With the milestone of our third procurement framework launch on Friday it’s important to understand just how this affects the security accreditation of services.
First of all, it is important to know that if you already have a service going through the accreditation process then the new procurement framework will not stop that process. Suppliers need a service reference number to submit their service to the programme for accreditation. “Without a signed agreement your service will not be available on CloudStore and will not begin going through the accreditation process (if applicable).” Once in the accreditation cycle, you will need to make sure that your service will still be available on the new framework. Don’t forget to apply to be a supplier on the new G-Cloud framework and ensure your service has a Giii reference number!
If you do not already supply on the existing G-Cloud framework (i.e. you don’t have reference numbers for your services), you are considering applying to be a supplier on the new G-Cloud framework and you feel that some of your services may need accreditation – then it really is worthwhile to start preparing for accreditation NOW! The time it takes for a service to progress through Pan-Government Accreditation (PGA) can depend on the type & scope of the service as well as the target impact level of the information and material that the service or system will handle. Check out our Information Assurance (IA) Guidance for more information. The “extract from HMG IA Standard No.1 Business Impact Level Tables” that is referenced in our guidance is available from our Accreditation References page.
Our accreditation cycle runs monthly deadlines when applications for accreditation are reviewed by the programme for the “necessary quality”. Check our Accreditation Q&A for more details on the quality of scoping templates, programme pool & submission. It is important to know that this process continues across frameworks, so your accreditation preparation can begin before the next procurement framework begins.
Pan-Government Accreditation (PGA) of services can require a range of documentation: scoping statements & DPA checklists, Risk Register & Residual Risk Statement, RMADS, ISO27001 certificate, and Security Operating Procedures. We encourage suppliers to prepare early for accreditation. Start your accreditation preparatory work now!
Do you already provide services that hold PGA status on the current G-Cloud framework? Are you considering providing the same services on the new framework? If the service has not significantly changed then re-accreditation may not be necessary. If this is the case then you must confirm that there has been no change in the scope of your service as agreed during the accreditation process, that the service is still within the lifespan of the accreditation (as defined in the service accreditation certificate), and that none of the re-accreditation conditions have been triggered. For more details on re-accreditation triggers, please check paragraphs 43-44 of our IA Guidance.
A critical part of making G-Cloud services ready and easy to use is achieving security accreditation at a pan government level: do it once, do it well, share & re-use. Check our website for a full list of Pan-Government Accredited (PGA) services available on G-Cloud.
Preparing for a new G-Cloud procurement framework – Accreditation checklist
- Apply to be a supplier on the new G-Cloud framework
- Ensure your service has a Giii reference number
- Consider if your service requires Pan-Government Accreditation, if you have not already done so
- If you have any questions about accreditation then please contact us via email@example.com quoting your reference numbers (including previous service numbers, if applicable)
- Start your accreditation preparatory work (see the Accreditation process, Q&A, and IA Guidance & IA References for more details)