Date: 2021-03-10

The Digital Transformation Agency is set to begin certifying data centre and managed services providers that handle federal government data following the release of its long-awaited hosting certification framework.

The framework [pdf], which comes almost two years after the whole-of-government hosting strategy, has been developed to help agencies understand and mitigate supply chain and ownership risks.

It works hand-in-hand with the Foreign Investment Review Board’s existing approval process, as well as policies like the Protective Security Policy Framework and the planned critical infrastructure reforms.

Under the new framework, all “direct and indirect providers of hosting and related data centre services providers to government” will need to obtain one of two certifications, with those that don’t to be considered ‘uncertified’.

The two certifications are ‘certified strategic hosting provider’, which is deemed the highest level of assurance and requires providers to “allow the government to specify ownership and control conditions”, and ‘certified assured hosting provider’.

This terminology has been tweaked slightly since the release of the March 2019 hosting strategy – which had proposed ‘certified sovereign data centre’ and ‘certified assured data centre’ – to remove the term ‘sovereign’.

“During consultation undertaken while developing this certification framework, it became apparent that the original terminology used in the hosting strategy to describe the two levels of certification would benefit from additional clarity,” the DTA said.

“In particular, the term sovereign was taken as excluding any level of foreign investment or control in a hosting provider.

“Under such an interpretation, given the potential for a level of foreign investment, any public listed hosting provider would be ineligible for [a] higher level of certification.

“For clarity, sovereignty refers to the ability of the government to specify and maintain stringent ownership and control conditions.”

Core capabilities

The framework requires that all hosting providers have a minimum set of “core capabilities” that are subject to ownership and control provisions, as well as a minimum set of supply chain capabilities that are subject to security and risk assessments.

Where hosting providers do not have control or ownership over the core capabilities underpinning their services, they may also need agreement from the ultimate owners, meaning the certification process will be different for direct and indirect hosting providers.

Direct hosting providers are considered those suppliers on the current data centre facilities supplies panel, which includes Canberra Data Centres, Macquarie Telecom, NextDC, Fujitsu and Equinix.

Indirect hosting providers, on the other hand, are considered systems integrators, managed service providers or cloud services providers that have a commercial arrangement with direct hosting providers.

“When applied to system integrators, managed service or cloud service providers, the framework will include an assessment of the underlying hosting services and data centre facilities that are used,” the framework states.

“As a result, certification of system integrators, managed service and cloud service providers will occur for each data centre facility arrangement used by the provider.

“This may result in certification being granted for only some, but not all data centre facilities arrangements utilised by the provider.

“In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies.”

Certification under the framework is expected to take place in a staged approach, starting with all hosting providers on the data centre facilities supplies panel providing services directly to government agencies from April.

All other providers that host government systems and data such as system integrators, managed services providers and cloud services providers will be able to apply for certification under a second phase from September 2021.