Three Canberra data centres have been accredited to host sensitive Federal Government data under its new certification process.
The certifying authority, the Digital Transformation Agency, said the three providers were Australian Data Centres (ADC) in Mitchell, Canberra Data Centres (CDC) in Fyshwick, and Macquarie Telecom at Canberra Airport.
The DTA said these had been certified ‘strategic’ against the requirements of the Hosting Certification Framework, which was launched in 2019 and is designed to support the secure management of government systems and data and minimise supply chain and data centre ownership risks.
“The DTA is working with other providers who have requested certification and will make further announcements in due course,” a DTA spokesperson said.
The Minister responsible for whole-of-government data and digital policy, Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said the certifications represented significant progress in implementing improved protection and security for government-held data.
Mr Robert said all relevant government data under the Hosting Certification Framework must now be only be stored in either certified assured or certified strategic data centres.
“This includes all future and in-flight projects,” he said.
“The Hosting Certification Framework … strengthens the controls in place for hosting providers by increasing security provisions to protect privacy and improve the resilience of data infrastructure.”
Mr Robert said the Hosting Certification Framework positioned the Federal Government “as an exemplar in data protection and demonstrates our continued commitment to safeguarding the security and privacy protection of government-held data”.
“The Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” he said.
“This includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.”
Defence will remain an exception as it continues to host protected-level data in China-owned Global Switch’s Sydney-based data centre after removing all its top secret and secret data by May 2020.
The Global Switch facility, which the bulk of federal government agencies will leave by July 2022, is no longer approved on the government’s panel, and Defence is in the process of migrating the rest of its data over the next three to five years.
Defence chief information officer Stephen Pearson told Senate estimates recently that staggering the migration of its remaining data was a “risk-based decision”.
“We are the biggest holder of data in Global Switch, and the intent was to… take a progressive move out of Global Switch… to minimise the risk to operations,” he said.
Mr Person said Defence was confident that the DTA’s tier-one data centre providers would be able to host its data after the exit from Global Switch.
“We are looking to where we would put it, but … of the DTA’s list of tier one data centre providers, all of those would have capacity between them to be able to look after Defence,” he said.
“Because of the nature of where Global Switch is, we’ll have to not just take it out of one data centre, potentially, and put it into another one.
“Global Switch was a disaster recovery site for some other areas as well, so we can’t have all our data centres in one city, so we will split the capacity there and put it in different data centres.”
Direct providers on the government’s data centre panel were the first to become eligible to apply for certification under the framework in April, with the certification process running until December.
Data centre providers yet to be certified are NextDC, Fujitsu, Equinix, Datacom, Vocus, NTT, Datapod, iiNet, Hewlett Packard, iseek, Digital Sense and Frontier.
Other ‘indirect’ providers that host government systems and data, such as cloud service providers, can apply for certification under a second phase, expected in September.