Information Security Registered Assessors Program

ASD Certified Cloud Services

An IRAP assessment has been completed for these outsourced cloud computing services, and certification awarded by the Australian Signals Directorate (ASD). Australian government agencies contracting these services are advised to request the ASD Certification Letter and Report from the cloud services provider. This report should inform the accreditation decision by the agency, as detailed in the Australian Government Information Security Manual.

ASD broadly uses the US National Institute of Standards and Technology (NIST) cloud computing definition (PDF), which defines three service models for cloud computing. However, we will also include cloud computing services that have alternative billing models to those described by NIST. ASD Cloud Computing Security describes security risk mitigations associated with cloud computing. While ASD Certification will assist agencies to understand the information security risks when contracting cloud computing services, agencies are urged to perform due diligence reviews of the financial, privacy, data ownership, data sovereignty and legal risks associated with contracting cloud computing services.

Agencies must also ensure that the cloud computing service they wish to contract is certified to the classification level of the information the service will store, process and communicate.

ASD Certified Cloud Services List (CCSL)

Cloud provider Cloud service Classification level
Amazon Web Services EBS, EC2, S3 and VPC Unclassified DLM
Macquarie Telecom GovZone (LAUNCH) Unclassified DLM
Microsoft Azure Unclassified DLM
Microsoft Dynamics CRM Online Unclassified DLM
Microsoft Office 365 Unclassified DLM
Sliced Tech IaaS Unclassified DLM
Vault Systems IaaS Unclassified DLM

Other cloud computing services are currently going through ASD's certification process, which we aim to include on this list in the near future. If your organisation has contracted a cloud computing service, please contact us to ensure the service is going through this process. Please also contact us if your agency has already certified a cloud computing service for use in your agency and we will endeavour to incorporate that work into our process.

Why ASD Certification?

Every government agency contracting cloud computing services requires a security assessment and certification in order to achieve accreditation of any outsourced service. Agencies conducting this work in isolation would result in a significant resource burden and cost to both the Commonwealth and the cloud service provider. To reduce this burden, ASD is conducting certification activities for all government agencies to leverage.