What suppliers need to know
Channels, Catalogues and Services
We are applying the USA National Institute of Standards and Technology (NIST) definition of public cloud services. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Essentially, to be considered a public cloud service, a service must reflect the five essential characteristics, be delivered under a SaaS service model and be provisioned through the public cloud deployment model.
Cloud Security Risk and Assurance Considerations
Cloud services, like traditional IT systems, come with certain risks. Agencies are required to assess these risks in a way that is particular to their risk appetite and have these signed off at an appropriate level.
To support these processes and decisions, the Marketplace has been designed applying a three-tier Security Assurance and Cloud Endorsement Model:
- Tier 1 - Design and Control Effectiveness (e.g. ISO 27001 Certs)
Suppliers have provided additional information and received GCDO and ISO endorsement
- Tier 2 - Design Analysis
Suppliers have provided additional information and received GCDO endorsement
- Tier 3 - Baseline Index (e.g. marketplace confidence & risk index + GC105 Risk Assessment Tool)
Suppliers have an independently verified security risk rating and can provide their service on the marketplace
When you come into the Marketplace, you will be assigned a Tier 3 rating, assuming:
- there is a matched Confidence and Risk Index (CRI) rating (i.e. there is a match in the cloud assurance security brokers cloud registry); and
- you supply a copy of the GC105 Risk Assessment Tool (with the supplier questions answered).
Note: The GCDO is not endorsing or providing any form of assurance for services listed under a Tier 3 status.
Obtaining Tier 1 or 2 status requires some work that can only be managed outside of the Marketplace. There will be a cost to Suppliers to complete this activity. However, this will also come with increasing degrees of GCDO assurance. If you want to know more, please contact us.
Agencies will use the available information to undertake their own certification and assurance activities appropriate for the service(s) being contemplated.
What happens if my Service is not listed in the CASB?
If your service is not matched to a listing in the CASB cloud registry, then we will get this added during the on-boarding process. If this step is required, it will take around three days.