Cabinet Office attempts to defuse PSN compliance tensions

The Cabinet Office has updated the public services network (PSN) programme to make it easier for councils to meet security requirements

The Cabinet Office has updated the public services network (PSN) programme to respond to concerns that councils find it difficult to meet security requirements.

In a letter, Cabinet chief operating officer Stephen Kelly said there will be an “ongoing review of pragmatic risk mitigation” around PSN compliance.

Kelly also said he would like to improve the dialogue with local councils struggling with compliance.

“The PSN team will ensure the PSN infrastructure best serves the interests of all public service organisations. This requires ongoing learning from all parties to deliver a level of security proportionate to the business risk and pragmatic in its implementation,” Kelly said in the letter.

Socitm president Steve Halliday welcomed the news from the Cabinet Office: “We are cautiously confident that the 2014-15 PSN experience will be considerably less frustrating than 2013-14 has been,” he said.

Halliday told Computer Weekly "localism" is a critical aspect of PSN compliance, with different councils having different experiences. “But if you’re going to join into a shared network, there needs to be a certain amount of shared trust,” he said.

He said the ongoing pragmatic review would look at what local councils are doing.

More flexibility

Kelly acknowledged councils’ calls for more flexibility around PSN compliance guidelines.

John Jackson, CIO of London Borough of Camden, asked for PSN guidelines to “adopt security frameworks for the public sector that are flexible and adaptable for a new digital era and which are customer centric”.

According to Kelly, by 9 December 2013, nearly 70% of organisations were compliant, with most of the remaining 30% expected to achieve compliance by the March 2014 deadline.

But Halliday said these updates were more of a long-term strategy. 

“Cyber security is forever,” he said. 

“Once we do what we need to do for March 2014, we still need to make sure security is good in 2015, 2016 and so on.”


The recent negotiations came after councils were threatened with disconnection from the PSN for failing to comply with security regulations. Council leaders raised the issue that their existing BYOD schemes could be threatened, due to the regulations.

“Recent changes in security policies are not opening up government but are threatening to do the reverse,” Jackson said in December 2013.

“The new draconian provisions in the PSN code of connection (CoCo) mean councils that have embraced progressive flexible working strategies and schemes such as bring your own device (BYOD) over the past year will, in all probability, have to abandon them or change them so much that they become unaffordable or untenable.”

But Ian Levy, technical director at CESG, said a lot of the troubled talk around PSN was driven by misunderstanding and bad advice.

Talking at the Government ICT conference in London today, Levy said: “In my personal opinion, if you are not meeting the basic PSN conditions, there is no way you can meet your Data Protection Act requirements for protecting personal data.”

Levy said some councils were becoming confused between PSN security compliance guidelines and common sense. 

“PSN is about creating a community level of trust, it’s not about enforcing central government requirements on local authorities - it’s not about having local authorities by proxy protect the MoD from Chinese state-sponsored attacks. It is about information management,” he said.

He said local authorities that have good network architecture and the ability to make judgements on council information and where it goes will be able to have BYOD schemes. “You can have your BYOD carrier pigeons for all I care, because that’s your information and it’s up to you to make that risk judgment, not me,” he said.

But for central government data that has a protection requirement, Levy said this must be protected in the way the supplier of the information wanted it to be.

“Using the technology available today, we do not believe that we can do BYOD securely for government data,” said Levy.
