The Cloud Services Certification Program (CSCP) ceased on 2 March 2020. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) ceased the Certified Cloud Services List (CCSL) on 27 July 2020 and concurrently released the Cloud Security Guidance package.
In July 2019, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) commissioned an independent review of its Cloud Services Certification Program (CSCP) and Infosec Registered Assessors Program (IRAP).
From 2 March 2020, ASD ceased the CSCP. The Australian Signals Directorate (ASD) is no longer the Certification Authority for cloud services for Commonwealth entities and will no longer progress certification activities, including re-certification activities. The associated Certified Cloud Services List (CCSL) ceased on 27 July 2020. All ASD cloud service certification and re-certification letters are now void.
On 27 July 2020, following the closure of the CSCP and CCSL, ASD's ACSC and the Digital Transformation Agency (DTA) released new cloud security guidance co-designed with industry to support the secure adoption of cloud services across government and industry. This new guidance includes:
- Anatomy of a Cloud Assessment and Authorisation
- Cloud Assessment and Authorisation - Frequently Asked Questions
- Cloud Security Assessment Report Template
- Cloud Controls Matrix
The cloud security guidance aims to guide organisations, including government, cloud service providers (CSPs) and IRAP assessors, on how to perform a comprehensive assessment of a CSP and its cloud services so that a risk-informed decision can be made about its suitability to handle an organisation’s data. To assist with the assessment of CSPs and their cloud services, the Cloud Controls Matrix (CCM) can be used by IRAP assessors to capture the implementation of controls. The latest CCM can be found on the webpage for the Information Security Manual (ISM).
The CCM also provides indicative guidance on the scoping of cloud security assessments, and on control inheritance for systems under a shared responsibility model. That guidance is not definitive and should be interpreted by the assessor in the context of the assessed system. Further, these comments have generally been developed with reference to OFFICIAL: Sensitive and PROTECTED public clouds. This does not preclude their use for other types of cloud services, though additional scrutiny should be applied when relying on them in that case. Importantly, the CCM also captures the ability of cloud consumers to implement controls for systems built on top of the CSP's services, by identifying where they are responsible for configuring the service in accordance with the ISM.
The cloud security guidance is further supported by the Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and the Secure Cloud Strategy. Existing ASD's ACSC products also remain available and support the new guidance:
- Cloud Computing Security Considerations
- Cloud Computing Security Considerations for Cloud Service Providers
- Cloud Computing Security Considerations for Tenants.
The ASD's ACSC will continue to engage with both government and industry to ensure the new guidance is implemented effectively and remains fit for purpose.
The cessation of the CSCP and CCSL—and the adoption of the new cloud security guidance—will allow Commonwealth entities to choose from a wider range of CSPs and cloud services.
Commonwealth entities continue to be responsible for their own assurance and risk management of cloud services.
The DTA’s existing ICT Marketplaces are not affected by these changes and will continue to operate as usual. This includes the Cloud Marketplace panel and its new Approach to Market on 21 May 2020.
The DTA continues to encourage Commonwealth entities to use the Australian Government Secure Cloud Strategy to support their adoption of cloud services, and will continue to work closely with ASD's ACSC, vendors and broader industry to articulate best-practice cyber security measures.
- The Privacy Act 1988 defines legislative requirements for the handling of private information.
- The Archives Act 1983 regulates government record-keeping requirements.
- The Digital Transformation Agency provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Australian Government agencies to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the Digital Transformation Agency for use by the whole of Australian Government.