The federal government has tightened sovereignty requirements for data hosting vendors and service providers due to security and supply chain concerns.
But nearly six months on, only three vendors have been certified while the department responsible for some of Australia’s most sensitive data declined to say how it will approach the new scheme.
Since March, the federal government has required hosting providers to be certified against a range of security, risk mitigation and ownership requirements to achieve one of two new levels of certification: “Assured” and the higher “Strategic”.
The new certifications are part of a Hosting Certification Framework (HCF), which was developed by the Digital Transformation Agency and operationalises the principles set out in the whole-of-government Hosting Strategy.
In June, the government minister responsible for whole-of-government data and digital policy, Stuart Robert, announced “all relevant government data” under the HCF must be stored in either Certified Assured or Certified Strategic data centres. This requirement came into effect on June 4 and includes all future and “in-flight” projects.
“The Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” Mr Robert said at the time.
“This includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.”
A spokesperson for the DTA confirmed it will be up to agencies to determine their hosting requirements, including whether their data and systems require certified hosting.
“[Agencies are required to] use Certified Strategic or Certified Assured Data Centres for high value or sensitive data sets, PROTECTED data, or whole of government systems; and assess data and systems for the likelihood of data sensitivity changing over time,” a DTA spokesperson told InnovationAus.
“The DTA supports agencies to specify and source hosting arrangements consistent [with] requirements of the agency’s systems and data holdings.”
Certified Assured requires hosting providers to pass a detailed initial assessment and include clauses in contracts that safeguard government agencies and lessen their exit costs in the event of a significant change of ownership, control or operation of the provider.
The higher Certified Strategic includes all Assured requirements, adds a more stringent initial assessment and requires a guarantee that the provider will not change its strategic direction, operation or ownership in a way which would “adversely affect”:
- the level of confidence the Australian public has in the Commonwealth;
- the Commonwealth’s interests; and
- the certainty of services delivered to tenants for the life of the current government contract/s
Certified Strategic providers must cover the full transition costs associated with exiting a data centre due to a breach of the contract. They are also required to mitigate supply chain risks by adhering to a formal risk management framework, have key personnel vetted by the government and provide support from “locations that do not pose a threat to the Commonwealth”.
Certification approvals at each level will be made by the DTA deputy chief executive officer or an authorised delegate, according to the HCF. To maintain certification, providers must notify the government of, and obtain its approval for, any “relevant change” to personnel, strategic direction, ownership, land sale, security or any other circumstance relating to the security operations of the data centre.
In short, the HCF wrestles back much more control and oversight of data centres to government agencies while imposing tough new requirements on vendors and potentially significant penalties for breaches. But it raises questions for competition and the role of systems integrators and cloud service providers.
The framework applies to all direct and indirect providers of hosting and related data centre services to government customers, including involved systems integrators, managed service providers and cloud service providers.
A certification process for direct hosting service providers on the government Data Centre Facilities Supplies Panel began in March and remains open, with other registered providers eligible to apply from next month. All other providers are encouraged to apply now.
So far only three companies have been certified: Australian Data Centres, Canberra Data Centres and Macquarie Telecom Group, all of them Certified Strategic.
The DTA declined to reveal how many other providers have begun the certification process and if any were direct or indirect providers, except to say it “continues to engage and evaluate additional hosting providers against the Framework”.
The Department of Home Affairs declined to answer repeated requests about how it will assess certification needs or how a provider’s personnel are vetted, making it unclear how the department, which has its own extensive hosting requirements and will be providing security advice to other agencies, will interpret the framework.
Home Affairs secretary Michael Pezzullo has flagged the tightening makes the Australian government an “exemplar” and will “not be very attractive” to multinational cloud vendors which have become popular with federal agencies.
The framework stipulates that for systems integrators, managed service providers or cloud service providers, certification will need to happen “for each data centre facility arrangement used by the provider”.
“This may result in a certification being granted for only some, but not all data centre facilities arrangements utilised by the provider. In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the framework said.
This article has been updated to reflect Australian Data Centres, Canberra Data Centres and Macquarie Telecom Group are all Certified Strategic.
Do you know more? Contact James Riley via Email.