ISM Compliance IRAP Program

I'd like information about IRAP in the Cloud

IRAP Compliance

Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging cloud services. AWS recognises that customers rely upon the secure delivery of the AWS infrastructure and the importance of having features that enable the customer to create more secure environments. AWS enables customers to meet these objectives by prioritising security in the delivery of its services through the establishment of a robust control environment and making available for use a wide range of security services and features. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services and provide improved security outcomes for the Australian Government.

The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the needs of the Australian Signals Directorate (ASD) Information Security Manual (ISM).

An independent IRAP assessor examined the controls of AWS’s people, process, and technology to ensure they address the needs of the ISM. This assessment and Letter of Compliance is the basis on which a Certification Authority gains assurance to certify AWS infrastructure and provide a recommendation to the Accreditation Authority for appropriate use of the platform.

An agency accreditation is the culmination of an IRAP assessment and formal certification by the ASD operating as the Certification Authority for the Australian Government. This certification provides assurance that AWS has in place the applicable controls of the ASD’s ISM and is the immediate precursor in accrediting AWS for Australian government workloads.

This certification will remove significant burden from individual agencies or their commercial partners having to perform assessments and certifications of the cloud platform for their workloads and instead allows them to focus on their system’s accreditation processes.

AWS is a key partner for Healthdirect Australia. ISM compliance means that we can more securely provide all Australians with access to the right advice on the appropriate care for their health issue, where and when they need it. »

With ongoing funding from CSIRO, the We Feel team is now using AWS to analyze hundreds of millions of tweets before publishing the outcomes on its website. The result is groundbreaking insight into the emotional state of a large and demographically diverse population. Visitors to the website are able to drill into the results by gender, location, and emotional quality. There are currently six primary emotional categories – from joy to fear – with subcategories for more nuanced emotional states, like optimism and nervousness. »

“The scalability of AWS has been enormously helpful,” says Associate Professor Vinsen. “I can add more capacity as I need it with minimal fuss. Using AWS allows us to process upwards of 150 GB of sky images and store more than 400 GB of imaging data every month.” »

"All it would take is to have one popular course and we could see anything upwards of 100,000 people accessing the system. Using AWS, we’re prepared to accommodate that kind of increase.” »

"It is not just about infrastructure by the hour. It is about a whole new way of working that really fits in with our new continuous-delivery approach." »

How do I secure my data on AWS?

AWS provides customers a wide range of security functionality to protect their data in accordance with ASD’s ISM controls, agency guidelines and policies. We are continually iterating on the security tools we provide our customers, and regularly release enhancements to existing security functionality. Additionally, we provide a wide variety of whitepapers, online documentation and security videos for our customers. Our global whitepapers have recommendations for securing your data that are just as applicable to Australian government AWS workloads.

How do I consume AWS's IRAP security documentation and guidance?

How do I consume AWS ‘s IRAP security documentation and guidance?

Australian government customers can leverage our ASD certification and our independent IRAP Assessors Letter of Compliance in order to accelerate their certification and accreditation objectives.

In support of our Australian government customers, we provide a package of security guidance and documentation to enhance their understanding of security and compliance while using AWS as a certified cloud services supplier.

In particular, specific to assessing AWS infrastructure by an IRAP against ISM we provide under NDA (as required) to government organisations or their partners:

- IRAP Report on AWS compliance to the ISM

- ASD Certification Letter of the AWS Infrastructure platform

- IRAP ISM Letter of Compliance

- Control Implementation Summary

Additional reports that are available that evaluate and test controls implemented by AWS Infrastructure and which are available under NDA (as required):

- Service Organisation Controls 1 (SOC1) Type II Report

- Service Organisation Controls 2 (SOC2) Type II Report

- ISO 27001 Certificate & Statement of Applicability

- PCI Attestation of Compliance and PCI Responsibility Summary

To find out more information about the additional reports see the AWS Compliance FAQs.

To request access to AWS’ security documentation as it pertains to Australian Government customers, or contractors conducting business with the Australian government, please contact AWS Sales and Business Development or send an email to awscompliance@amazon.com.

Why do I need an IRAP accredited assessor?

An IRAP assessor is the only individual accredited as qualified to perform an assessment of an ICT system against the Australian Government ISM and describes areas of compliance and non-compliance, describes residual risks and remediation actions and provides recommendations to a Certification Authority on certification.

What are the available IRAP packages and documents that we provide to our customers?

Document Control	Documentation	Federal Agency Package	SLED Package	AWS Partner
DRM	IRAP Report Stage 2	X
DRM	ASD Certification Report	X
Public	ASD Certification Letter	X	X	X
Public	IRAP ISM Letter of Compliance	X	X	X
DRM	Control Implementation Summary	X	X	X

What Compliance Package Do I Need?

Federal Agency Package is requested by Federal government employees or government-authorised contractors who need to conduct a formal accreditation based on the ASD certification and to understand further how AWS addresses the applicable ISM controls.
SLED package is for State or Local government and Government Educational organisations that rely on the federal government and Protective Security Policy Framework (PSPF) for information security and risk management guidance.
AWS Partner package is for those partners looking to build applications on top of AWS for federal government consumption and need clarity on what controls they inherit and what controls they are responsible for.

How are these documents distributed?

· Public documents - are delivered via email or made publicly available on this site.

· NDA documents are emailed as password protected attachments within Adobe pdfs once a NDA has been confirmed as signed. This requires Adobe Reader 9.0 or later to access.

· DRM documents are strictly controlled using digital rights management from Adobe LiveCycle manager and require Adobe Reader 9.0 or later to open. Typically they prevent copying of content and are viewable for a defined period of time to only those individuals who require them.

What are the access requirements for these documents?

All packages require appropriate NDAs between the organisation and AWS. Requests made by contractors conducting security assessments for accreditations on behalf of federal government agencies or SLEDs will also require written permission from a government security representative with authorisation to grant access.

What additional documentation is available to me so that I can gain assurance of running Australian government workloads on AWS?

See: AWS Risk and Compliance Whitepaper

Amongst the certifications and reports that AWS maintains found on the compliance programs page and as an example of the extensive nature of the controls that AWS implements globally. It should also be noted that AWS has an Authority to Operate (ATO) under the United States government FedRAMP program where controls are derived from NIST800-53Rev4. These controls are extensive and publicly available and may provide additional confidence for the customer of the high level of assurance in running workloads on AWS.

Additional reports that are available that evaluate and test controls implemented by AWS Infrastructure:

- Service Organisation Controls 1 (SOC1) TypeII Report

- Service Organisation Controls 2 (SOC2) TypeII Report

o SOC2 Availability

o SOC2 Security

- Service Organisation Controls 3 (SOC3)

- ISO 27001 Certificate & Statement of Applicability

- PCI Attestation of Compliance and PCI Responsibility Summary

- AWS Security Controls Summary

To request access to AWS’ compliance documentation, please contact AWS Sales and Business Development or send an email to awscompliance@amazon.com.

Is AWS on the Department of Finance Whole of Government Cloud Services Panel?

Yes, AWS has been a member of the panel since the 31st of March 2015. Agencies obtain value for money in relation to cloud services and a simplified procurement process going through a pre-assessed provider and a common contractual framework. This ease of procurement enables agencies to move at the pace their mission requires to deliver services effectively to Australian citizens.

What is the ISM?

The ISM is the Australian Government Information Security Manual (ISM) published by the Australian Signals Directorate (ASD), an organisation within the Department of Defense that has a mission to protect Australian Government systems and information.

For more about ASDs role in protecting the Australian information security http://www.asd.gov.au/about/roleinfosec.htm

Does AWS meet the requirements of the ISM?

Yes, AWS has been audited by an independent assessor from the Information Security Registered Assessors Program. The assessment examined the security controls of Amazon’s people, process and technology to ensure that they met the needs of the ASD 2014 ISM.

Where can I find more information on the IRAP program?

http://www.asd.gov.au/infosec/irap/index.htm

Which AWS services are covered by the IRAP Assessment?

The covered AWS services that are already in scope for the IRAP Assessment can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact us.

Will compliance with the ISM increase AWS service costs?

No, there is no increase in service costs for any region as a result of AWS’ ISM compliance.

Where can I find the ISM?

Information Security Manual (ISM)

Is AWS on the Australian Signals Directorate’s Certified Cloud Services List?

Yes, AWS has been certified for Unclassified DLM (UD) workloads by the Australian Signals Directorate (ASD) as the Certification authority and is an inaugural member of the ASD Certified Cloud Services List (CCSL).

Agencies costs and risks are significantly reduced when relying upon the deep expertise of the ASD as the Certification Authority to determine that the residual risk of services are well understood and appropriately assessed. This creates a significantly improved security outcome for Australian government departments while also reducing their costs related to such assessments.

Why is the ISM important?

In October 2014 the Australian Department of Finance and Department of Communications jointly released the Australian Government Cloud Computing Policy 3.0, this mandated a “cloud first” approach for adoption of cloud services by federal government agencies.

“Under the Australian Government’s Cloud Policy agencies now must adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for money.”

The ISM is the standard that governs the security of government Information and Communication Technology (ICT) systems. It complements the Protective Security Policy Framework (PSPF) produced by the Australian Government Attorney-General’s department. Together this provides a manual for implementing appropriate controls to operate all classifications of workloads in an ICT environment.

It is compliance to the ISM that is used to assess cloud service providers membership to the ASDs Certified Cloud Services List that provides the list of cloud services where ASD has acted as the certification authority. Certification is required for agencies to have workloads accredited to run on Cloud services that are procured through the Department of Finance Whole of Government Cloud Services Panel as the primary procurement vehicle for cloud services for the Australian Government.

What is an IRAP accredited assessor?

These are individuals accredited by the Australian Signals Directorate (ASD) under the Information Security Registered Assessors Program as being appropriately qualified to conduct assessments against the ASD’s control framework, the Information Security Manual (ISM)

What AWS regions are covered?

The IRAP assessment and ASD Certification covers the AWS Sydney region. However, AWS treats all regions equally in terms of the controls, policies and processes that are used to operate them. Agencies should assess their workloads and business needs to determine which AWS region to use.

Can other services be used?

Yes, customers can evaluate their workloads for suitability with other AWS services. Contact AWS Sales and Business Development for a detailed discussion of security controls and risk acceptance considerations.

Where can I find the independent IRAP auditors letter of Compliance for AWS?

IRAP ISM Letter of Compliance

IRAP Compliance Resources