Apply for a Public Services Network (PSN) connection compliance certificate

Question

Accepted Answer

Apply for a Public Services Network (PSN) connection compliance certificate

If you want to connect to the PSN you need to renew or get your first PSN connection compliance certificate. There are 5 steps to completing your application:

Complete a Code of Connection (CoCo)
Provide a network diagram
Provide your ITHC report
Update your contact details
Submit your application documents

A PSN connection compliance certificate may be withdrawn at any time if it’s found that the certified organisation no longer meets the agreed standard.

About the PSN connection compliance certificate

You must use information in the right way when you’re connected to PSN so that it stays a secure environment for public service organisations to share information and services.

Before you can connect to the PSN your organisation needs to pass the PSN compliance process. When you successfully achieve compliance you demonstrate to us that your infrastructure is sufficiently secure that its connection to the PSN would not present an unacceptable risk to the security of the network.

To achieve compliance you must meet our Information Assurance (IA) requirements, which have been designed to provide an achievable and sensible baseline for security. Along with these IA requirements, you’ll also need to make a number of commitments about how you’ll work with us to ensure the ongoing security of the PSN.

The compliance process for obtaining a PSN connection certificate focuses on connecting a specific, predefined infrastructure to the PSN. The same process is used whether you want your entire organisation to be able to access the PSN or just a part of your organisation.

An infrastructure is defined as ‘the situation from which PSN network traffic can be sent or accessed. This encompasses the networks, systems, hardware, processes and staff that will have direct and unmediated access to the PSN’.

There are 5 steps to completing your application to renew or get your first PSN connection compliance certificate.

Step 1: Complete a Code of Connection (CoCo)

The PSN Code of Connection (CoCo) document is essentially an application form to connect to the PSN. It gives us information about the infrastructure you want to connect and outlines the IA requirements you need to meet and the commitments you need to make to us. It includes:

Cover page

You’ll need to complete your organisation’s details, including its registration number (if applicable). If you are a central government department or local authority (such as a district, city or borough council) you won’t need to complete this. If you are registered with Companies House or the Charities Commission, you should provide the unique registration number they have provided you.

You must also provide point of contact details. If your point of contact changes at any time during or after your compliance process, you should let us know.

Your PSN environment

This section asks for information about the infrastructure you want to connect to the PSN. Our IA assessors need this information to understand the nature of the infrastructure you wish to connect to the PSN and the risks it might present. Remember that:

the ‘size’ estimates you use should be accurate
‘number of users’ means the number of users who you would expect to be accessing information and services within your specified infrastructure
‘number of sites’ means the number of physical locations (such as office locations or data centres) over which your users are spread
‘number of internal IP addresses’ means the number of IP addresses within the scope of the infrastructure, not the externally-presentable IP addresses

IA conditions

You won’t need to complete this section, but it’s still extremely important that you make sure you have read and understood our requirements. These requirements set the standard that we expect all PSN-connected organisations to meet, which ensures the security of the public sector data traversing the network. By submitting a signed CoCo to us, you are confirming that your infrastructure meets these standards.

If you do not meet any of these standards, please contact the PSN team. We’ll work with you to identify the remediative work you need to undertake and agree an achievable time frame for their implementation.

Wherever possible, our requirements specify a security outcome rather than prescribe a technical solution. Where we provide examples of solutions, you are welcome to adopt these solutions or explore alternatives.

It’s important to us that the security outcome is achieved, not how you achieve it.

When ‘appropriate’ or ‘appropriately’ is used in the CoCo (and not expanded on in the body text) it means that you should decide what measures need to be taken based on your knowledge of your system, the nature of the data and the applicable risks. You’ll also need to consider any data handling agreements you have with other data owners.

We need to be confident that you have understood and met the following requirements:

1. Operational security

We require you to have policies, processes and procedures in place ensuring the secure operation of your infrastructure.

a. Vulnerability management (patch management)

Even well-managed systems develop vulnerabilities over time. A sensible security policy will not only assess vulnerabilities arising from new systems, hardware etc but will monitor your existing infrastructure for the emergence of exploitable vulnerabilities. Most vulnerabilities can be fixed by patching (a targeted, specific upgrade to a certain device, application or system). This should be done at regular intervals, dependent on the severity of the vulnerability.
Where your infrastructure suffers from a vulnerability that you know is being exploited elsewhere (in someone else’s infrastructure, for example) you should apply a patch immediately.
Not every vulnerability has a patch available, so you need to take some other steps to reduce the potential impact of an exploit against that particular vulnerability.

b. Secure configuration

The default, out-of-the-box configuration of many of the systems, software and services you use are likely to leave your infrastructure vulnerable. It is important that you have control over the configuration of these elements of your infrastructure and use that control to configure them to provide an appropriate level of security.
Malicious software (such as viruses or spyware) is one of the most common threats faced by networked infrastructure, so it is important that you have measures in place to protect your infrastructure against these threats. As an absolute minimum you should have good, well-configured antivirus software for all devices, systems and services.
In order to ensure that secure configuration is achieved across your infrastructure, you need to be able to direct the security patch management for all managed devices.

c. Physical security

Technical security measures may be futile if the physical environment in which your data is held and processed, and in which your staff work, is not appropriately secured as well. Ensuring that only the right people have access to, or sight of, areas where sensitive assets are stored, held or processed needs a combination of physical measures (such as security guards, access controlled doors, identity cards) and policies and procedures which govern their use, monitor compliance and enable enforcement action.

d. Protective monitoring and intrusion detection

Any infrastructure should expect to suffer attacks, either targeted or opportunistic. If the infrastructure has connections to the internet this is all but guaranteed. A good protective monitoring policy will help you identify security incidents quickly and provide you with information that will help you initiate your incident response policy as early as possible. It will also help you prevent identical or similar incidents in the future.
Along with technical controls, you will have businesses processes and policies that promote and ensure the security of your infrastructure. Abuses of these processes pose a significant risk to the security of your organisation, and the security of the PSN.
We have not provided details of specific information your protective monitoring policy should detect and retain. You should design your policy based on the specific details of your infrastructure and the threats you expect to face.

e. Security incident response

A crucial aspect of your overall security state is how you respond to incidents when they occur. Your incident response policy should:
- allow you to mitigate harm quickly and effectively
- include reporting it to the PSN team and other relevant entities of the situation where appropriate
- allow you to prevent similar incidents occurring in the future
Your policy should require you to inform the National Cyber Security Centre (NCSC) of any cyber security incident that it has expressed an interest in, and also keep us informed if the incident impacts the PSN. NCSC reduces the cyber security risk to the UK by improving its cyber security and cyber resilience. It works together with public sector organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. It publishes practical and proportionate security guidance to help protect both new and existing IT systems.

2. Authentication and access control

Sensible authentication and access control ensures your devices and services are safe against unauthorised access but that your users enjoy access to the devices and services that they need. When End User Devices (EUDs) access corporate services, you can provide an appropriate level of security by requiring:

user-to-device authentication
device-to-service authentication
user-to-service authentication

NCSC’s password guidance recommends not relying on password length or complexity to ensure security. Instead, you should look to apply simple technical controls such as locking users out after a specified number of failed authentication attempts or applying two-factor authentication.

The 5 requirements in the CoCo are a simple, achievable baseline. If you do not meet one or more of these requirements you should tell us what other controls you have in place to mitigate the risk.

3. Boundary protection and interfaces

The boundaries between your network/services and the internet or any other network are the most likely point for an attempted intrusion, so we require you to impose appropriate security controls at these points. A firewall with appropriately configured rule sets

We recognise that you may present services outside of these protected boundaries. In these cases we have imposed additional requirements on how these services communicate with your core infrastructure.

We also recognise that BYOD is an increasingly popular strategy for organisations to let their staff work more flexibly, so we have imposed certain restrictions on how unmanaged devices are used in the context of PSN that allow BYOD policies to be used while ensuring they do not present excess risk to the PSN.

4. Protecting data at rest and in transit

You need to make sure that data is protected by default, whether at rest within your infrastructure, in transit within your infrastructure or in transit between your infrastructure and another environment. There are a lot of different solutions that would accomplish these goals. It is up to you to decide exactly how you achieve data at rest and data in transit protection.

5. User and administrator separation of data

Separation between users prevents one compromised or malicious user posing a risk to others’ data or experience of a service. In general, user access should be based on the principle of least privilege, so that each user should have the minimum level of access necessary to allow them to carry out their function.

This principle is true for cloud services and non-cloud services alike. Refer to CSP 3: Separation between consumers and CSP 9.1: Authentication of consumers to management interfaces and within support channels for further guidance.

6. Users

Implementing security controls on your staff helps protect you against the risk of malicious actors inside your infrastructure. The Baseline Personnel Security Standard (BPSS) provides a strong baseline against which to hold those members of your staff who have privileged access to, for example, corporate services or network configuration. Guidance on HMG personnel security controls (including BPSS) is available.

BPSS requires you to check an individual’s:

identity
nationality and immigration status (right to work)
employment history covering at least 3 years
unspent criminal convictions

7. Testing your security

Independent testing of your network helps you to identify the vulnerabilities and risks your business is exposed to. You need to commission regular IT Health Checks (ITHCs) to test your infrastructure for vulnerabilities. ITHCs can be commissioned from suppliers under several registered schemes, including CREST, CHECK and Tiger.

We have published guidance on how to scope your ITHC.

You’ll need to include your ITHC report in the documents you send us when applying for a compliance certificate. Guidance on exactly what we need to see is provided later in this document.

Security gaps

If you are not meeting any of the IA conditions, this is where you can let us know by contacting the PSN team. Our assessors can then work with you to make sure that this gap is closed or the risk mitigated in some other way.

We recognise that no set of IA conditions can accurately capture the complexity of all possible systems. If you are not meeting one or more of the IA conditions, but are already mitigating the associated risk through other arrangements, you should use this box to let our assessors know.

Commitment statement

Alongside meeting our requirements, you’ll also need to make a set of commitments to us. These commitments dictate how you’ll work with us throughout the compliance process and throughout the period of your connection to the PSN.

Your relationship with us isn’t a contract, so these commitments aren’t legally binding on you or us. However, your connection compliance certificate is issued subject to these commitments. In extreme cases (where we believe that the security of the PSN or other users are exposed to an unacceptable risk as a result of your failure to meet these commitments) your certificate may be rescinded and you may be required to disconnect from the PSN. In addition, past performance against these commitments will be a relevant consideration in future compliance reviews.

It’s important that you read and understand these commitment statements in full. If you are unclear about what they mean, email the PSN team at public-services-network@digital.cabinet-office.gov.uk.

Who signs the commitments will differ depending on the type of organisation. If you are a central government organisation with a Senior Information Risk Owner (SIRO), your SIRO should sign the CoCo. If you are a local authority or other public sector organisation, you should have your chief executive sign the CoCo. If you are a supplier, the signatory should be a board-level individual who is empowered to make legal commitments on behalf of your organisation.

Step 2: Provide a network diagram

You’ll need to provide an up-to-date diagram of your network infrastructure. This enables us to understand the infrastructure that you want to connect to PSN and what risks it might present to other users and the network. The network diagram must be less than 6 months old at the time you submit your application and must be in PDF format (which is the standard format for viewing government documents).

As a minimum, the diagram should include:

your organisation’s name
the date the diagram was created
local connections with approximate number of users, and details the PSN services and non-PSN services remote connections/remote access
all external and third-party connections (with names of organisations, business reason for connection and boundaries of responsibility)
the location of security devices, such as gateways
wireless network devices
infrastructure and connections that are off-shored

Where you have a very large infrastructure, we do not expect your diagram to include every device or user. The main aspects we need to understand are:

service interaction, so it is clear what services you are consuming and whether they are PSN or non-PSN services
onward connectivity, so we know where you are connected to PSN or non-PSN networks
any off-shoring of systems or information
third-party connectivity

Step 3: Provide your ITHC report

You will need to send us the report from your most recent ITHC. This lets us see what vulnerabilities exist in your infrastructure and what action you have taken or plan to take to fix or mitigate them.

Read the IT Health Check supporting guidance to ensure you get the scope right with your chosen ITHC supplier.

The ITHC report you send us must not be older than 12 months old and must not have been used for your previous Code of Connection submission. If the report identifies any ‘critical’ or ‘high’ issues, you should either provide evidence that these issues have been resolved or a remediation action plan to address them.

Remediation action plan

If your ITHC report shows ‘critical’ or ‘high’ issues that you have not yet addressed, your submission should include a Remediation Action Plan (RAP) to address these issues. This RAP should include, as a minimum:

specific actions to be undertaken
planned start and finish dates for this work
details of the ‘owner’ of this work (that is, the individual responsible for ensuring it is actually carried out)
a ‘lessons learnt’ statement explaining how you will avoid the same issue being repeated in future

You can use this Remediation Action Plan (RAP) example template as a guide when preparing your RAP.

Step 4: Update your contact details

You will need to send us the contact details for important roles in your organisation. Providing these details allows the PSN team to make sure the right people are informed about service and security issues that may occur both in the PSN community and more widely. It’s important to keep these details updated and ensure the PSN team are informed of any changes.

You can use this form to provide the contact details or update the details that you have already sent us.

Step 5: Submit your application documents

When you’ve completed steps 1-4 set out in this guide, your final step is to email all the documents to the PSN team at public-services-network@digital.cabinet-office.gov.uk. These documents make up your PSN compliance submission.

Before emailing your submission, please check to make sure:

the network diagram you send is less than 6 months old and is in PDF format
the supporting documents you send are in PDF format
your CoCo is signed by the appropriate authority (your SIRO if you’re a government organisation, your chief executive if you’re a local authority or other public organisation, or a board-level individual if you’re a supplier)

What happens to your PSN compliance submission

The PSN team will validate and review your application. You might be contacted if your submission is incomplete or to confirm details in your application. Most applications are dealt with in 4 weeks.

If the PSN team identifies any issues in your application you may need to address these and resubmit.

When the PSN team has made a decision we’ll write to you to confirm you’ve achieved PSN compliance, and will include your PSN connection compliance certificate. Your certificate is normally valid for 12 months.

Accessing PSN services when you achieve PSN customer compliance

When your organisation achieves PSN customer compliance you can buy connectivity and access services available on the PSN. Read the Access PSN services guidance to find out how you can do this.

Apply for a Public Services Network (PSN) connection compliance certificate