All Australian Government data must be hosted with the appropriate level of privacy, sovereignty and security controls, in accordance with the Whole-of-Government Hosting Strategy.
All new or in-flight hosting procurements should utilise Certified Service Providers. All existing government contracts (initiated prior to 4 June 2021) should ensure the existing Service Provider is certified by 30 June 2022.
Australian Government entities continue to have the autonomy to select the best hosting arrangements to suit their requirements.
The Hosting Certification Framework has three levels - Strategic, Assured and Uncertified.
Which level of Certification is required will depend on the government customer’s risk profile and the classification and sensitivity level of its data, and is subject to an internal risk assessment.
Cybercrime remains one of the most prevalent risks facing the world today. It continues to represent a current and emerging threat to national security and the digital economy as opportunistic cybercriminals take advantage of the systemic global instability caused by the COVID-19 pandemic.
Uplifting the protections for government data is of the utmost importance. It is therefore anticipated that most Australian Government entities may seek hosting services at the Certified Strategic level.
Strategic Certification represents the highest level of assurance to Australian Government customers and offers the most secure storage solutions for Government held data.
Certified Strategic Service Providers allow the Australian Government to specify ownership and control conditions.
Assured Certification safeguards Australian Government customers through financial penalties that apply if a Service Provider undertakes significant changes to its ownership, control or operations that may increase the risk profile of its government customers.
Compared to Strategic Certification, Assured Certification has:
- lower financial penalties for transition costs should the Service Provider breach Certification
- lower security controls, including personnel security vetting and physical zoning requirements
- fewer reporting requirements to the Certifying Authority.
Government customers with a low-risk profile, whose data the government customer has deemed not to require additional security protections, may seek the services of a Certified Assured Service Provider.
Uncertified offers minimal protections to Australian Government customers.
Government customers may use the services of an Uncertified Service Provider to host non-sensitive data, or where their internal risk assessment determines it appropriate to do so.
The right Level of Certification
The right level of Certification for a Service Provider depends on the government customer’s risk profile and the classification and sensitivity level of the data to be hosted, and is subject to an internal risk assessment.
What is a Certificate of Hosting Certification?
A Certificate of Hosting Certification is the official document issued by the Certifying Authority indicating that a Service Provider’s service(s) has been certified under the Hosting Certification Framework. There are two types of Certifications:
- A Provisional Certification is an interim Certification awarded to Service Providers who complete the Hosting Certification Assessment Pack and have met the Framework’s requirements. This certificate allows a Service Provider to enter into new contracts with Australian Government customers before the formal Certification Assessment has been completed.
- A Full Certification is granted to a Service Provider and its nominated services after undertaking the formal assessment process and successfully meeting the requirements of the Hosting Certification Framework for one of two levels, Assured Certification or the highest level of Strategic Certification.
Certificates are accompanied by a corresponding Certification ID for each nominated service. Certification IDs are used during the procurement stage to help government customers verify that the service(s) being sought are certified, and to the level required (Assured or Strategic).
Procurement Process Steps
1. Risk assessment
Government customers undertake an internal risk assessment.
2. Service Provider type
Determine whether a Certified Service Provider is required, and if so at what level.
3. Explore list of Certified Service Providers
Identify a Service Provider that best suits your needs.
Source safe and secure hosting services.
Government Customers frequently asked questions
Procurement activities should include specific hosting requirements such as:
- Specifying the level of Certified Service Provider required. This depends on the government customer’s risk profile and the classification and sensitivity level of the data to be hosted, and is subject to an internal risk assessment.
- Requesting Service Providers include within their submission the Certification ID of the service being procured. The Certification ID will indicate that a specific hosting service has been assessed by the DTA and has been certified to a specific level. To confirm the Certification ID(s) submitted by Service Providers, contact the Certifying Authority by emailing [email protected].
An Australian Government customer that has an existing contract with an Uncertified Service Provider, but requires the services of a Certified Service Provider should ensure, by 30 June 2022, the Service Provider becomes certified, or another Certified Service Provider is engaged.
To procure services from a Service Provider not currently certified contact the DTA at [email protected], who may expedite the Certification process or provide advice on identifying and sourcing an appropriate Service Provider.
The DTA can assist you and your preferred Service Provider to navigate the Certification process.
Government customers wishing to procure hosting services from a Service Provider not currently certified should ensure the contract award is conditional on the preferred Service Provider achieving the required level of Certification.
You can contact the DTA by emailing [email protected] who may provide the following assistance:
- Confirm whether the Service Provider:
  - has registered for Certification
  - has a Provisional Certification
- Expedite the Certification process for the preferred Service Provider.
- Provide advice on identifying and sourcing an appropriate Service Provider.
The length of time needed to complete the Certification Assessment process will differ according to each Service Provider’s circumstances, for example:
- size and number of third parties
- cooperation with the process and ability to provide the relevant documentation.
Assessments may take on average between 2 and 4 months to complete.
A Provisionally Certified Service Provider may supply its nominated service(s) to an Australian Government customer in the same way as a Fully Certified Service Provider. However, government customers should be aware that Provisionally Certified Service Providers have not yet undertaken the full Certification Assessment process and therefore may pose a greater risk to a government customer requiring the most stringent protections.
To receive a Provisional Certification, Service Providers must:
- self-assess their services, supply chains and security controls
- make assurances that they meet the minimum mandatory requirements for their service offering(s) at the Certification level required
- agree to government undertakings.
A Certification does not expire but it does require ongoing maintenance. To maintain Certification, a Service Provider must:
- report on any potential or upcoming Relevant Change that may adversely affect the Commonwealth
- complete a Service Provider contract form biannually
- undertake a Certification review annually
- maintain compliance with the Hosting Certification Framework’s minimum mandatory requirements.