The groundswell of concern over the UK Government’s change of Security Classifications is starting to grow. In particular, the lack of any clarity on how the old seven-level classification structure maps onto the new three-level classification, which came into force this week, is seen as a major cause for concern.
What is more, it is seen as a major impediment against the growth of the G-Cloud framework, and in particular the growing footholds that many SMEs are gaining in the public sector marketplace through the development of the G-Cloud CloudStore, which acts as the main app store from which public sector organisations can select approved cloud applications.
With no direct mapping from the old government protective marking scheme to the new classifications, there is a lack of clarity about the needs of government organisations and the cloud services they will be able to implement. Peter Groucutt, Managing Director, Databarracks, suggests this uncertainty will harm government targets for IT spending through SMEs.
“There are two initiatives going on at the same time – the G-Cloud framework and the re-classification of data, but they don’t seem to be working together,” he observed. “The new Government security classifications will ultimately simplify the procurement of IT, but during this transition period, it is the SMEs who are likely to suffer the most.
“Unfortunately, in a period of ambiguity like this, buyers naturally tend to revert to what they know – in this case, it is the existing group of legacy SI’s who have been supplying ICT services to Government departments for many years. G-Cloud allows smaller businesses to break that cycle by offering more flexible and cost-effective services to the public sector.”
Groucutt sees several unanswered questions about how these new requirements are going to affect SMEs, and suggests there is little guidance on where they should go for advice. He claims the information is out there but, as it stands, suppliers have to sift through reams and reams of paperwork to understand what is expected of them. There is some detail available on the G-Cloud blog, but this is not yet complete. The blog promises more detail will follow in association with the launch of G-Cloud 6 later this year.
This means that SME’s will have to accommodate this new information, and possibly adapt their applications and services accordingly, while at the same time having to re-G-Cloud 6 comes along. They have to re-tender to be part of G-Cloud every time it is upgraded – that is five tender processes in two years just to have their services on G-Cloud, with no guarantees of any business.
“For most of those SMEs, they needed to learn the Business Impact Level (BIL) of data classification used by G-Cloud and now they need to make another change,” Groucutt said. “SIs have the money and experience to be able to adapt to these changes with little consequence to how they sell their services. If the Government still wants to reach its targets of IT spending with SMEs, they must be mindful of these additional barriers. At its inception, G-Cloud was meant to symbolise a new way for Government departments to source and buy IT. We’re about to enter G-Cloud 5 but, after two years, the same issues seem to be holding it back from making the huge changes we know it’s capable of.”
On balance, Groucutt sees the new security classifications as a positive step which should make it easier and faster for Government departments to choose and purchase the right type of service from vendors in the right security category. However, in its current form he suggests it will only serve to further strengthen the position of the big SIs and take away any advantage that the SME currently holds.
“In order for public sector departments to really see the benefits that smaller providers can offer, there needs to be more support for SMEs trying to meet changing security requirements set by the Government.”