Australia’s cyber spies will stop certifying secure internet gateway (SIG) services in preparation for the centralisation of federal government networks through a series of cyber hubs.
The Australian Signals Directorate and Digital Transformation Agency revealed the policy change on Monday, paving the way for an expansion of the hub model from as early as July next year.
Cyber hubs were first flagged in the government’s cyber security strategy last year to reduce the number of target networks and allow it to focus investment on a smaller network footprint.
They are seen as critical to uplifting the cyber security of public sector networks, complementing work to implement the Essential Eight controls which has proved difficult for agencies of all sizes.
Since July, the government has been piloting three cyber hubs in Defence, Home Affairs and Services Australia to inform a future whole-of-government operating model by testing core services.
But even as the 12-month pilot continues at the three agencies, the government’s SIG policy has now been “modernised” to ensure it is “consistent with and supports the implementation of cyber hubs”.
“It is envisioned that the future cyber hubs operating model… will see cyber hubs providing a range of cyber security services, including SIG services, to non-corporate Commonwealth entities,” ASD and the DTA said in a statement.
“As such, consideration is being given to how SIG services should integrate with a future cyber hubs model.
“DTA will provide timely advice to Commonwealth entities, cyber hub providers and industry during the government’s development of cyber hubs subject to government approval.”
With the hubs expected to “centralise the management and operations of Commonwealth entities for cyber monitoring, detection and response capabilities”, ASD “will no longer progress re-certification activities” for commercial or government SIGs.
Existing certified gateway providers – Emantra, Macquarie Telecom, NTT, Optus, Sliced Tech, Telstra and Verizon – will remain certified until ASD’s role as certification authority ceases on 1 July 2022.
The two agencies said the changes would better enable and encourage agencies using existing SIGs to adopt “emerging cyber security technologies and capabilities”.
“Entities will be empowered to adopt a new risk-based authorisation model, consistent with the consideration of other cyber architecture such as the adoption of cloud environments,” they said.
“Security guidance, co-designed by the Australian Cyber Security Centre with government and industry from key stakeholder groups, will be developed through consultative forums to support the policy enhancements.”
The agencies said the model aligned with the approach they had adopted for cloud services since ditching the cloud services certification program in early 2020 to remove bottlenecks.
Changes to ASD’s role as the SIG certification authority come two-and-a-half years after the DTA last reviewed the government’s shared gateway scheme to give agencies more flexibility.
The policy at that time mandated a core internet gateway reduction program for all agencies, but granted them the freedom to deploy the services that best served their cyber security posture.
The DTA is now expected to work with the Attorney-General’s Department and the Australian Cyber Security Centre to ensure the new SIG policy aligns with the protective security policy framework.
“In the interim, entities will continue to meet their SIG requirements in line with the PSPF obligations, and existing industry partners will continue to provide services in line with current arrangements,” ASD and the DTA said.