Policy requirements
Policy Requirement 1: Entities must prioritise cloud computing solutions when modernising IT infrastructure
This policy prioritises cloud transition across the APS to unlock the benefits of cloud, including modernising IT infrastructure and enabling innovation and new technology such as AI, enhancing digital government transformation and strengthening security.
Prioritising cloud computing means that agencies should consider cloud for new digital initiatives, prioritise moving off legacy systems and transition to cloud where it makes sense to do so, and consider hybrid or multi-cloud models when pure cloud solutions are not justified.
Entities must:
- Adopt cloud solutions for all new digital and ICT initiatives and upgrades unless an alternative is justified.
- Include strategic cloud planning in their Digital Investment Plan (DIP).
- Prioritise timely decommissioning of legacy systems as part of cloud initiatives.
Entities should:
- Where cloud solutions are not fit for purpose, consider how the model adopted can be future-proofed, including by prioritising design for security and future cloud interoperability and portability.
- Plan to reuse existing cloud technologies and architectures, business capabilities and processes, procurement, information and data, skills and capabilities whenever feasible.
- Maintain a legacy technology decommissioning roadmap, with milestones and timelines.
Policy Requirement 2: Entities must leverage contemporary cloud technology to empower innovation, including Artificial Intelligence
Cloud technology provides a platform for supporting service delivery and a more connected, responsive and data-driven public sector, by enabling interoperability and portability and by powering new technologies such as AI. To fully leverage these opportunities, the APS must access the computing power provided through cloud services.
Entities must:
- Provide access to sufficient cloud computing capability to support innovative technology such as AI.
- Design for interoperability and portability to minimise vendor lock-in. This includes negotiation wherever possible to remove any contract clauses restricting the migration of government data and/or workloads.
- Leverage model clauses in cloud procurement and contracts where they are available (e.g. the collection of AI and cyber risk clauses available from BuyICT).
Entities should:
- Ensure cloud services support open standards, application programming interfaces (APIs) and allow for data portability.
Links and resources
- The Digital Transformation Agency’s Responsible AI in government policy and AI Technical Standards.
Policy Requirement 3: Entities must adopt cloud technologies responsibly and securely
Cloud offers benefits to APS entities, but entities must adhere to best practice to ensure responsible and secure transitions to these services. This policy embeds essential accountability, compliance, security and responsibility practices.
To meet existing obligations to protect Australian Government information and data that is processed, stored or communicated via a cloud service provider, entities must also follow the Department of Home Affairs’ Protective Security Policy Framework.
Entities must:
- Define clear roles and responsibilities for cloud oversight, including delegations and internal accountabilities within their governance structures.
- Ensure cloud solutions comply with and align to relevant data security, legislation, standards, guidance and supporting frameworks including:
  - The Privacy Act 1988 and the Australian Privacy Principles.
  - The Disability Services and Inclusion Act 2023, for assistive technology compatibility.
  - The Protective Security Policy Framework, including Direction on Managing Foreign Ownership, Control or Influence Risks in Technology Assets.
  - The Hosting Certification Framework.
  - The Australian Government Information Security Manual.
  - The Australian Signals Directorate (ASD) Cloud Security Guidance.
  - The APS Net Zero Emissions by 2030.
- Define and monitor key performance and reliability metrics to ensure cloud-based services meet the required standards and service level agreements (SLAs).
- Establish real-time, continuous monitoring, logging, analysis and reporting systems to manage, detect and respond to usage demands, performance issues and security threats and to allow for continuous improvement.
- Prepare exit strategies and data migration plans to reduce risk and the cost of future transitions.
Entities should:
- Develop guiding internal documents that align with this policy.
- Implement secure by design and secure by default practices to build in security throughout the design and development process.
- Implement DevSecOps, including by embedding security controls and practices throughout the software lifecycle.
- Plan regular monitoring and periodic reviews covering security, privacy, data handling and compliance in line with applicable legislation, consulting with relevant governance and assurance bodies where required.
Policy Requirement 4: Entities must actively manage and optimise cloud computing costs
This policy supports entities implementing financial operations (FinOps) practices to maximise cost efficiency and value from cloud investments, and to ensure the effective operation of these services remains financially sustainable.
Entities must:
- Identify the costs of transition, migration and ongoing cost of operations when implementing cloud solutions, including capex and opex funding implications.
- Develop and track organisation-appropriate unit economics for monitoring and optimising cloud usage and spend and assessing cost effectiveness.
- Use panels such as the Cloud Marketplace where possible and consider relevant Single Seller Arrangements.
Entities should:
- Implement FinOps practices to track, manage, monitor and optimise cloud expenditure.
- Capture data to enable transparency and benchmarking, so that the DTA can measure and compare spending patterns across government.
- Consider adopting standardised cost modelling taxonomies to organise cloud spend, resources, and services such as the Technology Business Management framework.
Links and resources
- Australian Government Architecture Cloud FinOps Policy and Cloud FinOps Standard.
Policy Requirement 5: Entities must nurture cloud skills across the APS
A skilled, cloud-ready workforce is critical to ensure the management and security of cloud environments and take full advantage of the innovative technology benefits of cloud. This policy supports entities to attract, build and retain the skilled workforce demanded by cloud transitions.
Entities must:
- Ensure their workforce has the skills to manage cloud environments.
- Include plans to attract, build and retain appropriate cloud skills within workforce planning processes and documents.
Entities should:
- Develop and maintain a cloud workforce development strategy which identifies cloud computing skills gaps and addresses how the entity will attract, build and retain cloud expertise.
- Consider what balance of APS recruitment, retraining of existing staff, transfer of skills by vendor or contracting is the best strategic choice to bridge cloud skill gaps.
- When negotiating with vendors, consider what types of training investment and capability uplift could be provided in the contract with vendors.
Links and resources
- Australian Public Service Data, digital and cyber workforce plan
- Australian Public Service Commission Workforce planning resources