Federal agencies and departments are in the middle of clarifying that their data systems are hosted with certified service providers, as the government moves to further strengthen cybersecurity by mid-2022.
The federal government is requiring all high-value data, whole-of-government systems, and data classed as “protected” to be hosted within certified data centre facilities by June 30 next year.
The shift requires data to be hosted with an appropriate level of privacy, sovereignty, and security controls.
A new website launched by the Digital Transformation Agency sets out to explain a framework to assist government service providers with the change.
The framework offers three levels of certification for data systems, with the highest being ‘strategic’, which allows the government to specify ownership and control conditions.
An ‘assured’ level of certification penalises providers with financial disincentives if they change ownership or control, while an ‘uncertified’ level offers minimal protections but can be used for non-sensitive government data or where an internal risk assessment allows.
As part of a transition phase, government agencies have been required to identify, during tenders or contracts involving data centres, whether providers are ‘strategic’ or ‘assured’ in their data storage.
Since March, the Digital Transformation Agency has been working through a staged approach to ensure that the largest footprint of government systems and data resides in certified facilities.
A strategy document from the agency highlights that next year, groups such as systems integrators, managed services providers and cloud services providers will be able to apply for certification under the government’s second phase of implementing the certification framework.