The Australian Government releases its new Cloud Computing Policy - moving from 'may' to 'must'
The Commonwealth Government released its updated cloud computing policy - Australian Government Cloud Computing Policy – Smarter ICT Investment, Version 3.0 October 2014.
The Commonwealth Government has released its updated cloud computing policy, Australian Government Cloud Computing Policy – Smarter ICT Investment, Version 3.0 October 2014 (Policy).
The Policy sets out the Commonwealth's new 'cloud first' policy and is intended to stimulate the take up of cloud computing1 by Commonwealth government agencies.
Under the Policy, 'non-corporate' Commonwealth entities (such as government departments and most other Commonwealth agencies, but excluding Commonwealth bodies corporate) are required to replace any existing information communication and technology (ICT) services with cloud based services where such services:
- are fit for purpose
- offer the best value for money (as defined by the Commonwealth Procurement Rules)
- provide adequate management of risks to information and to ICT assets (as required by the Commonwealth's Protective Security Policy Framework (PSPF)).
The Policy marks a further step from the 'may choose' language of 2011's Australian Government Cloud Computing Strategic Direction paper and the 'explicit obligation to consider' in last year's Australian Government Cloud Computing Policy to a 'must adopt'2 stance, subject to the considerations referred to above.
The Policy's goal is to drive the use of cloud ICT services in the Commonwealth public sector to 'reduce costs, lift productivity and develop better services'. The Policy requires non-corporate Commonwealth entities to:
- use ICT refresh trigger points (including planned system implementations and upgrades) as opportunities to evaluate cloud services
- adopt public cloud services for testing and development needs and for hosting public facing websites
- evaluate private, community, public or hybrid cloud services for operational systems as defined by information requirements
- consider opportunities to develop/adopt cross entity or portfolio cloud services and/or build on initiatives established by other entities
- comply with relevant legislative and regulatory requirements and select cloud services commensurate with the requirements of the information
- update the Agency Solutions Database after acquiring a cloud service
- use the extensive existing Australian Government guidance on ICT (including the Australian Government strategies, policies, better practice guides and frameworks for ICT) to assist in the evaluation of cloud based ICT options.
What are the implications for Commonwealth entities that are not 'non-corporate entities' as specifically covered by the Policy? We would suggest such entities should consider whether they have any opportunity to comply with the Policy, even if not explicitly required by the Policy to do so. Similarly, Commonwealth funded entities, such as tertiary education institutions, might consider whether it would be expedient to examine opportunities to align themselves with the Policy's objectives.
With this new Policy the Commonwealth is declaring its intent and desire to drive the adoption of cloud computing at the Commonwealth level. The Policy expresses the view that there is much room for increased take up of and expenditure on cloud computing by Commonwealth agencies. The Commonwealth cites statistics showing cloud procurements through AusTender since July 2010 have totalled approximately $4.7 million, a small proportion of the approximately $6 billion that the Commonwealth spends on ICT annually.
Accordingly, the new Policy potentially represents a significant opportunity for the providers of ICT services, so long as they and their potential customers can clear the 'fit for purpose' and PSPF hurdles.
As with the 2013 policy, the new Policy sets out some actions for the Attorney General's Department and the Departments of Finance and Communications, to continue driving the cloud agenda, to be implemented over 2014/2015.
1. Note the Commonwealth has adopted the US Government's National Institute of Standards and Technology definition of "Cloud Computing" – see page 8 of the Policy
2. See the Foreword to the Policy from the Minister for Finance and the Minister for Communications.
Managing climate change-related risks in the financial system
By Patrick Ibbotson & Jessica Dorricott
Risks posed by climate change to the stability of the US financial system.
GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clauses – implications for Australian organisations
Impacts for Australian entities who are either directly subject to the GDPR or receiving personal data from the EEA.
What is in a name? The disclosure of public servants’ names and contact details under FOI
The OAIC has issued a position paper on the disclosure of public servants’ names and contact details in documents.