G-Cloud Accreditation Rule Change Will Counter U.K. Government Aims

Archived | Published: 04 August 2014 | ID: G00269468



The U.K. Government Digital Services office will end its pan-government accreditation requirement for suppliers to the G-Cloud procurement framework. U.K. public sector CIOs must decide how much they value this accreditation.

News Analysis


On 30 July 2014, the U.K. Government Digital Services (GDS) office ended its accreditation requirement for vendors supplying to G-Cloud, a U.K. government procurement framework for cloud computing suppliers offering services through the CloudStore online marketplace. GDS has advised that it will release guidance on this new G-Cloud security approach in the coming weeks.


Some agencies will see the GDS's decision to end its accreditation as a step backward, likely to cause more problems than it will solve. It rids the GDS of the burden of conducting assessments, and makes it easier for small and midsize businesses (SMBs) to join G-Cloud. But it also passes the burden of assessing vendors back to government buyers that may be less able to accept it in cases where accreditation is required, and it reduces previous economies of scale. Vendors that already have been accredited will have an advantage for the next 12 months, which may slow G-Cloud adoption or limit competition. The GDS's move potentially compromises some of the original goals of the G-Cloud framework, which include:

  • Driving the use of SMB vendors. Originally, the Cabinet Office set a target of routing 25% of all government IT business through SMBs by the end of fiscal year 2015.

  • Addressing government sensitivity toward long-term vendor lock-in by including a requirement that contracts be of no more than two years' duration.

Even before the GDS announcement, many government CIOs felt pressed by the brevity of the two-year contracts. For example, a local authority that makes a major commitment to move to the cloud may require 12 to 18 months to complete the implementation and determine whether the solution has delivered results. At that point, it may have to go back and review the market, and possibly change its cloud supplier, a risk that many do not want to take. Government CIOs may now find there is little financial or risk management incentive in using CloudStore. Many public sector buyers look for accreditation completed by other organizations, which signifies some sort of protection. The GDS has now left them to perform their own assessment, which, in part, will likely rely on commitments or the self-assessment the vendor undertakes. This development may raise the perceived risk of using SMB suppliers, as it may be more difficult to determine whether their claims of security are backed by reality. In addition, budget constraints mean that many local authorities are unable to retain qualified individuals capable of making such assessments.


U.K. public-sector CIOs:

  • If you are considering making a CloudStore purchase, and seek an accredited solution, make that purchase within the next 12 months from an already accredited supplier.

  • Retain qualified security staff to make the necessary future assessments, or make alternative arrangements to train staff or use consultants to undertake this work.

  • Review and determine which of the Cloud Security Principles are appropriate to your service and to what level you will seek assurances from suppliers.

  • Ensure that your organization is aware of the changes in the Government Security Classifications; in particular, ensure the majority are trained to work with OFFICIAL information.

  • Secure additional security funding where this has previously been given up as cost savings.

  • Departmental CIOs should rethink their migration path and needs as the implementation may now take more time.


© 2014 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
