AIIA responds to ASD and DTA review of cloud certification and IRAP programs


The Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA) have announced the findings of their review into the Cloud Services Certification Program (CSCP) and the related Information Security Registered Assessors Program (IRAP).

Whilst recognising that the current system was not working smoothly for industry or government, the Australian Information Industry Association (AIIA) is concerned that the proposed changes, without clear communication and a concerted effort to raise agency capability, may impact on cloud adoption within the Australian Government.

While acknowledging that the move reflects existing policy under the Secure Cloud Strategy, the AIIA is concerned that the proposal to discontinue the CSCP effective immediately and close the published ASD certified list of providers from 30 June 2020 may cause confusion without appropriate guidance and support to agencies.

Further, the ASD announced: “All ASD certifications and re-certification letters will be void from this date and the Australian Government Information Security Manual (ISM) will be updated to remove the requirement to select cloud services from the CCSL.”

The AIIA's concern is that closing the list and removing the central role the ASD has had in certifying cloud platforms assumes that agencies have the requisite skills and capabilities to appropriately assess and accept this risk.

The mixed ability of small and even larger government agencies to conduct cyber threat risk assessments, due to a lack of cyber skills in agencies, may lead to risk-averse behaviours, resulting in a decline in adoption of the latest cloud technologies and digital services. We encourage the DTA and ACSC to support agencies to develop these capabilities or to share information through communities of interest.

The AIIA welcomes the expansion of the IRAP assessors scheme should this lead to improved confidence by agencies in the assessments of appropriate risk, enabling adoption of the latest cloud services in their businesses. We support the government in ensuring higher standards in the IRAP community to aid agency and industry confidence in the program.

The AIIA looks forward to working with government and ensuring that the Cloud Security Consultative Forum is well represented by industry experts, so that the implementation of the changes works for both industry and government.