The minister responsible for whole-of-government data and digital policy Stuart Robert late on Friday announced "significant progress in implementing improved protection and security for government held data", saying the first bunch of providers had been certified to store sensitive data locally.
Offering further information, the Digital Transformation Agency disclosed the three providers are Australian Data Centres (ADC), Canberra Data Centres (CDC), and Macquarie Telecom's Canberra Campus.
The DTA said the trio of providers have been certified against the requirements defined in the Hosting Certification Framework, which it has administered since March 2019.
"The DTA is working with other providers who have requested certification and will make further announcements in due course," a DTA spokesperson told ZDNet.
Robert declared from last Friday, all relevant government data under the Hosting Certification Framework must be only be stored in either certified assured or certified strategic data centres.
"This includes all future and in-flight projects," Robert, who is actually the Minister for Employment, Workforce, Skills, Small and Family Business, added in a statement.
"The Hosting Certification Framework … strengthens the controls in place for hosting providers by increasing security provisions to protect privacy and improve resilience of data infrastructure."
The DTA is the government's certifying authority for the Hosting Certification Framework.
The framework aims to operationalise the principles outlined in the whole-of-government Hosting Strategy, and to support the secure management of government systems and data.
"The framework will assist agencies to mitigate against supply chain and data centre ownership risks, and enable them to identify and source appropriate hosting and related services," the DTA claims.
According to Robert, who has previously confused legitimate website traffic for a distributed denial of service (DDoS) attack, the Hosting Certification Framework positions the federal government "as an exemplar in data protection and demonstrates our continued commitment to safeguarding the security and privacy protection of government held data".
"The Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government," he claims. "This includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers."
The Australian Signals Directorate (ASD) shuttered the government's cloud certification program in July, after an independent review recommended for the system be reworked. ASD cloud services certifications, and consequently all services listed on the Certified Cloud Services List, became void.
In its place is the Cloud Security Guidance, which aims to guide organisations including government, cloud service providers, and Information Security Registered Assessors Program assessors on how to perform a "comprehensive assessment of a cloud service provider and its cloud services so a risk-informed decision can be made about its suitability to handle an organisation's data".