On 27 July 2020, following the closure of the Cloud Services Certification Program (CSCP) and the associated Certified Cloud Services List (CCSL), the Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) released new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry.
The Cloud Security Guidance aims to guide organisations including government, cloud service providers (CSP), and Information Security Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation’s data.
The Cloud Security Guidance package includes:
To assist organisations to transition from the CSCP to this new assessment framework, ACSC has also developed the Cloud Assessment and Authorisation Framework - FAQs.
The Cloud Security Guidance is supported by forthcoming updates to the Australian Government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the DTA’s Secure Cloud Strategy.
Current ACSC guidance is also available and supports the new guidance:
- Cloud Computing Security Considerations
- Cloud Computing Security Considerations for Cloud Service Providers
- Cloud Computing Security Considerations for Tenants.
The DTA provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Australian Government agencies to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the DTA for use by the whole of Australian Government.