All companies that are certified to the Protected cloud level — which means they can host top-secret government data — will remain certified until the end of this financial year.
After that date, each cloud provider will have to deal with every agency on their own, effectively meaning that they will have to self-regulate.
The review, commissioned by the ASD, looked at both the Cloud Services Certification Program and the Information Security Registered Assessors Program.
The review recommended closing the CSCP and the creation of new co-designed cloud security guidelines with industry.
It also recommended the growth and enhancement of IRAP and the establishment of government and industry consultative forums for cyber security.
Additionally, it said there should be an updating of incentives in the Procurement and Administrative Instructions and Guidance to reflect the cessation of the CSCP.
The DTA's existing ICT Marketplaces will not be changed and will operate as usual.
The ASD has committed to enhancing its support of the IRAP and new IRAP candidates can apply to be accredited. The spy agency will also set up government and industry consultative forums for cyber security.
"The Consultative Forums will consist of select government and industry representatives from key stakeholder groups," the statement said.