About
The Australian Signals Directorate’s (ASD’s) Blueprint for Secure Cloud (the Blueprint) is an online tool to support the design, configuration and deployment of collaborative and secure cloud and hybrid workspaces, with a current focus on Microsoft 365.
The Blueprint was originally developed and released by the Digital Transformation Agency (DTA) in March 2020. Responsibility for the Blueprint transferred from the DTA to ASD in April 2023. This updated version of the Blueprint reflects the latest terminology, advice and changes to the technology stack, and can be found at blueprint.asd.gov.au.
Using the Blueprint
The Blueprint provides better practice guidance, configuration guides and templates covering risk management, architecture and standard operating procedures developed as per the controls in ASD’s Information Security Manual (ISM). It is recommended to refer to ASD’s ISM, the Essential Eight and ASD’s Cloud Security guidance suite when using the Blueprint.
Australian Government organisations should also refer to the Department of Home Affairs’ Protective Security Policy Framework (PSPF). The ISM and PSPF outline requirements and controls for cloud consumers to use in the assessment of a cloud service provider (CSP), its cloud services and the cloud consumer’s own systems (including where organisations have used the Blueprint to configure these systems). For Australian Government organisations, to ensure their cloud systems have achieved the desired security baseline, these systems need to be assessed to gain assurance they meet the security requirements and risk tolerance of the organisations. This assessment should be performed by an Infosec Registered Assessors Program assessor.
Adopting the Blueprint is as much a business transformation as it is a configuration and implementation process. Implementation of the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
Implementation of the Blueprint does not certify or endorse a system as suitable to handle OFFICIAL, OFFICIAL: Sensitive or PROTECTED information, but does provide practical guidance for organisations to consider alongside the requirements in the ISM and PSPF when designing, configuring and deploying cloud or hybrid workspaces.
A refreshed Blueprint
ASD’s Blueprint for Secure Cloud is designed to assist organisations in making, documenting, implementing and communicating decisions within their unique operating context and organisational culture. Guidance on configuration has been segmented into smaller pages aligned with each Microsoft 365 service and application. This will assist organisations in making informed risk-based decisions on how to best implement each of these services to suit their needs.
These updates aim to meet organisations wherever they are in their use of previous versions of the Blueprint, to continue to use it as a tool to manage and track their ongoing implementation of Microsoft 365 services and applications over time and implement new products as they become available.
Intended audience
While the Blueprint is primarily developed for Australian Government organisations, private sector organisations may also find the Blueprint a useful resource. The intended audience for the Blueprint is:
- Administrators, architects, engineers and developers implementing cloud computing services
- Technical management, Information Technology security stakeholders and assessors assessing implementation of cloud computing services
- Business sponsors and other senior stakeholders approving or authorising cloud computing services, and
- Others that have a technical interest in oversight, assessment, authorisation or administration of cloud computing services.
Contact us
If you have any questions or suggestions about the Blueprint, or to request targeted technical advice, please get in touch with us at blueprint@asd.gov.au or on GitHub.