The new cloud certification model and what it means for you

In March 2020, Australia’s Cloud Services Certification Program (CSCP) came to an end.

For many years, the CSCP acted as the gatekeeper for Cloud Services Providers (CSPs) to compete for government contracts requiring secure cloud services. CSPs that were accepted as ‘secure’ were listed in the Certified Cloud Services List (CCSL). Making the CCSL carried many benefits including the ability to pitch for government contracts as well as blocking any potential competition from other CSPs or Australian providers not on the list.

However, in July 2020 the Australian Cyber Security Centre (ACSC) ceased the Certified Cloud Services List (CCSL). The Australian Signals Directorate (ASD) was no longer going to be the Certification Authority for secure cloud services for Commonwealth entities.

The ACSC and Digital Transformation Agency (DTA) also released new cloud security guidance to help government, cloud providers and Information Security Registered Assessor Program (IRAP) assessors in making decisions about cloud vendors and services.

What does this all mean for government organisations?

Theoretically, the end of the CSCP and CCSL will allow Commonwealth entities to choose from a wider range of CSPs and cloud services. This means that CSPs who previously didn’t make the ‘shortlist’ can now be considered by buyers. All things being equal, competition is usually a good thing as it leads to greater innovation and more cost-effective cloud services.

On the flip side, this new decentralised model means that Commonwealth entities will be responsible for their own cloud assurance and risk management activities. While the CCSL unintentionally allowed Commonwealth entities to transfer risk to ASD, the onus has now returned to those entities to accept and own the risk. In other words, agencies are now required to understand, assess, and authorise the cloud services they wish to consume.

This move hasn’t been without debate. Some commentators have suggested that the decentralised model will increase risk and reduce the cyber resilience of organisations, and that decentralising compliance will lead to inconsistent standards being applied and introduce biases into the self-certification process. On the other hand, advocates of the new model have long argued that the CCSL had become outdated, and that the model was due for a change because of the time, cost and bottlenecks that accumulated under the old regime.

There are several models for cloud accreditation, and these aren’t new. They are differentiated by who determines and approves risk. For example, the UK has adopted a decentralised model where government departments have the flexibility to adopt the risk profile required by their mission or organisational requirements. Singapore and Germany have instead opted for a centralised model whereby a central organisation publishes the relevant standards and the CSP attests to the relevant controls. In the US, the Federal Risk and Authorization Management Program (FedRAMP) both publishes the standards and runs a review process, with two variations of that process forming a more hybrid construct.

It’s fair to say that the efficacy of the new model in Australia will depend on several factors, beyond the scope of this discussion. But for now, it’s too early to tell whether the intent of the deregulated regime will achieve the desired benefits. We’ll need to wait and see.

How is the change likely to impact government organisations in FY21?

The new decentralised and deregulated regime will put more pressure on organisations to accept and manage their own risk. There’s no one else to point the finger at – and the onus will be on the agencies to make sure they’re cyber secure and doing the right thing.

As a result, there are at least two scenarios which may play out.

First, given the challenges around COVID-19 and tighter budgets for delivering core services, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are going to face additional pressure. This preoccupation will take up more of their time, and developing an understanding of how to approach the new responsibility for self-certification will take a back seat. Consequently, decisions around new technologies and services will slow, non-essential projects may be delayed, and this group will prefer to observe how the regime is operationalised before making any decisions perceived to be high risk.

On the opposite end of the spectrum, there will be CISOs and CIOs who are experienced in dealing with the multitude of cyber security risks that new technologies and cloud services attract. This cohort will be very familiar with the previous CSCP and CCSL, and will understand how the new changes empower them to make their own risk-based decisions. Drawing on that experience, they will make faster decisions around risk, and those making the decisions will be comfortable working with IRAP assessors. This group will proactively approach self-certification and act as leaders for their industry peers.

How will this impact Managed Security Service Providers (MSSPs)?

Both scenarios will drive MSSPs to become more engaged with their clients, cloud and technology vendors, regulatory authorities and industry partners. In some respects, the new Cyber Security Strategy 2020 already alludes to deeper engagement to support innovation and capability development, and this shift also means that, over time, a more defined set of roles and responsibilities may be placed on service providers to support their clients.

In the short term, while government organisations have their hands full, MSSPs will likely be leaned upon to provide advisory services and risk assessments, and to support technology decisions and implementations. They’ll also be required to work closely with cloud vendors to obtain guidance on specific cloud technologies and the risks associated with them.

So while IRAP assessors continue playing a pivotal role in assessing and certifying services, MSSPs will build on the role of the 'trusted advisor' in helping guide technology decisions that enable organisations to achieve their operational requirements and regulatory needs.

Adam Misiewicz is an experienced cyber security consultant and the General Manager of Cyber Security at Vectiq - a Canberra-based services company.

Chris Kaczor

Information Technology Consultant at EG A/S

4y

Future demands and the associated challenges in the new normal will have a continued impact on the evolution of how Commonwealth entities manage their risk and security.

Dan Gray

Australian made ERP for government

4y

Nice article Adam Misiewicz. I believe the new security assessment & CA model will drive greater competition and innovation. While the previous model was created with the right intentions, it did stifle competition at all layers of the market. Cloud by its nature evolves quickly and unpredictably, so the framework for aligning security standards and CSP controls needs to be equally flexible and agile. Global CSPs, such as Oracle, operate across a multitude of different security standards around the world, so leveraging this exposure and experience to better protect Australian government data and systems can only be a good thing.