In an effort to guarantee that cloud service providers (CSPs) have the security and compliance controls required to safeguard government data, the government has developed Accreditation Criteria for CSPs. To facilitate and oversee PCFP-related matters, the Ministry of Information Technology and Telecommunication (MoIT&T) has established a Cloud Office. In addition to other deployment strategies, the Cloud Office has developed Cloud Service Providers (CSPs) Accreditation Criteria that will aid in guaranteeing that CSPs possess the security and compliance controls required to safeguard Government Data.
When CSPs choose to offer their services to Public Sector Entities (PSE), they must meet certain criteria. International benchmarks for security, dependability, affordability, interoperability, availability, and any other specified qualities serve as the foundation for the criteria. The Pakistani government approved the Pakistan Cloud First Policy (PCFP) in February 2022 with the goal of transforming Pakistan digitally through efficient use of the newest cloud-based technology and optimum ICT spending. The majority of PSEs that plan to purchase cloud-based services from CSPs are covered by this policy.
This includes the list of artifacts that CSPs are required to supply, as well as the general and certification requirements. This agreement also includes the accreditation method, audit procedure, and suspension/termination terms. CSPs will need to fulfill the prerequisites in order to receive Cloud Office accreditation. PSE will have to limit the services it provides to those on an approved list of CSPs.
General Conditions
Any organization in the public or private sectors is considered a CSP.
CSP will adhere to all applicable laws and regulations imposed by the Pakistani government, as well as any amendments or revisions made from time to time.
CSPs are required to comply with the contractual obligations outlined in PCFP Section 10.2, which include Service Level Agreements (SLA), Interoperability Requirements, CSP Migration, and Data Ownership.
In order to provide cloud services, CSP must select one of the four cloud deployment models—public, government, private, and hybrid—as detailed in PCFP Section 7.
CSP must abide by the shared responsibility matrix mentioned in PCFP Annex C or as specified in the CSP and PSE SLA.
Accreditations
A CSP who wants to become accredited must hold the credentials mentioned in this section.
The certificates should name the CSP for the relevant facility.
A CSP must provide a copy of the updated certification of conformity (with applicable ISO Standards) issued by a certifying body authorized by Assurance Services International to the Cloud Office thirty days before the date of expiration of all applicable certifications.
As mandated by the applicable certification, a CSP must keep a list of certified employees. The auditors registered with Cloud Office are obligated to verify and certify any certificates supplied by the CSP for accreditation. The registered auditors will carry out this verification under the direction of CSP.