Framework overview
The Hosting Certification Framework provides guidance to Australian Government customers enabling them to identify and source hosting services that meet enhanced privacy, sovereignty and security requirements.
Certification under the Framework ensures Service Providers are offering secure services to their Australian Government customers.
The Framework will continue to be iterated to ensure the Government’s commitment to data security can be met, and so Australians can have trust in government systems and the information they hold.
The Framework supports the Protective Security Policy Framework and the Information Security Manual.
View the Framework in detail below.
Benefits of the Framework
The Hosting Certification Framework aims to provide significant benefits to Australian Government customers and Service Providers by:
- ensuring hosting arrangements comply with data sovereignty, ownership structure, liability, supply chain and transparency arrangements as well as requirements set by the Australian Government
- reducing risks associated with data sovereignty, ownership and supply chain
- ensuring government hosting services are more efficient and cost-effective
- providing certainty on the Australian Government hosting operating environment for industry and entities.
Who it applies to
- Australian Government customers procuring hosting arrangements for sensitive government data, whole-of-government systems and systems rated at the classification level of PROTECTED.
- Service Providers that deliver hosting services to Australian Government customers, including the facilities that host government data, their systems and supply chains.
- The Hosting Certification Framework currently only applies to:
  - Data Centre Providers; and
  - Cloud Service Providers.
Implementation arrangements
- Hosting Certification Framework requirements apply to new contracts and extensions to existing contracts from 30 June 2022.
- Extensions to contracts with service providers awaiting certification are restricted to a maximum of 1 year, with the option of a 1-year extension.
- Where certification of a service provider is pending, entities may apply for an exemption by emailing hostingcertifications@homeaffairs.gov.au.
Certification levels
There are three levels of Certification:
- Strategic: represents the highest level of assurance and is only available to Service Providers that allow the government to specify ownership and control conditions.
  A Certified Strategic Service Provider offers additional protections to government compared with a Certified Assured Service Provider. These include increased security controls. Due to these additional protections, government customers with a high-risk profile or those seeking additional protections for their data may require the services of a Certified Strategic Service Provider.
- Assured: provides safeguards against change of ownership or control through financial penalties that are aimed at minimising the transition costs borne by the Commonwealth should a Service Provider alter their profile.
  Government customers with a low-risk profile and sensitive data, which has been deemed by the government customer to not need additional security protections, may seek the services of a Certified Assured Service Provider.
- Uncertified: offers minimal protections to government.
  Government customers may use the services of an Uncertified Service Provider to host non-sensitive data or where their internal risk assessment determines it appropriate to do so.
Identifying which level of Certification is required will be dependent on the government customer’s risk profile as well as the classification and sensitivity level of their data. It will also be subject to their internal risk assessment. Refer to PSPF Policy 9: Sensitive and classified information and PSPF Policy 15: Physical security for entity resources.
Background to the Framework
In March 2019, the Australian Government released the Whole-of-Government Hosting Strategy (Hosting Strategy), which sets out the principles and policy direction to ensure Service Providers host Australia’s data to the highest standards.
In March 2021, to operationalise the Hosting Strategy, the Hosting Certification Framework was released to assist Australian Government entities to effectively manage and secure their data. The Framework supports the Australian Government’s Protective Security Policy Framework and Information Security Manual and strengthens data security by ensuring the appropriate controls are in place to achieve greater assurance over the ownership, control, operations and supply chains of Service Providers.