Jisc Services Ltd


A federated roaming service for the wider public sector, providing seamless connectivity to the end user. Govroam makes offering offsite connectivity easy, delivering savings and efficiencies while enhancing the control employers have over staff roaming behaviours. Operated by Jisc, govroam brings regional roaming initiatives together under a standardised national-scale service.


  • Provides a national standard for federated roaming design
  • Guaranteed minimum service capability allows effective remote working.
  • Service design built on a fabric of trust between participants.
  • Uses your existing staff authentication mechanisms to grant access.
  • Transfer of authentication data secured by end-to-end encrypted protocols.
  • Support offered by end users' home organisation.
  • Free at point of service to end users.
  • Device and infrastructure agnostic, enabling BYOD.
  • Geolocation companion app supports easy venue discovery.
  • Explicitly national in scope, with potential international integration.


  • Reuses and extends the life of existing network infrastructure.
  • Reduces/eliminates the overheads of providing guest connectivity.
  • Supports your mobile workforce, improving productivity by simplifying off-site connectivity.
  • User-friendly roaming, with a “zero-touch” automated process after initial configuration.
  • Secure authentication incorporating a real-time “member in good standing” check.
  • Standardises your guest WLAN provision to an industry best-practice standard.
  • Reduces/eliminates the need for customer-facing visitor support.
  • Reduces/eliminates the use of temporary credentials, improving network security.
  • Reduces/eliminates the need for costly SIM-based data provision.
  • Allows real-time control of the roaming behaviour of your staff.


£300 to £3000 per unit per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11


Jisc Services Ltd

Jisc helpdesk



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Community cloud
Service constraints Scheduled maintenance is under the control of Jisc, and will be announced at least 7 days in advance and will be scheduled into the next available maintenance window.

Unscheduled maintenance, which is only undertaken in an emergency, of the govroam central service, as well as the other servers and services under control of Jisc, will be announced as early as possible.
System requirements
  • Standards based RADIUS Server
  • Compliant Enterprise WiFi Deployment
  • Compliant access control
  • Compliant support process
  • IoS or Android (for use with govroam App)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times For general enquiries or technical questions Members should contact the govroam team at govroam@jisc.ac.uk. The team will acknowledge receipt within 4 hours during a working day, and provide a solution or initiate further investigation to all enquiries as soon as possible, but no later than 5 working days.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Technical boarding, B2B troubleshooting and security incident management is included as standard. Enhanced RADIUS federation design consultancy at SFIO rates. (see service definition for SLA).
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There is a defined technical boarding process supported by both deployment and operations training, an extensive documentation package and unlimited telephone/email support.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Service operations do not require holding end user data. Any business contacts etc will be deleted in accordance with our data protection policy.
End-of-contract process Trust relationship between customer and central RADIUS servers are removed. All public references to customer as a participant are removed.

Using the service

Using the service
Web browser interface No
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service As a connectivity service, the only differences between mobile and desktop are the OS elements required for initial configuration. The service has no interface for the end user.
Service interface No
Customisation available No


Independence of resources Resilience and redundancy in depth across all service elements. Normative use of the service by customers creates minimal load as authentication services are light touch.


Service usage metrics Yes
Metrics types A govroam service report is presented at stakeholder meetings approximately every six months. The report includes information on the number of member organisations and the number of successful roaming sessions.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Other
Other data at rest protection approach Physical access control, very little data to protect. Both datacentres are ISO/IEC 27001:2013 certified.
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach No data to export
Data export formats Other
Other data export formats N/A
Data import formats Other
Other data import formats N/A

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks Combination of end to end 802.11i AES encryption, RADIUS shared secrets, customer operated EAP methods and use of a private network (Janet)
Data protection within supplier network Other
Other protection within supplier network Combination of end to end 802.11i AES encryption, RADIUS shared secrets, customer operated EAP methods and use of a private network (Janet)

Availability and resilience

Availability and resilience
Guaranteed availability The availability of the central service is targeted as 99.9%.
Approach to resilience There are multiple load-balanced instances to handle load in the event of an outage. These are hosted in geographically redundant tier 3 facilities, with redundant backups of infrastructure.
Outage reporting Email alerts are generated against central service as part of the major incident handling process. Major outages are also reported via the service webpage and Twitter account.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication The member organisation determines who can access roaming provision, and controls credential issue and revocation according to their own policies. Govroam receives a connectivity request from a visiting user’s device and securely conveys it to their home organisation, where their identity is confirmed and the home organisation decides, based on its policies, whether the user is allowed to connect. Govroam conveys that back to the visited organisation which then grants or blocks access accordingly, confident that the visitor’s home organisation is aware of the transaction and has just checked that the visitor in question is a member in good standing.
Access restrictions in management interfaces and support channels Access credentials are only issued to required staff, as specified by the RFO.
Note that the govroam app is managed by a third-party consultant.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication Credentials are issued individually to verified contacts at the request of an RFO.
Two-factor authentication for VPN login provides network access via a secure hosting facility.
Username and password used to access the service.

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 23/06/2016
What the ISO/IEC 27001 doesn’t cover Please contact us for more information
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Please contact us for more information
PCI DSS accreditation date Please contact us for more information
What the PCI DSS doesn’t cover Please contact us for more information
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards ISO 9000. Also aligned with ITILv3. The responsibility for secure provision is split between Jisc, the end-user's home organisation, and the organisation they are visiting. For incidents with actual or potential information security or service integrity implications, we may delegate incident investigation and management to the Janet network CSIRT.
Information security policies and processes ISO/IEC 27001:2013.
Member organisations are required to comply with the Janet Acceptable Use Policy and the Janet Security Policy.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change management controls are applied to industry best practice. In particular, we are aware of the change management principles in ITILv3 and align our processes with these.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We deploy a variety of effective systems and process; including fire-walling, IDS, inline DDOS prevention, regular internal and external vulnerability scanning, penetration testing, flow logging and centralised logging and authentication. our incidence response process is modelled in NIST/SAN principles. It is managed via dedicated incident response lead and backup roles. This process mandates engagement with CSIRT, SIRO and Infisec security manager. JISC CSIRT works to a 2hr response SLA on Incidents.
Incident management type Supplier-defined controls
Incident management approach We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)
  • Other
Other public sector networks Potentially, all public sector networks can connect guests through govroam.


Price £300 to £3000 per unit per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Limited functionality.
Trial available for the technical onboarding process, not the roaming function.

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions pdf document: Modern Slavery statement
Service documents
Return to top ↑