Update on the use of the Public Service Network (PSN)
This post was originally published in July 2015. In January 2017 the Government Digital Service stated that the use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant at least for the immediate future. For up-to-date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.
The previous process
The previous PSN compliance process was widely viewed as far too expensive, time-consuming and complex to implement. Nor was it considered to be particularly accommodating to initiatives designed to cut costs in public sector organisations – such as bring your own device (BYOD) and remote working.
That’s why the Government Digital Service (GDS) made a commitment at the end of 2014 to make the new PSN compliance process simpler, clearer and faster. Accordingly, the new process could be described as having more to do with what you have done than with how you did it. It went live at the end of May – so what are the main changes you need to know?
The new process
The new compliance process reflects the changing security needs of public sector organisations. To achieve compliance, you must meet Government Information Assurance (IA) requirements, which have been designed to provide an achievable and sensible baseline for security. Along with these IA requirements, you’ll also need to make a number of commitments about how you’ll ensure the ongoing security of the PSN.
There are now 5 steps to completing your application for a PSN connection compliance certificate. This new process applies whether you are renewing or applying for your first PSN connection:
- Complete a Code of Connection (CoCo)
- Provide a network diagram
- Provide your IT Health Check (ITHC) report
- Update your contact details
- Submit your application documents
Of the above new steps, the CoCo is likely to be the most time-consuming. Essentially it is an application form to connect your infrastructure to the PSN that requires details such as network size, number of sites, user numbers and the number of IP addresses on the network.
The CoCo also covers operational security, authentication and access control, boundary protection and interfaces, protecting data at rest and in transit, user and administrator separation of data, and security testing. The CoCo stage requires high-level sign-off – either the Chief Executive for Local Authorities or the Senior Information Risk Owner (SIRO) for Central Government departments.
The network diagram must be under six months old and will show local connections with approximate user numbers and details of PSN and non-PSN service remote connections. It must also show security device locations, external and third-party connections, wireless devices and off-shore infrastructure and connections.
The ITHC must be under 12 months old and will give insight into the vulnerabilities that may exist in the organisational infrastructure and any action taken, or being planned, to rectify or mitigate them.
As PSN compliance is just focused on the network, not a Trust Framework, the real focus of the new process is on the endpoint connections and what’s being done on the network. The internet has no security; therefore, what you do must enhance security in line with the baseline requirements of the PSN. After all, we are only trying to adhere to Commercial Best Practice – for an OFFICIAL network.
Other changes you should be aware of:
- The Code of Practice for Service Providers is based on Cloud Security Principles of Self Assertion – you may find our article on this topic helpful.
- No Annex B (now called Annex A in Connectivity Services).
- No prescriptive Technical Controls – you don’t need to adhere to prescriptive controls as long as you can justify that the controls you are using are sufficient to protect OFFICIAL information.
- BPSS clearance is required for Technical Administration staff only.
- New compliance certificates are issued for 12 months or 24 months depending on the level of maturity (determined by criteria such as the detail of the evidence, documentation completed on time, and a robust remediation plan in place if required).
We understand that future certification may require Cyber Essentials Plus but this is yet to be confirmed. If you are interested in Cyber Essentials, you might find our guide to the process helpful.