The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have revealed there are currently seven cloud providers undertaking certification that would allow them to provide cloud services to federal government entities.
In response to a question taken on notice by Australia's Cyber Coordinator Alastair MacGibbon from Senate Estimates in May, the ASD and ACSC also said there are 10 companies waiting for certification to commence, having already completed the Information Security Registered Assessor Program (IRAP) Security Assessments, as well as a further 12 companies conducting IRAP assessments before starting the certification process.
Currently, there are 18 secure clouds, from 11 vendors, on the ASD's Certified Cloud Services List (CCSL).
The CCSL comprises clouds certified at the unclassified dissemination limiting marker (DLM) level and at the protected level, which is currently the highest security level approved by the ASD.
NTT-owned Dimension Data was then accredited to provide protected-level cloud services to Australian government entities, despite being an international company and one with datacentres outside of the country.
Microsoft was the fifth and final vendor to appear on the CCSL in a protected capacity, receiving accreditation in April for its "government-configured" clouds to be used for Australian government data classified up to that level. But unlike all previous such certifications, Microsoft's certifications were provisional, and came with what the ASD called "consumer guides".
The questions asked of MacGibbon by the committee were in response to concerns over the legitimacy of Microsoft's accreditation. During Estimates he was asked if there had been any negative feedback received regarding Microsoft's accreditation.
"There'd be some suppliers, I'm sure, that don't like the thought of another supplier in a marketplace, and there'd be some who think it's a really good idea. I'm sure a lot of government departments think it's fantastic," MacGibbon said at the time.
After initially taking the question on notice, the ACSC has since confirmed it had received written and verbal feedback on the Microsoft decision via its general advice and assistance mechanism.
"This feedback largely comes from government and industry representatives," the ACSC wrote. "Overwhelmingly the questions posed sought clarification on technical aspects of the decision, particularly around security controls."
In May, MacGibbon defended the government's decision to grant Microsoft conditional protected-level certification, saying he was confident the data on Australians is safe in the hands of Microsoft, despite the Washington-headquartered company having staff scattered around the globe.
It was reported last week that the ASD executive who declined to sign off on Microsoft's Azure and Office365 cloud services being granted the highest certification has since left the agency.
The certifications were subsequently signed off by MacGibbon.