Things are changing but, quite rightly, you still have to get accredited. Many tech SMEs are offering services that require IL3 (Impact Level 3) services to government - systems administrators, software developers, technical architects) - who all need to have Security Clearance (SC).
SC is a bit like a Criminal Records Bureau (CRB) check on steroids. It is done by a few specific organisations, including the Foreign & Commonwealth Office, rather than the CRB organisations and they have the access rights to dig deeper into police records and uncover things like spent convictions.
Also, unlike CRB, its focus is not on protecting vulnerable individuals and minors so just wanting to sell stuff to government is good enough. For your interest, the next step up the ladder is called Developed Vetting (DV). In G-Cloud parlance you need DV for IL4 work and above. The process is much more involved and includes face-to-face interviews with partners, family and friends.
However, you do need a sponsoring organization to get SC for your staff. In the past this has been a huge barrier to entry in government ICT since to get a sponsor you generally need to have a government customer, but to get a government customer you needed to have SC. This is one of the ways that Large Systems Integrators Inc. have stitched up the market. But no more.
Now G-Cloud itself will sponsor you for SC and even better you only have to get it done once for each member of staff, as with other security accreditations. You also need to comply with Baseline Personnel Security Standard (BPSS), but that is just internal policies and procedures and largely comes under the category “commercial best practice”. Finally, SC is not expensive; we are paying of the order of £100 per person. It is a bit of a paperchase though, as outlined below.
Stage 1 - Application
1. G-Cloud receives request for National Security Vetting from supplier€¨
2. G-Cloud Security issues BPSS forms to supplier
3. Supplier returns completed BPSS to G-Cloud Security
€¨ 4. BBPS forms passed to CO Personnel Security€¨
5. G-Cloud Security issue e-Vetting registration forms to supplier€¨
6. Supplier returns completed e-Vetting forms to G-Cloud Security (
Stage 2 - Registration
1. e-Vetting forms registered onto vetting system by CO Personnel Security€¨
2. Foreign & Commonwealth Office (FCO) Services process registration€¨
3. FCO Services email individual applicants
Stage 3 - Vetting
1. Applicants log into the e-Vetting system to confirm their registration.
2. Applicants obtain necessary evidence and complete their details on the e-Vetting system. 3. FCO Security conduct Security Clearance (SC) enquiries and complete checks
Stage 4 - Decision
1. Results are passed to CO Personnel Security, whose decision is final
2. CO Personnel Security discuss result with individual applicants only
3. CO Personnel Vetting share the result and expiry date only with G-Cloud Security
4. CO Personnel Vetting instruct CO Finance to invoice supplier
Some valuable advice that we gleamed from Mark Smitham in charge of SC for G-Cloud is as follows;
a) BPSS is good recruitment practice and is an opportunity to prove the ID of your staff.
b) It is important that individuals are honest throughout the application process, i.e. include spent & unspent cautions and convictions.
c) e-Vetting registration forms allow the applicant to nominate their ‘Sponsor Agreed ID number’ (SAIN), which should be their NI or passport number.
d) There is a 2 week window for applicants to log into the e-Vetting system otherwise registration will lapse and the process will need to be re-started.
e) There is a 4 week window for applicants to complete their details on the e-Vetting system.
f) SC enquiries may take up to 2 months to complete and can include: National Security checks, CRB checks (not Disclosure Scotland), and credit reference checks.
g) CO Personnel Security apply a risk managed approach to vetting applications, which permits review of applications early in the process that is intended to be as inclusive as possible.
h) Rights of appeal are discussed with the individual if necessary.
i) Renewal process is to be confirmed.
The best advice I can give you when completing the SC form is honesty. If there’s something you don’t know or aren’t sure about explain it in the additional information box at the end of the form. This will ensure there are no lengthy delays with your application.
Posted by Kate Craig-Wood , owner-manager of Memset, a leading managed hosting and cloud IaaS provider.
Kate is an xpert-advocate of green ICT and cloud computing.