoCo). This is aligned to the Security Policy Framework and to the PSN Code of Connection for central government and local authorities, IGSoC for health, the PNN CoCo for police, and the relevant compliance requirement for whichever government sector the department sits within.

The SMTC CoCo is an optimised process that references public sector departments’ existing compliance requirements and draws upon SCC’s experience to streamline implementation, making it quick and easy for ISVs to govern and maintain compliance. Its purpose is to provide assurance that newly on-boarded public sector customers do not pose a security risk to the platform and network, and therefore to any existing G-Cloud users.

Engaging with SCC

SCC has approved (CLAS and IA Professional) consultants who can assist you in achieving your goal. Even better, we have been through this process ourselves and were the first Cloud provider to achieve IL2 and IL3 accreditation for our own IaaS and SaaS offerings on the Cloud Store.

Mindful that the Information Assurance requirements vary between the Departmental and Pan-Government accreditation schemes, and that some ISVs will feel they are capable of completing a number of the required elements themselves, we have broken down our Information Assurance services into a series of logical steps, enabling companies to work with us only on the accreditation stages for which they require expert assistance.

Although the accreditation process might seem daunting, with its welter of acronyms, technical references and overseeing bodies creating a picture complex enough to cause even the most stout-hearted of ISVs a moment of doubt, the fact is that it can be done. It might not be easy, but having successfully navigated our own way to Pan-Government accredited status, we at SCC know how to do so and are ready to pass that knowledge on to the ISV community.

For SMEs and innovators seeking a route into the public sector market, the way is now open. The only question remaining is when and how you begin your journey on G-Cloud.
