Govt Sets Up Accreditation Criteria for Cloud Service Providers

The government has formulated Accreditation Criteria for Cloud Service Providers (CSPs) which will help to ensure that CSPs have the necessary security and compliance control to protect government Data.

A Cloud Office has been established under the Ministry of Information Technology and Telecommunication (MoIT&T) to facilitate and supervise the matters related to PCFP. Besides other implementation measures, Cloud Office has formulated Accreditation Criteria for Cloud Service Providers (CSPs) which will help to ensure that CSPs have the necessary security and compliance control to protect Government Data.

The Criteria are formulated for CSPs opting to provide services to Public Sector Entities (PSE). The criteria are based on international benchmarks such as security, reliability, cost, interoperability, availability, and any other established parameters.

Pakistan Cloud First Policy (PFCP) was approved by the Government of Pakistan in February 2022 which envisions the digital transformation of Pakistan by optimized ICT spending and efficient utilization of the latest cloud-based technologies. The policy mainly applies to all PSEs intended to procure Cloud-based services from CSPs.

This provides the general and certification requirements along with the list of artifacts required from CSPs. The accreditation procedure, audit process, and suspension/termination clauses are also included in this document. CSPs will be required to meet the requirements to get the accreditation from Cloud Office. PSE will be required to provision services from an accredited list of CSPs only. The Cloud Office will maintain an accredited list of CSPs for PSE and will have the authority to revoke the accreditation of CSP in case of non-compliance.

General Requirements

1. CSP shall be any Public Sector or Private Sector Organization.
2. CSP shall abide by all relevant policies and legal requirements issued by the Government of Pakistan as may be amended or revised from time to time.
3. CSPs must fulfill contractual requirements as mentioned in Section 10.2 of PCFP that is Service Level Agreements (SLA), Interoperability Requirements, Migration between CSPs, and Data Ownership.
4. CSP shall offer Cloud Services by choosing a model from the Cloud Deployment Models (Public Cloud, Government Cloud, Private Cloud, and Hybrid Cloud) [As specified in Section 7 of PCFP].
5. CSP shall adhere to the shared responsibility matrix referred in Annex C of PCFP or as agreed in SLA between CSP and PSE.
6. There should be sufficient capacity offered by CSP at an overall level in the compute, network storage, etc. to swiftly provision new resources in response to unanticipated additional / reduced requirements from PSE (as per the SLA between CSP and PSE)
7. The PSE shall be provided by CSPs with access rights (including the underlying secure connection) to the user administration/portal of cloud services (availed by PSE) to have visibility into the dashboard, SLAs, management reports, etc.
8. The PSE shall also be provided with the visibility of where its data is stored i.e.; geolocation of the data center as well as the accessibility matrix (who can view or process the data including the 3rd party partners of CSPs).
9. The PSE requiring Enhanced and Highest levels of security shall also be provided with the option to allocate personnel with CSP for stationing in a data center that is hosting the data of the PSE.
10. CSP shall make the services available online, on-demand, and dynamically scalable up or down as per request for service from PSE with multi-factor authentication via an appropriately secure connection i.e. TLS.

Certifications

1. A CSP seeking to get accredited shall have the certifications listed under this section.
2. The certificates should have been issued in the name of the CSP for the relevant facility.
3. A CSP shall renew all applicable certifications 30 days prior to the date of expiry and submit a copy of the renewed certification of compliance (with applicable ISO Standards issued by a certification body accredited by Assurance Services International) to the Cloud Office.
4. A CSP shall maintain a list of certified staff as required in relevant certification.
5. All certifications provided by the CSP for accreditation are subject to verification/confirmation by the auditors registered with Cloud Office. CSP will arrange for such verification to be done by the registered auditors.

Privacy

1. For Baseline Level – ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
2. For Intermediate, Enhanced, and Highest levels – Sector-specific HIPAA (Health Insurance Portability and Accountability Act) – Requirement for cloud services handling healthcare-related information to maintain confidentiality, integrity, and availability of electronically protected health information (ePHI), with stringent controls on data access and transfer.
3. For Intermediate, Enhanced, and Highest levels – Sector-specific PCI DSS (Payment Card Industry Data Security Standard) – Standard that requires cloud providers processing, storing, or transmitting credit card information to adhere to rigorous security measures, ensuring the protection of cardholder’s data against breaches and fraud.

Service and Quality Management

1. ISO/IEC 20000-1:2018 Information technology — Service management — Part 1: Service management system requirements
2. ISO 9000 Family – Quality Management Note: for Intermediate, Enhanced, and Highest levels only.

Data Centre

1. Tier II (for Baseline level)
2. Tier III Data Centre facility certified via TIA-942, Uptime Institute or equivalent (for Intermediate, Enhanced, and Highest level).

Audits of CSP

1. All the accredited CSPs are subject to comply with ICT audit requirements mandated by PCFP.
2. Audits can either be carried out at regular intervals or as needed.
3. The Cloud Office will publish a list of designated auditing bodies on its website.
4. CSP to ensure that their audit is done by an auditor registered with the Cloud Office.
5. If required, the Cloud Office will designate any auditing body to carry out the audits based on the criteria outlined by the Cloud Office.
6. CSPs will be required to share the internal audit report as well as the 3rd party audit report with the Cloud Office within one month of the receipt of these reports from the audit department/firm.

Suspension and Termination of Accreditation of CSP

1. Cloud Acquisition Office (CAO) or PSE can submit complaints to the Cloud Office regarding accredited CSP.
2. Upon receiving a complaint from CAO or PSE or on its own motion, the Cloud Office may issue a show cause notice to the CSP identifying non-compliance with a contractual obligation or a term of its accreditation, asking for a written explanation.
3. Cloud Office will carry out initial conflict resolution through direct negotiation, mediation and or arbitration.
4. If Cloud Office finds the CSP in violation of any requirement, it may: a. Issue warnings and impose financial penalties b. Suspend some of the services being provided by the CSP c. Suspend all the services being provided by the CSP d. Terminate the accreditation of the CSP