Lots of you have been keenly following the alpha trials of the new PSN compliance process.
We’ll have more news for you on how that alpha is progressing in the next few weeks. In the meantime, I thought I’d address some of the common questions that people have raised.
What is PSN compliance for?
We’ve had feedback from a fantastic range of people right across the PSN community, and one of the most common questions has been: what is the PSN compliance process supposed to achieve?
Our ambition hasn’t changed. We want to provide a reliable, secure, cost-effective network for organisations that use public sector information. That’s why the services that enable the PSN to function (the PSN connectivity services) will continue to undergo a rigorous assessment by CESG’s Pan Government Accreditors.
We want to make sure that the PSN is safe for use at OFFICIAL, which covers the vast majority of what government does. Any organisation that wants to connect needs to show us that they have implemented a set of basic security measures, designed to ensure that they don't pose a threat to the network. That’s really important; we’re trying to keep the network secure and PSN compliance is how we do that.
Do the changes mean I need less security?
The Government Security Classifications (GSC) handed responsibility for assessing and managing information risk back to data owners; this includes when they send their data to other parties. Just as they did under the old PSN compliance regime, some data owners will require you to show that you meet certain security standards before they’ll send you their data. So it’s really important to remember that just because PSN compliance doesn’t demand a particular measure, it doesn’t mean you shouldn’t do it!
Whether it’s a Memorandum of Understanding with a data owner, the Security Policy Framework (if you’re in central government) or the Data Protection Act, you’re likely to be operating under a number of different sets of obligations. The PSN compliance requirements are designed to protect the PSN from its users and users from the PSN; they won’t ensure that information sent across the PSN remains secure once it’s left the network. It’s your responsibility to make sure that you’re meeting all your obligations, and not just the ones that we’ve set.
A good example of this is that we won’t ask you to show us that all your users are checked against the Baseline Personnel Security Standard (BPSS). We’ll only be checking that your IT staff that have higher privileges, such as system and network administrators, are BPSS checked. It doesn’t mean they’re the only people in your organisation who should be checked; it just means they’re the only ones we consider relevant to our objective of protecting the PSN and the connected community.
Why are you changing compliance for services?
A lot of people have asked us why we’re changing the way some PSN services achieve compliance. First, it’s important to emphasise that the services which keep the PSN functioning as a network - the so called connectivity services - will continue to be assessed as before.
For services that sit on top of the network, however, we wanted to open up the marketplace. There are currently just 29 suppliers providing PSN services so there’s a huge opportunity for expansion here. We wanted to make it easier for suppliers (and not just the big, established suppliers) to offer their services over the PSN so customers get more choice and access to innovative solutions.
That’s why we’ve aligned our requirements with the Digital Marketplace model, which has been successful in making thousands of services available to the public sector. And, because we want to protect the network, we’ll still require these organisations to go through a compliance process in order to connect. We’ve also set a baseline against the Cloud Security Principles (unlike in the Digital Marketplace) that these services have to meet, and they’ll have to be able to prove that to us when we demand it.
Future updates
This gives you an idea of some of the questions we’ve been getting since we kicked off the alpha. It’s obviously really great to get this sort of feedback as it shows that people are engaged with what we’re doing and interested in what the output looks like, particularly as it affects them and their organisations. We’ll keep monitoring all your feedback and will aim to publish another update on the common themes in a future blog post.
In the meantime we’ll be providing further information on our changes in the next couple of weeks. Keep an eye on this blog for the latest news!
2 comments
Comment by Kevin posted on
It is nice to see that a pragmatic approach will be used to allow PSN Service Providers to make their services available and allow customers to have a breadth of choice when looking for services. I am currently working with two customers that are at varying stages of the process with one months into the PGA route that will no longer be required, and the other that is looking for guidance to determine what they need to implement to achieve compliance. It would be nice to understand the broad time scales for the new regime to be formally adopted to enable us to manage expectations for customers, and ensure they are not over engineering service offerings.
Comment by David Mead posted on
Thanks for the feedback Kevin. As mentioned in the blog post, the revised process for suppliers of PSN services is now live. You can find all the relevant documents on the PSN website at https://www.gov.uk/government/groups/public-services-network#our-services.