Verification Record
AOS-CMP-2026-001-v1.1

The Compellability Gap in Commonwealth Cloud Assurance

An assessment of two Department of Home Affairs instruments, the Foreign Ownership, Control or Influence Risk Assessment Guidance and the Hosting Certification Framework, and whether either, as published, tests if a certified or cleared provider can be lawfully compelled by a foreign government to disclose the data it holds. Amazon Web Services appears as a worked example of how the instruments treat a class of provider; it is not the subject. This page records that the assessment rests on the public record alone: every claim can be checked against a source a reader can open, and where a step is inference rather than record it is marked as inference.

Reference
AOS-CMP-2026-001-v1.1
Date
6 July 2026
Classification
Released
Version
1.1
Author
Brunel Al-Bijwaie, Director, AustraliaOS Pty Ltd
Status

Verification status

The assessment is structured in layered attestation. The counts below show what is in the document; the CLAIM verdicts below show the engine result for the verified layer.

CLAIMs
14
Analyses
4
Recommendations
0

CLAIMs are facts tested by the AustraliaOS verification engine against primary sources. ANALYSIS blocks are labelled AUTHOR REASONED: each is the director's reasoning over CLAIMs and names the step at which a reasonable reader could disagree. This assessment carries no RECOMMENDATION blocks: it ends at its Bounds section and proposes no actions.

CLAIM verdicts

Supported
14
Partially Supported
0
Not Supported
0
Unverified
0
Board reflects the verification run of 6 July 2026 at agentos commit 59e80dd.

SUPPORTED indicates the CLAIM is confirmed by at least one primary source. PARTIALLY SUPPORTED would indicate the source pool confirms the substance of the CLAIM but a specific element in the evidence assembly diverges or could not be fully verified against the available source text. NOT SUPPORTED would indicate the source contradicts the CLAIM. UNVERIFIED would indicate the source was inaccessible to verification at the time of publication. The 14 SUPPORTED, 0 PARTIALLY SUPPORTED, 0 NOT SUPPORTED, 0 UNVERIFIED census confirms every CLAIM in the assessment against a primary source the reader can open.

Sources

Primary sources

Verification draws on three categories of primary source. Each category is named below with the instruments, registers and filings it attests. Every source is publicly accessible and was viewed on 6 July 2026.

Australian Government instruments and directions
  • Department of Home Affairs, Foreign Ownership, Control or Influence Risk Assessment Guidance (Sections 1 and 2)
  • Department of Home Affairs, PSPF Direction 001-2024: Managing Foreign Ownership, Control or Influence Risks in Technology Assets
  • Department of Home Affairs, Hosting Certification Framework (Framework)
  • Department of Home Affairs, Hosting Certification Framework Certified Service Providers register
  • Australian Signals Directorate, Australian Cyber Security Centre, CI Fortify
Provider and corporate record
  • Amazon.com, Inc. Form 10-K for the fiscal year ended 31 December 2021, Exhibit 21.1 (List of Significant Subsidiaries), US Securities and Exchange Commission
  • Amazon Web Services, AWS Australia FAQs (legal record for Amazon Web Services Australia Pty Ltd)
  • Amazon Web Services, Hosting Certification Framework (AWS Security Blog)
  • Australian Business Register, Amazon Web Services Australia Pty Ltd, ABN 63 605 345 891, ACN 605 345 891
  • Google Cloud, HCF Australia Compliance
United States statutory mechanism
  • Clarifying Lawful Overseas Use of Data Act 2018 (US), Pub. L. No. 115-141, div. V, codified in part at 18 USC 2713
Integrity

How to trust this record

The integrity of this verification record rests on public-source reviewability. Every factual claim in the assessment is tied to a named primary source, listed above, that is publicly accessible. Any reader, official, or independent reviewer can fetch the same source, locate the same passage, and confirm or contest the verdict for themselves. The verification does not ask the reader to trust an internal record; it asks the reader to check the public source directly.

AustraliaOS operates under a publicly disclosed interim audit-chain state pending migration to Australian-hosted infrastructure. The audit log entries written by the verification engine for this assessment are unsigned, via the JSONL fallback path, and are not yet cryptographically chained under a HMAC key. This is the same interim state disclosed for production on the AustraliaOS landing page. It is named explicitly here rather than left implicit, in keeping with the doctrine of disclosed accuracy the assessment itself argues for. The integrity guarantee on which this record stands is reviewability of public sources by the reader, not the internal audit chain; the chain is documentary, the public sources are evidentiary.

Scope

What this page is not

This verification record confirms that the factual claims in the assessment match what the named primary sources state at the time of publication. The assessment examines the design of two Commonwealth instruments and one program; it does not assess the conduct of any provider or any government entity, and it alleges no wrongdoing by either. It makes no allegation against Amazon Web Services, Google, or any provider named: that a provider holds Strategic certification, and that a United States company is reachable under United States law, are ordinary and lawful facts.

It makes no claim that any particular Australian Government dataset or system is held with any particular provider, at any tier, or in any location. It does not allege that the CLOUD Act has been invoked, or that any Australian Government data has been compelled, disclosed, or accessed. The subject is legal reachability, a standing property of jurisdiction, not any event. The assessment itself, not this verification page, is the decision-support artefact.

For accountability, signing, and correction process, see the Accountability Statement.

Download

Assessment PDF

The full assessment, authored and signed by the director, is available below. The verification status set out on this page is reflected in the document footer.

PDF · approximately 89 KB · signed by Brunel Al-Bijwaie, Director
SHA 256: fd31859858a2ad1e05282de10df7fe8906fe6db3e7337af6b6aa962470930a88
Recompute the SHA 256 with shasum -a 256 or sha256sum to confirm this file is unaltered since publication.
v1.1: editorial and typographic corrections; no CLAIM added, altered, or regraded; census unchanged.
Brunel Al-Bijwaie
Director, AustraliaOS Pty Ltd