The original blog by GDS is here
For the people and organisations that we talk to across the PSN community, the news didn’t come as much of a surprise: there’s been a world of change in IT trends since the PSN was originally set up more than 10 years ago.
However, the same people told us that they were worried that the PSN compliance process was also set to disappear and, if it did, then that would raise big questions:
- how do we know which public sector organisations are still doing the right thing when it comes to security?
- can I securely share my organisation’s valuable resources with another?
- are the people I’m working with sticking to their obligations for handling public sector data?
So, what’s happening with PSN assurance?
You’ll still need to be PSN compliant
Firstly, the good news is that PSN compliance isn’t going anywhere, certainly for a while yet. The TLN agrees that – as one of the only recognised, externally accredited, cross-government common assurance standards – it needs to live on far beyond the end of the physical network.
As James mentioned in his ‘the internet is ok’ blog post, government’s move away from the PSN will take some time. There’s currently no timeline as there’s quite a bit of work to do across the public sector to prepare for these changes.
However, as he emphasised in the post, if you’re going to update or change services in the near future, then you should take the opportunity to move them to the internet and secure them appropriately using the best available standards-based approaches.
In the meantime, PSN-connected organisations will still need to continue to meet their assurance requirements if they want to reach the important government and law enforcement services they need.
So, if you’re a PSN-connected organisation or provide a service over the PSN, you’ll need to ensure you continue to demonstrate to us that your organisation’s security arrangements, policies and controls are sufficiently rigorous for us to allow you to interact with the PSN and those connected to it.
That means you’ll need a valid PSN compliance certificate – and do everything you’ve been doing to get one and maintain it – for the foreseeable future.
But, isn’t the internet ‘ok’?
Well, yes it is for the vast majority of the work that the public sector does, but it’s important to understand that organisations should implement the same security activities whether they are connected to the PSN or any other network, including the internet.
However, as James says in his blog post, it’s going to take some time for the public sector to get to a point when the services it needs to use and the information it needs to access each day can be done over the internet.
We’re working with organisations across government and the public sector and the PSN community, as well as suppliers and service providers, to ensure issues are identified and we’ll work together to provide common solutions. And we’ll be telling you lots more about this as the work progresses.
Trust me, I’m a public sector organisation
The PSN compliance process has its roots firmly planted in the need for government departments to understand who is using its data and to make sure they’re using it properly and looking after it.
That scope is much wider today, as it includes an organisation’s security arrangements, policies and controls. However, more importantly, it symbolises a level of trust that’s recognised by everyone across government.
It’s a badge that tells government that an organisation is “doing the right thing” when it comes to its security, and that means it can be trusted by everyone, whether they’re a government department, agency, public body or corporation, devolved administration, local authority, police or criminal justice service, one of a whole host of service providers, or any other organisation across the wider public sector.
Of course, this need for trust won’t go away when government moves away from the PSN network.
It will remain vitally important that organisations across the public sector continue to demonstrate they’re doing the right thing if they’re going to carry on using government services and data.
We’ll need to continue to establish, administer and maintain a level of common trust that will ensure interoperability and interaction with government is preserved.
Like PSN assurance, only better
Today, the National Cyber Security Centre (NCSC) and the Cyber and Government Security Directorate are leading on reducing the risk to the UK by improving its cyber security and cyber resilience. They’ve been impressed with the work that’s taken place around PSN compliance, and are keen that the commitment to “doing security stuff” and maintaining trust across the public sector continues with the same ambition.
So we’ve been looking at ways to expand and reframe PSN compliance in a new context that, while retaining the assurance principles that are the basis of the existing process, will significantly improve the process.
A new context that can tap into the methodology we’ve built for collecting security data; that can make use of the historical data we hold; that can build on the co-operative relationships that we’ve nurtured across the public sector; and, most importantly, make it simpler, quicker and more valued to those who achieve it.
We owe it to ourselves and the PSN community as a whole – who have worked hard to get where we are today – to make it better, and we’ll be keeping the PSN community up to date as we go.