Secure Data Hosting for Service Providers with the Hosting Certification Framework (HCF)

An Introduction to the HCF

As the Australian Government’s vision to establish six cyber shields to uplift Australia’s security posture progresses, the Government’s frameworks will play a key role in guiding organisations on this endeavour. A key, and often overlooked, component of this is the Hosting Certification Framework (HCF), which ensures sensitive data is stored with the appropriate level of security controls applied. 

The HCF has evolved from the Whole-of-Government Hosting Strategy, launched in March of 2019, which provides policy guidance to the hosting ecosystem of the Australian Government, comprising facilities and infrastructure. 

Advantages of HCF for Service Providers: Fortifying Data Hosting Services

Assisting to safeguard Australian Government systems and the data they hold, the HCF offers guidance to government departments and agencies, ensuring the identification and sourcing of hosting services that meet enhanced privacy, sovereignty, and security requirements. Furthermore, the framework provides assurance that service providers deliver secure services to government customers while allowing government entities the autonomy to select the best hosting arrangements for their specific requirements.

Simultaneously, it optimises efficiency and cost-effectiveness in government hosting services, streamlining processes and fostering resource optimisation for service providers. As a result, meeting the standards established by the HCF not only positions service providers as industry leaders committed to excellence but also establishes them as trusted partners in the secure management of government data.

HCF Relevance to Data Centre Providers and Cloud Service Providers: A Mandate

Currently, the HCF is applicable only to Data Centre Providers and Cloud Service Providers as defined by the Digital Transformation Agency (DTA), and only for new contracts or extensions to existing contracts from 30 June 2022. Extensions to contracts with service providers awaiting certification are restricted to a maximum of one year, with the option of a one-year extension.

Certification Levels: Tailored Security for Service Providers

To achieve certification under the HCF, the service provider needs to work closely with a dedicated DTA team. This collaboration involves a comprehensive evaluation of the provider’s services to determine the appropriate certification level. The DTA team utilises various methods including requesting documentation, conducting virtual or in-person workshops, and performing site inspections to collect evidence and assess the provider’s adherence to the HCF standards.

The certification levels under the HCF are categorised into three tiers:

HFC Tiers

Certification Steps for Service Providers: Strategic Partnership for Success

After ascertaining the most appropriate level of certification for the framework, service providers should follow a structured path toward compliance and recognition. This journey involves:

  1. Reviewing the HCF Readiness Guide
  2. Registering interest in HCF Certification
  3. Completing the assessment pack, including Deed of Certification, Service Provider Declaration, Non-Disclosure Agreement, and Control Objectives
  4. Formal assessment with the DTA team
  5. Receiving outcome notification and Certification IDs
  6. Maintaining certification through ongoing reporting and compliance

For full details for each of the steps, visit the official website of the HCF

Beyond Certification for Service Providers

Certified service providers go beyond obtaining initial certification by embracing continuous assurance activities. This involves the following actions:

Providers proactively report changes affecting compliance, fostering transparency and contributing to the ongoing strength of the HCF.

Regular reporting includes the submission of a biannual Service Provider Contract Form, outlining contracts with government entities, and an annual certification review. These processes ensure ongoing compliance and demonstrate commitment to transparency.

Service providers adapt to potential changes and advancements in cyber security, staying ahead of emerging threats and positioning themselves as leaders in securing government data against evolving challenges.

This continuous assurance phase underscores the proactive and resilient approach of service providers, establishing an ongoing partnership with the DTA and ensuring the consistent elevation of data hosting standards.

The HCF as Part of the Australian Government’s Cyber Security Strategy

It is important to view the HCF within the broader context of the Australian Government’s Cyber Security frameworks. The “2023-2030 Australian Cyber Security Strategy” places an emphasis on building the sovereign capability to assist Australia, as a whole, manage cyber risk. The HCF assists in this, by working in tandem with frameworks such as the PSPF, to address supply chain and data centre ownership risks and helping organisations to secure suitable hosting and related services. 

The HCF and How Sekuro Can Help

To date, Sekuro has been a trusted partner and provider of cyber security solutions to both corporate and government sectors. As such, it has the knowhow to assuredly take its clients through the structured paths required to achieve the selected certification level. In addition to helping to achieve HCF certification, Sekuro is able to ease the burden of compliance and certification maintenance throughout its partnership with its clients post-certification.


In summary, the HCF plays a pivotal role in guiding service providers towards the highest standards of security and compliance in government data hosting. Crucially, by aligning with the framework, providers not only contribute directly to enhancing the government’s cyber security posture, but also reinforce the broader national strategy of safeguarding digital assets and critical infrastructure.

For expert guidance and seamless integration into the HCF, take the next step with Sekuro by reaching out through our Contact Us page.

Sita Bhat

Principal Consultant, Sekuro

Sita Bhat is a Principal Consultant at Sekuro, and leads the Governance, Risk and Compliance (GRC) team across various states in Australia - working with numerous global tech giants. Sita is an IRAP Assessor and is passionate about sharing her skills and knowledge, and championed the first GRC related stream inside Sekuro's Hackcelerator program.

Hollie Brown, Consultant
Hollie brown

Consultant, Sekuro

Hollie is a Consultant within the GRC team at Sekuro, specialising in IRAP assessments. She has a passion for cyber security in the areas of governance, risk management and compliance, with a background in developing cyber security solutions based on frameworks, risk, and gap assessments.

Scroll to Top