In July 2019, the Australian Signals Directorate (ASD) commissioned an independent review of its Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP). For the public statement on the review outcomes, see Joint ASD-DTA Public Statement on Independent Review of CSCP and IRAP.
In line with review recommendations, as of 2 March 2020 the CSCP will cease. ASD will no longer be the Certification Authority and will not be progressing certification activities. This includes re-certification activities.
All services listed on the Certified Cloud Services List (CCSL) below will remain ASD-certified until 27 July 2020. All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL.
The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services.
Commonwealth entities continue to be responsible for their own assurance and risk management activities. In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems.
ASD has developed a number of useful guides for organisations to undertake the appropriate security assessments in relation to cloud services.
It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including:
ASD commits to enhancing the existing cloud security guidance with industry.
The Digital Transformation Agency’s (DTA) existing ICT Marketplaces are not affected by this change and will continue to operate as usual. This includes the Cloud Marketplace panel and its new approach to market in 2020.
The DTA continues to encourage Commonwealth entities to use the Australian Government Secure Cloud Strategy to support their adoption of cloud services, and will continue to proactively work with ASD, vendors and broader industry to articulate best-practice cyber security measures.
ASD Certified Cloud Services List (CCSL)
|Cloud provider||Cloud service||Classification level|
|Amazon||Amazon Web Services (AWS)||PROTECTED*|
|NTT Australia||Protected Government Cloud (PGC)||PROTECTED|
|Macquarie Government||GovZone (Secure Cloud)||PROTECTED|
|Sliced Tech||Gov Cloud Package||PROTECTED|
|Vault Systems||Gov Cloud Package||PROTECTED|
|Amazon||Amazon Web Services (AWS)||Unclassified DLM|
|Dell Virtustream||Dell Virtustream Cloud||Unclassified DLM|
|Education Services Australia||ESA GovZone||Unclassified DLM|
|Google Cloud Platform||Unclassified DLM|
|Macquarie Government||GovZone (LAUNCH)||Unclassified DLM|
|Microsoft||Dynamics CRM Online||Unclassified DLM|
|Microsoft||Office 365||Unclassified DLM|
|Rackspace||Dedicated Hosting Environment (DHE)||Unclassified DLM|
|Salesforce||PaaS, SaaS||Unclassified DLM|
|ServiceNow||ServiceNow SaaS||Unclassified DLM|
|Sliced Tech||IaaS||Unclassified DLM|
|Vault Systems||IaaS||Unclassified DLM|
* Commonwealth entities must configure in line with the guidance in the ACSC Certification Report and Consumer Guide.
The Digital Transformation Agency provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Australian Government agencies to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the Digital Transformation Agency for use by the whole of Australian Government.