United Kingdom Government-Cloud (G-Cloud)
UK G-Cloud overview
Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store — the Digital Marketplace. These enable public-sector organizations to compare and procure those services without having to do their own full review process. Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.
The G-Cloud appointment process was streamlined in 2014 to reduce the time and cost to the UK government, and the government’s security classification scheme was simplified from six to three levels: OFFICIAL, SECRET, and TOP SECRET. (G-Cloud certification levels are no longer expressed as an Impact Level, or IL; Microsoft formerly held an IL2 accreditation for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365.)
Instead of the central assessment of cloud services previously provided, the new process requires cloud service providers to self-certify and supply evidence in support of the 14 Cloud Security Principles of G-Cloud. This has not changed either the evidence Microsoft produces or the standards that the company adheres to.
Microsoft and UK G-Cloud
Every year, Microsoft prepares documentation and submits evidence to attest that its in-scope enterprise cloud services comply with the principles, giving potential G-Cloud customers an overview of its risk environment. (As with previous G-Cloud accreditation, it relies on the ISO 27001 certification.) A GDS accreditor then performs several random checks on the Microsoft assertion statement, samples the evidence, and makes a determination of compliance.
The appointment of Microsoft services to the Digital Marketplace means that UK government agencies and partners can use in-scope services to store and process UK OFFICIAL government data, most government data. In addition, there are now more than 450 Microsoft partners included in G-Cloud who are resellers of Microsoft cloud services. They can directly assert the compliance of in-scope services with the 14 principles in their own applications. Customers and partners, however, will need to achieve their own compliance for any components that are not included in the attestation and determination of compliance for Microsoft cloud services.
14 Cloud Security Controls for UK cloud using Microsoft Azure provides customer strategies to move their services to Azure and help meet their UK obligations mandated by the CESG/NSCS. The whitepaper provides insight into how Azure can be used to help address the 14 controls outlined in the cloud security principals, and outlines how customers can move faster and achieve more while saving money as they adopt Microsoft Azure services.
Microsoft in-scope cloud services
- Microsoft Cloud App Security
- Dynamics 365
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365: Exchange Online, SharePoint Online, and Skype for Business Online
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
Audits, reports, and certificates
To confirm that Microsoft cloud services maintain their compliance with G-Cloud agreements, the GDS accreditor may review evidence at any time, at its discretion.
- Azure UK G-Cloud Risk Environment
- Azure UK G Cloud Residual Risk
- Intune UK G Cloud Security Cloud Assessment Summary
- Intune UK G cloud Risk Environment
- Intune UK G cloud Residual Risk
- Azure UK G cloud Security Assessment Summary
Accelerate your deployment of UK G-Cloud solutions on Azure
Moving your government services to the cloud is now easier than ever using the Azure Security and Compliance UK Blueprint. This blueprint provides guidance and automated scripts that get you started building compliant solutions today.
Frequently asked questions
Who is eligible to use the Digital Marketplace?
All UK government departments, devolved administrations, local authorities, wider public-sector bodies, and arm’s-length bodies are eligible to buy services in the marketplace. If you’re uncertain of your eligibility, consult the complete list of public-sector organizations.
What is an arm's-length body?
It is an organization or agency that is funded by the UK government but acts independently of it.
What do local datacenter locations mean for UK customers, and where are they located?
The Microsoft Cloud in the UK provides reliability and performance combined with data residency in the UK. This provides customers with trusted cloud services that help them meet local compliance and policy requirements. In addition, replication of data in multiple datacenters across the UK gives customers geo-redundant data protection for business continuity, for both pure cloud and hybrid scenarios. We have datacenters in multiple locations across the UK.
- You can see the new Azure regions, UK West, and UK South, on the global Azure map.
- For Office 365, the UK datacenters collectively comprise the new UK Office 365 region. You can see more on the global Office 365 map.
Where are the other Microsoft EU datacenters located?
In addition to the UK datacenters, Microsoft cloud services has data centers in multiple locations. For the most up-to-date list of all centers visit our data location page.
How can I get copies of the auditor’s reports?
The Service Trust Portal provides independently audited compliance reports. You can use the portal to request audit reports so that your auditors can compare the Microsoft results with your own legal and regulatory requirements.