Release of the Hosting Certification Framework
10 March 2021
The Hosting Certification Framework has been released, supporting the Government’s commitment to safeguarding and securing government held data. The Framework operationalises the principles set out in the Hosting Strategy.
Hosting Certification Framework
The Government is committed to ensuring there are effective controls in place for the critical data holdings and systems that underpin the operation of government. This includes knowing how, where and when data is stored and achieving greater assurance over the operation and supply chains of providers.
The Hosting Certification Framework will assist government agencies to mitigate supply chain and ownership risks and enable them to identify and source appropriate hosting and related services.
The Framework works in conjunction with a suite of other government policies and frameworks, such as foreign investment policy and the Protective Security Policy Framework, to:
- reduce data sovereignty, ownership and supply chain risks
- ensure government hosting services are more efficient and cost-effective
- provide certainty on the Australian Government hosting operating environment for industry and agencies.
The DTA developed the Framework in consultation with government and industry to ensure it meets the highest standards for data protection and security.
Consistent with the Hosting Strategy, the Framework will allow Government to assess the risk presented by hosting providers and outline the standards, measures and timelines for hosting providers to achieve the Government’s required hosting standards at one of 2 certification levels:
- Certified Assured Hosting Provider arrangements safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile
- Certified Strategic Hosting Provider represents the highest level of assurance and is only available to providers that allow the Government to specify ownership and control conditions.
Previously, the Certified Strategic Hosting Provider was referred to as Certified Sovereign Data Centre. The name of the certification level has been updated following industry feedback. There has been no change to the scope or threshold of assessment required for hosting providers to become certified at either of the 2 levels.
The Hosting Strategy has been updated to reflect this change of terminology.
With the release of the Framework, all interested hosting providers are now able to register for certification at their preferred level by emailing firstname.lastname@example.org.
Subject to the transition arrangements outlined in the Framework, the DTA will commence certification of hosting providers on the current Data Centre Facilities Supplies Panel (Panel 2). Other providers of hosting services, such as managed service providers and cloud service providers, can register their interest now and will be included in the Phase 2 certification process, which will commence at the end of this year.
The Hosting Certification Framework will continue to be iterated as appropriate.