Exchanging data with DWP and other public sector services using Secure FTP Hosting & SFTE

14th April 2025

The Department for Work and Pensions (DWP) has replaced its legacy Government File Transfer System (GFTS) with Single File Transfer External (SFTE). This transition marks a significant step towards modernising data transfer protocols and streamlining public sector processes. 

For organisations that regularly interact with the DWP – such as local authorities, housing associations and financial institutions – understanding and adapting to SFTE is crucial. The new system involves both a new standard and new requirements, which it’s vital to understand. 

In this blog post, we’ll explain how the SFTE system works, how it differs from GFTS and how organisations can ensure compliance, enhance data security and optimise their file transfer processes with the DWP. Let’s take a closer look.

What is SFTE? 

Single File Transfer External (SFTE) is the DWP’s strategic file transfer gateway, enabling secure file exchange with thousands of partner organisations including banks, housing associations and other government departments, such as HMRC and DVLA. It supports the secure, automated transfer of files in and out of the DWP environment. 

SFTE supports FTP Secure (FTPS) using Explicit TLS in Passive mode, offering improved security compared to older file transfer protocols. It has been mandated as part of the DWP Data Strategy 2023-2030, which aims to streamline data exchange while protecting citizens’ personal information. 

Understanding the shift from GFTS to SFTE 

The DWP’s legacy system, GFTS, served as the primary conduit for electronic data interchange between the department and its partners. However, with technological advancements and increasing security concerns, the need for a more robust and scalable solution became evident. 

SFTE is designed to securely handle bulk data transfers in and out of the DWP. It leverages Explicit FTPS (File Transfer Protocol Secure) in Passive mode, ensuring encrypted data transmission over TLS (Transport Layer Security) versions 1.2 or 1.3. This bolsters security by supporting mutual TLS authentication, where both client and server validate each other’s certificates, and also incorporates username/password authentication for added protection. 

With SFTE, DWP has moved away from VPN-reliant transfers towards a more scalable infrastructure that leverages TLS v1.2 (or higher) and SHA-2 certificates issued by public Certificate Authorities (CAs). Authentication now uses both username/password and two-way certificate handshakes so that only authorised parties can initiate or receive transfers. 

Technical overview: sending and receiving files via SFTE 

To successfully exchange files with DWP, your organisation must meet specific configuration and security requirements. Here’s a quick overview of what’s involved: 

Sending files to DWP 

You’ll need to: 

  • Use FTPS in Explicit Passive mode with TLS v1.2+. 

  • Host a file transfer server that supports passive port ranges (8050-8249). 

  • Provide DWP with: 

      • The CIDR range of your IP addresses. 

      • Your file decryption keys (if applicable). 

      • A publicly signed certificate from a recognised Certificate Authority. 

  • Trust DWP’s root certificate (issued by Digicert). 

DWP will then provide you with: 

  • A dedicated username and password, with an account set up for you on SFTE. 

  • A port number and DNS details for the SFTE endpoint. 

  • Details of its Digicert public CA. 

Receiving files from DWP 

You’ll need to: 

  • Set up an FTPS server accessible via the internet. 

  • Use a third-party certificate from a public CA (self-signed certificates are not accepted). 

  • Configure your system to accept connections from DWP’s whitelisted IP addresses. 

  • Share your DNS, port and public CA details with DWP. 

  • Provide an account on your system so that DWP can access your server. 

  • Trust DWP’s Digicert root CA. 

In return, DWP will: 

  • Share its outbound CIDR IP addresses for safelisting. 

  • Supply the necessary certificate chain for you to verify incoming connections. DWP will provide the link to download its Digicert certificate, which you will need to install on your server. 

Key configuration points when setting up your SFTP hosting 

While the SFTE system is robust, it also has strict compliance requirements that can catch organisations off guard. Here are some best practices to bear in mind: 

  1. Use FTPS with Explicit Passive TLS 

DWP mandates FTPS (not SFTP or SCP) with Explicit Passive TLS, which means your system must open a wide port range and respond from a fixed external IP. NAT (Network Address Translation) configurations can interfere with this, because the passive-mode reply advertises an IP address and port that must be reachable from the other side, so you’ll need to make sure your infrastructure handles these connections correctly. 

  2. Use approved cipher suites and TLS versions 

SFTE only supports specific TLS cipher suites, and using unapproved cipher suites may block your connection altogether. You will therefore need to use one of the following: 


  • TLS_AES_256_GCM_SHA384  

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  

  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384  

  • TLS_AES_128_GCM_SHA256  

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  

  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384  

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  

  • TLS_RSA_WITH_AES_256_GCM_SHA384  

  • TLS_RSA_WITH_AES_128_GCM_SHA256 


  3. Implement retry and recovery policies 

Transfers may fail temporarily due to network issues or other factors. SFTE recommends implementing retry policies in your client configuration to avoid manual resubmission or delays, and enabling the auto recovery of any file that initially fails to transfer. 

  4. Prepare for virus scanning and quarantine 

All incoming and outgoing files are automatically scanned for viruses by DWP. Files that fail will be quarantined and deleted, and DWP will notify you of this. Ensuring your files are malware-free before sending them will therefore save time and reduce disruption. 
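As an added example (not code from this page, DWP or Ridgeon Network), here is a Python client that applies the sending requirements and points 1 to 3 above: explicit FTPS in passive mode, TLS 1.2 as the minimum with only the listed cipher suites, a client certificate for mutual TLS, and a retry policy that backs off on transient failures but not on certificate errors. The host, port, credentials and certificate paths are placeholders you would replace with the values DWP issues to your organisation.

```python
import ssl
import time
from ftplib import FTP_TLS, error_temp

# OpenSSL names for the TLS 1.2 suites in the SFTE list above. The two TLS 1.3
# suites (TLS_AES_*) are selected by protocol version, not by this string,
# and stay enabled because TLS 1.3 is not disabled.
SFTE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
])

def build_sfte_context(ca_bundle=None, client_cert=None, client_key=None):
    """TLS 1.2+ only, approved suites only, server certificate verified against
    ca_bundle (DWP's DigiCert chain), optional client cert for mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(SFTE_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def retry(operation, attempts=3, backoff=2.0, sleep=time.sleep):
    """Run operation() up to `attempts` times with exponential backoff on
    transient failures only (connection/timeout errors, FTP 4xx replies).
    TLS and certificate errors are not retried: they need a config fix."""
    for n in range(attempts):
        try:
            return operation()
        except (ConnectionError, TimeoutError, error_temp):
            if n == attempts - 1:
                raise
            sleep(backoff * (2 ** n))

def upload_once(host, port, user, password, local_path, remote_name, ctx):
    """One explicit-FTPS, passive-mode upload. host/port/user/password are the
    values DWP issues for your account (hypothetical placeholders here)."""
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port, timeout=30)
    ftps.auth()            # explicit TLS: AUTH TLS on the control channel
    ftps.login(user, password)
    ftps.prot_p()          # PROT P: encrypt the data channel as well
    ftps.set_pasv(True)    # passive mode, as SFTE requires
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    return ftps.quit()
```

Wrap a transfer as `retry(lambda: upload_once("sfte.example.invalid", 21, "user", "pass", "out.csv", "out.csv", build_sfte_context("dwp-digicert-chain.pem", "client.crt", "client.key")))` so a temporary network failure is retried without manual resubmission.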

Final thoughts 

The DWP’s shift from GFTS to SFTE represents a significant milestone in secure public sector data exchange. Organisations must adapt to this change by understanding the technical requirements involved and adopting compatible SFTP hosting solutions. Doing so can ensure secure, efficient and compliant data transfers with DWP and other governmental bodies. 

The transition to SFTE is a real upgrade in how public sector organisations exchange sensitive data. While the requirements are technical and prescriptive, they are ultimately designed for data integrity and security in a digital-first world. 

Need to learn more about DWP’s SFTE file transfer system or compliant SFTP hosting solutions? At Ridgeon Network, we already supply various clients with Secure FTP Hosting solutions that are compatible with receiving files from DWP over SFTE. Get in touch with Ridgeon Network’s expert team today for more information. 

We provide an all-in-one Secure FTP Hosting solution!

Need expert support with Secure FTP hosting? Ridgeon Network specialises in secure SFTP/FTPS hosting solutions tailored to your specific requirements. Get in touch with our team today to find out more about how we can take the hassle out of Secure FTPS hosting.

Get in touch today with your requirements and we will be happy to assist you.