Why have organisations failed to make PSN compliance deadline?

A number of organisations have failed to meet the PSN security compliance deadline despite the threat of being cut off from critical services

To connect to the new public services network (PSN), organisations - including local councils, government agencies and government departments - have had to ensure their security connections are compliant with a code of connection set by the Cabinet Office.

The deadline for meeting this security compliance passed three days ago at the end of March, but some organisations – including three local councils – have failed to meet the deadline.

Organisations not connected to the PSN risk being cut off from the network and will be unable to access critical Whitehall services such as the Department for Work and Pensions for exchanging details of benefits claimants. 

So what has caused these organisations to miss the deadline?

Two weeks ago, the operations director of the PSN programme at the Cabinet Office, John Stubley, said councils that fail to engage with the Cabinet Office for help are “effectively opting out” of the PSN, and therefore risk being cut off.

But Sarah Hurrell, senior responsible officer (SRO) of the PSN Programme, as well as the commercial director of technology for the Crown Commercial Service, told Computer Weekly yesterday that it wasn’t a “done deal” for the organisations, which have missed the deadline.

“Three councils out of 400-odd haven’t got a signed off robust plan, but we are engaged with them,” she said.

However, Hurrell said more than 95% of the 588 organisations have now become compliant and are fit to transfer from old GSi/GCSX Government Secure Network infrastructure to the new public services network.

But this has not been without difficulties. Towards the end of last year, the row over security compliance hit a tipping point when one local council was only hours away from being disconnected from the network.

The unnamed council was just one of many across the country that has been threatened with disconnection from the PSN for failing to comply with the “highly prescriptive” security rules issued by the Cabinet Office.

Bring-your-own-device (BYOD)

While mobile working and bring your own device (BYOD) schemes have been actively pursued by local authorities to meet austerity budgets, councils have had to reassess whether they can have BYOD and comply with the PSN Code of Connection (CoCo).

In the End User Devices Security and Configuration Guidance released in October CESG effectively said it would not allow confidential data to be used on unsecure mobile devices that shared this data across the PSN.

“Certainly BYOD has been a challenge, without a doubt,” admitted Hurrell.

Disproportionate security controls

CIO of London Borough of Camden, John Jackson said that many BYOD schemes were put in jeopardy due to the “disproportionate security controls.”

He calls these security controls “draconian” at a time when central government and the Government Digital Service are attempting to drive innovation and new thinking.

More on PSN:

“But it’s meaningless,” said Jackson. “The attempt to lock down everything drives dysfunctional behaviours among users who simply forward emails to Google Gmail and more flexible cloud solutions.”

Tony Deacy, CTO, Bath and North East Somerset Council said the council witnessed trouble with compliance when it rolled out its Citrix Access Gateway, which provides access to email and shared drives to council workers at home.

“All councils are cash strapped, so we did see things like BYOD as a huge help going forward,” he said. “For the first time ever the business was going ‘IT is giving us something fantastic, it really works, I can sit on my home PC, access all my shared drives’ and then we go ‘Woah – we might have to switch all of this off.’”

To get around the issue of compliance, Deacy said the council put everything PSN-related through a "walled garden", so it separated the data. “All the PSN data is separate, people can’t access PSN data, but they can continue to access their emails, shared drive and non-PSN applications.”

But Deacy said he knew of some councils in similar situations who couldn’t implement the extra security controls to save their flexible working schemes.

“We can’t get rid of that level of flexibility we implement across the whole council, we’re shutting down buildings, reducing desk ratios, releasing all that real estate and all that cash and to do that people need to be flexible and have to be able to work anywhere.”

Jackson said: “Almost every CIO and authority I've spoken to is angry and disappointed by this year’s turn of events. Despite helpful noises coming out of government recently we've yet to see any meaningful change.”

Jackson believes that unless there is a rethink about the Cabinet Office’s approach, public sector bodies may opt out and seek services elsewhere.

End of support for Microsoft XP

Hurrell said another area causing difficulty in achieving compliance is cost. She said a couple of organisations were experiencing challenges around Microsoft ending support for Windows XP, which would have introduced security risks as the supplier has stopped issuing patches to fix new vulnerabilities.

But the Cabinet Office has just signed a deal with Microsoft to continue providing XP support to the public sector for a further 12 months. “The deal with Microsoft will remove the barrier to some of the entities who were looking at the cost,” she said.

Cash strapped councils

But it is not just the cost of the threat of upgrading from XP, but the whole ordeal costing a huge amount, according to Jackson.

“The changes have cost authorities millions in all probability at a time when we are having to cut frontline services at a time of austerity,” he said.

Deacy agreed, saying costs in becoming compliant were “huge”, mounting up from hiring consultants, paying for staff to do the extra workload on top of their day job, and rolling out two-factor authentication to everyone, rather than only a small number.

“It was a very short period of time too,” he said. “And it takes all your best guys - we’re trying to roll out virtual dekstops, and it just clashes with everything else.”

Deacy said that he is about to start this compliance journey all over again. Because the council became compliant in August 2013, it now needs to submit its 2014 applications by July this year.

“The good thing is this year it doesn’t look like Cabinet Office are changing the rules. In previous years they’ve made it more and more difficult to get local authorities up to that level of security.”

Attitude changes

Deacy said that at the beginning, Cabinet Office came down a little heavy handed on councils who were not complying quick enough. He said Cabinet Office had no up-to-date contacts and all initial notifications surrounding PSN compliance sent to the council went unread. “So the first we knew about it was a massive warning letter to the chief exec saying we were going to be cut off," he says.

But councils have noticed a difference in attitude from the Cabinet Office in recent weeks.

Mike Kenworthy, director of ITC, Harrogate Borough Council – which had some major difficulties  to overcome to achieve  compliance – said he and other councils have seen a change in attitude by the Cabinet Office.

“I have just finished a meeting with our Cabinet Office representative and his attitude was positive and pro-active which is the way dealings with the Cabinet Office should have been from the outset,” he said.

Meanwhile Deacy said he noticed a change in attitude from last summer. “The Cabinet Office started to become more consultative,” he said.

Hurrell said the Cabinet Office is now taking a pragmatic approach to ensuring the remaining organisations achieve PSN compliance. She said forcing organisations to move quickly to make the deadline is likely to incur risk and cost.

“It’s the balance between thinking is it better to do something today and maybe cause trouble or give someone a few weeks to do something?”

Hurrell said the Cabinet Office is now working in a risk-averse way rather than forcing the wrong behavior.

She said this was part of the reason some organisations have missed the deadline, but she said those “will be compliant very soon.”

Hurrell said she was glad to hear some councils were seeing an improvement to the Cabinet Office’s attitude where it is collaborating and talking more with entities. “That’s certainly how I operate,” she said. “I’ve been trying to make sure we’re doing all the right things, and I will try my best to make sure we maintain that.”

Read more on IT for government and public sector

Data Center
Data Management