Federal agencies will no longer need to seek approval from Australia’s top cyber spy agency when purchasing cloud services.
This week the Australian Signals Directorate and the Digital Transformation Agency announced that ASD’s cloud services certification program (CSCP) had ceased as of March 2.
However, the agencies noted that all services listed on the Certified Cloud Services List (CCSL) will remain ASD-certified until June 30, after which all ASD certifications and re-certification letters will be void.
The government’s Information Security Manual (ISM) will also be updated to remove the requirement to select cloud services from the CCSL, they said.
Government entities will now be able to self-assess their own cloud service risks using practices already in place for assessing ICT systems, in a bid to “open up the Australian cloud market”, according to the agencies.
“This will also give government customers a greater range of secure and cost-effective cloud services,” they noted.
“Commonwealth entities continue to be responsible for their own assurance and risk management activities.”
The shake-up follows a review by former senior Defence official Brendan Sargeant, commissioned by the ASD in July 2019. The review looked at the CSCP as well as the Information Security Registered Assessors Program (IRAP), according to the agencies.
“The review considered the perspectives of industry and government stakeholders to ensure the proposed recommendations support Commonwealth entities, Australian businesses and the community while maximising cyber security and resilience to protect against evolving cyber threats,” they said.
The review recommended the closure of the CSCP and the creation of “new co-designed cloud security guidelines with industry”, as well as the growth and enhancement of the IRAP.
It also called for the establishment of consultative forums for government and industry, with a focus on cyber security.
ASD said it would establish the forums, with the first set to focus on cloud security.
“ASD will use this forum to enhance existing cloud security guidance through the development of co-designed guidelines with industry,” they noted.
“These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience.”