{"id":278971,"date":"2021-08-18T07:50:15","date_gmt":"2021-08-18T07:50:15","guid":{"rendered":"https:\/\/www.innovationaus.com\/?p=21423"},"modified":"2021-08-18T07:50:15","modified_gmt":"2021-08-18T07:50:15","slug":"only-three-vendors-can-hold-sensitive-govt-data","status":"publish","type":"post","link":"https:\/\/radiofree.asia\/2021\/08\/18\/only-three-vendors-can-hold-sensitive-govt-data\/","title":{"rendered":"Only three vendors can hold sensitive gov\u2019t data"},"content":{"rendered":"

The federal government has tightened sovereignty requirements<\/strong> for data hosting vendors and service providers due to security and supply chain concerns.<\/p>\n

But nearly six months on, only three vendors have been certified while the department responsible for some of Australia\u2019s most sensitive data declined to say how it will approach the new scheme.<\/p>\n

\"Stuart
Stuart Robert is leading reforms to tighten government oversight and access to data systems holding sensitive government information.<\/figcaption><\/figure>\n

Since March, the federal government has required hosting providers to be certified against a range of security, risk mitigation and ownership requirements to achieve one of two new levels of certification: “Assured” and the higher “Strategic”.<\/p>\n

The new certifications are part of a Hosting Certification Framework (HCF), which was developed by the Digital Transformation Agency and operationalises the principles set out in the whole-of-government Hosting Strategy<\/a>.<\/p>\n

In June, the government minister responsible for whole-of-government data and digital policy, Stuart Robert, announced \u201call relevant government data\u201d under the HCF must be stored in either Certified Assured or Certified Strategic data centres. This requirement came into effect on June 4 and includes all future and \u201cin-flight\u201d projects.<\/p>\n

\u201cThe Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” Mr Robert said at the time.<\/p>\n

\u201cThis includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.\u201d<\/p>\n

A spokesperson for the DTA confirmed it will be up to agencies to determine their hosting requirements, including whether their data and systems require certified hosting.<\/p>\n

\u201c[Agencies are required to] use Certified Strategic or Certified Assured Data Centres for high value or sensitive data sets, PROTECTED data, or whole of government systems; and assess data and systems for the likelihood of data sensitivity changing over time,\u201d a DTA spokesperson told InnovationAus.<\/p>\n

\u201cThe DTA supports agencies to specify and source hosting arrangements consistent [with] requirements of the agency\u2019s systems and data holdings.\u201d<\/p>\n

An Assured certification requires hosting providers to pass a detailed initial assessment and include clauses in contracts that safeguard government agencies and lessen their exit costs in the event of a significant change of ownership, control or operation of the provider.<\/p>\n

The higher Strategic certification includes all Assured requirements and adds a more stringent initial assessment and requires a guarantee the provider will not change strategic direction operation or ownership in a way which would \u201cadversely affect\u201d:<\/p>\n