Background:
- https://www.itnews.com.au/news/asd-scraps-cloud-security-certification-program-538820
- https://www.innovationaus.com/asd-closes-cyber-accreditation-program/
- https://www.dta.gov.au/news/joint-australian-signals-directorate-and-digital-transformation-agency-public-statement-independent-review-cscp-and-irap
Why the CSCP + CCSL existed:
- Make security and risk assessments more efficient by doing centralized vetting of cloud service providers, by our top intelligence agency (ASD)
- This eliminated the need for each federal government entity (of which there are 300+) to do their own risk assessment.
- This was meant to make it easier for big service providers (like AWS, Google, Microsoft) to sell into federal government.
This is how it worked:
- ASD did an IRAP assessment of a provider's services, using their own assessors.
- If the IRAP assessment was accepted by the CSCP, the services covered by that assessment would be made available on the CCSL.
- Government entities who bought services listed on the CCSL could opt to do less internal risk assessment work.
- They could then rely on the documentation generated from the IRAP assessment done by ASD.
- But fundamentally, they need to sign off and accept the risks themselves.
But there were some unintended consequences of the CCSL:
- ASD had a very high bar that providers had to climb to get onto the CCSL. From talking with folks at Amazon, there was a lot of frustration at ASD moving the goal posts.
- ASD didn’t have the capacity to assess and certify the huge volume of suppliers who wanted to sell into government. As a supplier, when you requested to be assessed by the CSCP, you got placed in a queue and had to wait your turn. Turnaround was measured in years, not months or days. Case in point: AWS’s certification to PROTECTED took them 4 years.
- ASD’s risk appetite != whole of government risk appetite. ASD have a defense pedigree, and look at the threat landscape through that lens. ASD do realize that federal government customers have different needs and threats to defense. The large government entities (ATO, DHS, DIBP) have much lower risk tolerance than the long tail of 300+ other government entities. ASD’s recommendations were often geared towards the big players, not the long tail.
- Government entities were fearful of using any provider not vetted by ASD. While there were no policies or regulations that said government entities could only use what ASD had rubber stamped, APS executive leadership is extremely risk averse. Execs would need to justify to their minister why they were doing something different to what our top spooks recommended.
So what are the actual changes?
- CSCP and CCSL no longer exist.
- Government entities need to engage with suppliers directly for doing their own IRAP assessments.
- ASD will continue investing in their IRAP program, and growing the number of available IRAP assessors.
- ASD will continue to publish guidance about what good security looks like for cloud.
- ASD are going to run “Consultative Forums” to get feedback from industry and government about specific topics, to inform that guidance. There’s near zero detail about what this will actually mean in practice. It could be events, it could be an RFP-style process, it could be “an app”. ASD have started setting expectations that it’s going to be a slow process (“ASD appreciates the patience of all stakeholders throughout the review process”).
What do these changes mean for industry?
- Smaller service providers have one less big hurdle – the CSCP + CCSL – they have to clear to sell into government. They can target specific entities with a risk appetite that matches their service offering. APS leadership have one less thing they can point to (the CCSL), to say why they can’t use a smaller provider that has a better offering.
- Larger service providers (like AWS, Microsoft, Google) will need to do more compliance work across more government entities. Each government entity has its own distinct culture and risk appetite. Big players will need an army of people to navigate the bespoke compliance hurdles of each government entity. One way to scale assessments is to create libraries of information they can reuse in IRAP assessments across multiple entities.
- There will be a high demand for IRAP assessors. If you want to make bank, become an IRAP assessor today!