DTA cloud certification backlog forces last-minute hosting exemption – Strategy – Cloud – Security


A certification bottleneck in the federal government’s Hosting Certification Framework (HCF) has emerged, with dozens of data centers and cloud providers still awaiting approval to retain industry data protected level public.

iTnews may reveal that 29 data center and cloud providers have not yet been certified by the Digital Transformation Agency as “strategic certified” or “assured certified” because the government’s mandate for agencies to only use accredited suppliers comes into effect.

The apparent delay has seen the DTA, which oversees the whole-of-government framework, introduce a last-minute exemption allowing agencies to apply to use vendors who have not yet received certification.

Under the HCF, agencies are required to house all sensitive government data, government-wide systems, and classified systems at a protected classification level with only Certified Strategic or Certified Insured providers starting this month.

Strategic certification is the highest level of assurance in the framework, requiring vendors to authorize the government to specify ownership and control terms, while certified certification provides assurances if ownership controls or operations change. .

Agencies may also use non-certified service providers for “non-sensitive data, or when their internal risk assessment determines it is appropriate to do so”, but have been warned that such services only offer minimal protection.

Since the DTA began accepting certification registrations in April 2021, eight data center providers – AirTrunk, Australian Data Centres, Canberra Data Centres, DCI, Equinix, Fujitsu, Macquarie Telecom and NEXTDC – have been certified.

Eight other cloud service providers, who had the opportunity to register in September 2021, have also been certified: Amazon Web Services, AUCloud, Sliced ​​Tech, Vault Cloud, Microsoft, Kyndryl, Oracle and, most recently, IBM .

But a spokesperson said iTnews that “a total of 45 registrations of data centers and cloud service providers seeking certification” have been received by the DTA since the framework was published, with 29 registrations still to be approved.

A breakdown of the 45 registrations provided by the DTA shows that 10 registrations were filed this year, with the remaining 35 applications received in 2021. The data suggests that some providers are waiting more than six months for certification.

Year Month Registrations
2021 March 12
April 1
May 2
June 1
July 3
August 3
September 2
October 5
November 3
December 3
2022 January 1
March 4
April 2
May 1
June 1
July 1

The spokesperson said the certification evaluation process at the DTA can take “on average three to six months,” but the timeline “differs depending on each vendor’s circumstances.”

Circumstances include the size of a provider, the number of services being evaluated, the number of third parties involved, the extent of the provider’s commitment, and its ability to submit required documentation.

The DTA also pays “particular consideration…to the number and value of contracts currently held with the Australian Government” when prioritizing service providers for accreditation under the framework.

“This approach is intended to ensure that the greatest number of government customers engage with certified service providers,” the spokesperson said.

“Every measure is taken to ensure that service providers who have not yet undertaken the certification assessment process are not disadvantaged.”

Given the backlog of certification registrations, the DTA has introduced an exemption for agencies relying on service providers still awaiting certification for up to two years, including an option to extend a year.

The spokesperson said iTnews the exemption was introduced on June 24, just a week before the agency data mandate came into effect, but did not say whether this was directly in response to the backlog of certifications.

“The exemption reflects the large number of service providers used by the government, different times in time government customers are [at] in the procurement cycle and the need to facilitate transitional arrangements in certain circumstances,” the spokesperson said.

Only one supplier has requested an exemption so far, which the spokesperson said has been granted.

The DTA later also changed the wording on its website so that the requirements now only apply to “all new contracts and extensions of existing contracts for hosting services” and not to all existing government contracts, as was the case previously.

DTA’s website also now states that “HCF requirements will not apply to Software-as-a-Service or Managed Services vendors until the next iteration of the policy is set.”

With nearly 30 providers still awaiting certification, the DTA now faces a similar situation to the Australian Signals Directorate’s Cloud Services Certification Program (CSCP), which was phased out in 2020.

Originally introduced to ensure cloud services were comprehensively assessed to maximize data security, the certification process has been criticized as onerous, expensive and time-consuming for cloud providers looking to sell in Canberra .

Six cloud service providers – AWS, Microsoft, Vault Systems, Macquarie Telecom, Sliced ​​Tech and NTT Australia – were certified at a protected level under the program between 2017 and 2020, while seven other providers were certified at the unclassified level.


About Author

Comments are closed.