
ID

RM97

Version

2.01.0

Type

Roadmap Item


Title

Identity and Access Management Support for Virtual SmartcardVendor Agnostic Smartcards

Description

The COVID-19 response has presented NHS Digital with the opportunity to work with system providers to deprecate support for old middleware and introduce support for vendor-agnostic Smartcards, including PIV-compliant Smartcards.

Date Added

 

Standards and Capabilities

Information Governance, Interoperability

Change Route

Managed Capacity - Other

Change Type

New

Status

Draft

Publication Date

TBC

Effective Date

TBC31st December 2021

Incentives / Funding

Yes

Incentive Dates

Incentive Start Date: The latter of the 10th August 2020 or the date on which this Roadmap Item attains “Published” status.

Incentive End Date: 12th October 2020

Payment Rules

Applicability: Foundation Catalogue Solution Sets that are compliant on the date of publication of this Roadmap Item.

Incentive amount: £[TBA] £100,000 per applicable Foundation Catalogue Solution Set.

Payment Rules (Stage 1 and Stage 2 are defined in the Assurance Approach section)

  • Stage 1 - 50% of the Incentive Amount £50,000 on DevMac receipt with a sliding Scale of 100% on or before 14th September 2020 reducing by 5% each calendar day until 28th September 2020 and remaining at 25% until 5th October 2020 and zero beyond the 5th October 2020. Payment subject to achieving Stage 2 by 12th October 2020.

  • Stage 2 - 50% of the Incentive Amount £50,000 on DevMac FRA receipt with a sliding Scale 100% on or before 21st September 2020 reducing by 5% each calendar day until 5th October 2020 and remaining at 25% until 12th October 2020 and zero beyond the 12th October 2020.

Note, the above method of calculation overrides that set out in paragraph 3 of Part C-1 of Framework Schedule 4.1 (Charges and Invoicing).

Background

Current suppliers’ products adhere to the existing requirement for working with Smartcards on the Windows platform, which is to use the PKCS11 standard. However, they inadvertently rely heavily on the vendor's proprietary PKCS11 library to communicate with Smartcards, as that was the middleware/solution in use at the time.

...

The Entrust Virtual Smartcard launch is a COVID-19 response item and is required to be supported for both authentication and digital signing as soon as possible by the profession.

Outline Plan

NHS Digital have the technical resource available to work closely with the suppliers in a collaborative way to help them identify, code and prove the issues are fixed before allowing the suppliers to complete their assurance cycles. During this collaborative working, NHS Digital would also look to prove that the EPS advanced signature capability will work with the GP system suppliers in an end-to-end test, so that when ready to launch for Primary Care, it supports the main use cases of authentication and signing of a prescription.

...

Timescale for completion: ASAP

Summary of Change

NHS Digital are looking for the GP System suppliers to remove the reliance on the proprietary interfaces and DLLs in favour of using the generic (NHS Digital) interface that allows for the support of all Smartcard types. This will also help mitigate the medium-term roadmap challenges. NHS Digital understand that this will also resolve issues we’ve seen in the INT environment when performing exploratory assurance of the GP Supplier systems with the new Entrust Virtual Smartcard. Two examples are outlined below:

...

These issues are likely to be caused by the application expecting that the target Smartcard is a specific type, or one that is compatible, when it is not; the commands therefore fail and cause an error.

Full Specification

The specifications for authentication and digital signing are in NPFIT Spine 1.0 requirements.

...

In order to create a signature, the card must be logged in using the user passcode (which the application must prompt the user for). Then, one or more messages can be hashed and signed. However, it may be that the passcode is required to be entered each time a message is signed.

Assurance Approach

Overview:

NHS Digital are looking to take a simple approach to assurance

...