Bumpy ride for the Security Manual
House Rules: The Information Security Manual has hit choppy waters this year
The government document that rides herd over Federal agency cyber security has been on a wild ride this year.
The normally staid process of updating what is known as the Information Security Manual (ISM) got turned on its head as the Coalition government sought to lock in what it saw as best practice cyber policy from the UK and US, as well as trying to modify the certification process for cloud vendors seeking to hold confidential government data.
The ISM is a potent document in the federal cyber scene. It not only sets out government agencies’ cyber security posture, but also aligns with the certification process for cloud providers that aspire to hold sensitive government data.
This is the ASD Certified Cloud Services List (CCSL) and the gold standard for cloud vendors is to score Protected status under the CCSL.
Up until April this year, the CCSL had just four vendors with the Protected classification level. These were local players Dimension Data, Macquarie Government, Sliced Tech and Vault Systems.
The Coalition government has made no secret of its desire for government agencies to use more cloud services and in April, Microsoft Azure joined the Protected CCSL roster.
Microsoft is understood to have been awarded Protected Certification while not having met the same strict ISM-informed criteria as the four other Protected level cloud services providers.
Microsoft’s Protected Certification was awarded on a provisional basis with some caveats – the ASD called them Consumer Guides – for potential government users.
In part this was because the architecture and widely dispersed nature of a global cloud provider did not necessarily fit within the guidelines of the ISM.
Then-Minister for Law Enforcement and Cybersecurity Angus Taylor was bullish about Microsoft scoring Protected status on the CCSL back in April.
“We know that if government is going to really drive a digital transformation agenda, cloud is a crucial part of it. But it’s also crucial for security and privacy,” Mr Taylor said at the time.
“I’m very confident cloud can provide a more secure environment. You don’t get to this level unless we know exactly where the data is being housed.”
“We have already got four Protected status providers and this is the fifth and the biggest and gives us a mix of smaller local players and a big global player,” Mr Taylor said then.
“That mix gives us the potential to accelerate the process and part of it is changing the way government does projects in moving away from the big, old-style IT project to the more modern, agile, faster-moving projects,” he said.
Microsoft Azure’s Protected status gave it a big advantage over arch-competitor AWS, although Microsoft had taken the trouble to invest in two new Canberra region Azure data centres and co-location facilities which sit within the federal government’s secure ICON network.
In May, just after the Azure certification, strange things began to happen to the ISM.
The Australian Cyber Security Centre (ACSC) released a new draft manual for consultation that was quite different to the existing ISM which in past yearly updates had seen just incremental changes.
It appeared that ownership of the federal cyber manual had shifted from the ASD to the ACSC.
Industry insiders who saw that draft noticed a big shift away from strict compliance language containing many ‘shoulds’ and ‘musts’.
The previous emphasis on compliance in the ISM was replaced with a more risk management oriented approach to cyber.
The document also scored a new moniker and was called Cyber Security Manual (CSM).
Moving on from ‘tick the boxes’ cyber compliance to a risk management approach had been fashionable at the UK government’s National Cyber Security Centre and that approach had been picked up by Australia’s cyber czars.
The US National Institute of Standards and Technology (NIST) cyber assessment and authorisation practices also take a risk management approach, and the CSM is understood to have incorporated the NIST risk management framework.
The draft CSM appeared to be ‘back-filling’ the methodology used to give Microsoft its Protected Certification.
But then things got truly weird in federal cyber manual land.
Soon after its appearance for consultation, the CSM disappeared from view as if it had never existed and was replaced in mid-June with a fresh version of the ISM that had minimal changes, leaving everyone not only baffled, but wondering about the integrity of the cyber manual process.
Then came the Coalition’s political hurricane that swept away Malcolm Turnbull, installed Scott Morrison as PM and caused a ministerial reshuffle that saw Angus Taylor switched to the position of Energy Minister.
With the Morrison government way behind in the polls and far more interested in political survival than the minutiae of cyber policy reform, it is unlikely there will be any further action on cyber manual policy until after the next federal election.