“Don’t look for assurance that a system is ‘good for OFFICIAL-SENSITIVE’”
Computer Business Review sees more and more technology vendors announcing products suitable for “OFFICIAL-SENSITIVE” classified workloads.
Amid the government’s “cloud first” policy and with a wide range of public sector buyers looking to shift compute or storage workloads to the public cloud, it’s a seller’s market; dubious claims of security accreditation proliferate as a result.
Sometimes the providers say their services are “OFFICIAL-SENSITIVE-accredited”.
This, also, means nothing whatsoever.
As Cabinet Office guidance makes crystal clear: “‘OFFICIAL-SENSITIVE’ is not, strictly, a classification.” (And there is no accreditation scheme in place for this made-up category, nor indeed for the real category of “OFFICIAL”.)
It adds: “Don’t look for assurance that a system is ‘good for OFFICIAL-SENSITIVE’. A system that can handle OFFICIAL data may be appropriate to handle sensitive information.”
What is “SENSITIVE” information, then? (It’s another popular term in marketing packs.)
The term, again, is not a security classification.
Rather, it is a “handling caveat for a small subset of information marked OFFICIAL that require special handling by staff.”
So What Are the UK’s Security Classifications? (And What Is a System That Can Handle OFFICIAL Data?)
Happily, for simplicity’s sake, there are just three security classifications: OFFICIAL, SECRET and TOP SECRET.
When it comes to “OFFICIAL”, there simply isn’t any official accreditation scheme to handle such data or workloads.
The typical threat profile for the OFFICIAL classification is broadly similar to that faced by a large UK private company with valuable information and services, government guidance notes.
“It anticipates the need to defend UK Government data or services against compromise by attackers with bounded capabilities and resources.”
Technical controls at this level will be based on “assured, commercially available products and services, without need for any bespoke development.”
In short, IT designed to be appropriate for OFFICIAL is expected to make use of good, well-configured and well-managed commercial technologies… like, well, the technologies everyone should be using.
Hold On, But… OFFICIAL-SENSITIVE!
The government’s own use of OFFICIAL-SENSITIVE as a descriptor is where the waters get a little muddy.
It notes: “There is no requirement to explicitly mark routine OFFICIAL information. Baseline security measures should be enforced through local business processes.”
“[But] In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know’, assets should be conspicuously marked: ‘OFFICIAL–SENSITIVE’” (even though, as noted above, this is not a security classification).
Regardless: if you are a public sector buyer and are being told a solution is accredited for SENSITIVE, OFFICIAL-SENSITIVE or just plain old-fashioned OFFICIAL workloads, it is nonsense and should be disregarded. There is no such accreditation.
Buyers can refer instead to the NCSC’s Cloud Security Principles for security guidance. There are also minimum cybersecurity standards that apply to public sector customers; these essentially define normal good security practice.
As one official told us: “HMG customers moving to the cloud need to make a judgement about what is right for them, manage any particular/specific risks they face and importantly maintain any technology they procure (or have confidence it will be done for them in a shared responsibility model typical of cloud).”
Meanwhile, be wary of made-up accreditations…