The Australian Signals Directorate’s (ASD) Cloud Services Certification Program (CSCP) has ceased operation, with all ASD certifications and re-certifications for secure cloud services set to become void from the beginning of July.
The ASD’s CSCP had for years been the gatekeeper for cloud services providers and their partners wanting to compete for government contracts involving the handling of sensitive data, with providers accepted onto the agency’s Certified Cloud Services List (CCSL) able to vie for such work.
Specifically, inclusion on the ASD’s CCSL gave cloud services suppliers – along with certain resellers partnering with the selected vendors – the ability to pitch for public sector work requiring an InfoSec Registered Assessors Program (IRAP) security assessment, along with other security checks and balances.
In April 2018, Microsoft Australia was awarded ‘protected’ status on the CCSL, giving the vendor the ability to handle classified and highly sensitive government data.
In January 2019, Amazon Web Services (AWS) was finally awarded ‘protected’ certification status, joining Microsoft, Dimension Data, Macquarie Government, Sliced Tech and Vault Systems on the CCSL.
In a joint statement, the ASD and the Digital Transformation Agency (DTA) said that the CSCP would cease operation from 2 March, while all cloud services listed on the CCSL would remain ASD-certified until 30 June 2020.
As such, all ASD certifications and re-certification letters will also be void from 30 June, and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL, the agencies said.
“The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services,” the entities stated.
The move comes after an independent review of the ASD’s CSCP and IRAP activities recommended that the government close the CSCP and create new co-designed cloud security guidelines with industry.
The review also recommended that the government grow and enhance IRAP, establish government and industry consultative forums for cyber security and update incentives in procurement and administrative instructions and guidance to reflect the cessation of the CSCP.
Meanwhile, Commonwealth entities continue to be responsible for their own assurance and risk management activities.
“In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess IT systems,” the statement said.
Looking ahead, the ASD plans to enhance its support and delivery of IRAP. Now that the independent review has concluded, the ASD will be accepting applications for new IRAP Assessors and will restart IRAP training sessions.
“The boost to the IRAP community will deliver greater resources and higher standards to support government in maintaining its assurance and risk management activities,” the agencies said.
The closure of the CSCP and the impending disbanding of the CCSL come nearly a year after the DTA, which is tasked with much of the federal government’s IT procurement, revealed it would launch a new certification for public sector data centre providers.
In April last year, the federal government announced a new whole-of-government cloud hosting strategy, covering data centre facilities, infrastructure and data transmission.
The DTA said at the time that, in order to reduce potential risks, a new certification of facilities would be rolled out for data centre providers participating on whole-of-government panels, with the certification being based on the degree of sovereignty assurance they provide to government.
One of the two new certifications to be developed was the Certified Sovereign Data Centre certification, which represents the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions.
The other was the Certified Assured Data Centre certification, which is designed to safeguard against risks of change of ownership or control through financial penalties or incentives.
The strategy also revealed that ‘protected’ and whole-of-government systems must be hosted in a certified sovereign or certified assured data centre.
Now, as the CSCP comes to an end, the DTA said that existing government IT marketplaces would not be affected by the change and would continue to operate as usual. This includes the Cloud Marketplace panel and its new approach to market in early 2020.
“The DTA continues to encourage Commonwealth entities to use the Australian Government Secure Cloud Strategy to support their adoption of cloud services, and will continue to proactively work with ASD, vendors and broader industry to articulate best-practice cyber security measures,” the agencies stated.