Kate's Comment

Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD

10% Topics for Liam (IL3, SMEs & G-Cloud)

I’m seeing Liam Maxwell tomorrow afternoon for a long-overdue catch up. As well as some usual updates and so forth I have a handful of generally-relevant topics I want to raise with him. I wish to give the SME community a last-minute chance to say if I have missed off anything important.

Remember that the topics need to fit into the overarching objective of getting more SMEs into government ICT in order to save the tax payer £billions and improve the quality of public sector services.

Even if I have not explicitly mentioned it below for a particular item, in all cases I’ll be bringing a suggestion of how to fix the problem (ie. not just a list of impractical moans). Anything you may want to add should have a “How to fix it” element. If you do feel we’ve missed something important, please let us know with a comment on this page.

IL3 accredtation

I think we’re the first grassroots SME to go through the whole (ie. data centre up) IL3 accreditation process. We have already had an opportunity to feed back to CESG (they came to us which was nice), but there are some high-level challenges I want to raise that the whole of the 10% group is feeling, eg:

  • PGA is definitely under resourced
  • G-Cloud likewise, especially for getting Security Clearances through.
    • There are hints that SC is being reformed but would like to know what the score is there; it is becoming a blocker for many of us.
  • Needs more up-front, published guidance on what is involved. Excluding our data centre build, it has cost us at least 1 man year of effort which was rather unexpected.


As with IL3, we think we’re possibly the first-ever direct PSN IL3 SME customer (as in, we’re getting it direct from BT over freshly laid fibre into a brand-new IL4-capable data centre). PSN is the foundation stone on which the IL3 G-Cloud is being built and as such it is very important that it be easy for the IL3 G-Cloud community to use.

  • Current pricing is going to exclude most SMEs, and most gov bodies for that matter, though it is early days. Might need encouragement to achieve critical mass (eg. more gov buyers).
  • We have some concerns about PSN’s technical maturity right now.
  • From a procurement perspective, PSN framework competes with G-Cloud, especially for >2 year contracts. Some conflicting messages coming from CO.

I think Liam is aware PSN needs fixing since it is coming in house (into GDS), but it is still worth raising how it could be improved.

New protective markings scheme

While in principal simplifying the old Impact Levels scheme is a sound objective, we are very concerned that the baby may get thrown out with the bathwater.

A published, clearly defined, standardised approach to information security with centralised accreditation (ie. PGA) is absolutely essential for G-Cloud’s success. CESG and industry have moved heaven and earth in the last few years to get to a point where we do have a well-defined approach for IL2 and IL3 accreditations. It is not perfect, but it is a good place to go forwards from.

We should not waste that effort nor slip back to the bad old days where it was every supplier service was being re-accredited with each department that used it.

Supplier payments

Some of our government customers (I won’t name names 😉 are very bad at paying their bills on time, in contravention of CO guidelines. We are not alone in this by any means and it hurts SMEs especially.

Here I’m basically going to ask Liam’s permission to treat those departments as I do my other customers: if the invoice falls past due, the service gets placed on hold. My hope is that this will embolden our SME brethren to follow suit.

PS. I appreciate it is short notice, but my occasional meetings with Liam tend to coalesce at the last minute.