Australia’s cyber spy agency has shuttered the government’s cloud services certification program (CSCP) to remove bottlenecks and confusion around the accreditation of cloud services.
In a move that promises to unlock the country’s cloud market, the Australian Signals Directorate and Digital Transformation Agency on Monday revealed the program would cease from July.
It follows the findings of an independent review of the program and the information security registered assessors program (IRAP) commissioned by the ASD last July.
The review, which considered the perspectives of industry and government, recommended closing the CSCP and creating “new co-designed cloud security guidelines with industry”.
“In line with these recommendations, ASD will today cease the CSCP, ASD will no longer be the certification authority and will not be progressing certification activities,” the agencies said in a statement.
“This includes re-certification activities.”
The change will mean cloud service providers will lose their protected and unclassified DLM stamp of approval from July 2020.
“All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL,” the ASD and DTA said.
The CSCP was introduced to ensure cloud services were comprehensively assessed to maximise the security of data across federal, state and territory governments.
But the certification process has long been criticised as onerous, costly and long-winded for cloud providers looking to sell to Canberra, as well as state and territory governments.
Only six cloud service providers (Amazon Web Services, Microsoft, Vault Systems, Macquarie Government, Sliced Tech and NTT Australia) have been certified to a protected level since 2017.
A further seven providers, including Google, IBM, Salesforce and ServiceNow, are certified at an unclassified level.
Hyperscale cloud provider Microsoft, for instance, waited a further 12 months after receiving its protected IRAP certification before being signed off by ASD.
The DTA first acknowledged the CSCP as a “significant barrier” two years ago in its secure cloud strategy, which said having a single accountability for certification created bottlenecks and confusion.
The strategy introduced a layered cloud certification model that gave agencies the ability to self-assess cloud services by reusing “practices already in place for certification of ICT systems”.
The DTA has since released a separate government-wide hosting strategy, which introduces new requirements for data centre and managed services providers that handle government data.
“The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate,” the ASD and DTA said.
“This will also give government customers a greater range of secure and cost-effective cloud services.”
The report has also recommended that ASD “grow and enhance [the delivery of] IRAP”. The agency plans to begin accepting applications for new IRAP assessors and restart IRAP training.
“The boost to the IRAP community will deliver greater resources and higher standards to support government in maintaining its assurance and risk management activities,” the ASD and DTA said.
ASD is also planning to establish consultative forums for cyber security consisting of “select government and industry representatives”.
The inaugural forum will focus on cloud security.
“ASD will use this forum to enhance existing cloud security guidance through the development of co-designed guidelines with industry,” the ASD and DTA said.
“These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience.”
ASD plans to invite representatives to serve on the first cloud security consultative forum in the coming weeks.