Deputy government CIO, Liam Maxwell, has pledged to users and suppliers of the G-Cloud that he will be revealing improved and more streamlined security accreditation processes in the first quarter of next year.
Speaking at the Business Cloud Summit this week in London, Maxwell said: “One of the things I’m taking most seriously is the view that it takes so long to accredit. I give you a commitment, probably in about two or three months, we will have a more streamlined, more effective, accreditation scheme, which helps people get there.”
The government recently released the second iteration of its G-Cloud framework, which has 458 suppliers offering a variety of services to the public sector, all of which are available through an online portal called ‘CloudStore’. The government plans to accredit each service offered only once and then any government body can reuse that service without going through the accreditation process again.
However, the process of getting accredited is perceived to be difficult and lengthy, where only a handful of suppliers have so far been successful.
Maxwell explained that the G-Cloud team is working closely with the national technical authority for information assurance, CESG, on ensuring that this process is improved.
“We do need to have a certain level of security, but we are reviewing this. Our security model will be based more around the user needs – rather than the six or seven layers that we have had before,” he said.
“This will help us rationalise. I really mean that, make the use of security in our applications more rational. We will be particularly strong in making sure that we don’t over engineer, over securitise the products and services that are available on the G-Cloud.”
He added: “The good news is that the people who absolutely agree with us, and work very closely with us on this, are CESG.”
The government applies a Business Impact Level (IL) classification to suppliers to indicate the security level of their services. IL0 (protected) is the lowest level of security, while IL6 (top secret) is the highest. IL2 is often the minimum requirement for government services, for example, it is the minimum requirement for providers bidding for network contracts.
However, Government CIO, Andy Nelson, revealed earlier this year that he is planning to halve the number of security levels it uses internally from six to three in an attempt to simplify the accreditation process for suppliers looking to provide services to the public sector.
Maxwell also explained this week how the Cloudstore is putting the government in a better position of power with traditional IT suppliers. He spoke of IT programmes that cost the government £55 million, but only have 16 users.
Now when a department is quoted a hefty price for an IT project it can use the G-Cloud to see whether this price tag is fair. Maxwell said departments had been quoted tens of millions of pounds for hosting, which was available for under £1 million through the Cloudstore.
However, Maxwell also admitted that improvements can still be made.
He said: “Yes, we haven’t got [Cloudstore] right straight away. It’s in its second go. I was doing a review last night of what we need to do next. The key thing is that it needs to be a shop. We need to make it look more like a shop. We need to get it easier to navigate, need to compare like for like.
“If you can’t compare like for like very quickly, our experience is then officials go back to systems integrators to ask questions, which leads back to large costly IT projects.”