The Australian Signals Directorate (ASD) will be shuttering the current form of its cloud certification program after an independent review recommended that the system be reworked.
The Cloud Services Certification Program (CSCP) will be replaced with new cloud security guidelines that will be formed following consultation with industry. The Information Security Registered Assessors Program (IRAP), meanwhile, will “grow” and be “enhanced”.
The ASD will also establish government and industry “consultative forums for cybersecurity”.
ASD will no longer be the certification authority and said it would not progress certification activities, including re-certification activities.
All services listed on the Certified Cloud Services List (CCSL) will remain ASD-certified until 30 June 2020, after which time all ASD certifications and re-certification letters will be void.
ASD said the vendors and their certifications will be removed from the Australian Government Information Security Manual (ISM).
“The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate,” ASD said. “This will also give government customers a greater range of secure and cost-effective cloud services.”
Currently, there are 13 vendors on the CCSL, four of which are Australian companies. Amazon Web Services, NTT, Macquarie Government, Microsoft, Sliced Tech, and Vault Systems are all currently certified at a protected level.
Local vendors Sliced Tech and Vault Systems were the first to receive protected status and were shortly followed by Macquarie Government, part of the Macquarie Telecom Group.
Unlike all previous such certifications, Microsoft’s certifications were provisional, and came with what the ASD called “consumer guides”. In his capacity as Australia’s Cyber Coordinator, security industry veteran Alastair MacGibbon also vouched for Redmond.
Dell Virtustream, Education Services Australia, Google, IBM, Rackspace, Salesforce, and ServiceNow all have Unclassified DLM status for certain cloud services.
With the expiration of the CCSL, ASD said Commonwealth entities would continue to be responsible for their own assurance and risk management activities.
“In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems,” ASD wrote.
“It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including: Cloud Computing Security Considerations and Cloud Computing Security Considerations for Tenants.”
ASD said it will accept applications for new IRAP Assessors and restart IRAP training sessions.
Meanwhile, the Government and select Industry Consultative Forums for cybersecurity will consist of select government and industry representatives, with the theme of the first forum to be cloud security.
“ASD will use this forum to enhance existing cloud security guidance through the development of co-designed guidelines with industry,” it said.
In mid-2018 there were seven vendors lined up to receive ASD certification.