Change Control Notice

00016_20170917 to 00025_20191127 HSCN Compliance CR Form

Change Reference: 0020 20191127

Title: HSCN Obligations - Technical and Security Obligations

Change to: Obligations Framework 4.3.3 – SP07

Dialogue: Remove the CAS(T) reference and include a reference to the HSCN minimum compliance baseline (Annex A). The obligation will now read as follows.

‘The HSCN Supplier shall maintain a Statement of Residual Risk that includes:

  • All un-remediated ITHC findings higher than medium;
  • All components that are within the HSCN minimum compliance baseline (Annex A).
  • All components of the services that are under the HSCN Consumer’s management, or out of the provider’s control (e.g. wires-only circuits and radio from the mast in terms of mobile respectively), but within the scope of the HSCN Connectivity Service being provided.

Where the HSCN Supplier has no qualifying residual risks the HSCN Supplier may make a nil return.’

NCSC have stated that CAS(T) is no longer in use. Whilst a new security standard is being established by NCSC, we have established a position where previous CAS(T) requirements are now covered by ISO27001, Annual ITHC and BCDR plans. A statement has already gone to CNSPs so they are aware of the current situation regarding re-certification. The statement is attached above.

Change reason – To meet a regulatory requirement.

Change Level – Major. 

Comments due back on 27th December 2019. No comment is assumed to be acceptance.


  1. Not accepted. All CNSPs consume services/products from communication providers; greater understanding of the implications of this proposed change is required.
    1. This has been discussed at the CAS(T) forum [but not with CN-SPs] and there was an interim solution published by NHS Digital which was designed to maintain the standard with minimal impact to CNSPs. This was shared as part of the change request. The only further demand on CNSPs is that their ISO27001:2013 certification is awarded from a UKAS affiliated auditor. Unfortunately the removal of CAS(T) was beyond the scope of NHS Digital. The NCSC website has a statement around the removal of CAS(T) and that can be located on the following link.
  2. A commercial review of the proposed changes is required.
    1. Please can some more information around this comment be provided. NHS Digital don’t believe that the move to Secure Boundary from ANM means any change to the commercial model.
  3. A call is requested with NHS-Digital to walk through the changes.
    1. A call is arranged for 9th January @ 10:00.

The following CN-SPs are consulted:

  1. Convergence (Group Networks) Limited
  2. MLL Telecom Limited
  3. Redcentric Solutions Limited
  4. AdEPT Telecom PLC
  5. British Telecommunications PLC
  6. Piksel Limited (Carelink)
  7. Daisy Communications Limited
  8. Exponential-e Limited
  9. IT Professional Services Limited
  10. KCOM Group Public Limited Company
  11. CenturyLink Communications UK Limited
  12. Node 4 Limited
  13. NYNET Limited
  14. OCSL Managed Services Limited
  15. Updata Infrastructure (UK) Limited
  16. The Networking People (Northwest Ltd)
  17. Virgin Media Business Limited
  18. Limited
  19. Gamma Telecom
  20. GTT
  21. High Speed Office
  22. Intercity Technology Ltd
  23. IQVIA Solutions UK Ltd
  24. Logicalis
  25. Telefonica UK Limited
  26. Vodafone
  27. CANCOM UK Managed Services