Government Customers
All Australian Government data must be hosted with the appropriate level of privacy, sovereignty and security controls, in accordance with the Whole-of-Government Hosting Strategy.
From 30 June 2022, all new contracts, and extensions to existing contracts, for hosting services must be with a Certified Service Provider(s).
Extensions to contracts with service providers awaiting certification are restricted to a maximum of 1 year, with the option of a 1 year extension.
Where certification of a service provider is pending, entities may apply for an exemption by emailing hostingcertifications@homeaffairs.gov.au.
Australian Government entities continue to have the autonomy to select the best hosting arrangements to suit their requirements.
Certification Levels
The Hosting Certification Framework has three levels - Strategic, Assured and Uncertified.
The level of Certification required depends on a government customer’s risk profile and the classification and sensitivity level of their data, and is subject to an internal risk assessment.
Cybercrime remains one of the most prevalent risks facing the world today. It continues to represent a current and emerging threat to national security and the digital economy as opportunistic cybercriminals take advantage of the systemic global instability caused by the COVID-19 pandemic.
Uplifting the protections for government data is of the utmost importance. It is therefore anticipated that most Australian Government entities may seek hosting services at the Certified Strategic level.
Strategic
Strategic Certification represents the highest level of assurance to Australian Government customers and offers the most secure storage solutions for Government held data.
Certified Strategic Service Providers allow the Australian Government to specify ownership and control conditions.
Assured
Assured Certification provides Australian Government customers with safeguards, through financial penalties, against a Service Provider undertaking significant changes to its ownership, controls and operations which may increase the risk profile of its government customers.
Compared to Strategic Certification, Assured Certification has:
- lower financial penalties for transition costs should the Service Provider breach Certification
- fewer reporting requirements to the Certifying Authority.
Government customers with a low-risk profile, and with data that the government customer has deemed not to require additional security protections, may seek the services of a Certified Assured Service Provider.
Uncertified
Uncertified offers minimal protections to Australian Government customers.
Government customers may use the services of an Uncertified Service Provider to host non-sensitive data, or where their internal risk assessment determines it appropriate to do so.
The right level of certification
The right level of Certification for the Service Provider depends on the government customer’s risk profile and the classification and sensitivity level of the data to be hosted, and is subject to an internal risk assessment.
What is a Certificate of Hosting Certification?
A Certificate of Hosting Certification is the official document issued by the Certifying Authority indicating that a Service Provider’s service(s) has been certified under the Hosting Certification Framework.
Certification is granted to a Service Provider and its nominated services after undertaking the formal assessment process and successfully meeting the requirements of the Hosting Certification Framework for one of two levels, Assured Certification or the highest level of Strategic Certification.
Certificates are accompanied by corresponding Certification IDs for each nominated service. Certification IDs are used during the procurement stage to help government customers verify that the service(s) being sought are certified, and to the level required (Assured or Strategic).
Procurement process steps
Government Customers frequently asked questions
-
Procurement activities should include specific hosting requirements such as:
- Specifying the level of Certified Service Provider required. This is dependent upon the government customer’s risk profile, the classification and sensitivity level of the data to be hosted and is subject to an internal Risk Assessment.
- Requesting Service Providers include within their submission the Certification ID of the service being procured. The Certification ID will indicate that a specific hosting service has been assessed and has been certified to a specific level. To confirm the Certification ID(s) submitted by Service Providers, contact the Certifying Authority by emailing hostingcertifications@homeaffairs.gov.au.
-
From 30 June 2022, all new contracts, and extensions to existing contracts, for hosting services should be with a Certified Service Provider(s).
Extensions to contracts with service providers awaiting certification are restricted to a maximum of 1 year, with the option of a 1 year extension.
Where certification of a service provider is pending, entities may apply for an exemption by emailing hostingcertifications@homeaffairs.gov.au.
Government customers seeking to procure services from a Service Provider that is not currently certified should contact the Hosting team at hostingcertifications@homeaffairs.gov.au for advice on identifying and sourcing an appropriate Service Provider.
-
The Hosting team can assist you and your preferred Service Provider to navigate the Certification process.
Government customers wishing to procure hosting services from a Service Provider not currently certified should ensure the contract award is conditional on the preferred Service Provider achieving the required level of Certification.
You can contact the Hosting Team by emailing hostingcertifications@homeaffairs.gov.au. The team may provide the following assistance:
- Confirm if the Service Provider has registered for Certification.
- Provide advice on identifying and sourcing an appropriate Service Provider.
-
The length of time to complete the Certification Assessment process will differ according to each Service Provider’s circumstances. For example:
- size and number of third parties
- cooperation with the process and ability to provide the relevant documentation.
Assessments may take on average between 3 and 6 months to complete.
-
A Certification does not expire but it does require ongoing maintenance. To maintain Certification, a Service Provider must:
- report on any potential or upcoming Relevant Change that may adversely affect the Commonwealth
- complete a Service Provider contract form biannually
- undertake a Certification review annually
- maintain compliance with the Hosting Certification Framework’s minimum mandatory requirements.