DTA will outsource the hosting of certification assessments as the backlog grows

Hosting Service Provider Reviews against the Hosting Certification Framework (HCF) have been partially outsourced by the Digital Transformation Agency as the certification backlog for the data sovereignty scheme continues to grow.

The move raises further questions about the integrity of the HCF, which was introduced just last year to allay concerns within the government about data sovereignty and risk exposure, including future replatforming costs.

The government’s digital advisor brought in boutique Canberra-based professional services firm Anchoram Consulting late last month to provide “hosting certification reviews” for $1.8 million over the next year.

According to the tender documents, the company will work “as part of a multidisciplinary team led by the DTA” to evaluate hosting service providers against sovereignty requirements.

The contract, which runs between September 26, 2022 and September 25, 2022, requires Anchoram Consulting to also provide “ongoing vendor evaluation,” “vendor engagement assistance,” and “written analysis and evaluation reports.”

Lucy Poole, general manager of digital strategy, architecture and discovery, told InnovationAus.com the company will “support the evaluation of a range of vendors, including small and medium-sized enterprises” (SMEs), but stressed that the DTA will still be the body that approves all certifications.

“Anchoram Consulting [will] enable the DTA to continue to deliver significant security and economic benefits to Australia by strengthening Australia’s hosting protections and giving SMEs an equal opportunity to provide secure hosting services,” she said.

When asked whether using outside consultants to assess hosting service providers against the HCF’s privacy, sovereignty and security requirements jeopardizes the programme’s intent, Ms Poole said “no”.

However, industry insiders believe that using consultants to evaluate applications can only skew the outcome and compound transparency concerns highlighted by Amazon Web Services’ certification last year.

The decision to bring in outside consultants to assess applications follows revelations of a backlog of HCF certification at the DTA, with dozens of data center and cloud service providers waiting months for approval.

It has created a situation where government agencies must apply for exemptions for those providers who have not yet received certification for “all new and renewals of existing hosting service contracts”.

Beginning in July, government agencies will be required to host all sensitive government data, government systems, and systems with protected classification levels only with Certified Strategic or Certified Assured vendors.

Ms Poole revealed the backlog in the number of unapproved applications had risen to 33 from 29 in July but declined to confirm whether that had an impact on the latest contract. The number of exemptions for agencies is now three, up from one in July.

The providers that have been certified as “Certified Strategic” since July include Google Cloud, the data centre providers iseek and Digital Realty and, most recently, the medical IT managed services provider Medihost Solutions and the document sharing provider Secure Collaboration.

Certified Strategic is the highest level of security within the framework, which requires vendors to allow the government to set ownership and control conditions, while Certified Assured provides protection when ownership controls or operations change.

The certification process continues to take an average of three to six months, with the timeframe varying “depending on the circumstances and each service provider’s registration request,” Ms Poole said, citing the level of cooperation and the number of services being assessed as factors.

The oldest application – which was “on hold at the request of the provider” – is 16 months old. The DTA completed its evaluation of the vendor in three months, but the vendor has been “working through legal complexities related to its launch environment since November.”

With the HCF now 18 months old, the DTA is turning its attention to the second iteration and has already engaged Canberra-based consultancy Evolve&Amplify to work on reforming the system, including developing cost recovery plans, at a cost of $1.4 million.

The HCF 2.0 is expected to apply not only to data center and cloud service providers, but also to software-as-a-service providers and managed service providers, which were exempted from the rule earlier this year.

A virtual briefing is scheduled for later this month where the agency will discuss “considerations for the next iteration of the HCF” and related activities with government agencies and industry.

Do you know more? Contact James Riley via email.