Sovereign Cloud IaaS Provider AUCloud welcomes the release today of the ACSC’s new Cloud Assessment and Authorisation Framework (CAAF). Replacing the former Cloud Services Certification Program (CSCP) and the Certified Cloud Services List (CCSL), the Framework provides a more transparent and efficient process, avoids the delays of previous arrangements, and reduces duplication and misinterpretation, while encouraging agility, re-use and the transfer of lessons learned for the benefit of Cloud Consumers.
With the Protective Security Policy Framework (PSPF) and ASD’s Information Security Manual (ISM) central to the Cloud Assessment and Authorisation Framework (CAAF), the clear delineation and ownership of roles between Cloud Consumers, Cloud Service Providers (CSPs) and IRAP assessors is welcomed. Importantly, the new arrangements reinforce the responsibilities of Cloud Consumers to manage risks within their specific context; of Cloud Service Providers supporting a multi-tenanted customer base; and of assessors balancing consistent, prescriptive reporting with open-text narrative.
The introduction of the Framework, which ensures both consistency and transparency in areas such as the ownership and operation of CSPs and the definitive data types under management, also provides the basis for a more effective process for Agencies. These issues are critical to assessing cyber risk, especially in the context of the related data flows.
The scaling limitations of the former arrangements have been addressed, with ACSC now clearly positioned as custodian of the process rather than undertaking the process itself. The commitment to increased investment in supporting and training the IRAP community is an important acknowledgement of the need for consistency of approach and decision-making.
Similarly, the planned programme of enhanced support and training across Cloud Consumers and CSPs (as well as IRAP professionals) will assist with a shared understanding of the process, including the implications of shared responsibilities and of reassessments following material events affecting the CSP or its services. This all makes for a much more efficient and transparent process.
The new Framework also recognises the financial investment and time costs for Cloud Consumers and CSPs alike and how these can be reduced through the sharing of reports, incremental assessments and addendums.
The new arrangements provide an effective process to address legacy inheritance while recognising the rapid rate of change inherent in digital technologies. The processes for in-flight and future risk assessments, and the respective responsibilities of Cloud Consumers and CSPs in assessing and reporting changes in risk status, are clear.
ACSC is to be congratulated for its leadership and effort in undertaking an extensive and balanced consultation process to achieve this result. We understand a broad range of providers of cloud services to Australian governments have participated in the process, including global multinationals, local Australian start-ups, and providers of IaaS, PaaS and SaaS services, from overseas-headquartered corporations to State-based and locally Canberra-based operations.
Overall, and at the core of the new arrangements, is the recognition of the role of government as a custodian of sensitive citizen data and of the related privacy obligations it has to all Australians. Commentary at the time of the release of the CovidSafe App made clear that citizens regard the protection of their privacy and security as a priority. The new Framework provides a higher level of assurance that Cloud Consumers (i.e. Agencies) have undertaken a thorough assessment of their CSPs and will have ongoing visibility of any changes that could affect their risk profile.