Welcome to the GitHub repository for the Singapore Government's ICT&SS (Infocomm Technology and Smart System) Policy Reform, also known as IM8 Reform. This initiative is part of Singapore's broader effort to support its Smart Nation ambitions by accelerating digital transformation across government agencies. The goal is to improve service delivery, system security, operational management, and policy definition to better protect ICT&SS assets.
The ICT&SS Policy Reform is a transformative initiative aimed at making policy controls leaner, more relevant, and more effective. By allowing for differentiated treatment based on the risk impact levels of systems, agencies can assess risks and apply the appropriate controls tailored to their specific business and technical contexts.
This repository is a public reference for industry partners, providing access to control requirements similar to those used by agencies. This collaborative approach ensures that the industry can learn from and even improve the government's policy standards.
The reform effort is currently focused on low-risk cloud systems, with the first tranche of recommended controls for these systems available in this repository. These controls will be updated progressively to reflect ongoing improvements and feedback.
This catalog lists the control requirements for both government agencies and implementation partners, enabling a collaborative effort to apply the appropriate level of controls for their platforms or systems.
A catalog consists of a central pool of recommended controls designed for low-risk cloud systems that have minimal disruptive impact on an agency’s core functions or the Whole-of-Government.
- Controls: Each control includes the following elements:
  - Statement: A clear and concise description of the control requirement.
  - Guidance: Recommendations on how to implement the control effectively.
  - Risk Statement: An explanation of the risks that the control is intended to mitigate.
  - References: Links or mappings to other relevant policy standards or frameworks that the control aligns with.
- Profiles: Each control is classified into one of three profile levels:
  - Level 0 (Must-Haves): These are essential controls that must be implemented for all systems.
  - Level 1 (Should-Haves): These controls are strongly recommended and should be implemented where feasible.
  - Level 2 (Good-to-Haves): These are best practices that can be implemented to enhance security but are not mandatory.
A control may be tagged as a requirement for low-risk systems but classified differently for systems with higher risk.
The ICT&SS policy controls are developed and published using the Open Security Controls Assessment Language (OSCAL), an open-source schema developed by NIST. OSCAL enables a standardised approach to documenting and automating security controls, making it easier for agencies and partners to implement, assess, and maintain compliance with the policy requirements.
The controls are codified in a machine-readable policy format, which enables future automation to monitor and assess the effectiveness of technical control implementation. Industry partners can learn more about OSCAL here.
By adopting OSCAL, the Singapore Government ensures that its ICT&SS policies are not only transparent and accessible but also interoperable with a wide range of tools and platforms used in the industry. This enhances the effectiveness and efficiency of security control implementation across different systems and agencies.
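As an illustration of the automation a machine-readable catalog allows, the following added example (not code from this repository) lints a constructed catalog and profiles in the OSCAL JSON layout, checking that every control carries the four elements listed above and is assigned to exactly one level. The control ids and prose, the `risk-statement` part name, the use of `links` for references and the one-profile-per-level arrangement are assumptions made for the example.

```python
import json
# Constructed OSCAL-layout sample; ids, titles and prose are invented.
CATALOG = json.loads("""{"catalog": {"groups": [{"id": "ac", "controls": [
  {"id": "ac-1", "title": "Admin MFA", "links": [{"href": "#ref-1"}],
   "parts": [{"name": "statement", "prose": "Require MFA for admins."},
             {"name": "guidance", "prose": "Use the identity provider."},
             {"name": "risk-statement", "prose": "Stolen passwords."}]},
  {"id": "ac-2", "title": "Session timeout",
   "parts": [{"name": "statement", "prose": "Expire idle sessions."}]}]}]}}""")
REQUIRED_PARTS = ("statement", "guidance", "risk-statement")  # last name is assumed

def profile(*ids):  # minimal OSCAL profile selecting controls by id
    return {"profile": {"imports": [{"href": "catalog.json",
            "include-controls": [{"with-ids": list(ids)}]}]}}

# Assumption: one profile per level (0, 1, 2); ac-9 is deliberately not in the catalog.
PROFILES = {0: profile("ac-1"), 1: profile("ac-2", "ac-1"), 2: profile("ac-9")}

def index_controls(node, found=None):
    """Walk groups and nested controls, returning {control id: control}."""
    found = {} if found is None else found
    found.update({c["id"]: c for c in node.get("controls", [])})
    for child in node.get("controls", []) + node.get("groups", []):
        index_controls(child, found)
    return found

def selected_ids(prof):
    """Return the control ids a profile includes through with-ids."""
    return [cid for imp in prof["profile"].get("imports", [])
            for sel in imp.get("include-controls", [])
            for cid in sel.get("with-ids", [])]

def lint(catalog, profiles):
    """Check each control has all four elements and exactly one level."""
    controls, levels, issues = index_controls(catalog["catalog"]), {}, []
    for level, prof in sorted(profiles.items()):
        for cid in selected_ids(prof):
            levels.setdefault(cid, []).append(level)
    issues += [f"{cid}: selected by a profile but not in the catalog"
               for cid in sorted(levels) if cid not in controls]
    for cid, ctl in sorted(controls.items()):
        names = {p.get("name") for p in ctl.get("parts", [])}
        missing = [n for n in REQUIRED_PARTS if n not in names]
        missing += [] if ctl.get("links") else ["references"]
        if missing:
            issues.append(f"{cid}: missing {', '.join(missing)}")
        if len(levels.get(cid, [])) != 1:
            issues.append(f"{cid}: in levels {levels.get(cid, [])}, expected one")
    return issues
```

Calling `lint(CATALOG, PROFILES)` on the constructed data reports the dangling `ac-9` selection, the double-classified `ac-1` and the incomplete `ac-2`.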
- Browse the Controls and Profiles: The controls are organised in profiles by risk impact levels and system types.
- Contribute: We welcome contributions. Please refer to the contributing guidelines to understand how you can participate.
- Stay Updated: This repository will be regularly updated with new controls and revisions. Watch this repository to stay informed about the latest changes.
This project is licensed under the MIT License, allowing for wide use and collaboration while ensuring proper attribution.
For more information or to provide feedback, please contact GovTech Singapore.
By making these policies open source, we aim to foster greater collaboration and innovation in securing Singapore's digital infrastructure. Thank you for your interest and contributions!