Govt agencies cleared to certify CSPs in cloud security shake-up

Unveils replacement to scrapped Certified Cloud Services List (CCSL)

The Australian Cyber Security Centre has unveiled new guidelines for allowing cloud service providers to sell to the federal government, handing more responsibility over to individual agencies themselves.

Drawn up with the Digital Transformation Agency (DTA), the new Cloud Security Guidance allows government agencies to assess and self-certify their solutions.

The move means cloud service providers (CSPs) will no longer need certification from the ACSC and will instead need reviews under the Information Security Registered Assessors Program (IRAP) every two years.

In theory, the move should widen access to CSPs, as only six cloud service providers (Amazon Web Services, Microsoft, Vault Systems, Macquarie Government, Sliced Tech and NTT Australia) have held the highest, "protected", level since 2017.

The new guidelines replace the Cloud Services Certification Program (CSCP), which ceased operation in March, as well as the Certified Cloud Services List (CCSL).

From 27 July, all Australian Signals Directorate (ASD) certifications and re-certifications for secure cloud services are void.

According to the ACSC, IRAP reports written prior to the new guidance are still valid, but agencies are advised to “consider the age and relevance of these reports when reviewing them”.

Where an agency wants to use a CSP's service that has not previously been assessed, or where the CSP has made significant changes to a previously assessed cloud, supplementary reviews will be required.

“The release of the new guidance coincides with today’s cessation of the CCSL, which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Defence Minister Linda Reynolds said.

AWS welcomed the move, claiming it will give the government access to a greater range of secure and cost-effective cloud services.

Macquarie Government was less impressed by the end of the CCSL but also welcomed the new certification regime.

“This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends,” Aidan Tudehope, managing director at Macquarie Government, said.

“Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.”

However, AWS said in a statement that "the CLOUD Act does not change another country's local laws, nor does it give US law enforcement unfettered access to data stored in the cloud. It recognises the right for service providers to challenge requests that conflict with another country's laws or national interests.

"The CLOUD Act requires US law enforcement to obtain a formal warrant through rigorous, pre-defined legal processes, including review and approval by an independent judge, to ensure compliance with the law. It applies only to a narrow category of data: evidence sought in connection with a serious crime, such as terrorism, over which the US has jurisdiction.

"AWS customers choose the AWS Region or Regions in which their content and servers will be located. This allows customers with geographic-specific requirements to establish environments in a location or locations of their choice, including on-shore in Australia through the AWS Asia Pacific (Sydney) Region," the company said.

Vault's CEO Rupert Taylor-Price also weighed in to criticise the change, arguing the CCSL set an "extremely high" security bar.

“By decentralising compliance requirements we are concerned that government agencies may experience inconsistent standards, not only impacting the service the government receives, but also their ability to interoperate with other agencies and in turn the outcomes for citizens,” he said.

“Although there may be initial cost savings for the ASD there may be overall cost, delays and security implications in the future. However, if Australia continues to experience a threat landscape at the level the Prime Minister outlined recently, the continued investment in a certification programme is in our national interest.”