At a time when global cyber security threats have never been more real, the Australian Signals Directorate has abandoned its Cloud Services Certification Program, until now the gold-standard for cyber security in government.
The certification program, under which the ASD would test and approve cloud platforms and services being sold into government, is to be replaced by a decentralised system of self-regulation that will follow guidelines to be co-developed with industry.
In a joint announcement with the Digital Transformation Agency, the ASD also said it would enhance its support for the Information Security Registered Assessors Program (IRAP), and will start accepting applications for new IRAP assessors.
ASD will also establish a series of government and industry consultative forums for cyber security. The forums will be used to enhance existing cloud security guidance through the development of co-designed guidelines with industry.
The sweeping changes, which go to the core of government cyber security capability, were announced following an independent review commissioned by the ASD last July and conducted by Prof Brendan Sargeant from the National Security College at the Australian National University.
Prof Sargeant is a former deputy director intelligence at the Defence Signals Directorate and served as minister-counsellor for defence policy at the Australian Embassy in Washington.
Based on the review, the ASD on Monday ceased to be the government's certification authority. It will not proceed with the certification activities already underway, and it will not recertify any existing services.
All services listed on the Certified Cloud Services List (CCSL) will remain ASD certified until June 30 2020. All ASD certifications and re-certification letters will be void from that date. The federal government’s Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL.
Incredibly, the certifications are to be replaced by Commonwealth entities conducting self-assessments of cloud services, and the ASD says it has developed a set of guidelines for government entities to undertake their own assessments of cloud services they intend to use.
The closure of the ASD certification program was not unexpected. The program had become unwieldy. When Microsoft was awarded 'Protected' status on the Certified Cloud Services List for what were effectively non-compliant services (caveats were written into the certification) for Azure and Office 365, it left the program open to criticism – and ultimately exposed to risk.
The certification program had been under fire for the length of time it took ASD to run a ruler over new services – some local companies waited years – and for the sometimes political interventions that seemed to fast-track some vendors over others.
With the closure of the program, the backlog of services waiting to be certified has now been rather suddenly cleared.
What comes next will rely to a large extent on the security guidance that will be co-designed by the ASD's planned Government and Industry Consultative Forums for cyber security, based on themed topics and issues.
“The theme of the first Consultative Forum will be cloud security. ASD will use this forum to enhance existing cloud security guidance through the development of co-designed guidelines with industry,” the ASD said.
“These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience,” it said.
ASD will send invitations in coming weeks for representatives to serve on the first Cloud Security Consultative Forum with membership occurring on “a rotational basis” to ensure input from across industry.