Joint Australian Signals Directorate and Digital Transformation Agency Public Statement on Independent Review of CSCP and IRAP
2 March 2020
In late July 2019, the Australian Signals Directorate (ASD) commissioned an independent review of its Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP).
The Review considered the perspectives of industry and government stakeholders to ensure the proposed recommendations support Commonwealth entities, Australian businesses and the community while maximising cyber security and resilience to protect against evolving cyber threats.
The review made the following recommendations:
- Close the CSCP and create new co-designed cloud security guidelines with industry
- Grow and enhance IRAP
- Establish Government and Industry Consultative Forums for cyber security
- Update incentives in Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP.
Cloud Services Certification Program (CSCP)
In line with these recommendations, ASD will today cease the CSCP. ASD will no longer be the Certification Authority and will not be progressing certification activities. This includes re-certification activities.
All services listed on the Certified Cloud Services List (CCSL) will remain ASD certified until 30 June 2020. All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL.
The cessation of the CSCP will open up the Australian cloud market to allow for more home-grown Australian providers to operate. This will also give government customers a greater range of secure and cost effective cloud services.
Commonwealth entities continue to be responsible for their own assurance and risk management activities. In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems.
ASD has developed a number of useful guides for organisations to undertake the appropriate security assessments in relation to cloud services.
It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including:
- Cloud Computing Considerations: https://www.cyber.gov.au/publications/cloud-computing-security-considerations
- Cloud Computing Considerations for Tenants: https://www.cyber.gov.au/publications/cloud-computing-security-for-tenants.
ASD commits to enhancing the existing Cloud Security Guidance with industry.
The Digital Transformation Agency’s (DTA) existing ICT Marketplaces are not affected by this change and will continue to operate as usual. This includes the Cloud Marketplace panel and its new approach to market in early 2020.
The DTA continues to encourage Commonwealth entities to use the Australian Government Secure Cloud Strategy to support their adoption of cloud services, and will continue to proactively work with ASD, vendors and broader industry to articulate best-practice cyber security measures.
Information Security Registered Assessors Program (IRAP)
ASD will enhance its support and delivery of IRAP. Now that the review has concluded, ASD will be accepting applications for new IRAP Assessors and will restart IRAP training sessions.
The boost to the IRAP community will deliver greater resources and higher standards to support government in maintaining its assurance and risk management activities.
ASD will improve the training and assessment of IRAP assessors to bring a greater consistency of skills within the IRAP community.
ASD will establish the Government and select Industry Consultative Forums for cyber security, based on thematic topics and issues.
The Consultative Forums will consist of select government and industry representatives from key stakeholder groups.
The theme of the first Consultative forum will be Cloud security. ASD will use this forum to enhance existing Cloud Security Guidance through the development of co-designed guidelines with industry. These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience.
ASD will send invitations in coming weeks for representatives to serve on the first Cloud Security Consultative Forum. Membership will occur on a rotational basis to ensure input from across industry.
Subsequent thematic Consultative forums will be announced in the coming months.
ASD appreciates the patience of all stakeholders throughout the review process.
The implementation of the independent review recommendations are part of ASD’s continued drive to help make Australia the safest place to connect online.
Further implementation updates will be posted on our website: www.cyber.gov.au.
Further enquiries should be directed to email@example.com.