ASD has awarded ASD Certification to the listed cloud service providers for specified cloud services. ASD has issued the providers with a:
- Certification Letter outlining the details of the certification and describing the conditions of holding certification and when re-certification may be triggered.
- Certification Report which provides customers with an overview of the security aspects which should be considered prior to accreditation.
Australian Government agencies procuring these services are advised to request the ASD Certification Letter and Certification Report from the cloud service provider, and consider the ASD advice prior to awarding accreditation. ASD does not distribute the Certification Letter and Certification Report as they are the property of the cloud service provider.
IRAP Security Assessments and ASD Certification are based on the Australian Government Information Security Manual. Australian Government agencies should review the ASD Cloud Computing Security documents, which describe security risk mitigations associated with cloud computing. In addition, Australian Government agencies must perform due diligence reviews of the legal, financial and privacy risks associated with procuring cloud services (which this certification does not include).
ASD Certified Cloud Services List (CCSL)
ASD broadly uses the US National Institute of Standards and Technology (NIST) cloud computing definition (PDF), which defines three service models for cloud computing. However, we will also include cloud computing services that have alternative billing models to those described by NIST.
|Cloud provider||Cloud service||Classification level|
|Amazon||Amazon Web Services (AWS)||PROTECTED*|
|NTT Australia||Protected Government Cloud (PGC)||PROTECTED|
|Macquarie Government||GovZone (Secure Cloud)||PROTECTED|
|Sliced Tech||Gov Cloud Package||PROTECTED|
|Vault Systems||Gov Cloud Package||PROTECTED|
|Amazon||Amazon Web Services (AWS)||Unclassified DLM|
|Dell Virtustream||Dell Virtustream Cloud||Unclassified DLM|
|Education Services Australia||ESA GovZone||Unclassified DLM|
|Google Cloud Platform||Unclassified DLM|
|Macquarie Government||GovZone (LAUNCH)||Unclassified DLM|
|Microsoft||Dynamics CRM Online||Unclassified DLM|
|Microsoft||Office 365||Unclassified DLM|
|Rackspace||Dedicated Hosting Environment (DHE)||Unclassified DLM|
|Salesforce||PaaS, SaaS||Unclassified DLM|
|ServiceNow||ServiceNow SaaS||Unclassified DLM|
|Sliced Tech||IaaS||Unclassified DLM|
|Vault Systems||IaaS||Unclassified DLM|
Last updated January 2019.
For the detailed list of certified cloud services, refer to the cloud service providers' ACSC Certification Report.
* Agencies must configure in line with the guidance in the ACSC Certification Report and Consumer Guide.
Other cloud providers are currently going through ASD's certification process. If your organisation is considering a cloud service that is not on this list, please contact us.
Cloud computing advice
- The Privacy Act 1988 defines legislative requirements for the handling of private information.
- The Archives Act 1983 regulates government record-keeping requirements.
- The Digital Transformation Agency provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Australian Government agencies to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the Digital Transformation Agency for use by the whole of Australian Government.