AUCloud becomes the first “Authorised” organisation to provide cloud services under Australian Cyber Security Centre’s (ACSC) new security framework as DTA and other agencies confirm “Authority to Operate”.
AUCloud is delighted to confirm our status as the first Cloud Service Provider to secure Phase 2 “Authority to Operate” under the Australian Cyber Security Centre (ACSC) Cloud Assessment and Authorisation Framework (CAAF). The Digital Transformation Agency (DTA) and other agencies have formally confirmed AUCloud’s services meet the stringent requirements for delivering cloud services.
Mandated in July 2020, designed to protect government data from cyber security threats and developed through an extensive industry-wide consultation to address the concerns of many Cloud Service Providers (CSP) and Cloud Consumers, the CAAF requires detailed information on the ownership and overseas operational access across all data types (metadata, support and analytics data) and not simply customer data.
- Phase 1 assessment by an IRAP assessor provides CSPs Cloud Security Fundamentals and Cloud Services Assessment artefacts that enable a Cloud Consumer’s (typically a Government Agency) risk assessment.
- Phase 2 Authorisation, is the agency specific risk assessment stage, requiring the Authorising Officer within the government agency to issue an “Authority to Operate” for the specific cloud services in the manner outlined.
- Phase 2 essentially ensures the CSP funded IRAP assessment meets the risk profile of the cloud services adopted by individual agencies.
AUCloud Managing Director Phil Dawson said “Focused on data – including the risks of transmission to support centres across the globe and access by unknown or unvetted personnel – the CAAF now ensures that Australia has as diligent as any cloud risk assessment and accreditation process as I have experienced in delivering to governments across the world.
Dawson further added, “The CAAF is already delivering on its objectives, not only to maintain best practice security standards and related controls but to accelerate uptake of cloud services across government by leveraging the work undertaken by early adopter agencies and to expand market access for authorised SaaS services. AUCloud has many Australian SME partners, who, by deploying their SaaS services on AUCloud, are now accelerating their Phase 1 “Assessment” process, making Australian innovation easier and less risky for government to deploy. Coupled with the ability of government agencies to now leverage the Authorisation work undertaken by DTA and others, broader adoption of similar services across government will be fast-tracked.”
Peter Farrelly, Chief Information Security Officer, AUCloud commented “In conjunction with the Whole of Government Hosting Strategy and the new Hosting Certification Framework, which accredited our data centre partner CDC at the highest level of Certified Strategic, the CAAF brings an efficiency and effectiveness to the risk assessment of cloud services, that will assist government agencies undertake their responsibilities under the Government’s framework and accelerate adoption of cloud services to support wider digital transformation. With close involvement from the Australian Cyber Security Centre (ASCS), DTA and others, we are delighted to prove the framework and share the authorisation, artefacts and learnings across government as agencies expand their use of cloud services. Combined with a refresh of the IRAP program and adoption of more cloud-based controls in the ISM, AUCloud is pleased to see the desired benefits of the ACSC’s Cloud Security Guidance beginning to emerge to the benefit of both government consumers and service providers.“