Information Security Registered Assessors Program

On Monday, 2 March 2020 the Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA) announced the results of the review of the Cloud Services Certification Program (CSCP) and Information Security Registered Assessors Program (IRAP). The review made the following recommendations:

• Close the CSCP and create new co-designed cloud security guidelines with industry
• Grow and enhance IRAP
• Establish Government and Industry Consultative Forums for cyber security
• Update incentives in Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP

As of March 2, 2020, the ASD is no longer be the Certification Authority and has ceased all certification activities, including re-certification activities. All ASD certifications and re-certification letters will be void from July 27, 2020 and the Australian government Information Security Manual (ISM) has been updated to remove the requirement to select cloud services from the Certified Cloud Services List (CCSL).

Under the Australian government Secure Cloud Strategy, Commonwealth agencies are able to self assess cloud services using practices already used to assess ICT systems.

What now:

On July 27, 2020, the Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) released new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry. AWS continues to undertake IRAP assessments to maintain currency of the assessment and to onboard new services. Commonwealth entities will continue to be responsible for their own assurance and risk management activities. In accordance with the Australian government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess ICT systems. ASD will enhance existing cloud security guidance through the development of co-designed guidelines with industry. These guidelines will further aid Commonwealth entities and Australian businesses to increase their cyber security and resilience.

To date, ASD has developed a number of useful guides for organisations to undertake the appropriate security assessments in relation to cloud services. It is recommended that any assessment clearly addresses the security controls in the ISM, and ASD cloud security guidance, including:

• Cloud Computing Security Considerations and
• Cloud Computing Security for Tenants.

The DTA continues to encourage Commonwealth agencies to use the Australian government Secure Cloud Strategy to support their adoption of cloud services.

In support of our Australian government customers, we provide a package of security guidance and documentation to enhance your understanding of security and compliance while using AWS. AWS provides the following publicly available material:

• Using AWS in the context of Australian Privacy Considerations
• New Quick Start deploys the Compliance IRAP PROTECTED Reference Architecture on the AWS Cloud

You can access the IRAP PROTECTED pack via AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console or learn more at Getting Started with AWS Artifact. This information provides the ability to plan, architect, and self-assess systems built in AWS under the Australian government Secure Cloud Strategy. This pack gives public sector customers everything needed to evaluate AWS at the PROTECTED level and helps individual agencies simplify the process of adopting AWS services. Documentation in the pack include:

• Assessment Letter;
• Cloud Assessment Report;
• Cloud Security Controls Matrix;
• Reference Architecture; and
• Consumer Guide.

Additional reports are available under NDA (as required) that evaluate and test controls implemented by AWS infrastructure and which are available under NDA (as required):

• Service Organisation Controls 1 (SOC1) Type II Report;
• Service Organisation Controls 2 (SOC2) Type II Report;
• ISO 27001 Certificate and Statement of Applicability; and
• PCI Attestation of Compliance and PCI Responsibility Summary.

A Quick Start is available for users who want to create cloud-based workloads that use AWS controls meeting the ISM requirements for sensitive government data handling at the PROTECTED classification level. It automatically deploys the IRAP PROTECTED Reference Architecture on the AWS Cloud in about an hour. The Reference Architecture demonstrates how multiple AWS services are brought together to support a multi-tier web application with associated security and management services that meet ISM PROTECTED requirements. While this solution implements many of the controls that are outlined in the IRAP PROTECTED Reference Architecture, not all of the recommended controls are included in this Quick Start. Remember to follow the guidance in the IRAP PROTECTED package, available on AWS Artifact, before using this solution to store PROTECTED data.

For more information about the additional reports, see the AWS Compliance programs.

For more information, see the IRAP webpage on the ACSC website.

IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of Australian Government information security compliance requirements.

The Australian government Information Security Manual (ISM) outlines a cyber security framework that organisations can apply to protect their information and communication technology (ICT) systems from cyber threats. It complements the Protective Security Policy Framework (PSPF) produced by the Australian government Attorney-General’s department. The ISM and the PSPF provide guidelines and obligations for Commonwealth agencies in implementing appropriate controls in an ICT environment. In addition, Commonwealth agencies should consider relevant guidance published specifically by or for them.

In 2017, the Digital Transformation Agency (DTA) worked with other government bodies and industry to develop the Secure Cloud Strategy. The strategy focuses on helping government agencies use cloud technology.

The ISM is published by the Australian Cyber Security Centre (ACSC), the Australian government’s lead organisation on national cyber security and a part of the Australian Signals Directorate (ASD).

For more about ACSC’s role in promoting and improving Australian cyber security, see the Cyber Security webpage on the ASD website or the ACSC website.

Yes, AWS Cloud services have been assessed by an independent IRAP assessor against applicable ISM controls. The assessment examined the security controls of Amazon’s people, process, and technology. This assessment provides assurance that in respect of these products AWS has in place the applicable controls required for Australian government workloads at the PROTECTED level. For more information, you can also go to AWS Artifact to access the IRAP PROTECTED pack from the most recent assessment.

The IRAP assessment covers in-scope services in the AWS Sydney and Melbourne Regions. The covered AWS services that are in scope for the IRAP assessment can be found on the AWS Services in Scope by Compliance Program webpage.

Yes, subject to compliance with applicable regulations, policies and guidelines that govern your use of cloud services. If a service you want to use is not listed on the AWS Services in Scope by Compliance Program webpage, you can evaluate your workloads for suitability with other AWS services.