Google has become the latest cloud service provider to be cleared to carry sensitive public sector data and protected-level systems under the federal government’s hosting certification framework (HCF).
Google Cloud revealed its ‘certified strategic’ status overnight, making it the ninth cloud provider to be accredited at that level.
Certified strategic is the highest level of assurance under the framework, and requires hosting providers and data centres to allow the government to specify ownership and control conditions.
Amazon Web Services, AUCloud, Sliced Tech, Vault Cloud and Microsoft were all endorsed as certified strategic in late 2021, followed by Kyndryl, Oracle and IBM this year.
There are also eight data centre providers – AirTrunk, Australian Data Centres, Canberra Data Centres, DCI, Equinix, Fujitsu, Macquarie Telecom and NEXTDC – that carry the certification.
No providers are yet to gain the lesser certification of ‘certified assured’, which offers safeguards to agencies if ownership controls or operations change.
Under new rules that came into force this month, agencies can only host sensitive government data, whole-of-government systems and systems rated to a protected-level with such providers.
The mandate applies to “all new and extensions to existing contracts for hosting services”, after the Digital Transformation Agency quietly changed the scope of the policy.
Agencies are also able to use uncertified service providers for "non-sensitive data, or where their internal risk assessment determines it is appropriate to do so", but with only minimal protections.
In a statement, Google Cloud A/NZ vice president Alister Dias described the certification as an “important milestone” that would allow the company to work more closely with agencies.
“Being ‘certified strategic’... means our security controls meet the requirements set by the DTA, which ensures the security management of critical infrastructure, supply chains, government data and systems,” he said.
Dias said Google Cloud also maintains an IRAP certification, which confirms [its] security controls meet the requirements prescribed by the... Australia Cyber Security Centre”.
Google’s addition on the HCF provider list means there are now 28 data centre and cloud providers that are awaiting certification under the whole-of-government HCF.
As revealed by iTnews earlier this week, the backlog has resulted in a last-minute exemption clause that allows agencies to request to use providers that are yet to receive certification.
One unnamed agency has applied for and had an exemption granted by the DTA to date. The exemption will run for at least one year.