Public Services Network (PSN) Projects

Update on the use of the Public Service Network (PSN)

In January 2017 the Government Digital Service stated that use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant – at least for the immediate future. For up to date clarification on the PSN, please contact Dave James, MD at Ascentor.

Why?

The Public Services Network (PSN) is the primary mechanism for information exchange between public sector organisations, including central government departments, local authorities and agencies of all shapes and sizes. The PSN replaced the older GSI networks with a technology solution based on Multi-Protocol Label Switching (MPLS) that offers large increases in capacity and performance. Moreover, the PSN is designed to create a competitive marketplace, involving large numbers of Service Providers offering a range of network services.

Not only is the PSN the default network for public sector customers wishing to exchange data, it is becoming the default network for offering services outside the scope of the PSN itself: increasingly, public sector customers are seeking connectivity to G-Cloud services via the PSN. This creates two distinct requirements: those businesses wishing to offer network services as part of the PSN, and those who wish to provide access to their G-Cloud services via the PSN.

Access to the PSN, and the provision of services to or over it, each require an appropriate compliance certificate:

  • PSN Connection Compliance Certificate:  This is required by customers (organisations sending and receiving information via the PSN) and service providers offering services via the PSN;
  • PSN Service Provision Compliance Certificate:  This is required by service providers offering services via the PSN (who must have a connection compliance certificate);
  • PSN Connectivity Service Compliance Certificate:  This is required by service providers offering connectivity services (e.g. Direct Network Service Providers – DNSP) and network core services such as DNS and NTP;
  • GCN Connectivity Services Compliance Certificate:  This is required by service providers offering backbone services – the Government Conveyance Network (GCN) provides a national backbone network that provides interconnectivity between all PSN users.

Many of the security requirements associated with the different compliance certificates are common, but there are differences that reflect the role of each party.

What?

Ascentor has been involved in the PSN since its inception, having worked with one of the first Direct Network Service Providers to gain CESG Assured Service (Telecoms) (CAS(T)) certification and subsequently to be approved as a PSN connectivity service provider. We also worked with PSN service providers and the PSN Encryption Work Group on the development of secure overlay services, and we have worked with PSN customer organisations and IT service providers to gain compliance certification.

  • PSN Connection Compliance. Compliance is based around completion of a Code of Connection (CoCo) document and an IT Health Check (ITHC), i.e. a penetration test. The IA compliance requirements are non-prescriptive but encompass all areas of IT security; the information is provided on a self-assessment basis but must be evidenced. Any failings identified by the ITHC should either be fixed (with evidence) or addressed in a submitted remediation plan.
  • PSN Service Provision Compliance. Compliance is based around completion of a Code of Practice (CoP), which incorporates the requirements of the PSN Service Security Standards (PSSS) process. PSSS is based on the Cloud Security Principles (CSP), which define 14 security principles (each with its own assurance requirements). In some cases the service will rely on network infrastructure that extends the PSN; this will require additional certification activities and additional ITHC testing.
  • PSN Connectivity Service Compliance. Compliance is based around completion of a Code of InterConnection (CoICo) document that is supported by CAS(T) certification (for network providers) or other requirements (e.g. evidence of compliance with the CESG network encryption at OFFICIAL guidelines for secure overlay services). An ITHC (and associated remediation plan) is also required.

Understanding what the requirements are, delivering the appropriate levels of compliance and evidencing this activity are potentially complex. The summary offered above excludes additional requirements around service management, technical interoperability, governance, and contractual and commercial factors (plus defining your service in a manner that delivers against customer requirements).

How?

Ascentor will help you succeed with the PSN in two ways:

  • Ensuring you have a roadmap to deliver the level of compliance certification your business objectives require, by identifying which requirements you have to fulfil and what you need to do to meet them.
  • Helping you to build an evidence portfolio that will meet all initial compliance requirements and support ongoing compliance requirements.

It is often tempting to leave security and information assurance until the point of project delivery. We would encourage you to recognise that security requirements are central to gaining the compliance certificate you need to operate: building in security from the beginning and ensuring that you can deliver it throughout the project’s life are the keys to success.

Next Steps

Please contact Dave James to arrange an informal discussion with one of our Principal IA Consultants, our resident expert in all things PSN.

Telephone: 01452 881712

Email: [email protected]co.uk

Further Reading

From the Ascentor blog: Understanding the new, more simplified PSN compliance
