Services certified to be used with information classified at the PROTECTED level are expected to be added to the government’s Certified Cloud Services List (CCSL) by the of the year, according to the Department of Defence.
“Assessments of cloud services at the PROTECTED level are currently underway,” a Defence spokesperson told Computerworld Australia.
The CCSL, which is managed by the Australian Signals Directorate (ASD), is intended to make it easier for government departments and agencies to adopt secure cloud services.
The list was launched last year, with cloud services from Amazon and Microsoft the first to be added to the list.
The services on the list have been assessed under the ASD’s Information Security Registered Assessors Program (IRAP) and had certification awarded by the agency, which is responsible for providing cyber security advice to federal government organisations.
The CCSL means that agencies can adopt a cloud service without having to undertake the same level of scrutiny of its security.
ASD-endorsed IRAP assessors can provide assessment up to the TOP SECRET level. At the moment, services on the CCSL have only certified for use with Unclassified DLM information (data that is not classified but may be sensitive and is not intended for public release).
Under the government’s security classification system, PROTECTED classification “should be used when the compromise of the confidentiality of information could be expected to cause damage to the national interest, organisations or individuals”.
(The four levels of classified information are PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET.)
Currently the services listed on the CCSL comprise offerings from Amazon, Microsoft, Macquarie Telecom, Sliced Tech and Vault Systems. SAP has also commissioned an IRAP assessment of its Canberra-based SAP HANA Enterprise Cloud.
Most of the vendors on the list have previously indicated they are seeking a higher level of certification for their services.
The ASD this week released the updated version of its Information Security Manual, which is its key security document for government agencies.