Service Providers | Hosting Certification Framework

Service Providers

Certified Service Providers are a vital part to protecting Australian Government data.

Certification under the Hosting Certification Framework ensures Service Providers are offering Australian Government customers secure hosting services.

The Framework applies to all Service Providers that deliver hosting services for Australian Government customers, including the facilities that host government data, their systems and supply chains. Service Providers include:

Data Centre Providers
Cloud Service Providers.

If you are a prospective Certified Service Provider or already certified, all the latest information and steps you need to take are below.

Certification levels

The Hosting Certification Framework has three levels - Strategic, Assured and Uncertified.

Cybercrime remains one of the most prevalent risks facing the world today. It represents a current and emerging threat to national security and the digital economy as opportunistic cybercriminals take advantage of the systemic global instability caused by the COVID-19 pandemic.

Uplifting the protections for government data is of the utmost importance. It is therefore anticipated that most Australian Government entities may seek hosting services at the Certified Strategic level.

Strategic

Strategic Certification represents the highest level of assurance to Australian Government customers and offers the most secure storage solutions for government held data.

Certified Strategic Service Providers allow the Australian Government to specify ownership and control conditions.

Assured

Assured Certification provides Australian Government customers safeguards through financial penalties, against a Service Provider undertaking significant changes to their ownership, controls and operations, which may increase the risk profile of their government customers.

Compared to Strategic Certification, Assured Certification has:

lower financial penalties for transition costs should the Service Provider breach Certification
fewer reporting requirements to the Certifying Authority.

Government customers with a low-risk profile and data which has been deemed by the government customer as not requiring additional security protections may seek the services of a Certified Assured Service Provider.

Uncertified

Uncertified offers minimal protections to Australian Government customers. No application is needed for this third tier.

Government customers may use the services of an Uncertified Service Provider to host non-sensitive data, or where their internal risk assessment determines it appropriate to do so.

Hosting Certification steps

Service Providers frequently asked questions

There are four steps in the Certification process.

Step 1 – Register your interest through the Hosting Certification Framework website.

Step 2 – The Digital Transformation Agency will confirm your registration and issue a Hosting Certification Assessment Pack.

Review, sign and return the Hosting Certification Assessment documents by emailing certifications@dta.gov.au.

The Hosting Certification Assessment Pack includes:

Deed of Certification

Service Provider Declaration

Non-Disclosure Agreement

Control Objectives

Step 3 – The DTA will notify you when the certification assessment process, can commence. The formal assessment may take on average between 3 to 6 months to complete.

Step 4 – Once the assessment process is complete you will be notified of the outcome and, if successful, be issued with a Certificate of Hosting Certification and a Certification ID for each certified service.
Assessments may take on average between 3 to 6 months to complete.

The length of time to complete the Certification Assessment process will differ according to each Service Provider’s circumstance. For example:

size and number of third parties

cooperation with the process and ability to provide the relevant documentation.
When prioritising Service Providers under the Hosting Certification Framework, significant consideration is given to the number and value of contracts currently held with the Australian Government. This approach looks to ensure the largest number of government customers are engaging with Certified Service Providers.

All steps are being taken to ensure Service Providers that are yet to undertake the Certification Assessment process are not disadvantaged.

Service Providers not already registered may do so by registering their interest using the Registration of Interest Form.
The Certifying Authority publishes a list of Service Providers who have achieved Strategic or Assured Certification for their nominated service(s). This can be found here.
Certifications require ongoing maintenance. To maintain Certification, a Service Provider must:

report on any potential or up-coming Relevant Change that may adversely affect the Commonwealth

complete a Service Provider Contract form biannually

undertake a Certification review annually

maintain compliance with the Hosting Certification Frameworks minimum mandatory requirements.
HCF requirements apply to new contracts and extensions to existing contracts for hosting services from 30 June 2022. Extensions to contracts with service providers awaiting certification are restricted to a maximum of 1 year, with the option of a 1 year extension.

Where certification of a service provider is pending, government customers may apply for an exemption from the DTA.

Uncertified Service Providers may continue to supply services to government customers that do not require the provision of certified services.

Service Providers wishing to be Certified can register their interest to be certified at any time using the Registration of Interest Form.