A cut-down version of the government data hosting rules that currently apply to data centres and cloud storage will be extended to cloud software and third-party IT services under the second iteration of the Hosting Certification Framework.
The proposed carve-out for software-as-a-service and managed service providers comes as the Department of Home Affairs continues a review of the federal government scheme that has now been underway for more than 18 months.
Introduced in March 2021, the Hosting Certification Framework (HCF) requires data centre and cloud services providers wanting to host sensitive government data and systems be rated to a protected classification level to meet stringent control conditions.
Certified strategic, the highest level of assurance under the framework, requires providers to allow the government to specify ownership and control conditions, while certified assured offers safeguards if ownership controls or operations change.
While the HCF was originally intended to apply to SaaS providers and managed service providers from July 2022, a last-minute change before the scheme came into effect in July 2022 saw those providers exempted.
At the time, the Digital Transformation Agency said the HCF requirements would not apply to those providers in the same way that they do to cloud services and data centres “until the next iteration of the policy is defined”.
But, in an apparent about-face, the Department of Home Affairs, which assumed responsibility for the HCF in a reshuffle last year, no longer plans to apply the framework to SaaS and managed services providers in full.
“Home Affairs does not intend to apply the current model of the HCF to SaaS providers and managed service providers,” a departmental spokesperson told InnovationAus.com.
“As part of the review, Home Affairs is consulting broadly to understand what principles within the HCF can apply to SaaS providers and managed service providers and how best to apply those principles.”
Other opportunities to “improve the framework and increase its value to both the Australian government and Industry, as a mechanism to protect sensitive and classified Australian government data” have been identified, however.
Home Affairs has also consulted with industry groups and organisations “on how best to resource the HCF to support timely review of applications under HCF” after a backlog emerged early on in the scheme.
In October 2022, the number of unapproved applications from data centre and cloud services providers sat at 33, up from 29 in June 2022, which prompted the DTA to grant last-minute hosting exemptions to agencies.
Since then, only one cloud services provider, Brisbane-based managed services provider Emantra, has been certified under the HCF. Home Affairs declined to provide the updated number of unapproved applications when asked.
Despite the lack of new entrants to the scheme, Home Affairs has continued to partially outsource the assessment of providers to Canberra-based boutique professional services firm Anchoram Consulting.
Anchoram Consulting began providing hosting certification assessment in September 2022, when it landed a $1.8 million contract with the DTA. That contract, which was transferred to Home Affairs, expired this week.
Home Affairs last week approached the market for a follow-on “hosting certification assessments capability”, with the successful tenderer to conduct assessment of hosting service providers and deliver “evidence-based reports on certification assessments” from July.
InnovationAus.com also understands that during consultation on HCF 2.0, some hyperscalers have been receptive to another status with the HCF that recognises and clarifies the issues of sovereignty for customers.
Prompted by a growing web of regulations, Microsoft and Amazon Web Services last year launched sovereign cloud services in Europe, allowing customers to store and process personal data within the bloc.
The spokesperson would not say whether the department is considering adding a third layer to the HCF for sovereign data centre and cloud service providers, as has been recommended by local cloud suppliers like Vault Cloud and AUCloud.