The Cabinet Office and the Government Digital Service (GDS) have opened up the new G-Cloud security process, asking for feedback.
Vendors can view the draft questions they will be required to answer before the G-Cloud 6 opening, and GDS claims that, because this is still in the alpha stages, comments are welcome.
According to a post on the Digital Marketplace blog, the opportunity to review how the procurement framework’s security approach works naturally arose as a result of the recent changes to the government security classification scheme.
“It’s no longer appropriate to use ‘Impact Levels’ to describe the security properties and assurance of different services,” says post author Tony Richards, head of security and accreditation for G-Cloud.
“Instead we’ll be adopting the Cloud Security Principles as a fundamental part of G-Cloud security assurance to help buyers make pragmatic decisions based on relevant, transparent and available information,” he adds.
The post also claims that the increasing number of suppliers and services entering the framework, and the future inclusion of other digital frameworks under the Digital Marketplace, make Pan Government Accreditation unsustainable.
It notes that those wishing to procure services via the framework will have their own responsibility to ensure that whatever they purchase is in line with their own security requirements.
The new security approach will require vendors to complete statements asserting how their services meet the Cloud Security Principles, and these statements will be used in their service descriptions on the Marketplace.
Buyers will then be able to have greater awareness of the security detail of the services on the new framework, improving service comparison and enabling pragmatic choice.
To support their claims, suppliers will be able to reuse existing supporting security assurance, but also use new evidence when it becomes available.
“For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud framework on-boarding process,” claims Richards.
“Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud framework.
“Any buyers who are consuming the service will be alerted to the breach and will be advised to move to a new supplier or accept the risk,” he adds.