The transition to the new Government Security Classification has the potential to limit use of services from SMEs via the G-Cloud framework. Last week the new Government Security Classification Policy will be launched and will see the move away from seven security levels to just three - Top Secret, Secret & Official.
With no direct mapping from the old government protective marking scheme to the new classifications, there is a lack of clarity about the needs of government organisations and the cloud services they will be able to implement. Peter Groucutt, Managing Director, Databarracks, suggests this uncertainty will harm government targets for IT spending through SMEs: “There are two initiatives going on at the same time – the G-Cloud framework and the re-classification of data, but they don’t seem to be working together.
“The new Government security classifications will ultimately simplify the procurement of IT, but during this transition period, it is the SMEs who are likely to suffer the most. Unfortunately, in a period of ambiguity like this, buyers naturally tend to revert to what they know – in this case, it is the existing group of legacy SI’s who have been supplying ICT services to Government departments for many years. G-Cloud allows smaller businesses to break that cycle by offering more flexible and cost-effective services to the public sector.
“There are already unanswered questions about how these new requirements are going to affect SMEs, with little guidance on where to go for advice. The information is out there but, as it stands, suppliers have to sift through reams and reams of paperwork to understand what is expected of them. G-Cloud has posted some detail on its blog – with a promise of more detail to follow for G-Cloud 6 later this year.
“For SME’s who have been on the programme since G-Cloud i, they will have already gone through five tender processes in two years just to have their services on G-Cloud with no guarantees of any business. For most of those SMEs, they needed to learn the Business Impact Level (BIL) of data classification used by G-Cloud and now they need to make another change. SIs have the money and experience to be able to adapt to these changes with little consequence to how they sell their services. If the Government still wants to reach its targets of IT spending with SMEs, they must be mindful of these additional barriers. Groucutt continued: “At its inception, G-Cloud was meant to symbolise a new way for Government departments to source and buy IT. We’re about to enter G-Cloud 5 but, after two years, the same issues seem to be holding it back from making the huge changes we know it’s capable of.
“The new security classifications are a positive step and should make it easier and faster for Government departments to choose and purchase the right type of service from vendors in the right security category. However, in its current form it will only serve to further strengthen the position of the big SIs and take away any advantage that the SME currently holds. In order for public sector departments to really see the benefits that smaller providers can offer, there needs to be more support for SMEs trying to meet changing security requirements set by the Government.”