Jurisdiction Adaptation

Australia

Sovereign cloud framework adapted for Australian government, aligning with PSPF, ISM, Digital Service Standard, and ASD cybersecurity guidance.


  • Annual federal cloud spend: AUD 4-6B
  • Share going to US providers (AWS, Azure, GCP, OCI): ~85%
  • Federal departments: 18
  • Citizens affected: 26M

Five Eyes Context: Australia's membership in the Five Eyes intelligence alliance creates complex considerations. While this enables intelligence sharing, it does not protect Australia from US economic coercion or from US surveillance of Australian government operations. Sovereign cloud capability is compatible with, and enhances, alliance participation by ensuring Australia negotiates from a position of strength.

1. Governance Framework Mapping

Key Australian Standards

| Framework | Owner | Relevance to Sovereign Cloud |
|---|---|---|
| Protective Security Policy Framework (PSPF) | AGD | Security policy baseline; mandatory for all agencies |
| Information Security Manual (ISM) | ASD | Technical security controls; sovereign cloud must comply |
| Hosting Certification Framework | DTA | Cloud hosting certification; strategic vs certified hosting |
| Digital Service Standard | DTA | Service design principles; sovereign cloud must enable |
| Australian Government Architecture | DTA | Enterprise architecture standards |
| Essential Eight | ASD | Mitigation strategies; baseline security requirement |

Hosting Certification Framework

The Australian Government Hosting Certification Framework defines requirements for cloud hosting:

Current Strategic Hosting arrangements with AWS and Azure create the sovereignty risk this initiative addresses. The framework needs updating to prioritise sovereign Australian capability.

2. Compliance Requirements

Privacy & Security

Privacy Act 1988

  • Australian Privacy Principles (APPs)
  • Applies to agencies and contractors
  • Cross-border disclosure rules (APP 8)
  • Notifiable Data Breaches scheme
  • OAIC oversight

Critical Infrastructure

  • Security of Critical Infrastructure Act 2018
  • Critical infrastructure risk management
  • Reporting obligations
  • Government assistance measures
  • Data storage systems in scope

Security Classifications

| Classification | Description | Sovereign Cloud Applicability |
|---|---|---|
| UNOFFICIAL | No damage if compromised | Any hosting; sovereign preferred |
| OFFICIAL | Low business impact | Sovereign cloud target |
| OFFICIAL:Sensitive | Limited damage; requires care | Priority sovereign migration |
| PROTECTED | Damage to national interest | High priority; certified sovereign hosting |
| SECRET | Serious damage to national interest | Dedicated sovereign environment only |
| TOP SECRET | Exceptionally grave damage | Air-gapped Australian sovereign |

3. Current State Landscape

Major US Cloud Dependencies

| Agency/Department | Cloud Provider | Key Systems | Risk Level |
|---|---|---|---|
| Services Australia | AWS | myGov, Centrelink, Medicare | Critical |
| ATO (Tax Office) | AWS, Azure, GCP | Tax filing, myTax, business portal | Critical |
| Home Affairs | AWS | Immigration, visa, border systems | Critical |
| Defence | AWS (unclassified) | Unclassified logistics, training | High |
| DTA | AWS | Digital identity, cloud.gov.au | High |
| Health | Azure | My Health Record, COVID systems | Critical |

4. Australian Sovereign Supplier Ecosystem

Current Options

| Provider Type | Examples | Capabilities |
|---|---|---|
| Australian-owned DC operators | NEXTDC, Macquarie Data Centres, AUCloud | Colocation, some managed services; ISM certified |
| Government-backed | ASD-certified environments | PROTECTED+ capability; limited scale |
| Telecoms | Telstra, Optus enterprise | Australian-owned; network + hosting integration |
| Sovereign cloud initiatives | Vault Cloud, Sliced Tech | PROTECTED certified; Australian owned |

Regional Considerations


5. Australian Migration Roadmap

Phase 0: Assessment & Planning (Months 1-6)

  • PM&C/DTA mandate for sovereign cloud strategy
  • Whole-of-government cloud dependency audit
  • ASD threat assessment on US cloud risk
  • Hosting Certification Framework update

Phase 1: Pilot (Months 7-18)

  • Select pilot agency (non-citizen-facing first)
  • Australian provider capability demonstration
  • PROTECTED workload pilot
  • Essential Eight validation on sovereign platform

Phase 2: Foundation (Months 19-36)

  • Australian Sovereign Cloud platform establishment
  • ASD certification for PROTECTED+
  • Whole-of-government procurement arrangement
  • State/territory engagement

Phase 3: Priority Migrations (Months 37-60)

  • PROTECTED workloads first
  • Services Australia, ATO critical systems
  • Digital identity infrastructure
  • Health systems migration

Phase 4-6: Completion (Months 61-84)

  • Remaining federal workloads
  • State government coordination (opt-in)
  • US cloud exit
  • SECRET/TS capability enhancement

6. Australian Investment Case Summary

Investment Required

AUD 7-12 billion over 7 years

  • Infrastructure: AUD 3-5B
  • Platform & migration: AUD 3-5B
  • Skills & programme: AUD 1-2B

Returns

AUD 20-45B+ value over 10 years

  • Risk mitigation: AUD 15-35B
  • Economic return: AUD 3-7B
  • Regional security enhancement
  • Five Eyes negotiating position

Australia-specific consideration: As a geographically isolated nation highly dependent on digital connectivity, Australia faces unique risks from US cloud dependency. Sovereign capability also supports regional partnerships with New Zealand and Indo-Pacific allies seeking non-US alternatives.


Recommended Immediate Actions for Australia

  1. PM&C/Cabinet directive establishing digital sovereignty as national priority
  2. ASD assessment of US cloud dependency as national security threat
  3. DTA mandate to update Hosting Certification Framework for sovereign priority
  4. Whole-of-government procurement vehicle for sovereign Australian cloud
  5. New Zealand engagement on potential ANZAC sovereign cloud cooperation
  6. Diplomatic coordination with UK, EU, Canada on cooperative framework