ACSC shutters cloud certification program

The Australian Cyber Security Centre (ACSC) will shutter its Cloud Services Certification Program (CSCP) following an independent review commissioned by the Australian Signals Directorate.

The program, which was used by the Australian Signals Directorate to certify technology providers to handle government data up to the Protected classification status, will be replaced with new co-designed cloud security guidelines developed in collaboration with industry.

As a result of the change, the ASD will no longer act the certification authority for government use of cloud services.

All existing certified cloud services will retain this status until June, but the requirement to select cloud services from the list of certified providers will be removed from the Information Security Manual.

“The cessation of the CSCP will open up the Australian cloud market to allow for more homegrown Australian providers to operate. This will also give government customers a greater range of secure and cost-effective cloud services,” the ASD said in a statement.

Previously the list of certified providers included a substantial number of overseas providers, such as Microsoft, AWS and IBM. But it also included some Australian companies, including government IaaS cloud provider Vault Systems.

Federal government entities will be required to self-assess cloud services, with the ASD recommending that this assessment be based on the security controls of the ISM and cloud security guidance previously released by the agency.

Meanwhile, the separate Information Security Registered Assessors Program (IRAP) will be expanded in response to the review’s recommendations. The ASD shortly plans to begin accepting applications for new assessors and hold new training sessions in support of the program.

The ASD also plans to continue to work with the Digital Transformation Agency, in consultation with industry, to develop best-practice cybersecurity measures.

Image credit: ©stock.adobe.com/au/tippapatt