How commercial suppliers can renew or get a PSN connectivity service compliance certificate so the service can be used by public service organisations connected to the PSN.
Apply for a PSN connectivity service compliance certificate
If you’re a supplier and want to provide your connectivity service on the PSN you need to get it compliant and confirm that it meets certain obligations. Your PSN connectivity service compliance certificate is awarded by the PSN compliance team.
There are 5 steps to renewing a PSN connectivity service compliance certificate or getting it for the first time.
- Complete a Code of Interconnection (CoICo) and provide the necessary supporting information
- Read and understand the PSN obligations for connectivity services
- Provide evidence that your service meets the necessary level of assurance
- Update your contact details
- Submit your application
A PSN connectivity service compliance certificate may be withdrawn at any time if it’s found that the service no longer meets the agreed standard.
About PSN connectivity service compliance
Before you can provide connectivity services to PSN-connected organisations you need to pass the PSN connectivity services compliance process. This demonstrates to us that the connectivity service you are proposing will ensure appropriate confidentiality, integrity and availability of OFFICIAL data travelling across the PSN, and that it meets the technical interoperability and service management obligations necessary to support an end-to-end service. Your service will be assessed by the PSN compliance team.
To achieve connectivity service compliance your organisation and your proposed service must meet a series of obligations. These obligations are divided into:
- service management
- technical interoperability
These obligations dictate how you will design, build and operate your service and are further explained in this guidance. You’ll need to read and understand how these obligations apply to your organisation and your service as you’ll need to make a commitment that you comply when you complete your application. This gives us confidence that we can safely introduce your service to the network.
We’ve published a guide that lists all of the current Public Services Network (PSN) obligations.
If you’re renewing an application, you’ll have previously submitted a Public Services Network (PSN) Code of Interconnection Annex A spreadsheet. You don’t need to do this as part of your submission now; you’ll just need to check a box when you complete your application to confirm you meet the obligations.
There are 5 steps to completing your application to renew or get your first PSN connectivity service compliance certificate.
Step 1: Complete a Code of Interconnection (CoICo)
The Code of Interconnection (CoICo) is your application form to provide a connectivity service. It gives us information about your organisation and details of the service you want to provide, and provides a list of requirements that your service needs to meet.
You’ll need to complete your organisation’s details and point of contact information. If these contact details change at any time after you submit your CoICo, you should let the PSN compliance team know using this form.
Your PSN connectivity service
You’ll need to give us details of the service you intend to provide.
1. Service name
Please provide the name of the service you are proposing to provide.
2. Service description (for users)
You should provide enough information for users and potential users to be able to understand what the service does. An in-depth technical description of how it functions is not necessary. We publish a list of all PSN-compliant services and we will include your information.
3. Service description (for PSN assessors)
We won’t be able to properly assess your application unless you provide us enough information to understand your service and how it will operate. Please provide as much detail as you can against each of the specific considerations.
You need to provide a high-level architectural schematic that illustrates how your service will operate consistent with the description you have given.
You’ll also need to provide an up-to-date diagram of your network and management infrastructure. This enables us to understand the infrastructure that you want to connect to PSN and what risks it might present to other users and the network. The network diagram must be less than 6 months old at the time you submit your application and must be in PDF format.
As a minimum, the diagram should include:
- your organisation’s name
- the date the diagram was created
- local connections, with the approximate number of users, and details of the PSN and non-PSN services, remote connections and remote access
- all external and third-party connections (with names of organisations, business reason for connection and boundaries of responsibility)
- the location of security devices, such as gateways
- wireless network devices
- infrastructure and connections that are off-shored
Where you have a very large infrastructure, we do not expect your diagram to include every device or user. The main aspects we need to understand are:
- service interaction, so it is clear what services you are consuming and whether they are PSN or non-PSN services
- onward connectivity, so we know where you are connected to PSN or non-PSN networks
- any off-shoring of systems or information
- third-party connectivity
This information will allow us to assess your service and understand the operational and security risks it may pose to the network. This information will not be published.
Along with meeting our requirements, you’ll also need to make a set of commitments to us. These commitments dictate how you’ll work with us throughout the process and throughout the period of your connection to the PSN.
Your relationship with us isn’t a contract, so these commitments aren’t legally binding on you or us. However, your compliance is subject to these commitments. In extreme cases (where we believe that the successful operation or security of the PSN is exposed to an unacceptable risk as a result of your failure to meet these commitments) your certificate may be rescinded and you may be required to withdraw your service from the PSN. In addition, past performance against these commitments will be a relevant consideration in future compliance reviews.
Step 2: Read and understand the PSN obligations for connectivity services
When you submit your application you’ll need to confirm your organisation and your service meet a series of obligations. You will need to read and understand these obligations before you sign and submit your application. The obligations are divided into:
Governance and service management
The Public Services Network (PSN) obligations for connectivity services collection contains documents that place governance and service management obligations on all PSN connectivity services. The obligations let connectivity service providers work together, respond quickly and share relevant information with one another - even across contractual boundaries - to help all public sector end-users resolve any operational issues that may arise.
Technical interoperability
The Public Services Network (PSN) technical interoperability documents and obligations for network services provide us with assurance that your network service will work seamlessly at a technical level with other PSN networks. The technical interoperability requirements focus on Multiprotocol Label Switching (MPLS) configuration, Autonomous System (AS) deployment, Quality of Service (QoS) classes, IP addressing and Domain Name Services.
Step 3: Provide evidence that your service meets the necessary level of assurance
You’ll need to provide us with evidence that your service meets the necessary level of assurance.
If your service is a GCN, DNSP or other PSN network, you must provide a current CAS(T) certificate and surveillance report. The surveillance report must not be more than 12 months old and must not have been used for your previous application.
You should read CESG’s policy and guidance to ensure you get the right controls assessed and you understand the audit cycle.
If your service is an encrypted overlay or a PKI that supports the PSN Protected service, you must provide evidence that you meet CESG’s Network encryption at official guidance. For all other connectivity services, you must provide evidence that you meet CESG’s Securing Technology at Official guidance.
Provide your ITHC report
You will need to send us the report from your most recent ITHC. This lets us see what vulnerabilities exist in your infrastructure and what action you have taken or plan to take to fix or mitigate them.
Read the IT Health Check supporting guidance to ensure you get the scope right with your chosen ITHC supplier.
The ITHC report you send us must not be more than 12 months old and must not have been used for your previous CoICo submission. If the report identifies any ‘critical’ or ‘high’ issues, you should provide either evidence that these issues have been resolved or a remediation action plan to address them.
Remediation action plan
If your ITHC report shows ‘critical’ or ‘high’ issues that you have not yet addressed, your submission should include a Remediation Action Plan (RAP) to address these issues. This RAP should include, as a minimum:
- specific actions to be undertaken
- planned start and finish dates for this work
- details of the ‘owner’ of this work (that is, the individual responsible for ensuring it is actually carried out)
- a ‘lessons learnt’ statement explaining how you will avoid the same issue being repeated in future
You can use this Remediation Action Plan (RAP) example template as a guide when preparing your RAP.
Step 4: Update your contact details
You will need to send us the contact details for important roles in your organisation. Providing these details allows the PSN team to make sure the right people are informed about service and security issues that may occur both in the PSN community and more widely. It’s important to keep these details updated and ensure the PSN team are informed of any changes.
Typically, if you are providing a service you will have a service desk to deal with routine queries and concerns from your users. Depending on the size of your organisation and the scale and complexity of your service, this could be an individual or a department. Please provide the contact details for your service desk, including as much information as you can in the fields provided.
Where your service desk is unable to answer a query or resolve a problem, the issue will need to be escalated. The escalation route will differ widely from organisation to organisation. We ask for details to cover 3 levels of escalation, but if the size of your organisation and the scale and complexity of your service mean that you can’t supply this many, just provide as many escalation points as you can for the service you offer.
For example, your first point of contact may be your service manager, the second may be the formal point of contact between your organisation and the PSN team (such as a relationship manager) and the third may be a head of operations, board director or chief executive.
Your organisation should have someone who is responsible for information security with respect to the services you provide, so we will need their contact details so that we can contact them if there are security incidents or concerns.
You can use this form to provide the contact details or update the details that you have already sent us.
Step 5: Submit your application
When you’ve completed the steps set out in this guide, your final step is to submit your application to us. You can do this using the PSN team contact centre online portal. Your application will need to be completed by the authorised signatory or named point of contact on your CoICo.
When submitting your application through the portal you’ll need to complete a submission form, which will ask you to:
- enter an email address (or sign-in if you already have an account)
- enter a message (just let us know what your application is for and if you have any further information or comments you’d like to include)
- enter your existing PSN compliance reference (if you’re renewing an application you can find it in our list of PSN-compliant services); if this is a new application, just ignore this field
- select which type of PSN connectivity service your application is for
- confirm your service complies with the PSN obligations for connectivity services by putting a check in the ‘I confirm…’ box
- attach the relevant documents: a PDF of your completed and signed CoICo, evidence that your service meets the necessary level of assurance and your updated contact details form
- verify you’re a human by putting a check in the ‘I’m not a robot’ box
- click ‘submit’ to send your application
What happens to your connectivity service compliance application
The PSN team will review and validate your application. You might be contacted if it’s incomplete, to confirm or clarify details in your application or to ask for additional information.
If the PSN team identifies any issues in your application you may need to address these and resubmit.
When the PSN team has concluded its compliance review, they will make a decision as to whether your service can receive connectivity service compliance.
If the PSN team confirms your connectivity service compliance, we’ll let you know and we’ll include your PSN connectivity service compliance certificate. At this point, you may start to provide your service. Your certificate is valid for 12 months.
Providing your service once you receive your PSN connectivity service compliance certificate
When your organisation has received your PSN connectivity service compliance certificate you can provide your service to PSN customers. Read the Supply services over PSN guidance to find out how you can do this.