New security guidelines have been released to help government agencies weigh the security of cloud providers, representing a move towards a decentralised risk assessment system that has some stakeholders concerned.

The new system replaces the certified cloud services list (CCSL), which was previously administered by the Australian Signals Directorate.

The Australian Cyber Security and Centre and the Digital Transformation Agency this week released the new cloud security framework aimed at guiding government, cloud service providers and Information Security Registered Assessor Program (IRAP) assessors in making decisions about vendors and services.

“The release of the new guidance coincides with today’s cessation of the Certified Cloud Services List (CCSL) which will open up the Australian cloud market, allowing more homegrown Australian providers to operate and deliver their services,” Linda Reynolds said in a statement on Monday (July 27).

“This will provide opportunities for Commonwealth, State and Territory agencies to tap into a greater range of secure and cost-effective cloud services.”

Under the new regime, government entities will self-assess the safety of their cloud systems and will be responsible and accountable for their own assurance and risk management.

The Cloud Security Guidance package includes key documents covering cloud service adoption,  CSP provider assessment, frequently asked questions and a cloud security controls matrix template.

Industry reaction

Managing director at Macquarie Government Aidan Tudehope said it was disappointing that the CCSL certification had been abolished but welcomed the guide and anything that would support the local industry.

“Taken alongside Minister (Stuart) Robert’s planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers,” he said.

Strategy director of cloud security technology at FirstWave Cloud Technology Roger Carvosso also said the guidelines would make the government sector more open to homegrown cloud service providers.

It would place greater responsibility on providers who would now have greater market access, he said.

“There is now increased scrutiny on the cyber security posture of these cloud service providers, not just the quality of the security services that they sell to their customers,” Mr Carvosso said.

However Vault Cloud CEO Rupert Taylor-Price said government agencies might struggle to understand if cloud services are secure and suitable, and the decentralisation of compliance requirements could result in inconstant standards.

“The bar for achieving ASD certification was extremely high and provided certainty into data protection,” he said.

“By decentralising compliance requirements we are concerned that government agencies may experience inconsistent standards, not only impacting the service the government receives, but also their ability to interoperate with other agencies and in turn the outcomes for citizens,” he said.

Mr Taylor-Price said this could have security implications and called for continued investment in a certification program.