Part of HSCN Compliance Operating Model
2. Overview and governance
An overview of the processes, organisation, people, information, and technology required to achieve and maintain HSCN Compliance and the governance around this.
2.1 A detailed walk-through of the HSCN Compliance process
This walk-through explains how the process works across the three key stages.
Pre-Stage 1
The HSCN Authority will engage with suppliers who have expressed an interest, to understand their service offering and to make them aware of the HSCN history and the current HSCN landscape. Following this engagement, the suppliers will be invited to submit an application form, which will be provided by the HSCN Authority.
The HSCN Authority will advise that any Supplier who holds an interest in applying to become a CN-SP downloads the HSCN Obligations Framework, the CN-SP Deed and the Mandatory Supplemental Terms, and runs these through their internal governance to assess whether or not applying to become a CN-SP is likely to be achievable for them.
If the Supplier, upon conducting an internal review process, decides that Compliance is likely to be achievable, then the first step in the process is for the Supplier to complete the MoU (Appendix 4), sign it and submit the signed document with the completed application form to the HSCN Authority to arrange countersignature. The application form will ask a set of key questions about the Supplier and about the existing certification that they hold, covering the mandatory ISO/IEC standards.
Stage 1
1. Summary description and purpose
Stage 1 is the first stage of Compliance; once confirmed, it allows a Supplier to progress on to Stage 2. The purpose of this stage is for the Supplier to provide high-level detail on how their solution meets the HSCN model. This includes evidencing against the HSCN Obligations Framework and providing responses to the mandatory business continuity and security controls.
The Supplier will begin the process by engaging with the HSCN Authority to discuss their application. Following this engagement, the supplier will have the opportunity to complete an application form. Expressions of interest can be made by contacting the compliance team at [email protected].
2. Information required, or prerequisites
The Supplier will be asked to complete an application form. This form will incorporate a set of questions covering:
- The Company – including the Company number, details of leadership, the D-U-N-S number, details of the country of registration; and
- Certification that is held (or that the Supplier ‘may’ hold) for the mandatory ISO/IEC standards: ISO 9001 (Quality Management) and ISO27001:2013 (Security Management), which must be audited by a UKAS affiliated auditor
- In addition, the Supplier will be asked to declare a formal commitment that they will adhere to the HSCN Obligations Framework and the CN-SP Deed, and that they will seek no amendments to the published documentation prior to signature
- The supplier will also be asked to return a signed copy of the Memorandum of Understanding with the application form.
- In addition to the questions, there is a set of obligations (from the HSCN Obligations Framework) that any Supplier applying for Stage 1 will need to adhere to. Each obligation will require (1) a short response, whether this is a declaration that the applicant will adhere to the Obligation or a response based upon their solution, and (2) a response that meets the requirement of the evidence cell in the spreadsheet (column D), which states the type of response that is required
- Following on from the Obligations Framework response, a High-Level Design document is required that covers the solution-based thinking (including network architecture) of the solution that the applicant is proposing. Each Obligation that is responded to must then be clearly referenced into the High-Level Design document. Therefore, a synopsis response will be required to the spreadsheet-based Obligation, and this must then be referenced to a High-Level Design document section/page number.
- The Supplier will be asked to provide a findings report from their IT Health Check (ITHC) – this must meet the requirements set out in the official government guidance on ITHCs. In addition to the findings report, the applicant must also provide the accompanying Remediation Action Plan, which will detail how all open issues are to be resolved, and when. The Stage 1 obligations are cited in the HSCN Obligations Framework in Appendix item 1.
- The ITHC review will span all stages of Compliance. Annually, suppliers must provide an updated ITHC findings report from a valid testing partner, as well as the supporting Remediation Action Plan and Residual Risk Statement.
- The Supplier will be asked for a response to the HSCN Business Continuity controls set (the review of these controls will span both Stages 1 and 2).
3. Assessment approach that will be employed
Approach
The HSCN Authority (incorporating the Compliance Review Group) will run a set of checks based on the questions asked and the declarations provided. This will include checks on certificates held through Data Standards Online.
Evidence should be submitted either as a written response (which the HSCN Authority can then check against), or an attachment referenced from the relevant obligation.
Note: The ITHC will require a specific written response in accordance with the standard HM Government guidance linked to above. Further supporting information available in Appendix 5.
Tools
The Compliance Review Group (CRG) administrator will utilise a spreadsheet model that is based on the HSCN Obligations Framework – equivalent certification held is filtered out to enable the CRG to determine the super-set of specific obligations that still require assessment.
4. Compliance, or failure notification method
Confirming Stage 1 Compliance (a ‘pass’)
If the Supplier passes Stage 1 checks, then they will achieve CN-SP status – in order for this to be formally confirmed the Supplier will be required to sign the CN-SP Deed at this stage.
Upon receipt of the signed CN-SP Deed, the HSCN Authority will write to the Supplier confirming a stage 1 pass.
In addition, their compliance status will be added to the list of compliant Suppliers on the NHS Digital website stating they are stage 1 compliant only and are in pursuit of full HSCN Compliance.
If the Supplier fails this stage
If a Stage 1 application fails, the Supplier will be advised of this and the reasons for failure provided in writing. In such an instance the Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified.
5. Maintenance required once this stage has been confirmed
Once a Supplier passes through Stage 1 and becomes a CN-SP, it will be legally obliged (due to signing the CN-SP Deed) to maintain its status based on all certifications assessed and obligations adhered to; the Stage 3 Compliance checks (which will incorporate a yearly re-assessment of Compliance) will ensure that the HSCN Authority polices adherence robustly.
Stage 1 - Further information
Declaration of commitment to adhere to the HSCN Obligations Framework and CN-SP Deed
It is at this stage (in the application form) that the applicant declares a commitment to adhere to the conditions of the HSCN Obligations Framework. The applicant will also formally commit to undertake activities that are key for the service(s) being delivered. This provides confirmation to the HSCN Authority and, indeed, to HSCN Consumers.
The application form
The contents of the application form, and the outcomes of the assessment, will be held by the HSCN Authority in a data and information management repository.
The key information required for Stage 1, and asked for on the application form, will include:
- Company name;
- Country of Registration
- Name of the company officer signing the CN-SP Deed
- Name of the company officer accountable for completing the Compliance application process and a nominated point of contact for the HSCN Authority whilst the assessment process is being undertaken
- Companies House number and also a D-U-N-S number
- ISO certification claimed – declared
- ISO certification numbers
- PSN Compliance claimed and proof
- The ‘commitment’ statement box check; and
- A statement declaring that ITHC findings will be provided to HSCN for review - and, if necessary, any remediation actions required will have taken place prior to provisioning any service, and the outcomes of this will be available to HSCN Consumers
Evidence should be submitted either as a written response or an attachment referenced from the relevant obligation. These artefacts will then be assessed by HSCN staff with the relevant experience/skills.
If a Stage 1 application fails, the Supplier will be advised of this and the reasons for failure in writing. The Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified.
The application form for Stage 1 can be obtained by contacting the HSCN Compliance Team.
Stage 2
1. Summary description and purpose
Stage 2 is the second stage of Compliance; once confirmed, it allows a Supplier (now the CN-SP) to provision a permanent live connection between their network and the services stood up by the HSCN Authority (the HSCN Central Capabilities) – the Peering Exchange Network, the HSCN Data Security Centre Secure Boundary Service and the Network Analytics Service.
Stage 2 therefore engages at the on-boarding stage and can begin once the Supplier has submitted the relevant Stage 2 evidence and has been given approval by the HSCN Authority to engage with the central capabilities.
Stage 2 Compliance will ensure that the CN-SP is able to connect to the HSCN without putting the network at risk, and that the Supplier has the processes in place to support the collaborative approach in the multiple-Supplier eco-system, such as working together to resolve incidents.
It is at this stage, when the Supplier is close to provisioning HSCN Connectivity Services, that an additional assessment will be carried out by the Compliance Review Group covering the Supplier’s technical, security and service management capabilities. This stage will cover the key ‘pre go-live’ checks, including a live Service Rehearsal.
2. Information required, or prerequisites
The Supplier will need to present the following types of evidence at Stage 2:
- A written response to the Obligations, where specifically required by the HSCN Obligations Framework ‘Evidence required for HSCN Compliance’ section – this will include uplifting the Stage 1 High-Level Design into a Detailed Low-Level Design document
- The Supplier shall meet the requirements of the HSCN CN-SP Service Management Requirement Addendum (Appendix 2) via a detailed Service Management design providing specific responses which the Authority can assess (again, the specifics of what is required in the response are articulated in the Obligations Framework evidence column D). The Authority may also request that the Supplier runs service rehearsals or service acceptance tests that can be witnessed by the Authority. This should be drawn into a specific detailed design, sectioned by the process areas listed in the Obligations Framework
- For Technical/Security and Operations/Governance the Supplier will provide design documentation as stipulated in the HSCN Obligations Framework advising where content related to a specific obligation sits.
- Updates to ITHC documentation prior to going live. If a new ITHC has been performed since the Stage 1 submission, this should be provided as well as any updates made to the existing Remediation Action Plan and Residual Risk Register.
- The Authority will provide guidance on how the Supplier should connect to HSCN infrastructure components such as the Peering Exchange, Secure Boundary and NAS. This will also include a specification of the types of tests that will need to be run and the Supplier will be asked to provide a test plan to cover their approach to testing.
The specific evidence required is cited in the HSCN Obligations Framework embedded in Appendix item 1, and includes:
- a statement of residual risk
- operational processes and procedures (or null return if applicable);
- test plans and results – based on Peering Exchange testing;
- sample quality of service utilisation report; and
- for the service management assessment, all suppliers will be required to provide service desk contact details and network monitoring tool accounts
3. Assessment approach that will be employed, or tools
Approach
The assessment approach at this stage will involve the HSCN Authority CRG subject matter experts across the full sphere of technical, security, service management, commercial and legal running an assessment based upon artefacts provided by the Supplier.
Artefacts should be submitted as a written response (which the HSCN Authority can then check against). The artefacts will likely be existing Supplier design documents and the HSCN Authority will ask the Supplier to point to specific sections of their documentation which covers the requirements of specific obligations (referring to the HSCN Obligations Framework ‘Evidence required for HSCN Compliance’ section).
There are two significant checkpoints within this stage. Only when all Stage 2 documentation is signed off by the HSCN SMEs as Stage 2 Compliant can organisations connect to the central capabilities. Following connectivity to the central capabilities, a further checkpoint will validate that connectivity to all central capabilities has been completed prior to ports being opened to enable live traffic.
Tools
The HSCN Authority CRG administrator will utilise a bespoke spreadsheet model that is based on the HSCN Obligations Framework – this will support the CRG in checking off obligations that have been confirmed as being met based upon the assessment of Supplier presented artefacts.
Central Capability On-boarding
Within the Stage 2 process, Suppliers will be provided with detailed connectivity guidance for on-boarding to each of the central capabilities, as well as a list of key contacts to engage with for each of those services. Successful connectivity to all 3 central capabilities is an integral part of attaining full HSCN Compliance.
Secure Boundary
Suppliers will engage with the Secure Boundary supplier directly to discuss on-boarding and arrange a quote for connectivity. Quotes for connectivity from the supplier are valid for 28 days. Prior to formally requesting the quote for connectivity, it is possible to engage with the Secure Boundary provider to establish likely costs based on connectivity set up.
The NHS Secure Boundary on-boarding process is anticipated to take ~12 weeks to complete. This includes a four-week period of post go-live support and anticipates ~2 weeks for change request processes to be fulfilled as part of implementation.
The cost of on-boarding to Secure Boundary depends entirely on the complexity of the solution and the time taken to on-board. Please note this cost is to be covered by the supplier wishing to gain HSCN Compliance.
Peering Exchange
Suppliers will engage with the Peering Exchange supplier directly to discuss connectivity to the carrier neutral facilities (North & South).
There is no direct cost payable to the Peering Exchange Provider for on-boarding activity. However, suppliers will be responsible for their own costs regarding connectivity such as resourcing, testing and purchasing hardware.
Once the Supplier has on-boarded to the Peering Exchange, they are responsible for monthly connectivity charges based on how much capacity is used.
Network Analytics Service
Suppliers will engage with the Compliance Function for connectivity to the NAS Service. NHS Digital will raise a service request with the networks team to engage with the Supplier directly to arrange this connectivity. There is no direct cost payable to NHS Digital for connectivity to this service. However, suppliers will be responsible for their own costs regarding connectivity.
4. Compliance, or failure notification method
Confirming Stage 2 Compliance (a ‘pass’)
If the Supplier passes Stage 2 assessment, then they will be allowed to connect to the HSCN via the Peering Exchange.
The HSCN Authority will write to the Supplier to advise them of their confirmed status; in addition, their compliant status will be added to the list of compliant Suppliers able to provide live HSCN services on the NHS Digital website.
At this stage, suppliers will be able to use the HSCN Accreditation Marks and market HSCN Connectivity.
If the Supplier fails this stage
If a Stage 2 application fails, the Supplier will be advised of this and the reasons for failure provided in writing. In such an instance the Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified.
5. Maintenance required once this stage has been confirmed
Once a Supplier passes through Stage 2 and is permitted to connect to HSCN and physically provision services to Consumers, they will be legally obliged (due to signing the CN-SP Deed) to maintain their status based on all certifications assessed and obligations adhered to – Live Operations Compliance Management (which will incorporate a yearly re-assessment of Compliance) will ensure that the HSCN Authority polices adherence robustly.
Stage 3: Live operational performance management
Live Operations Performance (LOP) Management focuses on the assessment of on-going adherence to the HSCN Obligations Framework – LOP Management can only be conducted when CN-SPs are supplying live HSCN Connectivity Services, as it relies solely upon live performance.
Although the CN-SPs will be monitored throughout their contract tenures as a matter of course, they will be formally assessed once per year, as outlined below.
Those obligations that require a regular data feed will be used to generate a dashboard that will show service status to the HSCN Authority. Performance against quantitative (measurable) obligations will be monitored by the Service Co-ordinator and Network Analytics Service. Any significant issues will be picked up by the HSCN Authority for actioning.
In the event that either monitoring or a HSCN Consumer complaint raises a significant issue with performance, or adherence to the HSCN Obligations Framework, the HSCN Authority will, with the Service Co-ordinator and Network Analytics capability, work to determine a root cause of the issue. Then, supported by the CN-SP Deed, the HSCN Authority will work to implement a resolution with the CN-SP to ensure the issue is concluded satisfactorily.
Figure 2 presents the key stages, and the logic that supports these stages.
Monitoring types
Ongoing monitoring
The HSCN Authority will carry out operational monitoring on an on-going basis to ensure that the service(s) are being delivered in a manner appropriate to the requirements of the HSCN Obligations. Any issues will be captured by the HSCN Service Coordinator and managed via the HSCN Authority – it is the HSCN Authority that will inform a CN-SP that it is non-compliant and manage the issue through to remedy with the CN-SP.
Once per year assessment
A specific assessment into Supplier conformance to the HSCN Obligations will be carried out once per year on, or as close as possible to, the anniversary date of a CN-SP achieving Stage 1 HSCN Compliance. Again, the HSCN Authority will be responsible for communicating any issues to the CN-SP and managing these through to remedy.
2.2 Proof of compliance
There will be two methods of identifying the Suppliers who have achieved HSCN Compliance:
- A list of compliant Suppliers on the HSCN website
- Use of the HSCN Assurance Mark which will be granted subject to specific terms and conditions
Once the Supplier has achieved Stage 2 Compliance, they will be provided with the HSCN Assurance Mark to promote their HSCN service offerings.
Note: HSCN Compliance will not automatically enable a supplier to qualify for any Framework such as those operated by the Crown Commercial Service. The Supplier shall be solely responsible for any such applications in accordance with the relevant procurement regulations.
Issuing the HSCN Assurance Mark – business rules
- The HSCN Assurance Mark will be issued once the Supplier passes Stage 2 compliance and has signed the CN-SP Deed to become a CN-SP
- The HSCN Assurance Mark will be issued to the Supplier via secure NHS Mail as a JPEG file once the CN-SP Deed has been signed; and
- Terms and Conditions covering the use of the HSCN Assurance Mark will be attached to this issue email – this will include legal conditions and guidance covering how the HSCN Assurance Mark should be incorporated in-to documents/web pages.
Note
If a Supplier is deemed to be non-compliant with the HSCN Obligations Framework or the CN-SP Deed, the HSCN Authority can, after complying with the process described in the CN-SP Deed, require that the HSCN Assurance Mark is removed from Supplier materials – please refer to section 2.3 for more information on the Rejection/Revocation of HSCN Compliance status.
2.3 Non-compliance
Rejection of HSCN Compliance status
If, based on the Compliance assessment at either Stage 1 or 2 (therefore pre go-live), it is found that a Supplier is not meeting, or adhering to, an obligation, the HSCN Authority will notify the Supplier with specific information covering the item(s) that need to be rectified prior to Compliance being awarded – the Supplier may then take remedial action and request reassessment.
Revocation of HSCN Compliance status
Where the Supplier holds HSCN Compliance status and is found to be non-compliant with one or more of the HSCN Obligations, the HSCN Authority may use any of the remedies described in the CN-SP Deed.
Mandatory exclusions
Where the Supplier would be excluded from participation in a procurement procedure pursuant to one of the grounds for mandatory exclusion contained in section 57 of the Public Contracts Regulations 2015, the HSCN Authority shall take this into account regarding that Supplier's HSCN Compliance status, and:
- where the Supplier is in the process of applying for HSCN Compliance status, such status will be rejected
- where the Supplier holds HSCN Compliance status, such status will be revoked
2.4 Cyber Security Compliance through ISO27001:2013
Suppliers (CN-SPs) must hold an ISO27001:2013 certificate based on an audit of the Information Security Management System (ISMS) for their network connectivity service by a UKAS affiliated auditor. The scope of the audit must be agreed with HSCN Compliance prior to the audit.
As part of this pre-audit scoping, NHS Digital and the Supplier must agree that the Statement of Applicability fully corresponds to the attributes of the service to be audited, and that it meets the requirements of the HSCN Minimum Compliance Baseline (MCB).
Security and service management compliance requirements
Annex A (contained within Appendix item 3) sets out the minimum scope for information and service assurance required for the HSCN Security Compliance.
The minimum baseline set of compliance requirements to become an HSCN Supplier is the following:
- requirements marked as HSCN Minimum Compliance Baseline in Annex A – these set out the minimum set of security, business continuity and service management controls
- requirements marked as HSCN Minimum Compliance Baseline under the Business Continuity Planning, Configuration management, Control performance, Governance, Incident management, Operations management, Risk assessment, Scope and Supply chain assurance categories in Annex A – these complete the HSCN baseline for compliance; and
- carry out an ITHC scoped in accordance with guidance provided by NHS Digital – ITHC scoping.
This ITHC ensures that a minimum quality of security controls is in place, and provides information to HSCN Consumers about the quality of an HSCN Supplier’s security controls with regard to HSCN services.
Suppliers must make a statement of residual risk available to Consumers (current and future) and to the HSCN Authority on request. Residual risks that must be included are:
- All un-remediated ITHC findings higher than Common Vulnerability Scoring System (CVSS) rating 4.
- All major non-conformities within the HSCN additional guidance
- All components of the services that are under the Consumer’s management or out of the provider’s control (i.e. wires-only circuits, or the radio link from the mast in the case of mobile services).
Where the Supplier has no qualifying residual risks, the Supplier may make a nil return.
2.5 Governance
Ownership for the Compliance business system will sit in the HSCN Authority which will be responsible for sourcing the required skills.
Changes to the Compliance process and HSCN Obligations Framework will be managed through the Change Control Process (a separate piece of collateral), which encourages collaboration between industry and the HSCN Authority.
The HSCN Authority will continue to work collaboratively with Innopsis, and with other industry bodies as appropriate, to develop and maintain the Compliance process to meet the needs of both the HSCN Authority and the commercial needs of the Suppliers.
Last edited: 31 August 2022 1:37 pm