Date:
2 April 2020

Why IRAP?

Security is paramount for whole-of-government digital platforms such as GovCMS. However, when the provider of a service claims “we’re secure”, the obvious follow-up question is “how secure?” How can government agencies hosting their sites with GovCMS be confident? How can GovCMS/Department of Finance be confident?

The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard. This standard is the Australian Government Information Security Manual (ISM). The ISM outlines a cyber security framework that organisations can apply to protect information and systems from cyber threats. See more on IRAP below.

Our contribution

The effort to become IRAP accredited is significant. When Salsa proposed GovCMS 2.0 to the Department of Finance, the exciting part of that proposition was the next-generation technology based on containerisation and Kubernetes (see GovCMS 2.0). However, we knew that among the deeper considerations, and indeed one of the real barriers to change, was that GovCMS 1.0 had an established security footprint that had served the scheme for its first three years. Completely re-engineering systems, processes and service partners required security to be reassessed from the ground up, a major extra cost of Salsa’s proposition.

Salsa’s strategy to lower this barrier was to offer to share the cost with GovCMS, and by association, sponsor that effort to benefit all existing agencies migrating to GovCMS at launch and those new agencies onboarding to GovCMS post launch. Salsa proposed to sponsor one-third of the cost to achieve IRAP accreditation of systems, processes and people.

The effort and process to achieve IRAP certification is the topic of Salsa blogs such as IRAP certification process and What it takes to security certify a whole-of-government digital platform.

It was a considerable stream of work that took many months, covering the analysis of systems, people and processes and subsequent changes to address compliance, evidence capture, and aligning Salsa processes with Department of Finance processes. In fact, Salsa’s sponsorship of this effort, invested at our cost, was around $45K.

GovCMS’s role

GovCMS worked closely with us so that we could achieve the IRAP certification for the new hosting platform. GovCMS 1.0 had an existing security posture, and it would have been an easier path to stick with that security posture and build GovCMS 2.0 on the same technology stack and service provider processes. However, GovCMS chose the new path, and that required a greater security investment. Reaching an OFFICIAL:Sensitive accreditation was a long-term goal for the GovCMS programme. GovCMS sponsored the effort for Salsa to be IRAP assessed as part of its own IRAP assessment. This contribution was significant.

The GovCMS and Salsa teams continue to look for opportunities to further share/reuse the GovCMS investment in IRAP. For example, the IRAP experience and some artefacts have been shared with Victoria’s Single Digital Presence to help plan its security roadmap and approach. Jointly we continue to look for such opportunities, as whole-of-government systems are rolled out in other Australian states and territories. A subset of the GovCMS IRAP work is reusable and is offered to other such programs.

More on IRAP

IRAP stands for Information Security Registered Assessors Program, which provides rigorous information and communications technology security assessment services to the government. The IRAP process uses a registered IRAP assessor to independently assess against the Information Security Manual (ISM). In the case of GovCMS, Salsa prepared its systems, processes and people for IRAP assessment. An independent IRAP assessor reported on security compliance as part of GovCMS achieving first Authority to Operate status, to enable the GovCMS launch (November 2018), and then, during 2019, ISM OFFICIAL:Sensitive accreditation status.
