Digital Transformation Agency
Joint Australian Signals Directorate and Digital Transformation Agency Public Statement on Independent Review of CSCP and IRAP
2 March 2020
Tags: Cloud, Security
In late July 2019, the Australian Signals Directorate (ASD) commissioned an independent
review of its Cloud Services Certification Program (CSCP) and Information Security Registered
Assessors Program (IRAP).
The Review considered the perspectives of industry and government stakeholders to ensure
the proposed recommendations support Commonwealth entities, Australian businesses and
the community while maximising cyber security and resilience to protect against evolving cyber
threats.
The review made the following recommendations:
- Close the CSCP and create new co-designed cloud security guidelines with industry
- Grow and enhance IRAP
- Establish Government and Industry Consultative Forums for cyber security
- Update incentives in Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP.
Cloud Services Certification Program (CSCP)
In line with these recommendations, ASD will today cease the CSCP. ASD will no longer be the
Certification Authority and will not be progressing certification activities. This includes
re-certification activities.
All services listed on the Certified Cloud Services List (CCSL) will remain ASD certified until 30
June 2020. All ASD certifications and re-certification letters will be void from this date and the
Australian Government Information Security Manual (ISM) will be updated to remove the
requirement to select cloud services from the CCSL.
The cessation of the CSCP will open up the Australian cloud market to allow for more
home-grown Australian providers to operate. This will also give government customers a greater
range of secure and cost-effective cloud services.
Commonwealth entities continue to be responsible for their own assurance and risk
management activities. In accordance with the Australian Government Secure Cloud Strategy,
Commonwealth entities are able to self-assess cloud
services using practices already used to assess ICT systems.
ASD has developed a number of useful guides for organisations to undertake the appropriate
security assessments in relation to cloud services.
It is recommended that any assessment clearly addresses the security controls in the ISM, and
ASD cloud security guidance, including:
- Cloud Computing Considerations: https://www.cyber.gov.au/publications/cloud-computing-security-considerations
- Cloud Computing Considerations for Tenants: https://www.cyber.gov.au/publications/cloud-computing-security-for-tenants
ASD commits to enhancing the existing Cloud Security Guidance with industry.
The Digital Transformation Agency’s (DTA) existing ICT Marketplaces are not affected by this
change and will continue to operate as usual. This includes the Cloud Marketplace panel and
its new approach to market in early 2020.
The DTA continues to encourage Commonwealth entities to use the Australian Government
Secure Cloud Strategy to support their adoption of cloud services, and will continue to
proactively work with ASD, vendors and broader industry to articulate best-practice cyber
security measures.
Information Security Registered Assessors Program (IRAP)
ASD will enhance its support and delivery of IRAP. Now that the review has concluded, ASD will
be accepting applications for new IRAP Assessors and will restart IRAP training sessions.
The boost to the IRAP community will deliver greater resources and higher standards to
support government in maintaining its assurance and risk management activities.
ASD will improve the training and assessment of IRAP assessors to bring a greater consistency
of skills within the IRAP community.
Consultative Forum
ASD will establish the Government and select Industry Consultative Forums for cyber security,
based on thematic topics and issues.
The Consultative Forums will consist of select government and industry representatives from
key stakeholder groups.
The theme of the first Consultative Forum will be Cloud security. ASD will use this forum to
enhance existing Cloud Security Guidance through the development of co-designed guidelines
with industry. These guidelines will further aid Commonwealth entities and Australian
businesses to increase their cyber security and resilience.
ASD will send invitations in coming weeks for representatives to serve on the first Cloud
Security Consultative Forum. Membership will occur on a rotational basis to ensure input from
across industry.
Subsequent thematic Consultative Forums will be announced in the coming months.
ASD appreciates the patience of all stakeholders throughout the review process.
The implementation of the independent review recommendations is part of ASD’s continued
drive to help make Australia the safest place to connect online.
Further implementation updates will be posted on our website: www.cyber.gov.au.
Further enquiries should be directed to xxx.xxxxxx@xxxxxxx.xxx.xx.
ENDS
For media enquiries email us at xxxxx@xxx.xxx.xx
For other enquiries email us at xxxx@xxx.xxx.xx
© Commonwealth of Australia. With the exception of the Commonwealth Coat of Arms and
where otherwise noted, this work is licensed under the CC BY 4.0 license.