Unit 4, 131 Canberra Avenue
Griffith ACT 2603
61 2 6281 9400
Page 1 of 5 31 July 2018
The Australian Information Industry Association (AIIA) is the peak national body representing
Australia’s information technology and communications (ICT) industry. Since establishing 35 years
ago, the AIIA has pursued activities aimed to stimulate and grow the ICT industry, to create a
favourable business environment for our members and to contribute to the economic imperatives of
our nation. Our goal is to “create a world class information, communications and technology industry
delivering productivity, innovation and leadership for Australia”.
We represent over 250 member organisations nationally including hardware, software,
telecommunications, ICT service and professional services companies. Our membership includes
global brands such as Apple, EMC, Google, HP, IBM, Intel, KPMG, Microsoft, Deloitte, and Oracle;
international companies including Telstra, Optus; national companies including Data#3,
TechnologyOne and Oakton Limited; and many ICT SME’s such as Silverstone Edge and Zen
Enterprise and start-ups such as OKRDY.
AIIA welcomes the opportunity to provide input to the Australian Public Service Review. These
observations are framed around the capability, culture and operating models in the APS that our
members have regular exposure to.
In particular our comments are framed against the backdrop of the Government target of becoming a
top three digital government by 2025 as recently announced by Michael Keenan as part of the
Government’s Digital Transformation Strategy.
AIIA members’ feedback focusses on the following areas:
- IRAP and CCSL
- ICT Procurement
Page 2 of 5 REDACTEDOperating model for ASD IRAP Assessment and Certified Cloud Services List
AIIA members believe that current arrangements in the IRAP assessment and CCSL certifications
processed managed by the APS are both hindering progress on the digital transformation of
government and undermining the ability to have a competitive cloud service market that services
government in Australia.
While a small number of additional certified cloud service providers have been listed in the past 12
months, only six companies are certified at Protected level and twelve at the Unclassified level on the
Based on feedback from AIIA members, the certification process does not support the establishment
of a competitive cloud service market for government. Members question the outcomes and value to
government and industry generally of the process as it stands. Many of our members remain
uncertified despite having made significant investments in seeking to achieve certification. By
comparison, the UK Government have certified the security of almost 1000 cloud service providers
through a modernised scheme.
The operational issues are
- the extended timeframe associated with being listed on the CCSL;
- the lack of transparency in the process of reviewing IRAP assessment reports and the
discrepancy between the requirements of certification and the ASD practice;
- the cost of the process for our members, particularly for multiple products, which have often
satisfied a range of global certification processes
Consequences of the operational efficiency:
- there is low level of effective competition in the cloud product and services market to
support of the Federal Government cloud agenda. Competition drives innovation and price.
- despite a desire by Government to be agile to develop and deliver digital solutions, the
barriers imposed by ASD make progress complex, expensive and slow for industry
members to provide services to government agencies.
- given the costs and time involved, there is a real risk that some vendors may limit their
involvement in or withdraw completely from the Federal cloud market.
Recommendations for changes to the IRAP assessment operating model:
- a well-defined, transparent process which follows a clear progression path and is consistent
with prescribed government policy. We recommend that ASD sustain the integrity of the
program for endorsing IRAP assessors. Once an IRAP assessment report is submitted to
ASD along with an IRAP assessor’s recommendation, it should be listed publicly as having
been assessed along with the letter of recommendation from the assessor within 2 weeks.
- ASD should be advised to adhere to a certification process that is consistent with the ISM
and PSPF. Notably this process should validate the integrity of the assessment report and
describe risks as appropriate. Explicitly, it must not be a pseudo-accreditation process, as is
currently the case. ASD should have no more than 4 weeks to describe deficiencies in the
integrity of the assessment process and any notable risks.
- engagement of the Digital Transformation Agency (DTA) to take a more active role in
educating agencies to understand and make appropriate risk decisions by leveraging the
certification and other inputs. The CCSL process has degraded agencies abilities to
understand and manage risk. This needs to be restored. AIIA is confident that members are
happy to contribute to and assist with this education.
Page 3 of 5 REDACTED
Operating model for Government ICT Procurement and ICT Procurement
Capability in the APS hinders collaboration
Procurement is often used as the only mechanism for enabling collaboration with the business
community. AIIA members continue to flag challenges they face in ICT procurement. Issues range
from industry engagement to ensure agencies and industry understand the problem to be solved,
complexity within panel arrangements to complexity with bids, contracts that place onerous reporting
requirements on industry, to a lack of feedback on unsuccessful bids and costs associated with joining
APS capability in ICT Procurement:
members continue to observe that procurement areas within government often lack the
skills required to undertake procurements to deliver complex outcomes for government.
The procurement process is literally process driven without pause of consideration and
discussion on the problem sought to be solved; and
developing frameworks/models for early engagement with industry to discuss the problem
will assist with both capability development in the APS and industry understanding of the
problems that agencies are trying to solve. Publishing details of an anticipated procurement
in an agency annual procurement plan and having industry briefings after an RFT is release
are not sufficient in an era of digital transformation.
APS Operating model in ICT Procurement:
there is also a lack of executional consistency especially evident in Head Agreement for
panel arrangements. This signals both a move away from use of contract templates and
also creating different compliance requirements using contractual means; negotiating
different contractual terms and conditions with agencies are adding to the cost of vendors
getting on panels;
vendors also have to manage a lack of consistency across agencies in terms of
procurement requirements resulting in essentially the ‘repackaging’ of the same offering in
order to meet procurement compliance requirements. Repackaging of standards offerings
inevitably adds costs especially for SMEs;
contract arrangements do not match what is actually being purchased. The risk/reward
balance is typically disproportionately loaded against vendors. As well as adding cost to
offerings, innovation is invariably stifled;
members understand risk profiles for projects differ, but the starting point for
Commonwealth in all instances is unlimited liability, high insurance level requirements and
IP ownership. This has no regard to the nature of the work to be done, the changing nature
of the business and service environment and is arguably an abrogation of risk by the
Commonwealth. It is also out of step with best practice across the States and Territories
where IP is retained by the vendor (as appropriate), liability negotiable relative to project risk
and the roles and responsibilities of the respective purchases and vendor; and insurance
levels are relative to the nature and scope of the project;
AIIA members note, that procurement arrangements reflect a poor understanding of the
commercial realities of private sector business – in terms of the need to drive revenue,
deliver profits as well as manage risk and protect IP. Vendors are being forced to sign up
to agree to collaborating with other vendors with no regard to IP issues; and
members are also concerned that aggregation of product/service tenders reduces/removes
the ability of SMEs to engage in the government procurement market.
APS culture forging a ‘Them and Us’ mentality:
- AIIA members report a “them and us” approach by government agencies. They report
significant difficulties in attempts to work collaboratively with project leads. In some
instances, project leads and project staff adopt from the outset a need to “blame someone”
in the event that something might go wrong. This approach undermines trust being
developed between agencies and vendors and limits any ability for an appropriate and
effective risk sharing relationship.
Page 4 of 5 REDACTED
7. A cultural change that focusses on collaboration and risk sharing between agencies and
vendors to achieve outcomes needs to be championed by senior management in the APS;
8. Governance arrangements for projects need to be set in place at the onset of a project to
ensure there is no abrogation of APS decision-making responsibilities to vendors.
APS Culture and Operating Model does not support innovation in Procurement:
AIIA members note that notwithstanding the deep technology and business expertise and
experience of industry, agencies issue tenders that request specific technology solutions.
This is in the absence of articulating clear business requirements and the business
outcomes that need to be achieved. Early engagement with industry as discussed above
would help to resolve this issue;
there is no appetite for innovation in the APS regardless of rhetoric. APS need to develop
capability to understand and assess innovation in a practical sense;
there is no flexibility to stand up Proofs of Concept and agile digital solutions on a just in
time basis. This goes against market reality of rapidly emerging new technologies and
there is a tendency to regress to old supply arrangements – because incumbent vendors
have a history of supply to agencies this prevents real opportunity to innovate in
government service delivery;
the new advice to ‘build’ within APS rather than ‘buy’ – members advise that some
correction is required (the old mega supply arrangements are still being exploited), but APS
will never attract the talent and skills they need to compete with the current commercial
market – the skills will (eventually) migrate to where the money is (e.g. cyber skills); In other
words, models for moving between the public and industry sector need to be piloted and
stood up; and
endemic risk aversion within APS – no one is able to ‘try things out’ without fear of getting a
black mark against their career if it fails – we do not have an entrepreneurial economy in
any shape or form; APS staff need to develop skills in risk assessment and mitigation.
DTA’s authority on ICT procurement is not evident across the APS
- AIIA members note that it is not clear what level of authority DTA has over the other
agencies’ ICT procurement activities.
- There are multiple examples of agencies, especially the larger departments such Defence
as continuing with their own ICT procurement practices regardless of the plethora of
policies being published by the DTA.
- It is important that agencies are consistent in their procurement approaches even though
the services they deliver are vastly different. This makes it easier for vendors to focus on
delivering services and tailoring products to achieving agency outcomes rather than
spending time on understanding and complying with different and inconsistent procurement
requirements across agencies.
DTA’s Digital Marketplace
- AIIA members have noted that the DTA’s Digital Market place has become a platform for
labour hire firms. It is a jobs board for personnel.
- While the DTA has been good at seeking and receiving feedback on the Digital
Marketplace, the DTA’s follow up actions demonstrate that DTA has neither the technical
or procurement knowledge and capability to implement the changes being requested by
- There is also confusion as to whether the Digital Marketplace is the only platform for Digital
outcomes in the Australian Government with agencies still publishing tenders for digital
outcomes on AusTender in preference to the Digital Marketplace. For example, at the date
of this submission, the following tender notice is appearing on AusTender. It is not listed
on the Digital Marketplace. The effect of this is that while the DTA now has a Digital
hardware, professional services and training marketplace, inconsistency in agency
practices means that sellers are having to keep an eye out on two platforms rather than
one for digital business opportunities.
Page 5 of 5 REDACTED