United Kingdom G-Cloud v6 OFFICIAL
Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store—the Digital Marketplace. This enables public-sector organizations to compare and procure those services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.
The G-Cloud appointment process was streamlined in 2014 to reduce the time and cost to the UK government, and the government’s security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. (G-Cloud certification levels are no longer expressed as an Impact Level, or IL; Microsoft formerly held an IL2 accreditation for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365.)
Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the 14 Cloud Security Principles of G-Cloud (currently at version 6). This has not changed either the evidence Microsoft produces or the standards that the company adheres to.
Every year, Microsoft prepares documentation and submits evidence to attest that its in-scope enterprise cloud services comply with the principles, giving potential G-Cloud customers an overview of its risk environment. (As with previous G-Cloud accreditation, it relies on the ISO 27001 certification.) A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.
The Crown Commercial Service (an agency that works to improve commercial and procurement activity by the government) renewed the classification of Microsoft in-scope enterprise cloud services to G-Cloud v6, covering all of its offerings at the OFFICIAL level:
- Software as a Service (SaaS)–using the cloud to deliver applications.
- Platform as a Service (PaaS)–using the cloud to host, develop, and test applications.
- Infrastructure as a Service (IaaS)–using the cloud in place of servers and other hardware.
- Cloud consulting services–helping customers get the most from the cloud.
The appointment of Microsoft services to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, the vast majority of government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. Customers and partners, however, will need to achieve their own compliance for any components that are not included in the attestation and determination of compliance for Microsoft cloud services.
Frequently asked questions
All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm’s-length bodies are eligible to buy services in the marketplace. If you’re uncertain of your eligibility, consult the complete list of public-sector organizations.
The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This provides customers with trusted cloud services that help them meet local compliance and policy requirements. In addition, replication of data in multiple datacenters across the UK gives customers geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK.
Audit reports and certificates
Audit cycle and effective dates
To confirm that Microsoft cloud services maintain their compliance with G-Cloud agreements, the GDS accreditor may review evidence at any time, at its discretion.
Microsoft in-scope cloud services
Virtual Machines, Cloud Services, Batch, Web Apps (formerly Web Sites), Mobile Apps (formerly Mobile Services), Notification Hub, Storage (Blobs, Tables, Queues), SQL Database, Virtual Network, Traffic Manager, Workflow Manager, ExpressRoute, Service Bus, BizTalk Services, Active Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and Scheduler
- Dynamics 365 detailed list
- Microsoft Cloud App Security
- Office 365: Exchange Online, SharePoint Online, and Skype for Business Online
- Power BI cloud service, either as a standalone service or as included in an Office 365 branded plan or suite