There is no doubt that malicious cyber activity in Australia is growing in intensity, scale, complexity, sophistication and severity, and the risk of compromise of data and systems within government is rapidly growing.

Governments use and store massive amounts of data about people, businesses and other organisations, and run literally thousands of technical systems on hundreds of different technologies and locations. Knowing who has access to these essential and sensitive resources is vital to keeping them safe and secure.

We have evolved in our use of digital way beyond our beginnings of highly secure IT infrastructure in government-owned and managed facilities locked away from the outside world. Today, it is likely that the online government service that you are using is run from a private business under contract to government.

Through the Hosting Certification Framework (HCF), the DTA makes sure it has visibility and oversight of where Commonwealth data is stored. This will avoid scenarios where, say, a private data centre business that hosts the technology solution – for example, for our border-management system – operates without any physical or cyber security controls to prevent access to the data they host.

Let’s take this scenario another step – what if that same hosting business had good physical and cyber security but used a supplier, say a data storage infrastructure supplier, that did not? To avoid this scenario, service providers that are certified under the HCF are required to comply with a range of physical and cyber security controls, including for their supply chains.

Let’s now go to the extreme. What if this fictious data centre business in our example was sold to another company that had an ownership structure that was counter to Australia’s best interests? The HCF makes sure government is notified and customers are involved in providing informed consent for something like this, as well as providing controls to avoid the costs of moving our data and technology solutions to a different provider.

The HCF was established in 2021. However, we began our work much earlier.

A hosting strategy for government

In 2019 the DTA launched the Whole-of-Government Hosting Strategy. The DTA achieved this milestone in an environment of significant and ongoing change across government. One of these changes was a decline in the use of onsite facilities to host data.

As digital services continued to exponentially grow, government agencies increasingly moved their expanding data holdings to offsite data centres. Over the last 10 years, data centre and cloud growth in Australia has accelerated dramatically, with nearly 300 data centres around the country capable of hosting government data today.

The Whole-of-Government Hosting Strategy provides clear guidance to those entrusted with government-held data to ensure the protection of this highly valuable asset and the security of information.

A certification framework for storing government data

The HCF is the key plank of the Whole-of-Government Hosting Strategy, administered by the DTA. Under the HCF, providers of data-hosting services are ‘certified’ by the DTA after a stringent assessment to ensure their practices comply with the data-protection, ownership-structure, transparency, privacy and security requirements set by government.

Government agencies can then more confidently store their data in an externally hosted environment with a particular provider (or providers), knowing they have been certified under the HCF.

Mid-last year the HCF was incorporated in the Protective Security Policy Framework, which made policy requirements clearer and aligned them with other protective security policies. It is compulsory for Australian Government agencies looking to store sensitive and/or classified information to use a strategic-level HCF-certified provider (‘strategic’ being the highest level of assurance under the HCF).

Since it was released, the HCF has provided safety and security benefits to government through significantly reducing risks associated with hosting data and facilitated more efficient and cost-effective procurement of hosting services across government. This includes a reduction in ‘regulatory burden’ (or cutting the red tape), and an increase in buying power because of whole-of-government agreements.

To date, 22 providers have received certification under the HCF, with more providers in the pipeline.

DTA – continuously improving

The HCF has the potential to deliver even more benefits. The policy is approaching its second anniversary and to ensure it keeps pace with emerging threats and changes in technology, is being reviewed and reformed this year.

The next iteration will continue to focus on protecting and securing government data. However, new topics being explored include:

• arrangements to accelerate the certification process for providers
• more information for current and potential providers about government requirements
• engaging with state and territory governments about leveraging the HCF
• including certification of functions such as Software as a Service (SaaS) and Managed Service Providers (MSPs).

Industry sellers and government buyers are encouraged to participate in this review by completing the survey on the DTA’s digital consultation platform.

You can visit the DTA’s Hosting Certification Framework website for more information on the program including the consultation process being undertaken on the HCF policy reforms.

Email us if you have a suggestion for improving the Hosting Certification Framework.