The federal government has certified the first three data centre providers under its new hosting certification framework, with all protected-level data now expected to be stored in these facilities.
Employment minister Stuart Robert, who holds responsiblity for the government’s digital agenda, late on Friday revealed that the first providers had received the green tick, without disclosing their names.
A spokesperson for the Digital Transformation Agency told iTnews this week that three providers on the government’s data centre panel had been afforded the coveted ‘certified strategic’ tag.
‘Certified strategic hosting provider’ is the highest level assurance, and requires data centres and managed services providers to allow the government to specify ownership and control conditions.
The lesser certification is ‘certified assured hosting provider’ – the minimum buy-in for data centre and managed services providers wanting to host protected-level data or government-wide systems.
“Three providers have been certified strategic against the requirements defined in the hosting certification framework,” the DTA said.
“Those providers are Australian Data Centres (ADC), Canberra Data Centres (CDC) and Macquarie Telecom (Canberra Campus).
“The DTA is working with other providers who have requested certification and will make further announcements in due course.”
‘Direct’ providers on the government’s data centre panel were the first to become eligible to apply for certification under the framework in April, with the certification process to run between April and December.
Data centre providers yet to be certified are: NextDC, Fujitsu, Equinix, Datacom, Vocus, NTT, Datapod, iiNet, Hewlett Packard, iseek, Digital Sense and Frontier.
Other ‘indirect’ providers that host government systems and data such as cloud service providers will be able to apply for certification under a second phase, which is expected to take place in September 2021.
New data storage requirements come into effect
With the first providers now certified, Robert said “all relevant government data” for in-flight and future projects “must only be stored in either certified assured or certified strategic data centres.”
Under the hosting certification framework, relevant data is defined as protected-level data and data from whole-of-government systems.
Robert said the hosting certification framework positions the government as an exemplar in data protection, strengthening the controls to improve the resilience of data infrastructure.
“The… government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” he said.
“This includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.”
But the rules won’t extend to the Department of Defence, which continues to host protected-level data in Global Switch’s Sydney-based data centre.
The Global Switch facility, which the bulk of federal government agencies will leave by July 2022, is no longer approved on the government’s panel.
Defence removed all its top secret and secret data by May 2020.
Its chief information officer Stephen Pearson told senate estimates last week that staggering the migration of its remaining data was a “risk based decision”.
“We are the biggest holder of data in Global Switch, and the intent was to… take a progressive move out of Global Switch.. to minimise the risk to operations,” he said.
He said Defence was confident that the DTA’s tier one data centre providers will be able to host its data post-Global Switch.
“We are looking to where we would put it, but… of the DTA’s list of tier one data centre providers, all of those would have capacity between them to be able to look after Defence,” he said.
“Because of the nature of where Global Switch is, we’ll have to not just take it out of one data centre, potentially, and put it into another one.
“Global Switch was a disaster recovery site for some other areas as well, so we can’t have all our data centres in one city, so we will split the capacity there and put it in different data centres.”