To ask the Secretary of State for the Home Department, what assessment her Department made of the effect on security of the four-year contract awarded to Amazon Web Services in December 2019.
Answered on
21 July 2020
The four-year contract awarded to Amazon Web Services in December 2019 is based on the Crown Commercial Service G-Cloud 11 Framework Agreement (RM1557.11) call-off terms and conditions, together with the supplier’s terms and conditions applicable to the ordered services.
The Home Office has now published a redacted version of the contract available on contracts finder and it can be found here:
The contract utilises standard Crown Commercial Service G-Cloud Terms and Conditions on Security which can be found in Part B – Terms and Conditions, Section 16. These terms can be found either in the published contract or via the CCS website - https://www.gov.uk/government/publications/g-cloud-11-call-off-contract
Officials are unable to define what is meant by ‘the effects on security’. However, security is assessed through internal Home Office governance on individual services and products provided by the supplier as and when they are utilised by the Home Office, not on the AWS platform as a whole.
AWS also have the appropriate accreditations for the services they provide to Home Office and a full list has been provided to us as a buyer under a non-disclosure agreement. A list of publicly available compliances resources, including security compliance, is proved by Amazon Web Services online. https://aws.amazon.com/compliance/resources/
I can confirm that these documents provided highlight how Amazon Web Services complies with the following accreditations, amongst others:
- UK Cyber Essentials & Cyber Essentials+
- ISO27001
- ISO27017
- ISO27018