UK G-Cloud

UK G-Cloud overview

Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing in line with the UK government’s cloud-first policy. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store known as the Digital Marketplace. This approach enables public-sector organizations to compare and procure cloud services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.

The G-Cloud assessment process was streamlined in 2014. Moreover, the government’s security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. For more information, see Government security classifications.

Note

According to published guidance, OFFICIAL-SENSITIVE isn't a security classification. SENSITIVE is a handling caveat for a small subset of information marked OFFICIAL that requires special handling by staff. You shouldn't look for assurances that a system is good for OFFICIAL-SENSITIVE. A system that can handle OFFICIAL data may be appropriate to handle sensitive information. But it would be up to you to ensure that procedural or personnel controls are in place for sensitive information.

G-Cloud certification levels are no longer expressed as an Impact Level (IL). Microsoft formerly held an IL2 accreditation for Azure, Dynamics 365, and Office 365.

Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the UK National Cyber Security Centre (NCSC) 14 Cloud Security Principles.

Azure and UK G-Cloud

Every year, Microsoft Azure prepares documentation and submits evidence to attest that its in-scope cloud services comply with the 14 Cloud Security Principles, giving potential G-Cloud customers an overview of its risk environment. As with previous G-Cloud accreditation, the process relies on the ISO/IEC 27001 certification. A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.

The appointment of Microsoft Azure to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, which comprises the vast majority of government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. If you're a customer or partner, however, you'll need to achieve your own compliance for any components that aren't included in the attestation and determination of compliance for Microsoft cloud services.

You should review a white paper that describes how Azure addresses the UK government 14 Cloud Security Principles.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative for UK OFFICIAL and UK NHS, which maps to UK OFFICIAL and UK NHS compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each UK OFFICIAL and UK NHS control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure

Services in scope

For a list of Microsoft online services in scope for the assessment, see the Azure, Dynamics 365, and Online Services UK G-Cloud risk environment report:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

Office 365 and UK G-Cloud

For more information about Office 365 compliance, see Office 365 UK G-Cloud documentation.

Assessment reports

The UK G-Cloud risk environment report covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 online services. You can download the UK G-Cloud assessment report from the Service Trust Portal (STP) UK regional resources section. You must sign in to access audit documents on the STP. For more information, see Get started with Microsoft Service Trust Portal.

  • Azure, Dynamics 365, and Online Services UK G-Cloud risk environment report

Frequently asked questions

Can Azure accommodate OFFICIAL-SENSITIVE data?
According to published guidance, OFFICIAL-SENSITIVE isn't a security classification. SENSITIVE is a handling caveat for a small subset of information marked OFFICIAL that requires special handling by staff. You shouldn't look for assurances that a system is good for OFFICIAL-SENSITIVE. A system that can handle OFFICIAL data may be appropriate to handle sensitive information. But it would be up to you to ensure that procedural or personnel controls are in place for sensitive information.

Who is eligible to use the Digital Marketplace?
All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm’s-length bodies are eligible to buy services in the marketplace. If you’re uncertain of your eligibility, consult the Crown Commercial Service guide for the current list of eligible public sector organizations.

What is an arm's-length body?
It is an organization or agency that is funded by the UK government but acts independently of it.

How are Azure and other Microsoft cloud services priced for public sector customers?
The UK Government has signed a Memorandum of Understanding (MOU) with Microsoft entitled the Digital Transformation Agreement 2021 (DTA21), which allows all eligible public sector organizations to benefit from discounts on Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services. The pricing model established under the DTA21 MOU is available to eligible UK public sector organizations via any appropriate procurement framework. Contact your Microsoft representative or licensing solution provider to discover how you can benefit from the DTA21 MOU. Moreover, you should review the G-Cloud buyer’s guide and contact Crown Commercial Services with any questions about buying Microsoft services offered on the Digital Marketplace by our partners. For more information, see Buying services on the Digital Marketplace.

What do local datacenters mean for UK customers, and where are they located?
The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This support provides you with trusted cloud services that help you meet local compliance and policy requirements. Moreover, replication of data in multiple datacenters across the UK gives you geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK. You can see the UK Azure regions, UK West and UK South, on the Azure geographies map.

Where are the other Microsoft EU datacenters located?
In addition to the UK datacenters, Microsoft has data centers in multiple locations. For the most up-to-date list of all datacenters, visit the Azure geographies page.

Resources