This is a summary of the recent changes to government guidance on the use of End User Devices.
The UK National Technical Authority for Information Assurance, known as CESG, published draft guidance on the use of End User Devices (EUDs) at the OFFICIAL classification. The purpose of the guidance was to discuss the UK government's approach to EUD security and outline security recommendations for a broad cross section of platforms. Its further purpose was to enable system administrators, Senior Information Risk Owners (SIROs), accreditors, and other involved parties to make good quality risk-management decisions, in full knowledge of the residual risks present for each platform.
The UK government currently has five tiers of protective marking: PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET. In addition, there are seven Business Impact Levels (ILs) ranging from IL0 (no impact) to IL6 (extreme impact). These ILs measure the impact to UK Government business if the Confidentiality, Integrity, or Availability of data or a service is compromised.
There is a one-way mapping between these ILs and the five protective marking levels: data marked at PROTECT has IL2 confidentiality, and TOP SECRET has IL6.
Traditionally, any IT security technology used to provide separation of data through cryptographic means, for example VPNs or software used to encrypt hard drives, needed to go through evaluation with CESG under the CESG Approved Products Scheme (CAPS). Because the BlackBerry platform used both VPNs and data-at-rest encryption, it has been evaluated by CESG for many years, allowing approval for use at IL3 and IL4.
Other security technologies ideally needed to gain Common Criteria (CC) evaluation at a suitable Evaluation Assurance Level (EAL); BlackBerry devices and MDM software, for example, have consistently been CC certified. All of these steps were costly and slow, which led to government IT being costly and using outdated technologies.
The meaning of the OFFICIAL classification
In spring 2013, in order to save money and improve utility of UK government computer systems, the Government indicated its intent to move away from the traditional five tiers towards three tiers instead. These new tiers are OFFICIAL, SECRET, and TOP SECRET.
This overall process has been termed the Government Protective Marking Scheme (GPMS) review. Indications are that under the new scheme most data and services at IL2 to IL4 will now be covered under OFFICIAL. There are also proposed changes to the meanings of SECRET and TOP SECRET.
The purpose of this change will be to simplify the disparate computer networks used currently in the UK public sector. An overall aim for IT security at OFFICIAL is that IT security should align more with industry best practices, using open standards and public documentation where possible, rather than the more customised and costly approaches currently in use.
Thus, government IT systems should, at least in theory, be less costly and use more up-to-date technology.
The GPMS review appears to be ongoing, and many questions have yet to be answered, including:
- How do systems approved for OFFICIAL versus RESTRICTED interconnect?
- What is the impact on cloud technologies and the Public Sector Network (PSN)?
- How does OFFICIAL map to other international classifications?
- What does OFFICIAL mean for legacy systems?
- How will the accreditation process differ for OFFICIAL versus other classifications?
Appurity’s security cleared consultants can bring you up to speed on all these issues and provide insight on how they might affect your organisation.