Back in September, James Duncan, the CTO of the Public Services Network (PSN), discussed our aims to make things simpler and clearer for PSN customers.
One of the areas where PSN customers and suppliers have struggled in the past is with PSN’s compliance regime. This currently controls who can and who can’t access PSN. After running PSN for about six months our experience of the compliance regime is that it’s far too complicated.
Feedback from the PSN community has confirmed this. We hear plenty of stories about the drain on resources, unnecessarily complicated requirements and the prescriptive approach to information security which actually prevent organisations from taking responsibility for their own risk assessment and risk management.
A proportionate approach
Ensuring the security of government data by ensuring that organisations connecting to the PSN are secure is important, and we’re going to continue to do that. We realise, however, that as important as security is, it’s only one of the factors you consider when making decisions for your business, and the PSN compliance process needs to recognise this.
We’ve taken great care to design a new compliance process. We’ll maintain PSN’s security while making it easier for users to exploit the commercial, strategic and operational advantages of a secure, resilient, multi-supplier network. Our watchword has been “proportionate”: does the process allow users to balance security against other important considerations, be they commercial or strategic? We think it will.
We’ve rewritten the Code Template, stripping out the needless complexity and “one size fits all” approach that made it such a difficult document to use. Organisations wanting to connect to PSN in order to consume services and send and receive data over the network will fill out our new Code of Connection (CoCo), which is much simpler than before.
We’ll also be allowing any organisation to use the CoCo to connect to PSN, so that suppliers find it easier to get connected and start offering services for customers to use. They’ll still have to register each service they provide with us via a Code of Practice (CoP), and give us assurances that those services meet a reasonable standard of security, but by assessing the infrastructure from which their services are delivered once, instead of for every service, we’re removing a lot of the duplication of efforts that they (and we) had to go through previously.
Finally, we’ll be asking providers of what we call “PSN connectivity services” to fill out a Code of Interconnection (CoICo); these services are fundamental to the operation of PSN as a network and so they’ll continue to undergo rigorous accreditation by ourselves, with the help of CESG’s Pan Government Accreditors (PGA).
In December we’ll be conducting a small-scale alpha (a prototype) of the new compliance process; the results of this alpha stage will determine how quickly we can move to a beta stage and full rollout, but we’re hoping to be able to implement the new model by the end of January. We know there’s a lot of interest in the changes we’re making and people are keen to take advantage of an easier process as soon as possible, so we’ll keep you updated on our progress as we go.
We’re grateful for all the hard work people have put into achieving PSN compliance in the past; we hope our changes make it simpler, clearer, and faster.