Assessments of hosting service providers against the Hosting Certification Framework (HCF) have been partially outsourced by the Digital Transformation Agency, as the certification backlog for the data sovereignty scheme continues to grow.
The move raises further questions about the integrity of the HCF, which was introduced only last year to temper concerns within government about data sovereignty and risk exposure, including future replatforming costs.
The government’s digital advisor brought in Canberra-based boutique professional services firm Anchoram Consulting to provide “hosting certification assessments” late last month at a cost of $1.8 million over the next year.
According to tender documents, the firm will work “as part of a multi-disciplinary team under the direction of the DTA” to assess hosting service providers against requirements under the sovereignty framework.
The contract, which runs between 26 September 2022 and 25 September 2023, will also see Anchoram Consulting provide “ongoing assessment of providers”, “provider engagement support” and “written analysis and assessment reporting”.
Digital strategy, architecture and discovery general manager Lucy Poole told InnovationAus.com the firm will “support the assessment of a number of providers, including small and medium-sized enterprises” (SMEs) but stressed the DTA will continue to approve all certifications.
“Anchoram Consulting [will] enable the DTA to continue delivering significant security and economic benefits for Australia by strengthening Australia’s hosting protections and providing SMEs an equal opportunity to deliver secure hosting services,” she said.
Asked whether the use of external consultants to assess hosting service providers against the privacy, sovereignty, and security requirements under the HCF compromises the intent of the scheme, Ms Poole said “no”.
But industry insiders believe the use of consultants to assess applications has the potential to skew the outcome and only add to the transparency concerns highlighted by the certification of Amazon Web Services last year.
The decision to call in external consultants for the assessments of applications follows revelations of an HCF certification backlog at the DTA, with dozens of data centre and cloud service providers waiting months for sign-off.
It has created a situation where government agencies are required to seek exemptions for those providers yet to receive certification for “all new and extensions to existing contracts for hosting services”.
As of July, agencies are required to host all sensitive government data, whole-of-government systems and systems rated at the protected classification level with only certified strategic or certified assured providers.
Ms Poole revealed the backlog in the number of unapproved applications had grown from 29 in July to 33 but would not confirm whether this had any bearing on the recent contract. The number of exemptions for agencies now sits at three, up from one in July.
Providers to be certified as ‘certified strategic’ since July include Google Cloud, data centre providers iseek and Digital Realty, and, most recently, medical IT managed service provider Medihost Solutions and document sharing solution provider Secure Collaboration.
Certified strategic is the highest level of assurance under the framework, requiring providers to allow the government to specify ownership and control conditions, while certified assured offers safeguards if ownership controls or operations change.
The certification process is continuing to average between three and six months, with the timeframe varying “according to each service provider’s circumstances and registration request”, Ms Poole said, pointing to cooperation levels and the number of services for assessment.
The oldest application – which has been “placed on hold at the request of the provider” – is 16 months. The DTA finalised the assessment of the provider in three months, but the provider has been “working through legal complexities relating to its operating environment” since November.
With the HCF now 18 months old, the DTA is turning its attention to the second iteration, and has already contracted Canberra-based consultancy Evolve&Amplify to work on reforming the scheme, including developing cost recovery plans, at a cost of $1.4 million.
The HCF 2.0 is expected to apply to not only data centre and cloud service providers but software-as-a-service providers and managed service providers, which were exempted from the scheme earlier this year.
A virtual information session where the agency will discuss “consideration for the next iteration of the HCF” and related activities with government agencies and industry is planned for later this month.
Do you know more? Contact James Riley via Email.