Rule 10: ICT shall be accredited in accordance with current policy
Updated 16 October 2023
The rules are under review and subject to change.
1. Rule rationale
Before any Computer Information Systems (CIS) are allowed to store, process or forward official, or protectively marked, information it must be given security approval known as Accreditation.
2. Rule 10: ICT shall be accredited in accordance with current policy
2.1 Accreditation
All Information Communication Technology (ICT) shall have undergone an accreditation process that ensures compliance with the policy references. This process will produce, as a minimum, the following:
-
A Threat, Vulnerability and Risk assessment in accordance with HMG I A Standards 1 & 2
-
Production and acceptance by the Accreditor of a suitable Risk Treatment Plan
-
An acceptable Identification and Authentication process
-
An Access Control Policy for both the system and data stores within the system
-
An Accountability and Audit regime
-
A patching policy and process. Note: It is strongly recommended that all patches and upgrades released to correct vulnerabilities present on ICT should aim to be applied (including testing and integration) within one month. Where this can not be achieved alternative arrangements must be approved by the system accreditor
-
An Anti Virus policy and process. Note: All AV products shall be planned to be updated with the latest definition files within 24Hrs of publication by the vendor
-
An Installation process will have been followed and installations certified as compliant
-
All Electromagnetic Integration requirements will have been assessed and certified in agreement with Joint Spectrum Agency (JSA)
-
RMADS, or similar, produced to capture all evidence of accreditation
-
SyOPs for the operation of the System
3. Who to contact
For all queries, email CIO-DSAS-ContactPoint@mod.gov.uk
4. Rule requirements: process
Initial gate
Projects shall engage with an approved accreditor. Threat and vulnerability analysis requirements are being progressed.The output shall be documented in the Draft RMADS and / or supporting documents.
Main gate
Projects shall maintain engagement with an approved accreditor. threat and vulnerability analysis requirements are being progressed. The output shall be documented in the Draft RMADS and / or supporting documents.
PDR
Projects shall maintain engagement with an approved accreditor. threat and vulnerability analysis requirements are being progressed. The output shall be documented in the Draft RMADS and / or supporting documents.
CDR
Projects shall maintain engagement with an approved accreditor. threat and vulnerability analysis requirements are being progressed. The output shall be documented in the Draft RMADS and / or supporting documents.
TRRA
Projects shall provide evidence that threat and vulnerability analysis has been undertaken to the requirements of an approved accreditor. The output shall be documented in the RMADS and / or supporting documents. Projects shall have obtained an accreditation certificate from the approved accreditor.