The Digital Transformation Agency is set to begin assessing data centre and managed services providers that handle federal government data following the release of its long-awaited hosting certification framework.
The framework [pdf], which comes almost two years after the whole-of-government hosting strategy, has been developed to give agencies certainty that hosting providers meet stringent ownership and control conditions.
It is designed to work hand-in-hand with the Foreign Investment Review Board’s existing powers of review, as well as policies like the Protective Security Policy Framework (PSPF) and the planned critical infrastructure reforms.
The new framework introduces two new certifications, which all “direct and indirect providers of hosting and related data centre services to government” will need to obtain to host protected-level and whole-of-government systems.
The two certifications are ‘certified strategic hosting provider’ – deemed the highest level of assurance, which requires providers to “allow the government to specify ownership and control conditions” – and ‘certified assured hosting provider’.
This terminology has been tweaked slightly since the release of the March 2019 hosting strategy, which had proposed ‘certified sovereign data centre’ and ‘certified assured data centre’.
“During consultation undertaken while developing this certification framework, it became apparent that the original terminology used in the hosting strategy to describe the two levels of certification would benefit from additional clarity,” the DTA said.
“In particular, the term sovereign was taken as excluding any level of foreign investment or control in a hosting provider.
“Under such an interpretation, given the potential for a level of foreign investment, any publicly listed hosting provider would be ineligible for the higher level of certification.
“In addition, any privately owned hosting provider would find itself constrained in terms of future growth options that may have exposure to foreign investment.
“For clarity, sovereignty refers to the ability of the government to specify and maintain stringent ownership and control conditions.”
The framework requires that both direct and indirect hosting providers have a minimum set of “core capabilities” that are subject to ownership and control provisions, as well as a minimum set of “supply chain capabilities” that are subject to security and risk assessments.
Direct hosting providers are considered those suppliers on the current data centre facilities supplies panel, which includes Canberra Data Centres, Macquarie Telecom, NextDC, Fujitsu and Equinix.
Indirect hosting providers, on the other hand, are considered systems integrators, managed service providers or cloud services providers that have a commercial arrangement with direct hosting providers.
Where hosting providers do not have control or ownership over the core capabilities underpinning their services, they may also need agreement from the ultimate owners, meaning the certification process will be different for direct and indirect hosting providers.
“When applied to system integrators, managed service or cloud service providers, the framework will include an assessment of the underlying hosting services and data centre facilities that are used,” the framework states.
“As a result, certification of system integrators, managed service and cloud service providers will occur for each data centre facility arrangement used by the provider.
“This may result in certification being granted for only some, but not all, data centre facilities arrangements utilised by the provider.
“In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies.”
Providers will also be required to undergo “a stringent initial assessment and the inclusion of clauses in contracts to safeguard against a significant change in ownership, control or the operation of the provider which would increase the risk profile”.
The higher of the two certifications (certified strategic hosting provider) will require additional guarantees “that there will be no significant change in strategic direction, operation or ownership of the provider which would adversely affect” the government.
Certification is expected to take place in a staged approach, starting with all providers on the data centre facilities supplies panel providing services directly to government agencies in April.
Other providers that host government systems and data such as system integrators, managed services providers and cloud services providers will be able to apply for certification under a second phase, expected to take place in September 2021.
In the interim, providers will be able to enter contract negotiations with agencies for solutions that have a hosting service component, but will only be able to enter into a contract if they gain certification at the required level.