Back in September, James Duncan, the CTO of the Public Services Network (PSN), discussed our aims to make things simpler and clearer for PSN customers.
One of the areas where PSN customers and suppliers have struggled in the past is with PSN’s compliance regime. This currently controls who can and who can’t access PSN. After running PSN for about six months our experience of the compliance regime is that it’s far too complicated.
Feedback from the PSN community has confirmed this. We hear plenty of stories about the drain on resources, unnecessarily complicated requirements and a prescriptive approach to information security which actually prevents organisations from taking responsibility for their own risk assessment and risk management.
A proportionate approach
Ensuring the security of government data by making sure that organisations connecting to the PSN are secure is important, and we’re going to continue to do that. We realise, however, that as important as security is, it’s only one of the factors you consider when making decisions for your business, and the PSN compliance process needs to recognise this.
We’ve taken great care to design a new compliance process. We’ll maintain PSN’s security while making it easier for users to exploit the commercial, strategic and operational advantages of a secure, resilient, multi-supplier network. Our watchword has been “proportionate”: does the process allow users to balance security against other important considerations, be they commercial or strategic? We think it will.
We’ve rewritten the Code Template, stripping out the needless complexity and “one size fits all” approach that made it such a difficult document to use. Organisations wanting to connect to PSN in order to consume services and send and receive data over the network will fill out our new Code of Connection (CoCo), which is much simpler than before.
We’ll also be allowing any organisation to use the CoCo to connect to PSN, so that suppliers find it easier to get connected and start offering services for customers to use. They’ll still have to register each service they provide with us via a Code of Practice (CoP), and give us assurances that those services meet a reasonable standard of security, but by assessing the infrastructure from which their services are delivered once, instead of for every service, we’re removing a lot of the duplication of efforts that they (and we) had to go through previously.
Finally, we’ll be asking providers of what we call “PSN connectivity services” to fill out a Code of Interconnection (CoICo); these services are fundamental to the operation of PSN as a network and so they’ll continue to undergo rigorous accreditation by ourselves, with the help of CESG’s Pan Government Accreditors (PGA).
Rollout
In December we’ll be conducting a small-scale alpha (a prototype) of the new compliance process; the results of this alpha stage will determine how quickly we can move to a beta stage and full rollout, but we’re hoping to be able to implement the new model by the end of January. We know there’s a lot of interest in the changes we’re making and people are keen to take advantage of an easier process as soon as possible, so we’ll keep you updated on our progress as we go.
We’re grateful for all the hard work people have put into achieving PSN compliance in the past; we hope our changes make it simpler, clearer, and faster.
15 comments
Comment by Phil Gibson posted on
The IA element of the PSN CoCo is very closely based on the GSi Code of Connection, which was drafted over 10 years ago when only the requirements of Central Government were being considered and everything was based on Impact Levels. One of the main objectives of PSN was to establish a platform across the four citizen-facing areas of the public sector (Central and Local Government, Police and Health) that would support safe and trusted information sharing. That goal has not been realised, and so the opportunity to create more effective and lower-cost service delivery models is significantly hampered. It is to be hoped that the changes GDS are introducing to the CoCo are accompanied by a coordinated effort to introduce information governance policies that see all parts of the public sector, and indeed the voluntary sector, equipped to fully exploit digital collaboration. Phil Gibson, Chair, PSN Suppliers Association.
Comment by David Mead posted on
You’re absolutely right Phil: the world’s moved on a long way since PSN was originally conceived. We’ve deliberately put simplicity, flexibility and proportional risk management at the heart of the new process to help extend the reach to those organisations that are essential to the ongoing success of PSN.
Comment by Alex Atirene posted on
What is the process for signing up to the PSN? I have a client that needs to do this and we do not know where to start.
Comment by Des Ward posted on
I hope that the open standards within the PSN operating model that provide tangible value to customers haven't been taken out. There's been a lot of bad press about the zero tolerance approach (correctly), which has overshadowed the successful delivery of collaboration within the supplier community and the creation of an environment based on open standards.
The codes of practice only really relate to security for customers (IA conditions), whereas for suppliers they require that they co-operate with each other and inform their customers when there is an issue that will affect them. These requirements are not mandated within G-Cloud/Digital Marketplace unless they are PGA accredited.
Comment by David Mead posted on
Des, rest assured we're committed to preserving the successes of the current process while tackling the problems that have been reported to us by customers and suppliers. A big part of our thinking with the new process was to make it far easier - and far more attractive - for new providers to connect and offer their services. And that means big benefits for the connected community.
Comment by Paul Woods posted on
The main issues with PSN compliance were the mixed messages: zero tolerance/no zero tolerance any more; BPSS checks must be done, but you can do them over a number of years due to the cost of implementing them; etc.
What we need as PSN customers is some consistency in what the PSN compliance is and how it's interpreted by the assessors in PSNA/GDS - we have had some organisations pass by saying some things and others questioned or failed on saying the same or similar things. We also need advance notification of what we are expected to be compliant against so that we can plan and budget for continuing to be compliant.
Whilst the simplification of PSN CoCo requirements is good, I'd rather not see the security on the PSN customers/network reduced to a level that may seem not secure enough - otherwise we may need to look at further protecting ourselves from the PSN as we do the untrusted Internet.
Thanks,
Paul Woods
Comment by David Mead posted on
Agreed Paul. The previous approach was just too prescriptive and complicated. The new one maintains PSN security but makes it easier for users to exploit the advantages of a secure, resilient, multi-user network. And by simplifying the process we can minimise "interpretation", which is better for everyone. We'll be telling you more about the process and the requirements early in 2015.
Comment by David Mead posted on
Dear Alex,
Thanks for your comment. The following link will take you to the current customer compliance process. We will publish our new compliance process once our pilot is complete early next year.
https://www.gov.uk/apply-for-a-public-services-network-psn-customer-compliance-certificate
You can also contact us on public-services-network@digital.cabinet-office.gov.uk
Comment by Tony Cordina posted on
David, you didn't really answer Angela's question regarding whether or not there is still a need to install a Walled Garden (as per AP02 and AP07). Like Angela's Authority, my LA is spending a lot of time, effort and money in moving our Walled Garden from a short-term/quick-fix solution to a more robust and more resilient one in readiness for our CoCo Submission in August 2015. If this is no longer a specific requirement then we could save ourselves a lot of work.
Another aspect of CoCo for which I would appreciate some clarification is the BPSS requirement. Again, my authority has spent a lot of time, effort and money in ensuring that all PSN Services and GCSx users have undergone all four of the BPSS checks. The latest news received from NLAWARP is that BPSS checks are now only required for ICT staff who have higher access rights/privileges. Does this mean that our users of PSN Services (Tell-Us-Once, Blue Badge etc.) and GCSx e-mail account holders no longer need to undergo the four stages of BPSS?
Comment by Angela Parratt posted on
Do we still all need to implement Walled Garden? Is it still mandatory, and will we all be assessed on this in the same way? I am assuming so, but it would be helpful to know just how far this 'new' approach extends.
When will a proper statement on Cabinet Office's move, and the move of what some consider to be sensitive documents to Google, be issued?
Comment by David Mead posted on
Dear Angela,
Thanks for your comment.
With the new approach we're replacing the extensive and over-complicated requirements in Annex B of the CoCo with a much simpler, more proportionate set of conditions. We'll continue to assess your compliance against these conditions and ask for evidence like IT Health Checks to support your application. We introduced our new central email address to help make the submission process a bit simpler. It's appropriate for handling data at OFFICIAL, which meets business needs across government including compliance submissions. But we're happy to handle submissions via any channel which works for you - just let us know.
Comment by Lou Valdini posted on
David,
We currently provide direct software support from outside the UK (within the EEA), using staff who are EU and NATO Secret security cleared. Where a department requires us to deliver our software on a UK cloud-hosted platform with PSN connectivity, will the new process permit us to support our software using an approved secure remote access method?
Comment by David Mead posted on
Hi Lou,
Thanks for your comment. It doesn't sound like you're planning to deliver your service across the PSN, so you won't need to apply for PSN compliance yourself. Also, based on what you've said about your service, there's nothing in the new process that would prevent your customers from achieving compliance. Customers will need to make their own decisions regarding the offshored elements of your service delivery, based on the data agreements they have in place, but the new PSN compliance process certainly wouldn't block it.
Comment by Arnold Foster posted on
Hi David,
Please can you advise if KeePass is PSN compliant for IT departments in securely managing multiple passwords.
Comment by Mark Smith posted on
Thanks for your question, Arnold. The PSN team doesn't endorse any specific products as the way they're set up and used is just as important as their function. CESG publishes useful password guidance which includes tips on using password management software:
https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach