Commercially Supported Shipping Delivery Team, MOD
Security accreditation of the RFA Tanker platform
All systems that process official UK Government data must go through a defined risk assessment and be formally approved by a System Accreditor from the Ministry of Defence (MOD) before becoming operational. We were asked to enable the security accreditation for the new Royal Fleet Auxiliary Tanker including carrying out the prescribed Information Security risk assessment processes for the systems onboard.
The accreditation process for the MOD is defined within Joint Service Publication 440, which complies with the UK Government's Security Policy Framework. This framework sets out mandatory standards and offers guidance on risk management, compliance and assurance.
Frazer-Nash is the Information Security Advisor to the MOD during this process and will deliver technical advice that will lead to system accreditation within approximately nine months. We are involved from the start of the project with the suppliers who are developing the systems onboard the tanker and attend the Security Working Groups where all aspects of the security are discussed.
Risk assessments are required for all threats to the systems, and the process is specified within CESG's Information Standard No 1 (CESG is the UK Government's National Technical Authority for Information Assurance). The risks identified during the assessment are mitigated as far as practicable, and any residual risks are analysed by the MOD System Accreditor.
The suppliers for the individual systems on the tanker will supply the risk assessments and other accreditation evidence in a Risk Management Accreditation Document Set (RMADS) that will be submitted to the System Accreditor for approval.
Once each supplier has provided the RMADS for their system, Frazer-Nash will develop a platform level RMADS that will lead to the overall accreditation of the tanker.
The benefit to the MOD of this process is that documented evidence shows that a detailed analysis of the onboard systems has been carried out and that all the security risks to their information have been formally assessed and approved.