ASD Certified Cloud Services
ASD has awarded ASD Certification to the listed cloud service providers for specified cloud services. ASD has issued the providers with a:
- Certification Letter outlining the details of the certification and describing the conditions of holding certification and when re-certification may be triggered.
- Certification Report which provides customers with an overview of the security aspects which should be considered prior to accreditation.
Australian Government agencies procuring these services are advised to request the ASD Certification Letter and Certification Report from the cloud service provider, and consider the ASD advice prior to awarding accreditation.
IRAP Security Assessments and ASD Certification are based on the Australian Government Information Security Manual. Australian Government agencies should review the ASD Cloud Computing Security documents, which describe security risk mitigations associated with cloud computing. In addition, Australian Government agencies must perform due diligence reviews of the legal, financial and privacy risks associated with procuring cloud services (which this certification does not include).
ASD Certified Cloud Services List (CCSL)
ASD broadly uses the US National Institute of Standards and Technology (NIST) cloud computing definition (PDF), which defines three service models for cloud computing. However, we will also include cloud computing services that have alternative billing models to those described by NIST.
|Cloud provider||Cloud service||Classification level|
|Sliced Tech||Gov Cloud Package||PROTECTED|
|Vault Systems||Gov Cloud Package||PROTECTED|
|Amazon Web Services||EBS, EC2, IAM, S3 and VPC||Unclassified DLM|
|Macquarie Telecom||GovZone (LAUNCH)||Unclassified DLM|
|Microsoft||Dynamics CRM Online||Unclassified DLM|
|Microsoft||Office 365||Unclassified DLM|
|Salesforce||PaaS, SaaS||Unclassified DLM|
|ServiceNow||ServiceNow SaaS||Unclassified DLM|
|Sliced Tech||IaaS||Unclassified DLM|
|Vault Systems||IaaS||Unclassified DLM|
Last updated September 2017.
Other cloud providers are currently going through ASD's certification process. If your organisation is considering a cloud service that is not on this list, please contact us.
- The Privacy Act 1988 defines legislative requirements for the handling of private information.
- The Archives Act 1983 regulates government record-keeping requirements.
- The Department of Finance provides the Whole-of-Government Cloud Services Panel (CSP), a non-mandatory procurement mechanism to enable Australian Government agencies to procure cloud services. The CSP lists cloud service providers who have negotiated a contractual head agreement with the Department of Finance for use by the whole of Australian Government.