Understanding the new, more simplified PSN compliance

Update on the use of the Public Service Network (PSN)

This post was originally published in July 2015. In January 2017 the Government Digital Service stated that the use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant at least for the immediate future. For up-to-date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.

This post is an update covering the changes to the compliance certificate process of the Government’s Public Services Network (PSN) at the end of 2014; with links to relevant articles we feel will further understanding.

The previous process

The previous PSN compliance process was widely viewed as far too expensive, time-consuming and complex to implement. Nor was it considered to be particularly accommodating to initiatives designed to cut costs in public sector organisations – such as bring your own device (BYOD) and remote working.

That’s why the Government Digital Service (GDS) made a commitment at the end of 2014 to make the new PSN compliance process simpler, clearer and faster. Accordingly, the new process could be described as having more to do with what you have done – than how you did it. It went live at the end of May – so what are the main changes you need to know?

The new process

The new compliance process reflects the changing security needs of public sector organisations. To achieve compliance, you must meet Government Information Assurance (IA) requirements, which have been designed to provide an achievable and sensible baseline for security. Along with these IA requirements, you’ll also need to make a number of commitments about how you’ll ensure the ongoing security of the PSN.

There are now 5 steps to completing your application for a PSN connection compliance certificate. This new process applies whether you are renewing or applying for your first PSN connection:

  1. Complete a Code of Connection (CoCo)
  2. Provide a network diagram
  3. Provide your IT Health Check (ITHC) report
  4. Update your contact details
  5. Submit your application documents

Of the above new steps, the CoCo is likely to be the most time-consuming. Essentially it is an application form to connect your infrastructure to the PSN that requires details such as network size, number of sites, user numbers and the number of IP addresses on the network.

The CoCo also covers operational security, authentication and access control, boundary protection and interfaces, protecting data at rest and in transit, user and administrator separation of data, and security testing. The CoCo stage requires high-level sign-off – either the Chief Executive for Local Authorities or the Senior Information Risk Owner (SIRO) for Central Government departments.

The network diagram must be under six months old and will show local connections with approximate user numbers and details of PSN and non-PSN service remote connections. It must also show security device locations, external and third-party connections, wireless devices and off-shore infrastructure and connections.

The ITHC must be under 12 months old and will give insight into the vulnerabilities that may exist in the organisational infrastructure and any action taken, or being planned, to rectify or mitigate them.

As PSN compliance is just focused on the network, not a Trust Framework, the real focus of the new process is on the endpoint connections and what’s being done on the network. The internet has no security, therefore, what you do must enhance security in line with the baseline requirements of the PSN. After all we are only trying to adhere to “Commercial Best Practice – for an OFFICIAL network.

Other changes you should be aware of:

  • The Code of Practice for Service Providers is based on Cloud Security Principles of Self Assertion – you may find our article on this topic helpful.
  • No Annex B (Now called Annex A in Connectivity Services).
  • No prescriptive Technical Controls – you don’t need to adhere to prescriptive controls as long as you can justify that the controls you are using are sufficient to protect OFFICIAL information.
  • BPSS clearance is required for Technical Administration staff only.
  • New compliance certificates are issued for 12 months or 24 months depending on the level of maturity (determined by criteria such as the detail of the evidence, documentation completed on time, and a robust remediation plan in place if required).

We understand that future certification may require Cyber Essentials Plus but this is yet to be confirmed. If you are interested in Cyber Essentials, you might find our guide to the process helpful.

Do you need help with your PSN compliance?

For an informal chat about how Ascentor can help, please contact Dave James.

Written by


Receive the latest Cyber Security News and Content

Fields marked with an * are required


Ascentor Ltd is committed to protecting and respecting your privacy, and we'll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow Ascentor Ltd to store and process the personal information submitted above to provide you the content requested.

Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch