Airwave Service Government Security Classifications Guidance Author: John Stark, Head of Communications Security Home Office Airwave Management Team john.stark@homeoffice.gsi.gov.uk 07718 805804 Enquiries: AirwaveSecurity.Advice@homeoffice.gsi.gov.uk Date: 07 Mar 14 Version: Issue 1.0
Introduction On 2 nd April 2014, the new Government Security Classification Policy (GSCP) will come into force. It will replace the extant Government Protective Marking Scheme (GPMS) with a simplified system which classifies HMG information assets into three types: OFFICIAL, SECRET and TOP SECRET. The new policy will apply to all information that government collects, stores, processes, generates or shares to deliver services and conduct business, including information received from or exchanged with external partners. Further information on the new policy is available on the gov.uk website via the following link: https://www.gov.uk/government/publications/government-security-classifications The Airwave service is a national system with a wide and diverse user community. Not all Airwave user organisations will be adopting the new GSCP at the same. This means that, post 02 Apr 14, there will be Airwave related information that is protectively marked under the extant GPMS or that is classified under the new GSCP. However; the Airwave service itself as a legacy system, will continue to be accredited to GPMS RESTRICTED. Purpose & Scope of this Document The purpose of this document is to provide guidance to the Airwave community on how to handle Airwave related information following the introduction of GSCP. This guidance applies to any organisation that receives or generates information about the Airwave service, including but not limited to: Airwave service contract holders and relevant government departments; Airwave service user organisations; and Airwave service suppliers, equipment manufacturers and contractors. The document contains high level key points to remember plus a set of frequently asked questions (FAQs). Key Points to Remember 1. From 2 nd April 2014, the Airwave service will continue to be accredited to the GPMS level of RESTRICTED. 2. Airwave related information will still need to be protected in the same way as it is now. 3. The core Airwave service will remain suitable for protecting traffic up to and including RESTRICTED under the legacy protective marking scheme. 4. Whilst there is no strict read-across from the extant GPMS to the new GSCP, the Airwave Lead Accreditor considers the Airwave service to be suitable for protecting traffic in the OFFICIAL tier of the new GSCP (i.e. OFFICIAL and OFFICIAL SENSITIVE). 5. Airwave user organisations are adopting the GSCP at different speeds; therefore, you will see Airwave related information protectively marked under both GPMS and GSCP. 6. Consequently, information about the Airwave service that you circulate outside your organisation must always clearly show its classification. For the avoidance of doubt on the part of the receiving organisation, it should also be annotated with clear handling instructions. 7. Existing documentation and central policies related to the Airwave service are not initially being re-classified; although, when policies are reviewed, they may be re-issued under GSCP. For example, the Airwave service Code of Practice is currently issued as NOT PROTECTIVELY MARKED under GPMS when it is reviewed and re-issued, it will be classified as OFFICIAL. March 2014 Airwave Service Government Security Classifications Guidance Page 2
Frequently Asked Questions Airwave user community and adoption of the new GSCP 1. Does our user organisation have to adopt the new GSCP in order to continue using the Airwave service? No. However, your organisation may receive information about the Airwave service that is protectively marked using the new GSCP and must therefore, be aware of how to handle the information. 2. Which organisations that use the Airwave service will be adopting the new GSCP and when? The table below provides an indication (as known at this time) of when major user groups and government organisations will be applying the principles of GSCP for the purposes of Airwave. The list is not exhaustive and is subject to change. Organisation UK central government departments including Home Office Date 2 nd April 2014 HMRC 2 nd April 2014 MoD 2 nd April 2014 Police Forces in England and Wales Planned for October 2014 Police Service of Scotland Ambulance Services in England and Wales Scottish Ambulance Service Fire and Rescue Services in England and Wales Scottish Fire and Rescue Service 3. Is Airwave Solutions Ltd going to be adopting the new GSCP? As a commercial entity, Airwave Solutions Ltd is not bound by the new Government Security Classification Policy. However, Airwave Solutions Ltd (ASL) will need to generate and handle information that may be protectively marked using the new GSCP and will therefore, need to abide by the relevant handling guidance for any information at the new protective markings. It is anticipated that due to the different pace at which its customer base will be adopting the GSCP, ASL will continue to utilise the extant GPMS for an extended period of time. Using the Airwave service with the new GSCP 4. What level of protectively marked information can be passed across the Airwave network? The Airwave service is accredited to carry traffic up to and including the extant GPMS level of RESTRICTED; this remains unchanged. The Airwave Lead Accreditor has determined the Airwave service to be suitable for traffic in the OFFICIAL and OFFICIAL SENSITIVE tier of the new GSCP. March 2014 Airwave Service Government Security Classifications Guidance Page 3
Policy and documentation about the Airwave service 5. Existing central policies and documentation such as the Airwave Service Code of Connection and Airwave Service Code of Practice are all based on the extant GPMS. Are these going to be updated in line with the new GSCP? There is no intention to update any current policies or documentation in line with the new GSCP. Subsequent versions of the central policies and documentation may need to be amended to reflect the new GSCP, dependent on which organisation creates and issues them. For example, if the Home Office issues a document, it must be classified under the new GSCP as the Home Office will be adopting the new GSCP with effect from 02 Apr 14. Handling information about the Airwave service 6. What protective marking should I apply to information about the Airwave service? This is dependent on whether your organisation has adopted the new GSCP. If your organisation has adopted the new GSCP, follow the guidance given in the answer to question 7. If not, you should continue to apply the same markings you would have used under the extant GPMS. Handling information about the Airwave service for organisations that have adopted the new GSCP 7. What protective marking should I apply to information about the Airwave service under the new GSCP? There is no strict read-across between the extant GPMS and the new GSCP. In general terms though, most information about the Airwave service should be classified as OFFICIAL or OFFICIAL SENSITIVE. Appendix A contains a summary of common legacy protective markings for different types of information about the Airwave service; it should not be treated as an exhaustive list. 8. What controls should I apply to information about the Airwave service under the new GSCP? e.g. can I send the information outside my organisation using internet email? Unless the originator has instructed otherwise, you should apply the controls that are required under your organisation's information handling policy. Proportionate good practice will need to be applied in order to protect against compromise. More information on the controls to be applied to the OFFICIAL tier of the new GSCP is available on the Gov.uk website via the link provided in this document s introduction. It is strongly advised that originators of information annotate their documents with handling instructions. This will ensure the receiving organisation whether it has adopted the new GSCP or not is in no doubt as to how to handle the information. 9. How should I handle NOT PROTECTIVELY MARKED or Unclassified information I receive about the Airwave service under the new GSCP? Unless the originator has instructed otherwise, NOT PROTECTIVELY MARKED or Unclassified information about the Airwave service must be handled as OFFICIAL information. March 2014 Airwave Service Government Security Classifications Guidance Page 4
10. How should I handle PROTECT information I receive about the Airwave service under the new GSCP? Unless the originator has instructed otherwise, PROTECT information about the Airwave service must be handled as OFFICIAL information. 11. How should I handle RESTRICTED information I receive about the Airwave service under the new GSCP? Unless the originator has instructed otherwise, RESTRICTED information about the Airwave service must be handled as OFFICIAL SENSITIVE information. 12. How should I handle information from Airwave Solutions Ltd or other 3 rd party suppliers about the Airwave service that does not have a protective marking under the legacy GPMS? Unless the originator has instructed otherwise, information from Airwave Solutions Ltd or other 3 rd party suppliers about the Airwave service must be handled as OFFICIAL information where no protective marking has been applied. Information marked by the supplier as Airwave in confidence or commercially sensitive should be handled as OFFICIAL SENSITIVE information unless your organisations information handling policy states otherwise. Note that some information about the Airwave service is intentionally in the public domain and therefore, should not be subject to strict handling controls, e.g. the information on the Airwave website or in marketing information provided by Airwave Solutions Ltd or other 3 rd party suppliers. If you are unsure, contact the originator of the information for advice on sharing this information. 13. Our organisation has determined that under the new GSCP, it will not routinely mark OFFICIAL documentation. What should we do with information we generate about the Airwave service? The Airwave service is used by a large number of public sector and private organisations, many of which will not be adopting the new GSCP on 2 nd April 2014 (or in some cases not at all). Without a protective marking explicitly written on a document, the document may be treated as NOT PROTECTIVELY MARKED or Unclassified, therefore best practice will be to always protectively mark information about the Airwave service. Information about the Airwave service should be protectively marked with the appropriate classification under either the extant GPMS or the new GSCP. As a minimum, a protective marking under the new GSCP must be applied to information about the Airwave service that is to be circulated outside your organisation. 14. Our organisation already has information about the Airwave service that is marked using the extant GPMS. Do we have to re-classify this information in line with the new GSCP? No. Existing information does not need to have the new GSCP applied to it retrospectively. Unless the originator has instructed otherwise, the information must be handled in line with your organisation s information handling policy. March 2014 Airwave Service Government Security Classifications Guidance Page 5
Handling information about the Airwave service for organisations that will continue to use the GPMS 15. How should I handle OFFICIAL information I receive about the Airwave service? Unless the originator has indicated otherwise, OFFICIAL information about the Airwave Service should be handled as NOT PROTECTIVELY MARKED or Unclassified information in line with your organisations information handling policy. Unless the originator has indicated otherwise, this information must only be used for official purposes by the recipient, and should not be released to the public. If unsure, please refer to Appendix A for a summary of common legacy protective markings for different types of information about the Airwave service or refer to the originator. 16. How should I handle OFFICIAL SENSITIVE information I receive about the Airwave service? Unless the originator has indicated otherwise, OFFICIAL SENSITIVE information about the Airwave Service should be handled as RESTRICTED information in line with your organisations information handling policy. If unsure, please refer to Appendix A for a summary of common legacy protective markings for different types of information about the Airwave service, or refer to the originator. Queries 17. Who do I contact to query document classifications and / handling requirements? In the first instance, you should always contact the document owner. Alternatively, contact the Home Office Airwave Management Team via the details on the front cover of the document. March 2014 Airwave Service Government Security Classifications Guidance Page 6
APPENDIX A: AIRWAVE SERVICE Extant Protective Markings Type of Information / Asset General Maximum Extant Protective Marking Likely GSCP Marking Existence of Airwave service NOT PROTECTIVELY MARKED OFFICIAL (public info) Programme plans, reports and other programme related documentation RESTRICTED OFFICIAL - SENSITIVE Terminals Air Interface Terminal Security Target UK RESTRICTED UK OFFICIAL - SENSITIVE Design specifications and technical implementation methodology for security measures in Air Interface Encrypted radios and data terminals RESTRICTED OFFICIAL SENSITIVE Defective Air Interface Encrypted radio terminal RESTRICTED OFFICIAL SENSITIVE Operational Air Interface Encrypted radio terminal NOT PROTECTIVELY MARKED OFFICIAL Vanilla Air Interface Encrypted radio terminal (i.e. no configuration information) NOT PROTECTIVELY MARKED OFFICIAL Network Network assigned ISSI address range NOT PROTECTIVELY MARKED OFFICIAL Geographical data about Airwave base station sites NOTE: to meet the requirements of Ofcom, some specific geographical information about Airwave base stations is in the public domain. Information about Airwave base station sites containing configuration details about the network design RESTRICTED RESTRICTED OFFICIAL (some public info) OFFICIAL SENSITIVE Geographical information about Airwave infrastructure sites RESTRICTED OFFICIAL SENSITIVE Key Management Baseline service Details of encryption key length and key management procedures RESTRICTED OFFICIAL SENSITIVE Air Interface Airwave key material RESTRICTED OFFICIAL SENSITIVE User Information Individual ISSI or GSSI NOT PROTECTIVELY MARKED OFFICIAL ISSI / GSSI list associated with a single organisation PROTECT OFFICIAL National ISSI / GSSI list associated with multiple organisations RESTRICTED OFFICIAL SENSITIVE Identification of users, user organisations and their respective locations RESTRICTED OFFICIAL SENSITIVE NOTE 1: NOTE 2: NOTE 3: Some additional protective marking caveats apply to Terminals and Key Management information under the extant GPMS. These caveats are detailed in the Airwave Service Code of Practice for Radio Terminals. ISSI = Individual Short Subscriber Identity GSSI = Group Short Subscriber Identity March 2014 Airwave Service Government Security Classifications Guidance Pa