"Page title","Question","Hint","Answer 1","Answer 2","Answer 3","Answer 4","Answer 5","Answer 6","Answer 7","Answer 8","Answer 9"
"Service details","Service type","Select one option relevant to your service. For more detail on each category, please take a look at the National Institute of Standards and Technology (NIST) definitions of cloud computing services.","Infrastructure as a Service (IaaS)","Software as a Service (SaaS)","Platform as a Service (PaaS)","Specialist Cloud Services (SCS)","","","","",""
"Service description","Service name","Include your product name only. Using additional keywords may impact your acceptance on to the Digital Marketplace.","","","","","","","","",""
"Service description","Service summary","Please provide a short description of your service. (Maximum 50 words.) You'll be asked to go into more detail about the features and benefits of your service on the next page. Company information should not be included here. You can provide a company description for your supplier page elsewhere.","","","","","","","","",""
"Features and benefits","Service features","Include the technical features of your product, eg graphical workflow, remote access. (Maximum 10 words per feature. Maximum 10 features.)","","","","","","","","",""
"Features and benefits","Service benefits","Include benefits that show how your service helps users improve their business. Use active phrases, eg publish content from multiple devices, quickly manage content on the move. (Maximum 10 words per benefit. Maximum 10 benefits.)","","","","","","","","",""
"Service definition","Service definition document","Please upload your service definition. Refer to the ITT documentation for further guidance on what to include. This document will not be indexed by search on the Digital Marketplace. Use an Open Document Format (ODF) or PDF/A (eg .pdf, .odt). (Maximum file size 5MB.)","","","","","","","","",""
"Terms and conditions","Termination cost","","Yes","No","","","","","","",""
"Terms and conditions","Minimum contract period","","Hour","Day","Month","Year","Other","","","",""
"Terms and conditions","Please upload your terms and conditions document","Please upload your terms and conditions document. This document will not be indexed by search on the Digital Marketplace. Use an Open Document Format (ODF) or PDF/A (eg .pdf, .odt). (Maximum file size 5MB.)","","","","","","","","",""
"Pricing","Service price","This is an indicative price. Users will be able to refer to your pricing document for more information.","","","","","","","","",""
"Pricing","VAT included","","Yes","No","","","","","","",""
"Pricing","Education pricing","Do you offer special pricing for educational organisations?","Yes","No","","","","","","",""
"Pricing","Trial option","","Yes","No","","","","","","",""
"Pricing","Free option","","Yes","No","","","","","","",""
"Pricing","Pricing document","Please upload your pricing document. This document will not be indexed by search on the Digital Marketplace. Use an Open Document Format (ODF) or PDF/A (eg .pdf, .odt). (Maximum file size 5MB.)","","","","","","","","",""
"Pricing","Skills Framework for the Information Age (SFIA) rate card","Please upload your SFIA rate card if you have one. This document will not be indexed by search on the Digital Marketplace. Use an Open Document Format (ODF) or PDF/A (eg .pdf, .odt). (Maximum file size 5MB.)","","","","","","","","",""
"Open standards","Open standards supported and documented","Take a look at the GOV.UK Open Standards principles for more information on open standards.","Yes","No","","","","","","",""
"Support","Support service type","Choose all that apply.","Service desk","Email","Phone","Live chat","Onsite","","","",""
"Support","Support accessible to any third-party suppliers","","Yes","No","","","","","","",""
"Support","Support availability","eg 24/7 or 9 to 5. (Maximum 20 words.)","","","","","","","","",""
"Support","Standard support response times","How long will it take until support can begin to be provided? eg 1 hour or 1 business day. (Maximum 20 words.)","","","","","","","","",""
"Support","Incident escalation process available","","Yes","No","","","","","","",""
"Onboarding and offboarding","Service onboarding process included","","Yes","No","","","","","","",""
"Onboarding and offboarding","Service offboarding process included","","Yes","No","","","","","","",""
"Analytics","Real-time management information available","","Yes","No","","","","","","",""
"Cloud features","Elastic cloud approach supported","","Yes","No","","","","","","",""
"Cloud features","Guaranteed resources defined","","Yes","No","","","","","","",""
"Cloud features","Persistent storage supported","","Yes","No","","","","","","",""
"Provisioning","Self-service provisioning supported","","Yes","No","","","","","","",""
"Provisioning","Service provisioning time","How long does it take to get your service up and running? For example 1 to 5 hours, 2 to 3 days.","","","","","","","","",""
"Provisioning","Service deprovisioning time","","","","","","","","","",""
"Open source","Open-source software used and supported","","Yes","No","","","","","","",""
"API access","API access available and supported","","Yes","No","","","","","","",""
"API access","API type","Examples of API include RESTful and SOAP.","","","","","","","","",""
"Networks and connectivity","Networks the service is directly connected to","Choose all that apply.","Internet","Public Services Network (PSN)","Government Secure intranet (GSi)","Police National Network (PNN)","New NHS Network (N3)","Joint Academic Network (JANET)","Other","",""
"Access","Supported web browsers","Choose all that apply.","Internet Explorer 6","Internet Explorer 7","Internet Explorer 8","Internet Explorer 9","Internet Explorer 10+","Firefox","Chrome","Safari","Opera"
"Access","Offline working and syncing supported","","Yes","No","","","","","","",""
"Access","Supported devices","Choose all that apply.","PC","Mac","Smartphone","Tablet","","","","",""
"Certifications","Vendor certification(s)","Examples of certifications include VMware Certified Professional and Oracle Gold Partner. (Optional.)","","","","","","","","",""
"Data storage","Datacentres adhere to EU Code of Conduct for Operations","","Yes","No","","","","","","",""
"Data storage","User-defined data location","","Yes","No","","","","","","",""
"Data storage","Datacentre tier","Choose one","TIA-942 Tier 1","TIA-942 Tier 2","TIA-942 Tier 3","TIA-942 Tier 4","Uptime Institute Tier 1","Uptime Institute Tier 2","Uptime Institute Tier 3","Uptime Institute Tier 4","None of the above"
"Data storage","Backup, disaster recovery and resilience plan in place","You can provide more detail on your disaster recovery plan in your service definition document.","Yes","No","","","","","","",""
"Data storage","Data extraction/removal plan in place","","Yes","No","","","","","","",""
"Data-in-transit protection","Data protection between user device and service","Choose 1","Encrypted PSN service","PSN service","CPA Foundation VPN Gateway","VPN using TLS, version 1.2 or later","VPN using legacy SSL or TLS","No encryption","","",""
"Data-in-transit protection","Assurance approach","How can you support the above answer?","Service provider assertion","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","","",""
"Data-in-transit protection","Data protection within service","Choose 1","VPN using TLS, version 1.2 or later","VPN using legacy SSL or TLS","VLAN","Bonded fibre optic connections","Other network protection","No encryption","","",""
"Data-in-transit protection","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","","",""
"Data-in-transit protection","Data protection between services","Choose 1","Encrypted PSN service","PSN service","CPA Foundation VPN Gateway","VPN using TLS, version 1.2 or later","VPN using legacy SSL or TLS","No encryption","","",""
"Data-in-transit protection","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","","",""
"Asset protection and resilience","Datacentre location","Where are the service provider's datacentres located? Choose all that apply.","UK","EU","USA - Safe Harbor","Other countries with data protection treaties","Rest of world","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Asset protection and resilience","Data management location","Where are the services managed from? Choose all that apply.","UK","EU","USA - Safe Harbor","Other countries with data protection treaties","Rest of world","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Asset protection and resilience","Legal jurisdiction of service provider","Choose 1","UK","EU","USA - Safe Harbor","Other countries with data protection treaties","Rest of world","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Asset protection and resilience","Datacentre protection","Do you tell your consumers what physical security your datacentres have?","Yes","No","","","","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Asset protection and resilience","Data-at-rest protection","How is storage media containing consumer data protected from unauthorised physical access? Choose 1.","CPA Foundation-grade assured components","FIPS-assured encryption","Other encryption","Secure containers, racks or cages","Physical access control","No protection","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","","",""
"Asset protection and resilience","Secure data deletion","How do you erase consumer data when resources are moved or re-provisioned, or when the consumer leaves the service, or when they request it to be erased? Choose 1.","CPA Foundation-grade erasure product","CESG or CPNI-approved erasure process","Other secure erasure process","Other erasure process","","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","","",""
"Asset protection and resilience","Storage media disposal","How is storage media containing consumer data sanitised or securely destroyed at the end of its usable lifetime? Choose 1.","CESG-assured destruction service (CAS(T))","CPA Foundation-assured product","CPNI-approved destruction service","BS EN 151713:2009-compliant destruction","CESG or CPNI-approved erasure process","Other secure erasure process","Other destruction/erasure process","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","Independent testing of implementation","CESG-assured components","","","",""
"Asset protection and resilience","Secure equipment disposal","Is all equipment potentially containing consumer data, credentials or configuration information identified at the end of its life or prior to being recycled? Choose 1.","Yes","No","","","","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","CESG-assured components","","","","",""
"Asset protection and resilience","Redundant equipment accounts revoked","Are accounts or credentials specific to redundant equipment revoked to reduce their value to an attacker?","Yes","No","","","","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Asset protection and resilience","Service availability","What is the availability of the service? eg 99.99","","","","","","","","",""
"Asset protection and resilience","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Separation between consumers","Cloud deployment model","Is the service a public, private, community or hybrid cloud service?","Public cloud","Community cloud","Private cloud","Hybrid cloud","","","","",""
"Separation between consumers","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Separation between consumers","Type of consumer","What types of other consumer do you share the service or platform with?","No other consumer","Only government consumers","A specific consumer group, eg Police, Defence or Health","Anyone - public","","","","",""
"Separation between consumers","Assurance approach","","Service provider assertion","Contractual commitment","Independent validation of assertion","","","","","",""
"Separation between consumers","Services separation","Do you securely separate consumer data and services from other consumers of the service?","Yes","No","","","","","","",""
"Separation between consumers","Assurance approach","","Service provider assertion","Independent testing of implementation","Assurance of service design","CESG-assured components","","","","",""
"Separation between consumers","Services management separation","Is your management of a consumer’s service kept separate from other consumers?","Yes","No","","","","","","",""
"Separation between consumers","Assurance approach","","Service provider assertion","Independent testing of implementation","Assurance of service design","CESG-assured components","","","","",""
"Governance","Governance framework","Do you have a governance framework and process in place for the service, eg ISO277001:2013?","Yes","No","","","","","","",""
"Governance","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Configuration and change management","Configuration and change management tracking","Do you track the status, location and configuration of service components throughout their lifetime?","Yes","No","","","","","","",""
"Configuration and change management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Configuration and change management","Change impact assessment","Are changes to the service assessed for potential security impact, and are changes managed and tracked through to completion?","Yes","No","","","","","","",""
"Configuration and change management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Vulnerability management","Vulnerability assessment","Are potential threats, vulnerabilities or exploitation techniques which could affect the service assessed, and are corrective actions taken?","Yes","No","","","","","","",""
"Vulnerability management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Vulnerability management","Vulnerability monitoring","Do you monitor relevant sources of information relating to threat, vulnerability and exploitation techniques?","Yes","No","","","","","","",""
"Vulnerability management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Vulnerability management","Vulnerability mitigation prioritisation","Is the severity of threats and vulnerabilities considered and do you use this information to prioritise implementation of mitigations?","Yes","No","","","","","","",""
"Vulnerability management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Vulnerability management","Vulnerability tracking","Are known vulnerabilities within the service tracked until suitable mitigations have been deployed?","Yes","No","","","","","","",""
"Vulnerability management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Vulnerability management","Vulnerability mitigation timescales","Do you make timescales available for implementing mitigations to vulnerabilities?","Yes","No","","","","","","",""
"Vulnerability management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Event monitoring","Event monitoring","Do you conduct event monitoring and analysis to identify suspicious activity?","Yes","No","","","","","","",""
"Event monitoring","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Incident management","Incident management processes","Do you have incident management processes in place and are they enacted in response to security incidents?","Yes","No","","","","","","",""
"Incident management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Incident management","Consumer reporting of security incidents","Do you have a defined process for reporting security incidents experienced by consumers and external entities?","Yes","No","","","","","","",""
"Incident management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Incident management","Security incident definition published","Do you publish to consumers your definition of a security incident, along with the format, incident triggers and timescales for reporting such incidents?","Yes","No","","","","","","",""
"Incident management","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Personnel security","Personnel security checks","What kind of personnel security do you apply to staff who have access to the service? Choose all that apply.","Security clearance national vetting (SC)","Baseline personnel security standard (BPSS)","Background checks in accordance with BS7858:2012","Employment checks","","","","",""
"Personnel security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure development","Secure development","Are new and evolving threats reviewed and your services improved accordingly?","Yes","No","","","","","","",""
"Secure development","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure development","Secure design, coding, testing and deployment","Is development carried out in line with industry good practice regarding secure design, coding, testing and deployment?","Yes","No","","","","","","",""
"Secure development","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure development","Software configuration management","Do you have configuration management in place to ensure the integrity of the service through development, testing and deployment?","Yes","No","","","","","","",""
"Secure development","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Supply-chain security","Visibility of data shared with third-party suppliers","Do you inform consumers how much of their information is shared with, or accessible by, third-party suppliers and their supply chains?","Yes","No","","","","","","",""
"Supply-chain security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Supply-chain security","Third-party supplier security requirements","Do you ensure that relevant security requirements, such as the Cloud Security Principles, are placed on third-party suppliers and delivery partners?","Yes","No","","","","","","",""
"Supply-chain security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Supply-chain security","Third-party supplier risk assessment","Do you manage the risks to your service from third-party suppliers and delivery partners?","Yes","No","","","","","","",""
"Supply-chain security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Supply-chain security","Third-party supplier compliance monitoring","Do you manage your third-party suppliers' compliance with relevant security requirements?","Yes","No","","","","","","",""
"Supply-chain security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Supply-chain security","Hardware and software verification","Do you verify that the hardware and software used in the service are genuine and have not been obviously tampered with?","Yes","No","","","","","","",""
"Supply-chain security","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Authentication of consumers","User authentication and access management","Can only authorised individuals from the consumer organisation access management interfaces for the service?","Yes","No","","","","","","",""
"Authentication of consumers","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Authentication of consumers","User access control through support channels","Can only authorised individuals from the consumer organisation perform actions affecting the consumer’s service through your support channels?","Yes","No","","","","","","",""
"Authentication of consumers","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Separation and access control within management interfaces","User access control within management interfaces","Can consumers manage only their own service, and not access, modify or otherwise affect the service of other consumers via management tools and interfaces?","Yes","No","","","","","","",""
"Separation and access control within management interfaces","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Separation and access control within management interfaces","Administrator permissions","Can consumers restrict permissions given to their administrators?","Yes","No","","","","","","",""
"Separation and access control within management interfaces","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Separation and access control within management interfaces","Management interface protection","Do you tell consumers what functionality and protection is available for management interfaces?","Yes","No","","","","","","",""
"Separation and access control within management interfaces","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Identity and authentication","Identity and authentication controls","How do your identity and authentication controls ensure that users are authorised to access specific interfaces? Choose all that apply.","Username and two-factor authentication","Username and TLS client certificate","Authentication federation","Limited access over dedicated link, enterprise or community network","Username and password","Username and strong password/passphrase enforcement","Other mechanism","",""
"Identity and authentication","Assurance approach","","Service provider assertion","Independent testing of implementation","CESG-assured components","","","","","",""
"External interface protection","Onboarding guidance provided","Do you provide onboarding guidance covering secure connection to the service?","Yes","No","","","","","","",""
"External interface protection","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"External interface protection","Interconnection method provided","What method of interconnection to the service do you provide? Choose all that apply.","Encrypted PSN service","PSN service","Private WAN","Internet","","","","",""
"External interface protection","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure service administration","Service management model","Which technical approach do you use for your service management? Choose 1.","Dedicated devices on a segregated network","Dedicated devices for community service management","Dedicated devices for multiple community service management","Service management via bastion hosts","Direct service management","","","",""
"Secure service administration","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Audit information provision to consumers","Audit information provided","Do you provide audit information to consumers? Choose 1.","None","Data made available","Data made available by negotiation","","","","","",""
"Audit information provision to consumers","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure use of the service by the customer","Device access method","Which end device is the cloud service accessible from?","Corporate/enterprise devices","Partner devices","Unknown devices","","","","","",""
"Secure use of the service by the customer","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""
"Secure use of the service by the customer","Service configuration guidance","Do you provide guidance on service configuration options and the relative impacts on security?","Yes","No","","","","","","",""
"Secure use of the service by the customer","Assurance approach","","Service provider assertion","Independent validation of assertion","Independent testing of implementation","","","","","",""
"Secure use of the service by the customer","Training","Do you provide user or administrator training on the use of the service and its security?","Yes","No","","","","","","",""
"Secure use of the service by the customer","Assurance approach","","Service provider assertion","Independent validation of assertion","","","","","","",""