Slide1
Government Security Classification (GSC) Review - Update at 26 Nov 2013
Graham Gardiner and Gerard Oakes
Slide2
Recap
New GSC Policy issued to Government departments in Dec 12
Minister for Cabinet Office (Francis Maude) announced GSC changes as part of Civil Service Reform policy on 17 Oct 2013
Anticipated go-live date is 2 April 2014
Going from current 6 markings to 3 classifications:
OFFICIAL: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
Above indicates colour codes for media: (Buff), (Pink), (Red)
Slide3
GSC – Key Points
No direct mapping between GPMS and GSC – “jagged edge”
No expectation to retrospectively re-grade historic or legacy material but:
need to manage existing RESTRICTED and CONFIDENTIAL until such time as it is ‘life expired’
No UNCLASSIFIED – all information generated by HMG has value and thus needs protection
All HMG information will be at least OFFICIAL
Government Departments can choose whether they mark OFFICIAL information
MOD does not intend to do so
Cabinet Office view that vast majority of information (90%) will sit in OFFICIAL
Slide4
GSC – Key Points
Step change in protection measures from OFFICIAL to SECRET
Cabinet Office guidance for handling ‘New’ SECRET expected shortly
TOP SECRET – no change
Number of descriptors reduced to 3
Personnel
Commercial
Limited Circulation
Descriptors can be used on OFFICIAL-SENSITIVE and above
Security Caveats (e.g. UK EYES ONLY) can only be applied to information classified SECRET and above
Slide5
Implementation
Cabinet Office have agreed that MOD will take lead for Industry
GSC Security Working Group (SWG) comprising MOD, Cabinet Office and representation from the following Industry Associations:
DISA (Graham Gardiner, Gerard Oakes)
UKCEB (Hugh Fraser)
ADMIE (Andy Thomas, Alex Graham)
ADS (Mark Phillips)
TechUK (Gordon Morrison, Joe Taylor)
Agreement that GSC SWG will be the sole route for communicating with Industry
Working Group meets monthly to work on immediate concerns
Slide6
Immediate Concerns
Deterring wholesale migration of RESTRICTED to SECRET
Delineation between OFFICIAL and OFFICIAL-SENSITIVE
Agreeing the way forward for defence industry IT systems currently accredited to operate at CONFIDENTIAL High level only
Technical controls to be applied to OFFICIAL / OFFICIAL-SENSITIVE IT systems
Impact on international collaboration and information exchanges
Slide7
Wholesale Migration of RESTRICTED to SECRET
Risk mitigated in part by softening of original Cabinet Office stance (90% in the OFFICIAL category)
Most MOD information that used to be marked RESTRICTED is likely to attract an OFFICIAL-SENSITIVE marking post 2 April 2014
Procedural and technical controls to protect OFFICIAL-SENSITIVE have yet to be agreed but:
OFFICIAL-SENSITIVE information must be marked
One of the 3 Descriptors can be added to highlight sensitivity
Security Caveats (e.g. UK EYES ONLY) must not be applied to OFFICIAL-SENSITIVE or OFFICIAL information
MOD require BPSS for access to OFFICIAL-SENSITIVE but not for OFFICIAL (different to Cabinet Office view)
Slide8
Way Ahead on CONFIDENTIAL High IT Systems
MOD DSAS has analysed industry responses to the Industry Security Notice (ISN) on CONFIDENTIAL IT systems
Problem not as large as originally envisaged
Intent is to issue new ISN with guidance for companies – likely to be in New Year
General expectation that over time, i.e. at the next IT system refresh, CONFIDENTIAL IT systems will upgrade to the standard for SECRET systems
Way forward will be to manage systems under extant arrangements until major equipment refresh; thereafter system needs to be accreditable as a SECRET system
Potential that review may conclude, under the new rules, that a CONFIDENTIAL system is now only processing OFFICIAL-SENSITIVE
Slide9
OFFICIAL / OFFICIAL-SENSITIVE IT Systems Technical Controls
CESG working on revised technical controls for SECRET and OFFICIAL / OFFICIAL-SENSITIVE IT systems
CESG controls unlikely to be available until March 2014 therefore current controls remain in place until new ones are promulgated
IT Security requirements / accreditation standards for OFFICIAL-SENSITIVE / OFFICIAL IT systems driven by CESG proposals
Expect no change on Day 1
MOD studying variety of Accreditation requirements - may differ depending on risk assessment of system processing OFFICIAL
MOD confident that assessment tool will process circa 80% of systems through the ‘Green Channel’ i.e. without further work or evidence required
Slide10
International Collaboration / Information Exchanges
Government has written to the National Security Authorities of 40 partner countries to inform them of the GSC changes
Clarification sought by some countries with ongoing negotiations with USA and France over specific concerns
Further discussions with NATO and WEU
Some nations (USA, Canada, Australia) pursuing similar reviews
Intention is that ‘foreign’ CONFIDENTIAL will be protected as UK SECRET
On-going discussions regarding ‘classification escalation’, legacy data and impact on foreign industry
No change to information marked ‘RESTRICTED USML’ under Defence Trade Cooperation Treaty (DTCT)
UK required to demonstrate controls framework for OFFICIAL-SENSITIVE
Slide11
Contractual Aspects
MOD DE&S Commercial will be making changes to DEFCONs as a consequence of GSC
DEFCON 659 and 531 will be amended but not totally re-written
‘Contract notices’ will be promulgated to explain the changes
New Projects will use revised documents and SALs / Grading Guides reflecting new classifications
Revised SALs / Grading Guides for existing contracts will not be available by 2 April 2014 but:
‘General guidance notice’ expected to be issued pre 2 April
JSP 440 being rewritten to simplify content and reflect GSC changes
CPNI expected to confirm that Physical Security requirements will conform to SAPMA baseline standards
Slide12
Awareness and Education
Cabinet Office material available on their website but is lacking detail
MOD training plan and material under development:
Posters
E-learning package
Guides
FAQs
Detailed MoD training material expected to be available in Jan 14
Slide13
DECS / DE&S Website
Switched off in July 2013 without a replacement solution
Intention was to eventually move to G-Cloud but timescales unknown
MOD have a plan for interim solution that will provide a service for companies connected to RLI
Expected to be in place in near future
Currently no plans to introduce an interim electronic solution for companies who are not connected to the RLI
MOD seeking agreement to circulate a CD ROM to industry in near future