Public Services Network (PSN) Accreditation – The Process Explained

Update on the use of the Public Service Network (PSN)

This post was originally published in May 2012. In January 2017 the Government Digital Service statedthat use of the PSN will be phased out but clarified the position in March, saying that Government bodies still need to be PSN compliant – at least for the immediate future. For up to date clarification on the PSN, please contact Dave James, MD at Ascentor. In the meantime, we hope you’ll find the original post of help.

There wasa change to the Public Services Network (PSN) compliance process at the end of 2014 which is covered in a new article on the Ascentor site here .

This original post is for those involved with the delivery of the Government’s Public Services Network (PSN). For a service to be ‘approved’ for use it must meet stringent criteria set by the Cabinet Office, one of which is Information Assurance (IA). I hope this article helps to clarify the process and shows that IA is not a bolt on element but a key part of the approvals process that needs careful consideration right from the start.

Before delving into the mysteries of CAS(T), CPA, PEPAS, etc. and the differences between accreditation for infrastructure (such as a DNSP) and accreditation of a service (such as VoIP), I think it is useful to get a handle on some underlying concepts.

PSN Accreditation

Accreditation is part of the risk management process of a public sector organisation. The basic idea is to have a formal process to identify the risks, work out how to manage them and finally to assess, if this is within the risk appetite of the organisation.

Accreditation is a form of IA assessment and is mandatory for organisations that are subject to the Security Policy Framework (SPF) – this does not (currently) include a large chunk of the public sector (local authorities, NHS, etc.), but does include central government departments, NDPBs and most agencies.

What happens when the thing being accredited is used by more than one organisation?

For the PSN, IA is service-based and layered – the guiding principle is to accredit once, reuse as needed. Individual SIROs retain risk ownership for their organisation’s information, but rely on their peers to carry out accreditation for given services. The PSN has an Infrastructure SIRO, who ‘owns’ the shared risk for PSN services and acts on behalf of the other SIROs. Accreditation decisions are made by the Pan-Governmental Accreditor (PGA) on behalf of the PSN Accreditation Panel (PSNAP).

The PSN Authority (PSNA) is the arbiter in all this. It is the PSNA who finally approves a service for use on the PSN – accreditation is a key part of this decision, but there are other (non-IA) requirements to be met: Governance, technical interoperability, service management and commercial. Read “PSN Compliance” to understand how all this fits together.

So how does PSN accreditation work?

The accreditation process and requirements are explained in “PSN Risk Management & Accreditation Reference Document” (RMARD). The approach is based around HMG IA Standard 2 (IS2), although for IL2 there is a lighter-weight process. In practical terms, this means following the IS1 method for risk assessment and the creation of an IS2 Risk Management and Accreditation Document Set (RMADS).

Assurance is a key aspect of any accreditation: PSN assurance requirements are driven by the impact level of the service (IL2/3/4) and the availability of custom CESG assurance services. A good example of this is Commercial Assurance Service (Telecoms) – CAS(T) – this is an assurance service specifically for networks with a 224 profile, and is derived from ISO 27001. The RMARD contains a template for a light-weight RMADS document, where the assurance is based on CAS(T). For other PSN services, assurance may be based on ISO 27001 (for IL2) or CESG Tailored Assurance Service (CTAS) for IL3 and above. There are plans to create specific assurance schemes for other PSN services, similar to CAS(T).

Where do I find the PSN documents?

The key documents mentioned in this post are available from the Cabinet Office website – .

Article by Peter Curran , Principal IA Consultant and PSN specialist at Ascentor


Other articles you might like:


You may also be interested in:

Work from home cyber security myths

Cyber security myths home workers fall for

Home workers are a growing gateway to your data and systems. If they believe any of these popular cyber security myths, your security is at serious risk.

Cyber security working from home

Managing good cyber security when working from home - what employers need to know

Home working carries increased security risks, but it doesn’t have to be open season for cyber criminals. These tips will help you put together a robust level of cyber security for your home based employees.

Cyber Essentials is changing - our overview

As the IASME Consortium takes over the management of the certification of Cyber Essentials (CE) Scheme, we look at what the changes will involve and why the scheme is still very much needed.