Skip to main content

The Cloud Services Certification Program (CSCP) ceased on 2 March 2020. ASD will cease the Certified Cloud Services List (CCSL) on 27 July 2020. Concurrently ASD will release the Cloud Security Guidance package. This is to ensure that arrangements, including guidance and industry preparation, are consistent with the threat environment.

In July 2019, the Australian Signals Directorate (ASD) commissioned an independent review of its Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP). For the public statement on the review outcomes, see Joint ASD-DTA Public Statement on Independent Review of CSCP and IRAP.

In line with review recommendations, as of 2 March 2020 the CSCP will cease. ASD will no longer be the Certification Authority and will not be progressing certification activities. This includes re-certification activities.

All services listed on the Certified Cloud Services List (CCSL) below will remain ASD-certified until 27 July 2020. All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL.

The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services.

Commonwealth entities continue to be responsible for their own assurance and risk management activities. In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems.

ASD has developed a number of useful guides for organisations to undertake the appropriate security assessments in relation to cloud services.

It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including:

ASD commits to enhancing the existing cloud security guidance with industry.

The Digital Transformation Agency’s (DTA) existing ICT Marketplaces are not affected by this change and will continue to operate as usual. This includes the Cloud Marketplace panel and its new approach to market in 2020.

The DTA continues to encourage Commonwealth entities to use the Australian Government Secure Cloud Strategy to support their adoption of cloud services, and will continue to proactively work with ASD, vendors and broader industry to articulate best-practice cyber security measures.

ASD Certified Cloud Services List (CCSL)

Cloud provider Cloud service Classification level
Amazon Amazon Web Services (AWS) PROTECTED*
NTT Australia Protected Government Cloud (PGC) PROTECTED
Macquarie Government GovZone (Secure Cloud) PROTECTED
Microsoft Azure PROTECTED*
Microsoft Office 365 PROTECTED*
Sliced Tech Gov Cloud Package PROTECTED
Vault Systems Gov Cloud Package PROTECTED
Amazon Amazon Web Services (AWS) Unclassified DLM
Dell Virtustream Dell Virtustream Cloud Unclassified DLM
Education Services Australia ESA GovZone Unclassified DLM
Google Google Cloud Platform Unclassified DLM
IBM Bluemix Unclassified DLM
Macquarie Government GovZone (LAUNCH) Unclassified DLM
Microsoft Azure Unclassified DLM
Microsoft Dynamics CRM Online Unclassified DLM
Microsoft Office 365 Unclassified DLM
Rackspace Dedicated Hosting Environment (DHE) Unclassified DLM
Salesforce PaaS, SaaS Unclassified DLM
ServiceNow ServiceNow SaaS Unclassified DLM
Sliced Tech IaaS Unclassified DLM
Vault Systems IaaS Unclassified DLM

* Commonwealth entities must configure in line with the guidance in the ACSC Certification Report and Consumer Guide.

Related information