IRAP

The Information Security Registered Assessors Program (“IRAP”) is an Australian government initiative managed by the Australian Cyber Security Centre (“ACSC”). IRAP is designed to provide independent and standardized security assessments of information technology (“IT”) systems used by government agencies to ensure they meet the Australian Government Information System Manual (“ISM”) standards and the Protective Security Policy Framework (“PSPF”).

IRAP assessors are qualified professionals authorized by the ACSC to evaluate cloud service providers, software platforms, and other digital infrastructure against strict security controls. For cloud service providers and organizations handling sensitive government data, IRAP assessments are a critical factor in demonstrating compliance with Australian government security mandates. A successful IRAP assessment means that a cloud platform has undergone a rigorous security review, helping agencies (public and private) determine whether it is suitable for use in their operations provided to the Australian government.

For more information, visit the IRAP webpage on the ACSC website.

Cloudflare has undergone an IRAP assessment for 36 specific services to demonstrate compliance with Australian government security standards at the PROTECTED level. The PROTECTED level is a high level of assurance that allows the Australian Government to use Cloudflare to process data including and up to PROTECTED.

• IRAP assessment validates that Cloudflare for Government - Australia meets the Australian Government Information Security Manual (“ISM”) security standards.

• Using Cloudflare’s IRAP assessed services, customers can meet Australian government compliance requirements.

• IRAP uses a shared responsibility model therefore customers can inherit specific controls which can lead to efficiency and reduce complexity.

• IRAP PROTECTED ensures that Cloudflare services can be used by government agencies and highly regulated industries while protecting sensitive information that could damage national interests from cyber threats.

Cloudflare for Government - Australia, our data localisation offering is specifically designed to address the unique requirements of Australian public sector customers. This solution builds directly upon our successful completion of the IRAP assessment at the PROTECTED level, demonstrating our continued commitment to security and compliance for the Australian government.

Application Services:
API Shield, Bot Management, Cache Reserve, DDoS Protection, Rate Limiting, SSL/TLS, SSL/TLS for SaaS, Turnstile, WAF, CDN, DNS, Load Balancing, Tiered Cache, Waiting Room

Developer Services:
Cloudflare for SaaS, Durable Objects, R2, Stream, Workers, Workers KV

Network Services:
Magic WAN, Magic Transit, Magic Firewall, Network Interconnect, Spectrum

Zero Trust Services:
Access, Argo Tunnel, Browser Isolation, CASB, Cloudflare Zero Trust, Gateway, Zero Trust WARP Client

Analytics and Insights:
Analytics, Cloudflare Web Analytics, Logs

Privacy and Compliance:
Data Localization

Cloudflare continuously introduces new features/functions across our platform throughout the year, some of which may have not been included in the prior IRAP assessment. Cloudflare may add these to our IRAP assessment scope depending on the annual assessment cycle.

Part of Cloudflare’s approach to IRAP compliance involves transparency about which user controls remain among our customers’ prescribed responsibilities. Cloudflare’s IRAP documentation includes the System Security Plan (“SSP”) with a responsibility section for each control for customers to review.

Your account executive or a member of the sales team can help you get a copy. Super Administrators can access common compliance documentation including Cloudflare’s IRAP attestation letter through the Cloudflare dashboard. Cloudflare requires all future and current customers to sign a nondisclosure agreement (NDA) before our report is provided.

Contact your account executive or a member of the sales team for additional questions.

For detailed instructions, visit Cloudflare’s guide.

Cloudflare’s IRAP documentation package contains the following:

• Assessment Letter

• IRAP Report

• Cloud Security Controls Matrix

Contact your account executive or a member of the sales team for a copy of the package.

Cloudflare’s IRAP assessment cycle occurs once every two years. Customers can expect an updated report approximately three months after the completion of the assessment.

Learn more about how Cloudflare can help your org address compliance requirements.

Visit Cloudflare’s Trust Hub to learn about additional compliance resources.

Learn more about how Cloudflare’s connectivity cloud capabilities help enterprises streamline and map to compliance requirements across multiple standards by visiting our data compliance and protection page.