See attached.

PDF icon Download (219.1 KB)
Automatic Transcription: 
Australian Public Service Review

July 2018

Unit 4, 131 Canberra Avenue

Griffith ACT 2603


61 2 6281 9400

Page 1 of 5 31 July 2018
About AIIA

The Australian Information Industry Association (AIIA) is the peak national body representing

Australia’s information technology and communications (ICT) industry. Since establishing 35 years

ago, the AIIA has pursued activities aimed to stimulate and grow the ICT industry, to create a

favourable business environment for our members and to contribute to the economic imperatives of

our nation. Our goal is to “create a world class information, communications and technology industry

delivering productivity, innovation and leadership for Australia”.

We represent over 250 member organisations nationally including hardware, software,
telecommunications, ICT service and professional services companies. Our membership includes

global brands such as Apple, EMC, Google, HP, IBM, Intel, KPMG, Microsoft, Deloitte, and Oracle;
international companies including Telstra, Optus; national companies including Data#3,
TechnologyOne and Oakton Limited; and many ICT SME’s such as Silverstone Edge and Zen

Enterprise and start-ups such as OKRDY.


AIIA welcomes the opportunity to provide input to the Australian Public Service Review. These

observations are framed around the capability, culture and operating models in the APS that our

members have regular exposure to.

In particular our comments are framed against the backdrop of the Government target of becoming a

top three digital government by 2025 as recently announced by Michael Keenan as part of the

Government’s Digital Transformation Strategy.

AIIA members’ feedback focusses on the following areas:

  1. IRAP and CCSL
  2. ICT Procurement

Page 2 of 5 REDACTEDOperating model for ASD IRAP Assessment and Certified Cloud Services List
AIIA members believe that current arrangements in the IRAP assessment and CCSL certifications

processed managed by the APS are both hindering progress on the digital transformation of

government and undermining the ability to have a competitive cloud service market that services

government in Australia.

While a small number of additional certified cloud service providers have been listed in the past 12

months, only six companies are certified at Protected level and twelve at the Unclassified level on the


Based on feedback from AIIA members, the certification process does not support the establishment

of a competitive cloud service market for government. Members question the outcomes and value to

government and industry generally of the process as it stands. Many of our members remain

uncertified despite having made significant investments in seeking to achieve certification. By

comparison, the UK Government have certified the security of almost 1000 cloud service providers

through a modernised scheme.

Operational inefficiency:

The operational issues are

  1. the extended timeframe associated with being listed on the CCSL;
  2. the lack of transparency in the process of reviewing IRAP assessment reports and the
    discrepancy between the requirements of certification and the ASD practice;
  3. the cost of the process for our members, particularly for multiple products, which have often
    satisfied a range of global certification processes

Consequences of the operational efficiency:

  1. there is low level of effective competition in the cloud product and services market to
    support of the Federal Government cloud agenda. Competition drives innovation and price.
  2. despite a desire by Government to be agile to develop and deliver digital solutions, the
    barriers imposed by ASD make progress complex, expensive and slow for industry
    members to provide services to government agencies.
  3. given the costs and time involved, there is a real risk that some vendors may limit their
    involvement in or withdraw completely from the Federal cloud market.

Recommendations for changes to the IRAP assessment operating model:

  1. a well-defined, transparent process which follows a clear progression path and is consistent
    with prescribed government policy. We recommend that ASD sustain the integrity of the
    program for endorsing IRAP assessors. Once an IRAP assessment report is submitted to
    ASD along with an IRAP assessor’s recommendation, it should be listed publicly as having
    been assessed along with the letter of recommendation from the assessor within 2 weeks.
  2. ASD should be advised to adhere to a certification process that is consistent with the ISM
    and PSPF. Notably this process should validate the integrity of the assessment report and
    describe risks as appropriate. Explicitly, it must not be a pseudo-accreditation process, as is
    currently the case. ASD should have no more than 4 weeks to describe deficiencies in the
    integrity of the assessment process and any notable risks.
  3. engagement of the Digital Transformation Agency (DTA) to take a more active role in
    educating agencies to understand and make appropriate risk decisions by leveraging the
    certification and other inputs. The CCSL process has degraded agencies abilities to
    understand and manage risk. This needs to be restored. AIIA is confident that members are
    happy to contribute to and assist with this education.

Page 3 of 5 REDACTED
Operating model for Government ICT Procurement and ICT Procurement

Capability in the APS hinders collaboration

Procurement is often used as the only mechanism for enabling collaboration with the business

community. AIIA members continue to flag challenges they face in ICT procurement. Issues range

from industry engagement to ensure agencies and industry understand the problem to be solved,
complexity within panel arrangements to complexity with bids, contracts that place onerous reporting

requirements on industry, to a lack of feedback on unsuccessful bids and costs associated with joining


APS capability in ICT Procurement:

  1. members continue to observe that procurement areas within government often lack the
    skills required to undertake procurements to deliver complex outcomes for government.
    The procurement process is literally process driven without pause of consideration and
    discussion on the problem sought to be solved; and
  2. developing frameworks/models for early engagement with industry to discuss the problem
    will assist with both capability development in the APS and industry understanding of the
    problems that agencies are trying to solve. Publishing details of an anticipated procurement
    in an agency annual procurement plan and having industry briefings after an RFT is release
    are not sufficient in an era of digital transformation.

APS Operating model in ICT Procurement:

  1. there is also a lack of executional consistency especially evident in Head Agreement for
    panel arrangements. This signals both a move away from use of contract templates and
    also creating different compliance requirements using contractual means; negotiating
    different contractual terms and conditions with agencies are adding to the cost of vendors
    getting on panels;
  2. vendors also have to manage a lack of consistency across agencies in terms of
    procurement requirements resulting in essentially the ‘repackaging’ of the same offering in
    order to meet procurement compliance requirements. Repackaging of standards offerings
    inevitably adds costs especially for SMEs;
  3. contract arrangements do not match what is actually being purchased. The risk/reward
    balance is typically disproportionately loaded against vendors. As well as adding cost to
    offerings, innovation is invariably stifled;
  4. members understand risk profiles for projects differ, but the starting point for
    Commonwealth in all instances is unlimited liability, high insurance level requirements and
    IP ownership. This has no regard to the nature of the work to be done, the changing nature
    of the business and service environment and is arguably an abrogation of risk by the
    Commonwealth. It is also out of step with best practice across the States and Territories
    where IP is retained by the vendor (as appropriate), liability negotiable relative to project risk
    and the roles and responsibilities of the respective purchases and vendor; and insurance
    levels are relative to the nature and scope of the project;
  5. AIIA members note, that procurement arrangements reflect a poor understanding of the
    commercial realities of private sector business – in terms of the need to drive revenue,
    deliver profits as well as manage risk and protect IP. Vendors are being forced to sign up
    to agree to collaborating with other vendors with no regard to IP issues; and
  6. members are also concerned that aggregation of product/service tenders reduces/removes
    the ability of SMEs to engage in the government procurement market.

APS culture forging a ‘Them and Us’ mentality:

  1. AIIA members report a “them and us” approach by government agencies. They report
    significant difficulties in attempts to work collaboratively with project leads. In some
    instances, project leads and project staff adopt from the outset a need to “blame someone”
    in the event that something might go wrong. This approach undermines trust being
    developed between agencies and vendors and limits any ability for an appropriate and
    effective risk sharing relationship.

Page 4 of 5 REDACTED
7. A cultural change that focusses on collaboration and risk sharing between agencies and
vendors to achieve outcomes needs to be championed by senior management in the APS;
8. Governance arrangements for projects need to be set in place at the onset of a project to
ensure there is no abrogation of APS decision-making responsibilities to vendors.

APS Culture and Operating Model does not support innovation in Procurement:

  1. AIIA members note that notwithstanding the deep technology and business expertise and
    experience of industry, agencies issue tenders that request specific technology solutions.
    This is in the absence of articulating clear business requirements and the business
    outcomes that need to be achieved. Early engagement with industry as discussed above
    would help to resolve this issue;
  2. there is no appetite for innovation in the APS regardless of rhetoric. APS need to develop
    capability to understand and assess innovation in a practical sense;
  3. there is no flexibility to stand up Proofs of Concept and agile digital solutions on a just in
    time basis. This goes against market reality of rapidly emerging new technologies and
    service models.
  4. there is a tendency to regress to old supply arrangements – because incumbent vendors
    have a history of supply to agencies this prevents real opportunity to innovate in
    government service delivery;
  5. the new advice to ‘build’ within APS rather than ‘buy’ – members advise that some
    correction is required (the old mega supply arrangements are still being exploited), but APS
    will never attract the talent and skills they need to compete with the current commercial
    market – the skills will (eventually) migrate to where the money is (e.g. cyber skills); In other
    words, models for moving between the public and industry sector need to be piloted and
    stood up; and
  6. endemic risk aversion within APS – no one is able to ‘try things out’ without fear of getting a
    black mark against their career if it fails – we do not have an entrepreneurial economy in
    any shape or form; APS staff need to develop skills in risk assessment and mitigation.

DTA’s authority on ICT procurement is not evident across the APS

  1. AIIA members note that it is not clear what level of authority DTA has over the other
    agencies’ ICT procurement activities.
  2. There are multiple examples of agencies, especially the larger departments such Defence
    as continuing with their own ICT procurement practices regardless of the plethora of
    policies being published by the DTA.
  3. It is important that agencies are consistent in their procurement approaches even though
    the services they deliver are vastly different. This makes it easier for vendors to focus on
    delivering services and tailoring products to achieving agency outcomes rather than
    spending time on understanding and complying with different and inconsistent procurement
    requirements across agencies.

DTA’s Digital Marketplace

  1. AIIA members have noted that the DTA’s Digital Market place has become a platform for
    labour hire firms. It is a jobs board for personnel.
  2. While the DTA has been good at seeking and receiving feedback on the Digital
    Marketplace, the DTA’s follow up actions demonstrate that DTA has neither the technical
    or procurement knowledge and capability to implement the changes being requested by
  3. There is also confusion as to whether the Digital Marketplace is the only platform for Digital
    outcomes in the Australian Government with agencies still publishing tenders for digital
    outcomes on AusTender in preference to the Digital Marketplace. For example, at the date
    of this submission, the following tender notice is appearing on AusTender. It is not listed
    on the Digital Marketplace. The effect of this is that while the DTA now has a Digital
    hardware, professional services and training marketplace, inconsistency in agency
    practices means that sellers are having to keep an eye out on two platforms rather than
    one for digital business opportunities.

Page 5 of 5 REDACTED

This text has been redacted: Date redaction, Date redaction, Date redaction, date redacted