The Australian Cyber Security Centre (ACSC) has announced the closure of the cloud services certification program (CSCP) responsible for giving the Protected status to technology providers including Sliced Tech, Vault Systems, Microsoft and AWS, among others.
The Australian Signals Directorate (ASD), which was responsible for the certifications, commissioned an independent review of CSCP and Information Security Registered Assessors Program (IRAP) in July 2019.
The review recommended the closure of CSCP and creation of new co-designed cloud security guidelines with industry; to grow and enhance IRAP; that government and industry consultative forums for cyber security are created; and to update incentives in procurement and administrative instructions and guidance to reflect the cessation of the CSCP.
Therefore, the ASD will no longer be the certification authority and will not be progressing certification activities including re-certification.
“All services listed on the Certified Cloud Services List (CCSL) will remain ASD-certified until 30 June 2020. All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL,” ACSC said in a statement.
“The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services.”
“We’re pleased to see the announcement from ASD and DTA today around their security standards and accreditations," AC3 CEO Simon Xistouris told CSO. "As a key cloud services provider to State and Federal government, we have been eagerly awaiting the outcome of the independent review, along with our customers and many others in the industry.
"The result of a single program, IRAP, simplifies the approach for agencies and business who are looking to partner with a secure cloud provider. It will also help service providers focus on a single program, enabling them to excel in those controls.
"We are very supportive of the consultative forum. This will enable a holistic view of security requirements for our public sector, which in turn will undoubtedly have a positive impact for the security and safety of all citizens,” Xistouris said.
The ACSC stated that Commonwealth entities remain responsible for their own assurance and risk management activities, and should be able to self-assess cloud services based on the Australian Government Secure Cloud Strategy.
The DTA will continue to proactively work with ASD, vendors and broader industry to articulate best-practice cyber security measures, according to the announcement.
Cloud certification framework plans
In March 2019, the Digital Transformation Agency (DTA) announced plans to develop a new certification framework to assess risk presented by hosting providers that handle government data.
This included a new certification of facilities for data centre providers participating on whole-of-government panels, which raised a question of the continuity of the CSCP.
At the time it was announced two types of certification: Certified Sovereign Data Centre, which will represent the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions; and the Certified Assured Data Centre, which is designated to safeguard against risks of change of ownership or control through financial penalties or incentives.
Microsoft welcomed the announcement at the time, saying the strategy recognises “data and data centres as having critical importance to national security and to critical infrastructure”, said Microsoft Azure engineering lead for Australia and New Zealand, James Kavanagh at the time.
CDC CEO Greg Boorer said at the time that the company had for a long time anticipated increased scrutiny of data centre ownership.
In 2016 CDC was . That process involved extensive engagement with the government, including the Foreign Investment Review Board, Boorer said.
“We understood that there were a number of significant sensitives around the ownership of data centres emerging, which have really accelerated in recent years with the proliferation of cloud services and more government workloads going in that direction, as well as managed services,” he said.
Since then, CDC has “preemptively and voluntarily” put change of control provisions in place, which includes keeping the government informed of any potential or actual change of control events.
New IRAP training and cyber security forums
On the back of the recommendations, ASD will accept applications for new IRAP Assessors and will restart IRAP training sessions.
“ASD will improve the training and assessment of IRAP assessors to bring a greater consistency of skills within the IRAP community,” ACSC stated.
It will also stablish the government and select industry consultative forums for cyber security, based on thematic topics and issues and will consist of select government and industry representatives from key stakeholder groups.
The theme for the first forum will be cloud security and it will use this to enhance existing cloud security guidance through the development of co-designed guidelines with industry.