ASD's Blueprint for Secure Cloud

Procurement and Outsourcing

This page provides a template and guidance to assist organisations in documenting their approach to procurement and outsourcing associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 8 minutes

As <ORGANISATION-NAME>’s overall approach to implementing controls related to procurement and outsourcing is consistent across all controls addressed within this section, it does not delve into subsections but rather addresses the controls as a group.

Cyber supply chain risk management

Applicability

<ORGANISATION-NAME> uses Azure, Microsoft 365, and other cloud-based Software as a Service (SaaS) products as shared services, as well as Information and Communication Technology (ICT) equipment for client and on-premises components of <SYSTEM-NAME>. As such, controls related to cyber supply chain risk management are directly applicable to <SYSTEM-NAME>.

<ORGANISATION-NAME> is responsible for implementing administrative controls to govern the direct management of supply chain risks and security for <SYSTEM-NAME>.

Organisational policies and processes implemented

Endpoints, networking, ICT equipment and relevant operating systems and applications should be procured through existing <ORGANISATION-NAME> supply arrangements. ICT equipment has been procured for <SYSTEM-NAME> using these existing procurement arrangements.

The following suppliers are used to procure ICT equipment and software for <SYSTEM-NAME>:

Provider NameEquipment or Software ProvidedNotes
MicrosoftWindows Operating System and related applications<NOTES>
AppleiOS Operating System and related applications<NOTES>
AppleiPhones<NOTES>
<HARDWARE-MANUFACTURER-1><LAPTOPS><NOTES>
<HARDWARE-MANUFACTURER-2><SERVER EQUIPMENT><NOTES>
<HARDWARE-MANUFACTURER-3><FIREWALL DEVICE><NOTES>
<HARDWARE-MANUFACTURER-4><PRINTERS><NOTES>
<HARDWARE-MANUFACTURER-5><FIDO2 HARDWARE KEYS><NOTES>

Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to cyber supply chain risk management.

Managed services

Applicability

<ORGANISATION-NAME> uses managed services in the delivery and operation of <SYSTEM-NAME>. As such, controls related to managed services are directly applicable to <SYSTEM-NAME>. <ORGANISATION-NAME> is responsible for implementing administrative controls to govern the administration and oversight of managed services for <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

<SYSTEM-NAME> only uses managed services that have been procured through existing <ORGANISATION-NAME> supply arrangements.

The following Managed Service Providers (MSPs) are used in relation to <SYSTEM-NAME>:

<MANAGED SERVICE PROVIDER 1>

MSP Name<MSP-NAME>
Managed service name<MSP-SERVICE>
Purpose of managed service<PURPOSE>
Sensitivity/classification of data involved<PROTECTED>
Due date for next security assessment<MMM-YYYY>
Contractual arrangements<LINK>
Point of contact<MSP-POC-NAME>
Contact email<CONTACT-EMAIL>
24/7 contact phone<+61X XX XXX XXX>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to procurement or outsourcing of managed services.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Cloud services

Applicability

<ORGANISATION-NAME> utilises cloud services in the delivery and operation of <SYSTEM-NAME>. As such, controls relating to cloud services are directly applicable to <SYSTEM-NAME>. <ORGANISATION-NAME> is responsible for implementing administrative controls to govern the direct management of outsourced cloud services for <SYSTEM-NAME>.

Organisational policies and processes implemented

<SYSTEM-NAME> only uses cloud services that have been procured through existing <ORGANISATION-NAME> supply arrangements. All cloud services have been configured to store and process data solely in Australia.

The following cloud services providers are used in relation to <SYSTEM-NAME>:

Microsoft

Contractual details and contacts

FieldValue
Completed IRAP AssessmentYes (<LINK>)
Completed Vendor Assessment by <ORGANISATION-NAME>Yes (<LINK>)
Due date for next security assessment<MMM-YYYY>
Contractual arrangements<LINK>
Point of contact<CSP-POC-NAME>
Contact email<CONTACT-EMAIL>
24/7 contact phone<+61X XX XXX XXX>

Entra ID

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Purview

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Defender

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Exchange Online

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Exchange Online Protection

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

SharePoint Online

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

OneDrive for Business

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Teams

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Forms

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Power Automate

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Power BI

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Power Apps

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Log Analytics

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Whiteboard

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Planner

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

Viva Learning

FieldValue
Included in latest Microsoft IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>
<PROVIDER-2>

Contractual details and contacts

FieldValue
Due date for next security assessment<MMM-YYYY>
Contractual arrangements<LINK>
Point of contact<CSP-POC-NAME>
Contact email<CONTACT-EMAIL>
24/7 contact phone<+61X XX XXX XXX>

<SERVICE 1>

FieldValue
Included in latest <PROVIDER-2> IRAP assessmentYes
Included in latest Vendor Assessment by <ORGANISATION-NAME>Yes
Purpose of using service<PURPOSE>
Description of data involved<DESCRIPTION>
Sensitivity/classification of data involved<PROTECTED>
Availability regions used<REGION>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

No technical controls are implemented in <SYSTEM-NAME> relating to the procurement or outsourcing of cloud services.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

  • None identified

Design

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra