Higher security and risk management standards apply to government hosting service providers under the recently introduced Hosting Certification Framework.
As of 1 March 2021, Australian government agencies have been subject to the new Hosting Certification Framework (the Framework), requiring vendors providing them with hosting services to gain certification against a number of defined security, risk management and risk mitigation standards. The Framework will affect the way federal government agencies go to market – where they are entering into a procurement process or agreement that includes hosting services, agencies must specify their requirements for certification.
The Framework, a component of the Whole of Government Hosting Strategy and the government’s broader digital transformation strategy, is aimed at ensuring the secure management of government data and systems and at minimising supply chain risk and sovereign ownership risk in the data centres that hold them.
You may recall our earlier article from 2019 foreshadowing the rollout of the Framework - Long-awaited security certification introduced for data centres. In this piece, we look to dive a little deeper now that the Framework is in action.
Who is classified as a ‘hosting provider’?
Hosting providers primarily provide space in data centres for use by tenants, and supply the infrastructure and services needed to make this possible (e.g. electricity, climate control, real estate, cabinets, racks, security etc.). They may also provide telecommunications connectivity between data centres and customers.
Hosting providers, like any other businesses, vary in which areas of functionality they supply in-house and which they outsource. Under the Framework, however, the following core capabilities are subject to ownership and control provisions, and where a capability is not ultimately owned or controlled by the provider, the corresponding obligations may need to be flowed down the provider’s supply chain for the provider to achieve certification:
- Land ownership;
- Data Centre Facility Assets/Building Ownership;
- Core Infrastructure Ownership (generators, electrical power and management of climate control through cooling and ventilation);
- Physical Access Security; and
- Data Centre Facility Monitoring Systems.
The Framework applies not only to direct providers of data centre services to Australian Government customers; it also extends to other service providers that leverage hosting services, such as managed service providers, cloud service providers and systems integrators. However, the certification process will take place in phases, with providers on the Data Centre Facilities Supplies Panel initially able to apply.
Two tiers of certification
Hosting providers are able to be certified within two different categories:
1. ‘Certified Assured Hosting Provider’ (CAHP)
The CAHP level of certification is the lower of the two tiers, but it still requires a detailed initial assessment and the inclusion of contractual clauses aimed at safeguarding against a significant change of ownership, control or operation of the provider. The contractual provisions will also be targeted at reducing the transition costs of moving away from the data centre following a breach.
2. ‘Certified Strategic Hosting Provider’ (CSHP)
CSHP certification adds to the baseline CAHP requirements and provides the highest level of assurance. CSHP certification additionally requires:
- a more extensive initial assessment;
- guarantees from the provider that there will be no significant change in its strategic direction, operation or ownership which would adversely affect the level of confidence the Australian public has in the Commonwealth, or the Commonwealth's interests or the certainty of services for the life of the current government agreement(s);
- contractual clauses which will cover the full reasonable transition costs of moving away from the data centre due to a breach;
- compliance with a risk management framework;
- vetting of key personnel; and
- supply of remote-in support from locations that do not present a risk to the Commonwealth.
CSHP certified providers are also subject to more stringent ongoing reporting, review and change disclosure obligations.
What is the impact of certification?
While certification is clearly encouraged, a higher level of certification under the Framework does not guarantee that a vendor will win a tender or secure a contract, and a vendor is not prevented from providing services to an agency if it holds only the lower level of certification (provided this meets the needs of the agency). Moreover, an ‘uncertified’ provider (that is, a provider that is certified as neither a CAHP nor a CSHP) remains eligible to provide services in certain circumstances where a risk assessment determines it is appropriate. However, ‘uncertified’ providers may not host PROTECTED or whole of government systems – those systems must be hosted in a CSHP or CAHP data centre.
A helpful comparative guide has been provided as part of the framework and is reproduced below:
Source: Hosting Certification Framework, March 2021 – Table 4
Interaction with other regulatory frameworks
Interestingly, the Framework operates alongside a number of existing regulatory and policy instruments, such as the Australian Government Protective Security Policy Framework (PSPF), the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Foreign Acquisitions and Takeovers Act 1975 (FATA), and the Foreign Acquisitions and Takeovers Regulation 2015.
Take, for example, the Foreign Investment Review Board (FIRB). FIRB advises the government on foreign investment policy, and plays a large role in evaluating whether investment proposals are contrary to the national interest, considering matters such as national security and competition. By relying on the mandatory safeguards imposed under the Framework, government agencies are better placed to address such national security and competition issues themselves, particularly given the Framework’s focus on maintaining oversight of the ownership and control of hosting providers and their supply chains, and on managing the risk and cost of adverse changes.
As government agencies amass an ever-increasing store of data, and rely more heavily on hosting providers and their supply chains, additional requirements around strategic ownership and risk mitigation seem apt. Moreover, the Framework’s interoperability with other core security and procurement policies appears to make it a fit-for-purpose puzzle piece in the government’s overarching digital transformation strategy.
Currently, three providers have secured CSHP status under the Framework, being Australian Data Centres, Canberra Data Centres and Macquarie Telecom (Canberra Campus). The current timeline means that providers on the present Data Centre Facilities Supplies Panel are likely to gain certification ahead of other providers. However, care has been taken to ensure this does not prevent other providers from engaging in a market approach. Any provider that has registered its interest in certification is able to respond to a government RFT for a solution that includes hosting services at the certification level for which it has registered interest, and if down-selected, its certification may be expedited.
Written by Alexander Ryan, Stephanie Essey and Tim Gole.