AUCloud Response to Critical Technology Supply Chain Principles

AUCloud supports the Principles as they stand and for the purpose of serving an advisory function to Australian technology businesses that rely on local, national and global supply chains for the hardware/software that enables their products and services. In our view they are, in any respect, good business practice for any cyber aware technology business.

AUCloud supports that the Principles should be voluntary.

As a sovereign cloud IaaS provider, we already align with the core themes of articulated in the Principles, ie., Security by Design, Transparency and Autonomy and Integrity. We effectively align with each of the 10 Principles.

The Principles are entirely consistent with work relating to the Critical Infrastructure Protection Bill, ASD’s Cloud Security Assessment and Authorisation Guidelines and the Data Availability and Transparency Bill and Accreditation Framework. All include a strong focus on appropriate data management and protection. While further harmonization is required across documents (language, definitions), overall they share the same intent, notwithstanding their different purpose. They are consistent in terms of adopting a risk identification and mitigation position to strengthen Australia’s overall sovereign resilience.

We note the ‘sensitivity’ related to Principle 8 regarding the influence of foreign governments on suppliers. The Principle is (as are all the Principles) advisory and aims to encourage businesses to appropriately identify and mitigate potential risks – something they should be doing anyway. It is also entirely consistent with the focus of the Cloud Assessment and Authorisation Framework which similarly identifies the need to consider extraterritorial risks and mitigate accordingly.