A certification bottleneck in the federal government’s hosting certification framework (HCF) has emerged, with dozens of data centre and cloud providers still waiting to receive sign-off to hold protected-level public sector data.
iTnews can reveal 29 data centre and cloud providers are yet to be certified by the Digital Transformation Agency as either ‘certified strategic’ or ‘certified assured’, as the government’s mandate for agencies to only use accredited providers comes into effect.
The apparent delay has seen the DTA, which oversees the whole-of-government framework, introduce a last-minute exemption for agencies to request to use providers that are yet to receive certification.
Under the HCF, agencies are required to host all sensitive government data, whole-of-government systems and systems rated to a protected classification level with only certified strategic or certified assured providers from this month.
Certified strategic is the highest level of assurance under the framework, requiring providers to allow the government to specify ownership and control conditions, whereas certified assured offers safeguards if ownership controls or operations change.
Agencies are also able to use uncertified service providers for “non-sensitive data, or where their internal risk assessment determines it is appropriate to do so”, but have been warned that such services offer only minimal protections.
Since the DTA began accepting certification registrations in April 2021, eight data centre providers – AirTrunk, Australian Data Centres, Canberra Data Centres, DCI, Equinix, Fujitsu, Macquarie Telecom and NEXTDC – have been certified.
A further eight cloud service providers, which were offered the opportunity to register in September 2021, have also been certified: Amazon Web Services, AUCloud, Sliced Tech, Vault Cloud, Microsoft, Kyndryl, Oracle and, most recently, IBM.
But a spokesperson told iTnews that “a total of 45 registrations from data centre and cloud service providers seeking certification” have been received by the DTA since the framework was released, leaving 29 registrations still to be approved.
A breakdown of the 45 registrations provided by the DTA shows that 10 registrations were lodged this year, with the remaining 35 applications received in 2021. The data suggests that some providers are waiting longer than six months for certification.
| Year | Month | Registrations |
| 2021 | March | 12 |
| April | 1 | |
| May | 2 | |
| June | 1 | |
| July | 3 | |
| August | 3 | |
| September | 2 | |
| October | 5 | |
| November | 3 | |
| December | 3 | |
| 2022 | January | 1 |
| March | 4 | |
| April | 2 | |
| May | 1 | |
| June | 1 | |
| July | 1 |
The spokesperson said the certification assessment process at the DTA can take “on average three to six months to complete”, but that the timing would “differ according to each provider’s circumstances”.
Circumstances include the size of a provider, the number of services undergoing assessment, the number of third parties involved, the extend of provider engagement and their ability to submit required documentation.
The DTA also gives “significant consideration... to the number and value of contracts currently held with the Australian government” when prioritising service providers for accreditation under the framework.
“This approach looks to ensure the largest number of government customers are engaging with certified service providers,” the spokesperson said.
“All steps are being taken to ensure service providers that are yet to undertake the certification assessment process are not disadvantaged.”
In light of the backlog of certification registrations, the DTA has introduced an exemption for agencies relying on service providers still awaiting certification that runs for up to two years, including an option for a one-year extension.
The spokesperson told iTnews the exemption was introduced on June 24, just a week before the data mandate came into effect for agencies, but would not say whether this was directly in response to the backlog of certifications.
“The exemption reflects the large number of services providers used by government, different points in time government customers are [at] in the procurement cycle, and the need to smooth transitional arrangements in some circumstances,” the spokesperson said.
Only one agency has applied for an exemption to date, which the spokesperson said had been granted.
The DTA has subsequently also tweaked the language on its website, so that the requirements now only extends to “all new and extensions to existing contracts for hosting services” and not all existing government contracts, as was previously the case.
The DTA website also now states that “HCF requirements will not apply for software-as-a-service or managed service providers until the next iteration of the policy is defined”.
With close to 30 providers still awaiting certifications, the DTA is now facing a similar situation to the Australian Signals Directorate’s cloud services certification program (CSCP), which was dispensed with in 2020.
Originally introduced to ensure cloud services were comprehensively assessed to maximise the security of data, the certification process was criticised as being onerous, costly and long-winded for cloud providers looking to sell to Canberra.
Six cloud service providers – AWS, Microsoft, Vault Systems, Macquarie Telecom, Sliced Tech and NTT Australia – were certified to a protected level under the scheme between 2017 and 2020, while a further seven providers were certified at the unclassified level.
