Google and IBM have been cleared by the Digital Transformation Agency as approved cloud service suppliers under Australia’s data sovereignty scheme while dozens of other companies wait on authorisation. The agency has been forced to scale back the program as it comes into force this month.
The US giants are the most recent additions to the federal government’s Hosting Certification Framework (HCF), joining the likes of AWS, Microsoft, Oracle, and local companies Vault Cloud and AUCloud among the nine cloud providers now cleared.
Seven more companies have been certified Strategic as either data centre facility providers, service providers, or both.
The certified cohorts are outnumbered by dozens more companies which have applied for accreditation but are yet to be cleared by the Digital Transformation Agency (DTA).
Some are waiting a reported six months plus, with the apparent delay leading to the DTA introducing a last-minute exemption for government agencies to request use of providers that are not yet certified.
The exemption is needed because the HCF came into force this month after a yearlong grace period, mandating that agencies host all sensitive government data, whole-of-government systems and systems rated to a protected classification level with certified providers.
The scheme allows the government to specify and maintain stringent ownership and control conditions on the providers, and follows previous concerns within government about data sovereignty and risk exposure, including replatforming costs.
AThe highest Strategic level — which all the approved companies have obtained so far — guarantees that providers will cover all the government’s reasonable re-platforming costs if they breach the contract.
When introduced last year the scheme was criticised by parts of the industry because of potentially onerous requirements and a lack of transparency in the certification process.
For example, the largest cloud provider in the world Amazon Web Services was awarded strategic certification, which is understood to be based on undertakings it has with the DTA to eventually achieve full compliance.
An InnovationAus.com attempt to have details of the undertakings released under freedom of information laws was rejected. This came despite others in the industry publicly disclosing their certification undertakings to encourage transparency in the scheme.
As the scheme came in to force with a backlog of accreditation requests and a limited number of approved providers, the DTA scaled back the requirements of the scheme.
The HCF requirements now apply only to “all new and extensions to existing contracts for hosting services” and not all existing government contracts, as the DTA had previously stated.
And after warnings from the industry about the challenge of applying the HCF to software-as-a-service (SaaS) providers, the DTA has exempted SaaS and managed service providers from the HCF “until the next iteration of the policy is defined”.
