The decision to terminate the Australian Signals Directorate (ASD) Cloud Services Certification Program (CSC) gives Australian government authorities just three months to prepare comparable internal capabilities for evaluating the security of third-party cloud services they intend to use. With the CSC now ceased and CCSL certifications running into their last days, the mandatory Australian Information Security Manual (ISM) will no longer require government agencies to choose cloud services from the list. But doing these assessments is not so easy, even for government agencies, and variability is often the result.”]