Government backs down on prescriptive PSN security compliance

Restrictive security measures are out, a more flexible approach to PSN compliance is in, says government CTO Liam Maxwell

The government has admitted the security rigmarole councils had to endure to connect to the public services network (PSN) was too prescriptive, as it moves to a flexible, proportional approach to compliance.

Government CTO Liam Maxwell told Computer Weekly the latest government security classifications, which came into force in April 2014, will focus on proportional risk assessment to give local councils more flexibility and responsibility when it comes to security.

He called the previous code of connection (CoCo) requirements a “one-size-fits-all blunt instrument” which didn’t take account of the wide range of PSN customers – including local councils of all shapes and sizes.

He said the government’s previous approach – which left councils struggling to comply with security measures by the April 2014 deadline – was too prescriptive, and that a simpler, proportionate, user-focused approach was needed to keep organisations connected to the PSN, as some begin to go through the annual compliance process again.

“It was a pretty complicated methodology, which was created under the old impact level system. I think the new government security classifications are going to put greater emphasis on proportional risk assessment and give people more flexibility to make their choices,” said Maxwell.

“This is probably going to make things more secure by helping people make proportional decisions themselves, rather than following a very old, prescriptive route,” he added.

Maxwell noted that a large number of local councils already have well-qualified IT people internally, who are tasked with implementing security which fits the needs of people in the individual council.

“I think part of having a one-size-fits-all blunt instrument, which [CoCo] was previously, meant councils which had great and competent people in the field were almost being told what to do at that point, where what we’re really trying to do is build a network which meets user needs and gives the great benefits of joint purchasing and the platform effect without onerous security issues,” he said.

The security argument

The argument over PSN security has been one of the most contentious local government IT issues over the past 12 months. To connect to the network, organisations – including local councils, government agencies and government departments – had to ensure their connections were compliant with a code of connection set by the Cabinet Office.

The deadline for meeting this security compliance was the end of March 2014, but some organisations – including three local councils – failed to meet the deadline. The last council, Telford & Wrekin in the West Midlands, only became compliant at the end of September.

In the months leading up to the compliance deadline, arguments over PSN security compliance between local government and the Cabinet Office hit a tipping point when one local council was only hours away from being disconnected from the network.

The unnamed council was just one of many across the country that had been threatened with disconnection from PSN for failing to comply with the “highly prescriptive” security rules issued.

Some councils were concerned that their bring-your-own-device (BYOD) schemes, which were put in place to meet austerity budgets, would have to be re-assessed to comply with PSN CoCo measures.

But Maxwell told Computer Weekly in an interview that the PSN team had changed. “We changed the people, we changed the team and we changed the approach,” he said.

Maxwell also said new BYOD guidance is in the pipeline, which will clarify what is acceptable for local councils to implement.

In April, the government tried to stabilise the project, with the Government Digital Service (GDS) taking control of the network from the Crown Commercial Service.

Speaking to Computer Weekly, Camden Council CIO John Jackson said the government had recognised it had got it wrong with CoCo in the first place. “I think it’s been looking at how it can recover from that and what needs to be done,” he said.

“I just see positives and more positives,” said Jackson, who has previously spoken about how the previous prescriptive controls were disproportionate to risk.

“That’s a big step forward. I was visited by CESG [Communications-Electronics Security Group, the IT security arm of GCHQ] this year to talk about BYOD policy, use cases and what could be done. CESG definitely listened to the feedback and completely gets that PSN isn’t about locking it all down, but how we drive innovation and share collaborative working. It recognises that there needs to be more flexibility.”

Jackson added it was good that the government had messed about with the PSN framework. “Let’s not change the bar again,” he said.

Pat Keane, CIO at Bracknell Forest Council, said the authority is preparing its PSN submission for spring 2015: “Hoping we won’t quite have the angst like last year – things are looking better going forward,” he said.

Earlier this year, Nick Roberts, president of public sector IT body Socitm, said the compliance problems over the past year had taken up too much of local councils’ time.

“An unfortunate consequence of meeting compliance was that we had to stop doing a bunch of things – projects in progress that were transformative and cross-sector weren’t really able to be undertaken, so there’s a whole chunk of unfinished business, and we want to get that back on the agenda,” said Roberts.