Security in R-Cloud

Government Security Classification (GSC)

R-Cloud follows the Government Security Classification (GSC) system which was introduced in April 2014. The fundamental principle behind the system is that it improves the security of government information by encouraging everyone to think about how best to protect it.

There are three classifications in the GSC system:

• Official
• Secret
• Top Secret

Information within the R-Cloud Portal can be classified up to Official-Sensitive, although R-Cloud contracts may involve the handling of information at all classifications.

Official sensitive is a security marking, not a classification. The R-Cloud Portal is accredited to handle official information with a sensitive marking, this accreditation includes the distribution of material to registered suppliers for use on their own systems.

Official information with a sensitive marking should be given appropriate protection and comply with any handling rules, for example it shouldn’t be circulated to more people than need to see it. Companies registered under R-Cloud are expected to understand this and to take care of the information to prevent it from being from unauthorised persons.

Official information with a sensitive marking may be shared with people inside and outside of MOD, provided enough care is taken to prevent it being seen by unauthorised persons. This includes emailing it over the internet and working on it using personal computers. For example, if they download information on to a personal computer, does the computer have up to date antivirus software and a fully patched operating system?

Information without a security marking may still be sensitive and need protection. If you fail to take reasonable care of information, it will not be a defence simply to argue it was unmarked.

You can find out more information regarding security by visiting Government Security Clarifications.

Government Functional Standard GovS 007: Security

The Government Functional Standard GovS 007: Security sets out the UK Government’s expectations for protecting government assets (people, property and information). We recommended that you take the time to review this Standard when applying to R-Cloud as it will be relevant to all R-Cloud tasking procedures and contracts.

MOD Identifiable Information (MODII)

Participating in contracts awarded under R-Cloud may require the handling of MODII. This may include:

• All information which is attributed to or could identify an existing or proposed MOD capability, defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.

To access, hold or generate MODII everyone involved must be appropriately authorised and have undergone basic recruitment checks in keeping with the core principles of the UK Governments Baseline Personnel Security Standard screening (BPSS). Further details can be found here.