How organisations can renew or get a PSN service provision compliance certificate so they can use a current connection to provide a service to PSN customers.
Apply for a Public Services Network (PSN) service provision compliance certificate
If you’re an organisation already connected to the PSN and you want to use it to provide a service to other PSN-connected organisations, you need a PSN service provision compliance certificate. There are 2 steps to renewing or getting your first PSN service provision compliance certificate:
PSN services must be provided from an infrastructure that holds a valid PSN connection compliance certificate. This could be your infrastructure or someone else’s. You’ll need to provide these details when you complete your application.
In some cases, the delivery of your service from your nominated infrastructure may involve the construction or deployment of additional physical or virtual infrastructure. For example, your service may be hosted in a PSN-connected IaaS environment, in which you deploy an operating system and some software that you then provide as a service. In such cases the PSN team may ask you to carry out additional assurance work (such as an ITHC) on this additional infrastructure to provide assurance that all PSN-connected infrastructure meets our requirements. For more information on the requirements for PSN-connected infrastructure read our guidance.
If the infrastructure you plan to use to deliver your service doesn’t have a valid PSN connection compliance certificate, you can apply for a PSN connection and a PSN service provision compliance certificate together, and we will conduct each assessment in parallel. If this is the case, simply send us your Code of Connection (CoCo) and Code of Practice (CoP) together at the same time. Make sure you tell us when you apply for compliance that you’re applying for both certificates. We’ve provided guidance on how you can apply for a PSN connection compliance certificate.
A PSN service provision certificate may be withdrawn at any time if it’s found that the certified service no longer meets the agreed standard.
About the PSN service provision compliance certificate
Before you can provide your service to PSN-connected organisations you need to pass PSN’s Service Security Standards (PSSS) process. When you successfully pass you demonstrate to us that the service you intend to provide is suitable for handling public sector information at OFFICIAL and does not present unacceptable risk to the security of the PSN.
PSSS is based on the Cloud Security Principles (CSP). We have identified the implementation objectives which are relevant to PSN services and established a minimum implementation requirement against each. These minimum requirements are outlined and explained later in this document.
Because services can only be delivered from a PSN-compliant (and therefore appropriately secure) infrastructure, your application to supply a service won’t have to undergo a full audit. However, we will be auditing a sample of our services each year. If your service is selected for a review, you are required to assist us by giving us reasonable access to your service and information relating to it.
Along with meeting these standards, you’ll also need to make a number of commitments about how you’ll work with us to ensure the ongoing security of the PSN.
A PSN service is defined as ‘a functional service available to PSN-connected organisations from a PSN-connected infrastructure in order to enable the fulfilment of a specific business activity’.
There are 2 steps to completing your application to renew or get your first PSN service provision compliance certificate.
Step 1: Complete a Code of Practice (CoP)
The PSN Code of Practice (CoP) document is essentially an application form to provide a PSN service. it gives us details of the service you want to provide and tells us which PSN-compliant infrastructure it will be delivered from. It also outlines the standards your service will need to meet. An explanation of each section is provided below.
You’ll need to complete your organisation’s details, including its registration number (if applicable). If you’re a central government department or local authority (such as a district, city or borough council) you won’t need to complete this. If you are registered with Companies House or the Charities Commission, you should provide the unique registration number they have provided you.
You must also provide point of contact details for your organisation. If your point of contact changes at any time during or after your compliance process, you should let us know as soon as possible using this form.
Your PSN service
The section asks you to give us details about the service you want to provide.
1. Service name
Please provide the name of the service you are proposing to provide.
2. Name of PSN-compliant infrastructure
We will not issue a PSN compliance certificate for any service until we have the agreement of the infrastructure owner. If you are intending to deliver the service from a third-party’s infrastructure, you must ensure that the terms of your agreement with them are finalised before submitting your application to us.
3. Service description (for users)
You should provide enough information for users/potential users to be able to ascertain what the service actually does. An in-depth technical description of how it functions is not necessary here. We publish details of all PSN-compliant services and we will include this information.
4. Service description (for PSN team assessors)
This enables us to understand the type of service you want to provide and what risks (security and operational) it could present to the PSN. Please fill in as much detail as you can against each of the specific considerations.
So we can understand the potential security implications around your service, you need to identify any connections between your service and an environment which is not PSN-compliant (such as the internet or a corporate network that has not been subject to a compliance assessment by the PSN team). We need information on all these connections, along with details of how you manage the security of these connections. Depending on the nature of the connection, this management may occur via technical controls or good business practices.
PSN Service Security Standards
We developed PSSS using the CSP as a basis. Each CSP is expressed as an overarching principle, within which are a number of questions about how that principle is implemented in a service. Some of the principles or questions either did not apply to the PSN or were already met through the assessment process for your service’s underlying infrastructure.
Against each relevant question, we have specified an acceptable baseline (the minimum level of response that you should give to the question that will satisfy our security requirements). These minimum requirements are the PSSS, and are outlined and explained below.
The CSP also suggests a number of different ways that service providers give assurance about the implementation methods they have chosen, ranging from ‘Service provider assertion’ to ‘Assurance in the service components’. As standard, you are not expected to supply us with evidence against each of the requirements as part of your application. However, your PSN-connected customers may ask to see it and, if your service is selected for a compliance review, we will expect to find all the evidence in place.
Guidance on each of the assurance methods is provided by the CSP.
Each PSSS is, therefore, expressed in the form below.
Cloud security principle 1 - Data in transit protection
|a. How is data protected between the user’s device and the service?||TLS or other encrypted protocol is expected. Otherwise an explanation of why it is inappropriate or unachievable.||Independent testing of implementation|
|b. How is data protected when exchange with other services?||TLS or other encrypted protocol is expected. Otherwise an explanation of why it is inappropriate or unachievable.||Independent testing of implementation|
- We generally require data in transit, whether between user and service or between different services, to be protected using Transport Layer Security (TLS) or other encryption protocol. However, we recognise that for some services or data, this may be inappropriate or impossible. If that is the case for your service or the data it will handle, you must explain to us why you won’t use TLS or another encryption protocol.
Cloud security principle 2 - Asset protection and resilience
|a. Where are the service provider’s data centers located?||UK, EU, EEA or other countries with Data Protection Treaties||Contractual commitment|
|b. Where are the services managed from?||UK, EU, EEA or other countries with Data Protection Treaties.||Contractual commitment|
|c. Where is the service provider’s legal jurisdiction?||Must be stated||Contractual commitment|
|d. What is the availability of the service?||SLA must be stated||Contractual commitment|
We require PSN services to be stored and managed inside the UK, EU, EEA or any country with a suitable Data Protection Treaty. In practice, as PSN connection points only exist in the UK, it is likely that your service will be only stored in the UK.
We also require you to ensure you state clearly to your customers what legal jurisdiction applies to you and the service you intend to provide. You must also agree a Service Level Agreement (SLA) with your customers about the availability of your service.
Cloud security principle 3 - Separation between consumers
|a. Is the service a public, private, community or hybrid cloud service?||PSN Services cannot be delivered from public cloud.||Independent testing of implementation|
|b. What other types of consumers do you share the service with?||PSN services can only be shared among PSN consumers||Contractual commitment|
|c. Do you securely separate consumer data and services from other consumers of the service?||Yes||Independent testing of implementation|
|d. Is your management of a consumer’s service kept separate from other consumers?||Yes||Independent testing of implementation|
The service that you offer to PSN-connected organisations must not be accessible from a network that is open for public use (such as the internet). You must only offer that service to organisations that have a valid PSN connection compliance certificate. This should be written into the contracts for the supply of the service that you sign with your customers. We will publish a list of all PSN-compliant organisations on our website.
You must also ensure your service separates one consumer’s data from another and that consumers are not able to access the management interfaces for other consumers.
Cloud security principle 4 - Governance
|a. Do you have a governance framework and processes in place for the service?||Yes||Independent validation of assertion|
- We require you to have a governance structure in place, though we do not specify a particular governance standard. There are a number of commercially-available governance standards that will satisfy this requirement.
Cloud security principle 5 - Operational security
|a. Do you make available to consumers time scales for implementing mitigations to vulnerabilities?||Yes||Independent validation of assertion|
|b. Within your service, do you conduct event monitoring and analysis to identify suspicious activity?||Yes||Independent validation of assertion|
|c. Do you have incident management processes in place and are they enacted in response to security incidents?||Yes||Independent validation of assertion|
|d. Do you publish to consumers your definition of a security incident, along with the format, incident triggers and time scales for reporting such incidents with service consumers?||Yes||Independent validation of assertion|
PSN-connected environments are committed to implementing patches for ‘critical’, ‘important’ and ‘other’ vulnerabilities within 14, 30 and 60 days respectively. Additionally, patches for vulnerabilities which are being exploited in the wild should be implemented immediately. You must patch any software you are using to deliver your service within the same timescales.
You must monitor your service so you can detect and respond to attempted and successful attacks, misuse and malfunction. You must also have in place an incident management process that minimises the impact of incidents on your customers. Wherever possible, you should be able to demonstrate how these processes have been enacted in response to previous incidents.
In addition to having processes in place, we require you to set out for customers, in an accessible and useful format, how they can expect your incident management to operate.
Cloud security principle 6 - Personnel security
|a. Do your staff who have access to the service (physically or logically) have adequate personnel security screening for their role?||BPSS or equivalent for users who have administrative privileges.||Independent validation of assertion|
We require any of your staff who have administrative privileges within the service to have undergone pre-employment checks commensurate with BPSS, which requires you to check:
- 3 years’ employment history
- nationality and immigration status (right to work)
- unspent criminal convictions
Cloud security principle 7 - Secure development
|a. Are the new and evolving threats reviewed and the services improved in line with them?||Yes||Independent validation of assertion|
|b. Is development carried out in line with industry good practice regarding: secure design, coding, testing and deployment?||Yes||Independent validation of assertion|
|c. Do you have configuration management in place to ensure the integrity of the service through development, testing and deployment?||Yes||Independent validation of assertion|
- Security must be considered throughout the design and development of your service, and during its operational life, in order to minimise its vulnerability to compromise. You should be able to describe your approach to ensuring secure development throughout the life cycle and show how adherence to your stated approach is assured.
Cloud security principle 8 - Supply-chain security
|a. Do you manage your third-party suppliers’ compliance with the relevant security requirements?||Yes||Independent validation of assertion|
- You are responsible for ensuring that your supply chain supports all the security principles that the service claims to support. Your procurement process for any software, hardware or services should ensure that your third-party suppliers support the security of the service.
Cloud security principle 9 - Secure consumer management
|a. Can only authorised individuals from the consumer access the management interfaces for the service?||Yes||Independent testing of implementation|
|b. Can consumers access, modify or otherwise affect the service of other consumers via management tools and interfaces?||Yes||Independent testing of assertion|
- You must ensure that access to management interfaces is limited to individuals authorised for higher-privileged access. Access should be granted according to business need, following the principle of ‘least privilege’. We also require you to make sure that an authorised individual from one consumer cannot access the management tools interfaces for another consumer’s service.
Cloud security principle 10 - Identity and authentication
|a. Do your identity and authentication controls ensure that users are authorised to access a specific interface?||Username and strong password/pass phrase enforcement.||Independent testing of implementation|
We require you to implement suitable identity and authentication controls, ensuring that users can only access interfaces needed for their legitimate role. This will involve, as a minimum, the combination of username and a ‘strong’ password/pass phrase. A ‘strong’ password is typically one that:
- comprises a minimum number of characters in length (for example, eight characters)
- differs from the associated username
- contains no more than two identical characters in a row
- is not a dictionary word
- includes a mixture of numeric and alpha characters
- has not been reused within a predetermined period of time (such as six months)
- has not been used for another account.
Remember that this is a minimum requirement, along with password strength there are a number of other ways of strengthening authentication processes such as locking users out after a number of failed attempts or using two-factor authentication. Weaker passwords may be acceptable when combined with another method of strengthening authentication processes.
Cloud security principle 11 - External interface protection
|a. What method of interconnection to the service do you provide?||Must be stated||Independent testing of assertion|
We require you to identify the networks from which the service can be accessed (including management interfaces) and to describe to your customers how the connections are protected against attacks through them.
A well-scoped penetration test and evidence that its recommendations have been implemented will provide confidence that that external interfaces are robustly configured to counter known weaknesses and vulnerabilities.
Cloud security principle 12 - Secure service administration
|a. What technical approach do you use for your service management?||The service management model used must be stated||Independent validation or testing of assertion (depending on solution)|
There are a number of service management models outlined in the CSP guidance, ranging from management occurring through ‘dedicated devices on a segregated network’ to ‘Direct service management’, where the service is managed from devices which are also used for normal business use.
We require you to clearly inform your customers which service management model you are using, so that they can make an informed choice when buying services.
Cloud security principle 14 - Secure use of the service by the customer
|a. Do you provide guidance on service configuration options and the relative impacts on security?||Yes||Independent validation of assertion|
- As the provider, you hold ultimate responsibility for the security of your service. We therefore require you to provide your consumers with guidance about the different configuration options your service provides and the security implications of these options.
This section of the CoP asks you to provide a number of different people’s contact details.
1. Service desk
Typically, if you are providing a service you will have a service desk to deal with routine queries and concerns from your users. Depending on the size of your organisation and the scale and complexity of your service, this could be one individual or an entire department. Please provide the contact details for this service desk, including as much information as you can in the fields provided..
2. Escalation points
In situations where you routine service desk is unable to answer a query or resolve a problem, the issue will need to be escalated. The escalation route will differ widely from organisation to organisation; it may be that the size of your organisation and the scale and complexity of your service means that you don’t have three levels of escalation. This is not a problem; just provide as many escalation points as exist for the service you offer.
As an example, the first point of contact might be the service manager, the second might be the formal point of contact between your organisation and the PSN team (a relationship manager, for example) and the third might be a head of operations, board director or chief executive.
3. Security manager
You should have an individual who is responsible for information security with respect to the services you provide. Please provide this individual’s contact details so that we can contact them directly regarding security incidents and concerns.
You need to make a number of commitments to us about the service you intend to provide. The CoP isn’t a contract, so these commitments aren’t legally binding on you or us.
However, your PSN service provision compliance certificate is issued subject to these commitments. In extreme cases (where we believe that the security of the PSN or other users are exposed to an unacceptable risk as a result of your failure to meet these commitments) we may rescind your certificate and require you to cease provision of the service. In addition, your record of keeping these commitments will be a relevant factor in future compliance reviews.
It’s important that you read and understand these commitments before signing them. If you are unclear about what they mean, email the PSN team at email@example.com.
The commitment statement should be signed by an authorised signatory from your organisation; this will be somebody who has authority to make commitments on behalf of your organisation, usually a board-level individual.
A scanned copy of your commitment statement, signed in ink, is acceptable..
Step 2: Submit your application documents
When you’ve completed the above steps set out in this guide, your final step is to submit the documents to us. To do this just simply email the documents including any supporting material to the PSN team at firstname.lastname@example.org. These documents make up your PSN service provision compliance submission.
What happens to your PSN service provision compliance submission
The PSN team will validate and review your application. You might be contacted if your submission is incomplete or to confirm details in your application. Most applications are dealt with in 4 weeks.
If the PSN team identifies any issues in your application you may need to address these and resubmit. When the PSN team has made a decision we’ll write to you to confirm you’ve achieved PSN compliance, and will include your PSN compliance certificate. Your compliance certificate is normally valid for 12 months.
Supplying your service(s) over PSN once you receive your PSN service provision compliance certificate
When your organisation has a PSN service provider compliance certificate you can provide your service(s) over the PSN. Read the Supply services over PSN guidance to find out how you can do this.