There has always been a tension between government agencies’ desire to harness the economic and technological benefits that cloud solutions offer, and their need to ensure that appropriate security measures exist to protect the data in their care. Until now the Certified Cloud Services List (CCSL) administered by the Australian Signals Directorate (ASD) has offered something of a “safe harbour” for Commonwealth, and State and Territory government agencies attempting to navigate these complex waters.
However, earlier this month, the ASD and the Digital Transformation Agency (DTA), following a review of the Cloud Services Certification Program (CSCP) and the associated Information Security Registered Assessors Program (IRAP), called time on the CCSL, which will cease operation on 30 June 2020.
What is the Certified Cloud Services List?
The CCSL offers a list of cloud services that are certified as being compliant with the various security requirements of the Commonwealth’s Information Security Manual, in relation to both PROTECTED and UNCLASSIFIED data. This has served both Commonwealth and State and Territory government agencies alike as an aide in specifying the requirements that must be met in procuring cloud-based solutions and in evaluating the compliance of proposed solutions with relevant regulatory requirements.
So, why the change?
In the joint statement, the ASD and DTA noted that the objective of this approach is to “open up the Australian cloud market to allow for more home-grown Australian providers to operate” and “give government customers a greater range of secure and cost-effective cloud services”. The statement indicates this will be achieved by the ASD “enhancing” its support and delivery of the IRAP program, and improving “the training and assessment of IRAP assessors”. As part of this, ASD will establish “Consultative Forums” to enhance guidance, the first of which will be dedicated to cloud security.
So, what's the consequence?
The effective deregulation of the cloud security certification process represents both a risk and an opportunity for government agencies planning to procure a cloud solution. While the CCSL has to date drawn a “bright line” around providers complying with the relevant security requirements, a past criticism of the list has been the slow rate at which IRAP assessments have been able to be completed and changes to the list made. This has resulted in a somewhat limited and static menu of potential cloud solutions for government users to choose from, particularly in relation to PROTECTED data, where only six providers have completed the certification process.
With an increase in the number of IRAP assessors with whom government agencies can work to complete their own independent assessment, there will likely be an increase in competition and the number of technical solutions that can be supported. This is particularly important in relation to niche software products, where (unless the relevant software is able to be deployed on a platform provided by a certified cloud service provider) there has been a barrier to using the solution.
However, a return to “first principles” certification also requires careful planning. Agencies will need to factor in the time and cost of completing an independent IRAP certification process (or such other equivalent or alternative certification) in planning cloud procurements to demonstrate that the proposed solution meets the relevant government security requirements. Government agencies should monitor developments to the ASD's cloud security guidance to ensure they are taking appropriate steps to evaluate the security of their cloud solutions.
And finally, a further issue to consider is the impact of the cessation of the operation of the CCSL on existing contracts, particularly where the contract references the use of a cloud solution having received IRAP certification from the ASD and being included on the CCSL as a proxy for specific functional and non-functional requirements that must be met by the solution. In those cases, it may be necessary to agree with the vendor an alternate set of requirements which the solution must comply with to avoid the discontinuance of the CCSL leaving an unintended void.