Certified Service Providers are a vital part of protecting Australian Government data.
Certification under the Hosting Certification Framework ensures Service Providers are offering Australian Government customers secure hosting services.
The Framework applies to all Service Providers that deliver or manage hosting services for Australian Government customers, including the facilities that host government data, their systems and supply chains. Service Providers include:
- Data Centre Providers
- Cloud Service Providers
- Software-as-a-Service (SaaS) Providers.
If you are a prospective Certified Service Provider or already certified, all the latest information and steps you need to take are below.
The Hosting Certification Framework has three levels - Strategic, Assured and Uncertified.
Cybercrime remains one of the most prevalent risks facing the world today. It represents a current and emerging threat to national security and the digital economy as opportunistic cybercriminals take advantage of the systemic global instability caused by the COVID-19 pandemic.
Uplifting the protections for government data is of the utmost importance. It is therefore anticipated that most Australian Government entities may seek hosting services at the Certified Strategic level.
Strategic Certification represents the highest level of assurance to Australian Government customers and offers the most secure storage solutions for government held data.
Certified Strategic Service Providers allow the Australian Government to specify ownership and control conditions.
Assured Certification provides Australian Government customers with safeguards, through financial penalties, against a Service Provider undertaking significant changes to their ownership, controls and operations that may increase the risk profile of their government customers.
Compared to Strategic Certification, Assured Certification has:
- lower financial penalties for transition costs should the Service Provider breach Certification
- lower security controls, including personnel security vetting and physical zoning requirements
- fewer reporting requirements to the Certifying Authority.
Government customers with a low-risk profile and data which has been deemed by the government customer as not requiring additional security protections may seek the services of a Certified Assured Service Provider.
Uncertified offers minimal protections to Australian Government customers. No application is needed for this third tier.
Government customers may use the services of an Uncertified Service Provider to host non-sensitive data, or where their internal risk assessment determines it appropriate to do so.
Hosting Certification Steps
1. Register interest
Service Providers register their interest to be certified under the Hosting Certification Framework.
2. Complete assessment pack
Service Providers submit a series of forms to complete the application process.
3. Formal assessment
Applicants undergo the Certification Assessment process, which on average can take 2 to 4 months.
4. Outcome notification
Applicants are notified of the Certification Assessment outcome and if successful are provided with Certification ID/s.
5. Maintain Certification
Certified Service Providers comply with ongoing reporting requirements to maintain Certification.
Service Providers frequently asked questions
There are five steps in the Certification process.
Step 1 – Register your interest through the Hosting Certification Framework website.
Step 2 – The Digital Transformation Agency will confirm your registration and issue a Hosting Certification Assessment Pack.
Review, sign and return the Hosting Certification Assessment documents by emailing [email protected].
The Hosting Certification Assessment Pack includes:
- Hosting Certification Self-Assessment
- Deed of Certification
- Service Provider Declaration
Step 3 – Your Assessment Pack will be reviewed by the Certifying Authority. If the requirements have been met, a Provisional Certification ID will be issued for each nominated service.
Step 4 – The DTA will notify you when the formal assessment, to receive Full Certification, can commence. The formal assessment may take on average between 2 and 4 months to complete.
Step 5 – Once the formal assessment is complete you will be notified of the outcome and, if successful, be issued with a Certificate of Hosting Certification. The Provisional Certification IDs will be deactivated, and you will be issued new Certification IDs.
Yes, if you have received a Provisional Certification. A Provisional Certification is an interim Certification awarded to Service Providers who complete the Hosting Certification Assessment Pack. This certificate allows a Service Provider to enter into new contracts with government customers before the formal Certification Assessment has been completed.
Assessments may take on average between 2 and 4 months to complete.
The length of time to complete the Certification Assessment process will differ according to each Service Provider’s circumstances. For example:
- size and number of third parties
- cooperation with the process and ability to provide the relevant documentation.
When prioritising Service Providers under the Hosting Certification Framework, significant consideration is given to the number and value of contracts currently held with the Australian Government. This approach looks to ensure the largest number of government customers are engaging with Certified Service Providers.
Prioritisation was initially given to Data Centre Providers on the Data Centre Facilities Supplies Panel (Panel 2), with the intention to progress through the categories as follows:
- Remaining Data Centre Providers
- Cloud Service Providers
- Software-as-a-Service Providers.
All steps are being taken to ensure Service Providers that are yet to undertake the Certification Assessment process, due to the implementation phasing, are not disadvantaged.
From 1 September 2021, any Service Provider not already registered may do so by registering their interest through [email protected].
Certifications require ongoing maintenance. To maintain Certification, a Service Provider must:
- report on any potential or upcoming Relevant Change that may adversely affect the Commonwealth
- complete a Service Provider Contract form biannually
- undertake a Certification review annually
- maintain compliance with the Hosting Certification Framework’s minimum mandatory requirements.
Uncertified Service Providers may continue to supply services to government customers that do not require the provision of certified services.
Service Providers wishing to be Certified can register their interest to be certified at any time through hostingcertification.gov.au.