Get your software assured
Before you can go live with your CIS2 Authentication integration, you must complete the various assurance steps.
Overview
In this step you'll:
- confirm how you're handling various non-functional requirements, such as security, clinical risk and service management
- explain how you've met our technical requirements
- demonstrate your product to us in the integration test environment
- sign our Connection Agreement
How long does it take?
This step typically takes 2 to 12 weeks, but you can do parts of it in parallel with designing and building your software and testing your software.
1. Confirm how you’re handling non-functional requirements
As part of your solution design, it's important to answer some key questions around:
- handling data securely
- managing clinical risk
- using our production environment
- how you can register your product for the NHS Digital National Service Desk
We can provide input into your solution to ensure you meet our non-functional requirements and avoid common mistakes.
Complete the 'Non-functional requirements' stage in digital onboarding
- Sign in to digital onboarding.
- Go to product onboarding.
- Select your product - this will open the conformance questions for your product.
- Complete the 4 sections within the 'Non-functional requirements' stage.
- Submit the 4 sections for review.
There are 4 sections to complete in this stage:
- Declare data security and information security.
- Implement a clinical risk management process.
- Register for service and incident management.
- Declare your medical device status.
Next steps
We will review your answers within 5 working days and may request additional information through the digital onboarding feedback mechanism.
2. Explain how you've met our technical requirements
The technical conformance section is the most important for NHS CIS2 Authentication. It is where you explain how your solution meets our technical requirements. To minimise delays in achieving conformance, your answers will need to be comprehensive and address all points raised in each question. Each question should be self-explanatory and will include supporting information where necessary.
You should already be familiar with our technical requirements as you should have referred to them while completing your technical design.
Please do not submit these sections until you have a working solution in the INT environment, as we will not review them before then. The solution should mirror how your production solution would work, for example in its use of the UserInfo endpoint, Back-channel Logout, Session Management etc.
Complete the 'Technical conformance requirements' stage of your conformance questions
- Sign in to digital onboarding.
- Go to product onboarding.
- Select your product - this will open the conformance questions for your product.
- Complete the 2 sections within the 'Technical conformance requirements' stage:
  - demonstrate your product meets the core conformance criteria
  - demonstrate technical conformance for NHS CIS2 Authentication
- Submit the 2 sections for review.
Completing the 'Demonstrate your product meets the core conformance criteria' section
We will ask you some questions about your data processing activities, including:
- what personal data is being processed
- the purpose and legal basis for processing it
There is useful information in the ICO advice and checklists about controller and processor roles that will help when answering these questions. You can learn more about what counts as personal data.
Regardless of whether your product is new or existing, you must complete a penetration test to CHECK standards.
The safety case and hazard log should include evidence that new hazards or increased risk have been identified and managed effectively through detailed risk analysis, risk evaluation and risk control.
You can learn more about clinical risk management standards information.
Completing the 'Demonstrate technical conformance for NHS CIS2 Authentication' section
Each question should be self-explanatory and will include supporting information where necessary. You should already be familiar with our technical requirements as you should have referred to them while completing your technical design.
If you have any questions about this section please contact us at [email protected]
Next steps
We’ll review your responses and may ask you for additional information through the digital onboarding feedback mechanism.
3. Demonstrate technical conformance to us
Once you have completed your technical implementation, you will need to perform an end-to-end technical conformance test to demonstrate adherence to the required standards. When you are ready to complete the test, please contact us at [email protected] giving us at least 2 weeks' notice.
We'll then do some background checks to validate you meet our requirements. These include:
- checking that you have a configuration in our INT environment
- checking that you have authentication functioning in INT
- checking that you are successfully receiving logout tokens from us if you are using back-channel logout
- checking that your solution is deployed to a test environment and not running on a local developer machine (i.e. localhost)
Demonstrating the end-to-end authentication of your product
This formal technical conformance test takes place in the integration environment and takes around 2 hours to complete.
If you are migrating from CIS1 to CIS2 Authentication, you will be required to perform the technical conformance test using one of the alternative authenticators other than smartcards over HSCN. The reason for this is to validate that you have removed all CIS1 dependencies from the authentication process.
To run the test, you will need to advise us of the:
- IP address of the user device used to perform the test
- IP address of the server component used to perform the test
- UUID of the user identity used to perform the test
- authenticator you'll be using to perform the test
You will be asked to demonstrate the following:
- authentication
- back-channel logout
- session management
- Care Identity button
Next steps
Once you've completed your test, we'll issue a solution assurance certificate to you within 5 working days.
4. Sign our Connection Agreement
Before you can use NHS CIS2 Authentication in a production environment, you must sign our Connection Agreement. This will be issued following completion of the non-functional requirements as detailed in section 5. The Connection Agreement is a legal document that sets out your obligations.
You can download a sample Connection Agreement to review from the digital onboarding page.
If you have previously signed a Connection Agreement, we will re-issue the existing document. In some cases you might need to re-sign it.
You demonstrate and declare your conformance to use NHS England APIs through the digital onboarding service. The Connection Agreement is the contract you sign to legally commit to the details you have provided.
This is a legally binding agreement with NHS England and confirms that the responses and declarations made throughout this onboarding process are accurate and complete.
The signatory must be an officer of the organisation with appropriate authority to make this assertion and accept the terms of the agreement.
You must sign and upload your Connection Agreement before the onboarding process can be completed and you get production access.
Next steps
Once your software is assured, the next step is to put your software live.
Last edited: 27 January 2026 12:30 pm