Today, the new Government Security Classification Scheme (GSC) goes live. As a result, the whole of government will be changing the way information (and other assets) is classified and protected.
Under the new policy, the classification scheme will reduce from six tiers (from UNCLASSIFIED to TOP SECRET) to just three: OFFICIAL, SECRET and TOP SECRET (and with an additional descriptor for the OFFICIAL tier of ‘SENSITIVE’). The main change is obviously the new OFFICIAL level, which replaces everything from UNCLASSIFIED to CONFIDENTIAL. There are no changes to TOP SECRET.
The GSC will have far-reaching implications for how government departments interact with industry and international partners, including for exports.
Guidance for industry – handling new contracts and information/systems
From today, new contracts, information and systems will be marked and handled under the new scheme. However, police forces will be moving around six months behind the pace of other areas, with implementation beginning in October 2014.
ADS has worked with the Cabinet Office, Ministry of Defence and CESG to produce – as far as possible – detailed implementation guidance for the new GSC. You may find the following documents helpful:
- A List X Notice, to provide List X contractors with practical advice and guidance.
- An Industry Security Notice for non-List X companies, to provide practical advice and guidance to non-List X companies.
- A ‘Guide for Defence Contractors’. This is a draft version in both an online and printable form and designed to provide background awareness, basic guidance and tips needed to work the new system. We are inviting questions on this initial version.
- A one page Factsheet.
- An updated Security Policy Framework.
Note that other government departments often follow the MoD’s lead in industry engagement in these areas.
It is worth noting that:
- The Security Conditions for Reportable OFFICIAL and OFFICIAL-SENSITIVE information will be very similar to the current RESTRICTED Security Conditions. Implementation of any new conditions will be over a period of time after further consultation.
- Work is still underway on Physical Security policy and the Security Assessment for Protectively Marked Assets. Industry will be consulted on any changes and implementation will take place over a period of time.
- The F1686 process has been revised.
- There is guidance on how to handle international RESTRICTED.
Handling legacy contracts and information/systems
In terms of transitioning legacy contracts to the new Policy:
- All departments and agencies have been informed that legacy contracts will not be re-worked to fit the new GSC. Rather, changes will fit into the business cycle during the next 24 months.
- The MoD has confirmed that existing GPMS markings will continue to be used until such time as formal notification via a Security Aspects Letter or Grading Guide is received by industry. The MoD has an expectation that notifications will take place at either the annual review point or at the next contract change, whichever occurs sooner.
- The CONFIDENTIAL tier will be retained for an interim period. In other words, CONFIDENTIAL information will be handled as it is currently. This includes retaining the marking and using the same systems; if existing information systems received accreditation from CIO DSAS before introduction of GSC, then DSAS would be broadly content afterwards (assuming no substantial changes to usage of information e.g. inclusion of ‘new’ SECRET or threat assessments). Accordingly, no action is required if usage of information or threat assessments remains unchanged.
Initial guidance on the international implications of GSC is available.
The US, NATO, France, Germany and Spain have responded to GSC letters.
- With the US, policy statements for handling CONFIDENTIAL and OFFICIAL-SENSITIVE baseline controls were agreed in January 2014 as part of an Exchange of Letters. Amendments to the MOD-DOD security implementing arrangement are now expected to be undertaken. It has been agreed that no amendment to the DTCT is required following confirmation of the policy position through the Exchange of Letters.
- With Spain, an Exchange of Letters to implement GSC has been agreed.
- NATO’s Office for Security has confirmed that it is happy with new arrangements.
- Cabinet Office continues to work with France and Germany to negotiate wording for respective Security Agreements for GSC implementation.
Outstanding areas of concern
Consistency of Approach – Whilst the MoD has made good progress in determining the impacts and devising an implementation strategy, our understanding is that there appears to be less progress in other government departments. Although industry recognises that government departments will have varying levels of effort needed to implement GSC (with the MoD probably being the most complex) it is concerned about the potential variation in GSC application across HMG. A failure to achieve commonality of approach could lead to a range of problems for example: differing handling standards being applied across HMG (especially at the lower tiers) has the potential for increased costs and diminished interoperability;
IT Security Measures – At present, industry still has no clear understanding of the associated IT security measures and how these measures will be applied under GSC. Without the details, it is impossible for industry to assess the implications to their businesses, either in terms of cost or impact on operating capability. Areas such as the requirement and standards for encryption, especially at the OFFICIAL tier, could have a significant bearing on cost. In addition, should government departments adopt differing approaches and standards in the application of IT security controls, this is likely to further compound the problem. Generally speaking, the enterprise systems used by businesses will, for benefits of scale, support multiple contracts and therefore any differences in standards applied by government departments will incur cost and complexity implications.
Assurance / Accreditation – There is still no clarity or visibility of what the requirements are for assurance/accreditation, specifically for systems processing OFFICIAL and OFFICIAL-SENSITIVE information.
ADS continues to engage the government on these issues on behalf of industry, in conjunction with the Defence Industry Security Association (DISA), the UK Council for Electronic Business (UKCeB), and ADMIE.
ADS will also keep a record of implementation challenges, as these arise.