Procurement and contracts

2.1 Single seller arrangements (SSAs) are pre-negotiated, whole of Australian Government technology agreements with specified sellers, established to leverage the government's collective buying power and ensure consistency with legal terms and conditions. They are not a procurement pathway. 

2.2 The policy and legislative environment is constantly changing. Similar to other long-term contractual arrangements (e.g. Digital Marketplace Panel 2), an SSA may become out of step with policy changes over the life of the contract. For example, the recent introduction of the Supplier Code of Conduct on 1 July 2024 required updates to be made to the SSAs. This necessitates the periodic review of the SSAs throughout their life to ensure ongoing alignment to the policy and legislative environment as it changes.

2.3 To manage this, the Digital Transformation Agency (DTA) routinely undertakes procurement policy compliance assessments for the SSAs. Further, the SSAs include clauses that allow updates to be made to the SSAs as the policy and legislative environment changes.

2.4 When undertaking any procurement activity, there are a range of policies any digital procurement needs to consider, as depicted in the chapter overview above. Some policies have specific values at which different requirements for digital procurements are triggered, as depicted in the figure below.

Figure 12 Policy thresholds
Description of Figure 12

The figure depicts 11 policy thresholds, from $0 to $100 million, as follows:

$0:

  • All policies without a financial threshold are applied as default.
  • Pay on Time policy: invoices are to be paid within 20 days, or 5 days if Pan-European Public Procurement On-Line (PEPPOL) enabled

$10,000:

  • Contracts to be published within 42 days of arrangement being entered

$80,000:

  • Tenders must be put out to open market on AusTender, subject to Limited Tender rules
  • Completion of the Fair Criteria Checklist and the Consider First Assessment Tool
  • Suppliers must provide a Certificate of Compliance with the Workplace Gender Equality Act

$80,000 to $200,000:

  • Mandatory Set Aside requiring Indigenous enterprises be engaged first on procurement opportunity

$1 million:

  • Vendors to provide Supplier Environmental Sustainability Plans for ICT goods
  • ICT contracts need to consider economic benefit to Australia

$2 million:

  • Consultancy contract reporting

$4 million:

  • Statement of Tax Record must be submitted as part of any Open Tender response and be maintained throughout the contract
  • Payment Times contractual clauses to be included requiring suppliers to pay sub-contractors up to $1m (GST inc) within 20 calendar days or pay interest

$7.5 million:

  • Indigenous Procurement Plan required, including Mandatory Minimum Requirements for contracts / panels to be awarded to Indigenous enterprises where contracts are wholly delivered in Australia

$10 million:

  • Skills guarantee requires targets for ICT projects for gender equality, apprentices and cadets to be set

$20 million:

  • Australian Industry Participation Plan required

$100 million:

  • Modern Slavery Reporting by suppliers who have revenues over $100m
  • Digital contracts cannot exceed $100m in value (and three years), unless an exemption has been granted.

Establishment and use of an SSA

2.5 A procurement process includes steps that precede an agency preparing, negotiating or entering into a contract, with requirements set out in the CPRs.

2.6 This necessitates consideration of the mechanism to appoint an SSA seller against two core components:

  • The head agreement, which does not include any liability to the DTA or any Commonwealth agency. This is established by the DTA as a standing offer. (Under Appendix B: Definitions within the CPRs, a “Contract” is defined to include a standing offer (and a panel) as relevant money may become payable under the standing offer. Further information is also available on Understanding Panel Arrangements.)
  • The contract, which sits under the head agreement, and includes the products and services to be purchased. The buyer signs this contract. In some cases, the DTA enters into these contracts, under the relevant head agreement, for a coordinated purchase on behalf of the Commonwealth.

2.7 There has been a long-standing pattern of predictable usage of all but one of the sellers who have an SSA (refer to the SSA spend profile and Appendix A: Overview of SSA sellers sections of this report). The establishment of the SSAs provided the opportunity to leverage the collective buying power of agencies by consolidating sourcing arrangements into one contracting framework. Recognising this, the DTA has implemented SSAs in a manner consistent with the Limited Tender provisions under Division 2, paragraph 10.3 of the CPRs which states:

2.8 The establishment of the head agreement is consistent with these Limited Tender provisions.

2.9 When established, the SSA is listed as a Coordinated Procurement on Finance’s website. Consistent with the CPRs, where buyers select an SSA seller as part of a procurement process (refer to SSAs’ place in the procurement lifecycle):

  • NCEs must contract the SSA seller under the SSA per the Coordinated Procurement provisions (refer to paragraphs 4.11 and 4.12 of the CPRs).
  • All other entities which have signed up to the SSA may contract the SSA seller using the SSA at their discretion.

"We want to win based on the merits of our technologies and expertise and we strongly encourage our customers to run competitive procurement processes"

Nicholas Flood, Managing Director IBM Australia & New Zealand, April 2025

2.10 Of note, the DTA is actively working with buyers to encourage them to undertake market scans and competitive procurement processes, rather than solely relying on SSA Coordinated Procurement. Further, buyers engaged by the review commonly cited conducting such market scans and competitive assessments independently, stressing the SSAs are ‘a contracting framework, not a procurement pathway’.

2.11 As part of negotiating the SSAs, the DTA may agree to pre-commit to purchasing products and services from the SSA seller. This pre-commitment reflects the existing and projected usage patterns with the SSA seller, which is consistent with the Limited Tender provisions under the CPRs.

2.12 Consideration is also required of the use of the SSAs for products and services. The findings of this assessment at a high level were:

  • Products (e.g. M365 by Microsoft or ECC6 by SAP for enterprise resource planning) are mostly protected by patents, copyrights, or other exclusive rights, or are proprietary information. Where these protections are in place, buyers’ continuity of the use of these products necessitates purchase from the SSA seller or an authorised reseller commercially established by the SSA seller (e.g. Data#3 is the incumbent Microsoft reseller to the Australian Government).
  • Services can, in limited circumstances, also meet the requirements around proprietary information (e.g. intellectual property) or the provision of services which are not available from others due to compatibility requirements. However, the review found there is a dynamic technology services market that can also meet buyer requirements, which necessitates competitive procurement processes to be run for services.

2.13 The applicability of SSAs to products and services can be summarised broadly as:

Table 4 Products and services and SSA justification

Product only

Although not the only consideration, when a product is exclusively available from a single seller, it reinforces the justification for an SSA. Refer to Defining conditions that warrant an SSA section of this report for further information.

Service only

Establishing an SSA solely for services is unlikely to be justifiable, as expertise exists widely and professionals with deep technical knowledge are often mobile. 

Product in principle, services in addition

If the primary driver for an SSA is the product, the agreement is justified. Adding services where they are intrinsically linked to specific products can be a logical approach.

Services in principle, products in addition

Where services are the key rationale for an SSA, numerous providers exist. Any minor products offered by the seller are unlikely to be sufficiently utilised by the Australian Government to warrant an SSA.

2.14 The Australian National Audit Office reviewed the use of the Limited Tender provisions through an audit in 2020 entitled “Establishment and Use of ICT Related Procurement Panels and Arrangements” that sought to “assess the extent to which entities’ establishment and use of ICT related procurement panels and arrangements supported the achievement of value for money outcomes”. Regarding the IBM SSA specifically, the Australian National Audit Office concluded: 

"DTA's planning and approach to market for the establishment of the IBM Arrangement complied with the CPRs and demonstrated adoption of key sound practices identified in Finance guidance. DTA documented clear objectives for establishing the arrangement and approached IBM via a limited tender as part of a coordinated approach to expand the number of whole of Australian Government arrangements in place."

2.15 There is an observed tension between entering the SSA as a Limited Tender and the Australian Government’s intention to use the SSAs as a contracting framework that buyers utilise following a competitive market assessment. This is further compounded by the way the SSAs are positioned publicly, as discussed in the Updating key websites and branding section of this report.

2.16 Discussions with Finance indicated there is an opportunity to consider amending the CPRs to address this observed tension, and the other findings of this report. The amendment could be similar to the articulation of Coordinated Procurement or Cooperative Procurement to distinguish the SSAs and address risks identified in Seller lock-out. This amendment would have two key benefits:

  • Enable a mechanism to compel mandatory usage of the contracts across the Australian Government, without requiring the use of Coordinated Procurement which effectively establishes the SSA sellers as a panel of one.
  • Make clear buyers must follow a competitive market assessment. 

2.17 Finance noted, however, that a glass house rule (assessing whether the addition of such an exception for the SSAs would create any other issues for other sectors of the economy, e.g. construction) would need to be applied to consider how the amendment may apply to other sectors of the Australian economy.

2.18 The DTA should engage with Finance to distinguish within the CPRs whole of Australian Government digital contracts from Coordinated Procurements to address the risk of SSAs being utilised as a procurement pathway.

Digital Sourcing Contract Limits and Reviews Policy

2.19 The Digital Sourcing Contract Limits and Reviews Policy (this policy is only applicable to non-corporate Commonwealth entities) supports agencies to structure contracts to reduce risk, drive competitive outcomes and increase flexibility. Concerns were, however, raised by both agencies and sellers about the policy’s thresholds, which impose:

  • A $100 million cap on contract values (first established in 2016 and revised in 2020, buyers and sellers noted this threshold has not kept pace with inflation or the relative cost of technology).
  • A three-year maximum duration for the initial contract term length, plus a three-year maximum for any subsequent option period. 

2.20 The policy provides for a Joint-Ministerial Exemption where any digital contract exceeds the relevant thresholds, which states:

An exemption from this policy can be granted jointly by the requesting NCE's [non-corporate Commonwealth entity] portfolio minister and the Minister responsible for the DTA.

The requesting NCE must demonstrate a special need for an alternative arrangement and their exemption request must be premised on a genuine intent to meet the policy requirements. They must also include evidence to support any claims.

2.21 Applying for the exemption was noted to add administrative burden to agencies contemplating entering digital contracts that exceeded these thresholds. The SSAs, however, are automatically exempt from these limits as they are listed as a mandatory category on the digital whole of Australian Government panel, which, in addition to the SSAs, includes:

  • Data Centre Panel 3.
  • Hardware Marketplace.
  • Software Marketplace.
  • Telecommunications Marketplace.

2.22 The SSAs can offer better pricing due to the automatic exemption under the policy, by:

  • Enabling a longer contractual timeframe, which allows SSA seller proposals and contracting costs to be amortised over a longer period.
  • Entering contracts over $100m, which allows the SSA sellers to amortise their costs over a broader base of revenues. 

2.23 These factors reduce the commercial risk profile of the SSA sellers when providing their pricing, enabling them to compete more effectively than other sellers in the market.

2.24 This unintended consequence of improving the competitive position of the SSA sellers, in particular the three-year contract limit, also appears inconsistent with the Australian Government’s policy stance on encouraging procurement opportunities for Small and Medium Enterprises (for example, per the Buy Australian Plan), and Indigenous entities (for example, per the Indigenous Procurement Policy). 

2.25 The DTA should review the existing Contracts Limits and Review Policy to ensure competitive neutrality between sellers.

Commonwealth Australian Industry Participation (CAIP) Plans

2.26 The CAIP Plans policy for Australian Government funded projects has been established by the Department of Industry, Science and Resources (DISR) to ensure Australian industry has:

  • Full, fair and reasonable opportunity to bid to supply key goods and services for the project.
  • The opportunity to show their capabilities when the company purchases or subcontracts these goods and services.

2.27 Whilst CAIP Plans are not mandatory, contracts under the SSA head agreements often exceed the $20m threshold for development of a CAIP Plan. Further, when considering the collective spend on SSA sellers, the threshold is exceeded for all SSA sellers except Rimini Street. More than 40 contracts were entered into by buyers over the past five years which exceeded the $20 million threshold.

2.28 Underlying this issue is the nature of how CAIP Plan requirements are managed, which devolves responsibility for agreeing the details of the plan to buyer agencies. Although this approach is consistent with the policy intent of “Government entities that fund their projects are responsible for applying this policy”, the review heard that buyers generally do not implement CAIP Plans at a contract level. This means the Commonwealth is not getting the full industry participation outcome sought from this policy in relation to the SSAs. 

2.29 The establishment of CAIP Plans for each SSA seller at a head agreement level is further discussed in the Enhancing growth of the Australian technology sector section of this report. 

2.30 When determining what can reasonably be expected of the sellers with SSAs, it is acknowledged that most of the sellers provide platforms, upon which others build specific solutions. The solutions are commonly built by members of the sellers’ Australian partner network. With this in mind, the CAIP Plans could target a range of opportunities for Australian industry inclusion, including: 

  • Commercial partnerships with, or sub-contracting to, Australian companies for Australian Government work.
  • Direct investment in Australia (e.g. building sovereign data centres) necessitating Australian companies in the supply chain.
  • Innovation and investment programs.
  • Seller investment in skilling initiatives within educational institutions (e.g. school, TAFE, universities).
  • Training and certification programs to uplift capability in Australian industry.
  • Global network initiatives to incorporate Australian businesses into the SSA global supply chain.

2.31 Further, as discussed in Broader ecosystem, the priorities outlined in the Buy Australian Plan align well with the use and implementation of the CAIP Plans.

Australian Skills Guarantee

2.32 The Australian Skills Guarantee is a policy designed to use government investment in major technology projects to help train the next generation of skilled workers. It applies to procurements with an estimated individual value of over $10m. (Limited to Non-Corporate Commonwealth Entities, and Prescribed Corporate Commonwealth Entities under the Public Governance, Performance and Accountability Act 2013. Note too, this policy also applied to construction contracts, but this was not within scope of this review.) However, buyers have the discretion to determine if it is reasonable to apply the targets. 

2.33 Of course, the SSAs are not technology projects; rather, they are a contracting framework. Therefore, in practice, buyers are unlikely to implement or manage the targets within the construct of the SSA and associated agency-level contracts, as relevant to agency technology projects. This was confirmed during agency consultations.

2.34 Recognising this outcome, it is important to establish meaningful Skills Guarantee targets with SSA sellers at a head agreement level. 

2.35 Further discussion of benefits associated with training and education provisions within the SSAs is provided in the section “Secondary Benefits”.

Indigenous Procurement Policy

2.36 The Indigenous Procurement Policy aims to stimulate Indigenous entrepreneurship, business and economic development, providing Indigenous Australians with more opportunities to participate in the economy. 

2.37 The Indigenous Procurement Policy sets two levels at which Indigenous procurement outcomes are managed:

  • Mandatory set-aside: applicable to remote procurements and all other procurements wholly delivered in Australia between $80k and $200k (GST inclusive).
  • Mandatory Minimum Requirements (MMR): applicable to high value contracts wholly delivered in Australia valued at $7.5 million or more (inclusive of GST).

2.38 In aggregate, the Australian Government’s total spend exceeds the mandatory set-aside threshold at a whole-of-government level and will typically exceed this threshold at an individual contract level. (The Indigenous Procurement Policy applies to specific contracts, rather than the overall spend with a seller.)

2.39 Many SSA contracts will meet the MMR threshold of $7.5m and the refined “wholly delivered in Australia” requirement introduced in July 2025. As such, buyers need to ensure the 3-4% target under the MMR is met for any SSA contracts, including acquittal of whether the SSA seller was compliant at the end of the contract.

2.40 The review noted that the targets for Indigenous Procurement, which are managed at a Portfolio level, were substantially exceeded in the most recently reported financial year. Further, most of the SSAs include clauses which provide for Indigenous Participation Plans to be set by agencies, where agency contracts exceed the relevant threshold, and IBM has an active MMR IPP in place.

Other policies

2.41 The Supplier Code of Conduct came into effect 1 July 2024 and outlines minimum expectations of suppliers and their subcontractors while under contract with the Australian Government. Paragraph 6.12 of the CPRs mandates this code, stating all relevant entities must incorporate the Code into all forms of Commonwealth contracts. Provisions for this code of conduct have not yet been incorporated into all the SSAs.

2.42 DTA advised that the Certificate of Compliance required as per the Workplace Gender Equality Procurement Connected Policy was obtained where relevant for each of the SSAs, with no issues noted. Further, Microsoft has submitted the Workplace Gender Equality optional statement. 

2.43 Each of the SSA sellers has published a Modern Slavery Statement as required under the Modern Slavery Act 2018.

2.44 The updated direction of the Australian Government regarding “The new APS ERP approach” encourages autonomy and choice, testing the market and support for smaller entities. The review considered this new approach to be consistent with the intent for the SSAs to be utilised as a contracting framework, and noted agencies are no longer obligated to utilise GovERP as required previously under the moratorium in place. Supporting this position is:

"The new approach does not prevent entities from seeking or continuing to receive transactional services from existing transactional processing providers."

Emerging changes

2.45 There are also key emerging changes, which include:

  • Procurement and Sourcing Policy – the DTA is consulting on whether this policy should replace the Digital Sourcing Consider First and Fair Criteria policies.
  • Environmentally Sustainable Procurement Policy – this policy has recently come into force from 1 July 2025 for ICT goods (e.g. hardware, computers, servers) and requires the establishment of a new Supplier Environmental Sustainability Plan for any contracts over $1m (including GST) which will require 6-monthly reporting to the buyer, and from the buyer to the Department of Climate Change, Energy, the Environment and Water.

Digital and Investment

Data and Digital Government Strategy

2.46 The SSAs align well with the Data and Digital Government Strategy, which sets a clear expectation that the Australian Public Service (APS) will strengthen partnerships:

The Government spends on average around $70 billion each year on procurement activities, helping to drive economic, social and sustainability outcomes for Australia. This includes procuring a significant range of data and digital products, services and support from industry – everything from software and hardware, corporate systems, analytics tools and cloud services. This represents an opportunity to partner with industry, through the Commonwealth Procurement Framework, to identify the best solutions to deliver government services. The Framework also helps Government to take advantage of industry innovations, and seek industry’s support to solve emerging problems, through mechanisms like requests for information

2.47 Notwithstanding the Strategy’s concurrent expectation to reduce the reliance of the Australian Government on those external to the APS as “in 2021, almost half of its digital and technology workforce were contractors, service providers and consultants”, there is a clear recognition that partnering with industry is key to identifying the best solution to deliver government services.

List of Critical Technologies in the National Interest

2.48 The SSA sellers’ products align well with several of the technologies listed by the Department of Industry, Science and Resources on the ‘List of Critical Technologies in the National Interest’, including:

  • Advanced manufacturing and materials technologies, such as IBM Maximo, which enables predictive maintenance, smart factory operations, and asset optimisation.
  • AI technologies, such as SAP Business AI, Microsoft Copilot, Amazon Q, Oracle Generative AI/machine learning, and IBM Watson.
  • Advanced information and communication technologies, such as Microsoft Teams, Amazon EMR (Elastic MapReduce), Oracle’s Distributed Cloud Solutions and Roving Edge, and IBM Voice Gateway and Hybrid Cloud with Red Hat OpenShift.
  • Quantum technologies, such as Microsoft’s Majorana 1 chip, IBM’s Quantum System Two and Amazon Braket.
  • Biotechnologies, such as IBM research which contributes to computational biology through AI-driven drug discovery and bioinformatics platforms.
  • Clean energy generation and storage technologies, such as IBM Maximo which supports energy efficiency, emissions tracking, and intelligent asset management for renewable energy systems.

Digital and ICT Reuse Policy

2.49 The consolidated contracting of the SSAs is in clear alignment with the intent of the Digital and ICT Reuse Policy to “Reuse wherever possible” and “Enable reuse by others”. Further, the Reuse Standard, published on the Australian Government Architecture, also notes the desire for reuse:

In the Australian Government context, the term 'reuse' means using an existing component within the process of realising a new digital or ICT solution, as grouped into the following categories:
...

  • Procurement
    • Commercial, legal, and licensing agreements
    • Whole of Government procurement resources
    • Procurement processes

2.50 SSAs, however, require the relevant buyer and the seller to agree on the application of any intellectual property rights, transfer rights and pricing metrics.

Digital Service Standard

2.51 The SSAs broadly align with the Digital Service Standard in the following areas:

Connect services

The policy expectation is to 'design for interoperability' and 'join up services'. This is easier to achieve in a stable technology environment, as dynamic technology environments require reintegration or rearchitecting for interoperability. Nonetheless, the SSAs encourage contracts to address interoperability and integration requirements, although these requirements may change over the product's lifecycle.

Don't reinvent the wheel

Applying lessons from predecessors is easier to do with comparable technology platforms / products. The SSAs deal with technology change and evolution.

Innovate with purpose

SSAs ease the uptake of innovations and emerging technologies as they become available through the established contractual mechanisms. The SSAs facilitate access to product and service improvements.

2.52 No other key points of note were identified for:

  • Using AI in the Australian Government.
  • Digital and ICT Investment Oversight Framework.
  • Benefits Management Policy (except as per Improving reporting in this report).
  • Data, digital and cyber workforce plan.

Cyber and security

2.53 A range of cyber security and related legislation, policies and frameworks are applicable to the SSA ecosystem, and government procurement and contracting more generally. As the technology and cyber security sector continues to rapidly evolve and respond to new and emerging threats and vulnerabilities, the Australian Government and sellers must continually adapt.

2.54 The SSAs generally support these legislative and policy settings by facilitating buyers’ alignment with the requirements through head agreements and underlying contracts, and through enabling government agencies to meet the requirements, for example through providing products that are or can be assessed against the Information Security Manual (ISM) requirements.

2.55 However, the SSAs generally contain lower levels of base protections specific to cloud services contracts. The SSAs offer opportunities to include improved protections in contracts, but these need to be negotiated with the sellers. Therefore, when considering the cyber and security legislative and policy ecosystem, there remain opportunities for the government to introduce greater consistency in representing cyber and security requirements. The SSA terms and conditions related to cyber and security are represented in various forms and structures throughout the SSA head agreements, with varying levels of detail and various references to specific legislation and policy.

Protective Security Policy Framework (PSPF) and Information Security Manual (ISM)

2.56 Central to the Australian Government cyber security policy landscape is the PSPF which, across six security domains, prescribes what applicable government entities must do to protect their people, information and resources, both domestically and internationally. The relevance to SSAs is evident through this PSPF statement:

"Non-government organisations and third-party service providers may be required to implement aspects or parts of the PSPF. This will be detailed in relevant deeds or agreements between the Australian Government and the non-government organisations or third-party service providers."

2.57 SSA head agreements contain provisions related to compliance with the PSPF and ISM requirements. In some cases, the responsibility for including these provisions in contracts between government agencies and SSA sellers is devolved to the buyer. This is represented in various ways, for example:

  • Compliance with the requirements of the PSPF, ISM and Privacy Act (either in accordance with the head agreement, or as specified in a contract with a government entity).
  • Compliance with other specified security requirements.
  • Developing a Commonwealth Data Protection Plan for Customer Data, which must be consistent with the requirements of the Privacy Act 1998, PSPF and ISM requirements.

2.58 While devolving responsibility is considered appropriate, as it allows agencies to consider their risk context in negotiating these terms, this introduces challenges relating to:

  • Consistency in the application of the minimum PSPF and ISM requirements and standardisation of the terms and conditions.
  • Ensuring the contract adequately covers security requirements specific to an agency.
  • Maintaining relevant expertise within procurement and contract management teams to ensure the provisions are appropriate in the context of the agency.

2.59 The SSAs also generally reference seller or other security standards. While alternative or additional standards may be appropriate, agencies must have the capability to assess these alternative standards and be aware of their obligations to report compliance with these standards in their protective security reporting. This approach risks introducing inconsistencies in the application of Australian Government cyber security standards.

2.60 While the SSAs contain general provisions relating to cyber security, stakeholders identified the need to establish a minimum or standardised set of cyber and security clauses for inclusion in SSAs that cannot be overridden. Consultation with the Department of Home Affairs (Home Affairs) and ASD will be essential to identify and define these requirements. 

2.61 Further, stakeholders identified the need to define digital and data sovereignty and localisation requirements as they relate to critical products and capabilities in the technology sector. Once agreed, there is an opportunity for the Australian Government to undertake analysis of the types of capabilities and data that warrant being subject to sovereignty requirements.

2.62 To achieve the above, Home Affairs, ASD and the DTA together should:

  • Establish the minimum set of cyber and security clauses within SSAs which cannot be overridden by seller terms when a buyer enters a contract.
  • Define data and digital sovereignty, with consideration of localisation requirements and existing policy (e.g. the Hosting Certification Framework).
  • Undertake an assessment of the existing Australian Government technology landscape to identify the specific technology and capability that should be subject to data and digital sovereignty requirements.
  • Determine the appropriate mechanism to enforce the requirements (e.g. Protective Security Policy Framework directives).

2.63 The approach to implementing additional provisions in SSAs will require consideration due to the additional requirements this will place on both buyers and sellers. For example, to reduce the burden, the following could be considered:

  • Head agreements with SSA sellers could include specific provisions for digital and data sovereignty related to the capabilities they provide, enabling the buyer to include any additional requirements in their contracts by exception.
  • PSPF Directives could require Accountable Authorities to implement measures to achieve compliance with digital and data sovereignty, placing the onus on buyers to negotiate and manage these requirements with SSA sellers.

Secure Cloud

2.64 Section 15 of the PSPF includes direction on cyber security programs, including:

  • The Secure Cloud Strategy that emphasises the advantages to be gained from moving from on-premises, owned and operated infrastructure to cloud computing, while recognising the challenges in adoption including lack of knowledge, outdated operating models, and difficulties in gaining business support for the transition.
  • To assist with adopting secure cloud (as described by the Secure Cloud Strategy), agencies are required to use Cloud Service Providers that have completed an Infosec Registered Assessors Program (IRAP) assessment for their cloud services. The sellers with an SSA offering cloud-based services support this requirement with a range of cloud-based services having undergone IRAP assessment that can be consumed by government entities.
  • Due to the evolving nature of the products and services offered under the SSA arrangements, it is imperative that agencies maintain awareness of which specific products and services are IRAP assessed when establishing arrangements with the SSA sellers, and ensure that emerging products are assessed on an as-required basis.
  • The Hosting Certification Framework (HCF) assists Australian Government agencies to identify and source hosting services aligned to their risk profile, classification and sensitivity of their data, and internal risk assessment. In collaboration with the SSA sellers, the DTA could maintain a centralised list for reference by buyers. The HCF applies to Data Centre Providers and Cloud Service Providers, and enables certification at three levels:
    • Strategic: represents the highest level of assurance and is only available to Service Providers that allow government to specify ownership and control conditions. A Certified Strategic Service Provider offers additional protections to government compared with a Certified Assured Service Provider. These include increased security controls. Due to these additional protections, government customers with a high-risk profile or those seeking additional protections for their data may require the services of a Certified Strategic Service Provider.
    • Assured: provides safeguards against change of ownership or control through financial penalties that are aimed at minimising the transition costs borne by the Commonwealth if a Service Provider alters their profile. Government customers with a low-risk profile and sensitive data, which has been deemed by the government customer to not need additional security protections, may seek the services of a Certified Assured Service Provider.
    • Uncertified: offers minimal protections to government. Government customers may use the services of an Uncertified Service Provider to host non-sensitive data or where their internal risk assessment determines it appropriate to do so.
  • The SSAs support the intent of the HCF through various means:
    • Several SSA sellers provide certified cloud services, including Certified Strategic.
    • SSA sellers provide solutions that leverage certified cloud services.
    • SSA sellers provide solutions that do not require the use of certified cloud services, for example, a SaaS product hosted in a non-certified data centre where the use case involves non-sensitive data and acceptance through a risk assessment.

2.65 For both IRAP assessed and HCF certified cloud services, government entities must maintain awareness and visibility of the scope and currency of the assessments. This is particularly important as only a subset of the offerings (within the broad ecosystem of products and solutions) from the SSA sellers (and sellers more generally) are IRAP assessed or HCF certified.

Cyber Security Act 2024 (Cyber Security Act)

2.66 The Cyber Security Act includes measures to: 

  • Mandate minimum cyber security standards for smart devices.
  • Introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments.
  • Introduce a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents.
  • Establish a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.

2.67 Legislation, in the form of Rules, supports the measures under the Cyber Security Act. The initial rules took effect on 30 May 2025 (Ransomware Payment Reporting Rules and the Cyber Incident Review Board Rules) and further rules will come into effect on 4 March 2026 (Security Standards for Smart Devices Rules).

2.68 The Cyber Security Act and Rules are applicable to the SSA sellers where they meet the definition of a ‘reporting business entity’. The review identified that the head agreements do not reference the Cyber Security Act, largely attributable to the Act coming into effect in late 2024.

Security of Critical Infrastructure Act 2018 (SOCI Act)

2.69 The SOCI Act establishes the legal obligations for entities that own, operate, or have direct interests in critical infrastructure assets. The 2023 Critical Infrastructure Resilience Strategy defines critical infrastructure as:

those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.

2.70 The SOCI Act defines each class of critical infrastructure asset and applies to SSA sellers where they meet the definition of a “responsible entity” in the SOCI Act.

2.71 The review notes that while the above arrangements are positive, the head agreements with the SSA sellers inconsistently reference or include provisions specific to the SOCI Act. For example, head agreements contain:

  • Consultation provisions relevant to the SOCI Act.
  • Clauses specific to incident reporting.
  • In some cases, no specific reference to the SOCI Act.

2023-2030 Australian Cyber Security Strategy (ACS Strategy)

2.72 The ACS Strategy outlines a range of initiatives aligned to six ‘cyber shields’ that will help Australia become a world leader in cyber security by 2030, with the intention of working with industry to reinforce the shields and build cyber resilience. It can be reasonably expected that emerging regulation, policies, frameworks and amendments will need to be reflected in any current and future SSAs. 

Privacy Act 1988 (Privacy Act)

2.73 Head agreements for the SSAs contain specific provisions related to the Privacy Act, requiring SSA sellers to ensure compliance. 


 


Broader ecosystem

2.74 Among other priorities, the Buy Australian Plan sets out an intention to leverage Commonwealth procurement, such as the SSAs, to:

Table 5 Key strategies of the Buy Australian Plan relevant to SSAs

| Key provision | Discussion |
| --- | --- |
| Open the door to more government work for more small and medium businesses by decoding and simplifying procurement processes | Finance have established initiatives outlined in the Buy Australian Plan to support decoding and simplifying procurement processes. Establishing CAIP Plans will support this initiative. |
| Establish a Secure Australian Jobs Code to prioritise secure work in government contracts and ensure that government purchasing power is being used to support businesses that engage in fair, equitable, ethical and sustainable practices | This Code is not yet in force; however, it will need to be considered in the future when implemented. |
| Provide more opportunities for First Nations businesses with a view to maximise skills transfer so that we can get more First Nations workers into long-term skilled work | The SSAs include Indigenous Procurement Policy provisions that align with achieving this policy intent. |
| Use government spending power to take action on climate change and support energy projects | No inconsistencies were identified with Australia’s long-term emissions reduction plan as required under Net Zero Emissions by 2030. |

2.75 Further to the requirements associated with encouraging competition under the CPRs, the Competition and Consumer Act 2010 makes provisions for four key aspects relevant to the SSAs:

Table 6 Key provisions of the Competition and Consumer Act 2010

| Key provision | Relevance to the SSAs |
| --- | --- |
| Contracts, arrangements or understandings that restrict dealings or affect competition (section 45) | Sellers must not enter contracts, arrangements or understandings which substantially lessen competition. |
| Prohibition of contracts, arrangements or understandings affecting the supply or acquisition of goods or services (section 45E) | Sellers must not prevent or hinder the supply or acquisition of goods or services they have agreed to provide. |
| Misuse of market power (section 46) | Sellers with substantial market power must not engage in conduct that substantially lessens competition in the marketplace. |
| Exclusive Dealing (section 47) | Sellers must not enter arrangements to the exclusion of all others. |

2.76 Further to the above, established international trade agreements shape procurement obligations, promoting transparency, non-discrimination and open competition in government procurement. 

2.77 Whilst most of the SSA sellers are leaders in their respective markets globally and compliance with the Competition and Consumer Act 2010 is a matter for the Australian Competition and Consumer Commission (ACCC) as the regulator, no evidence of breaches of the above provisions relevant specifically to the SSAs was submitted to the review. The review acknowledges the recent report by the ACCC entitled ‘Digital platform services inquiry’.

2.78 Further engagement with the Department of the Treasury (Treasury), which oversees the application of the Competition and Consumer Act 2010, indicated there are no concerns with the establishment or use of the SSAs. Ongoing monitoring by the DTA of the work being undertaken by Treasury regarding the ‘Digital platforms – a proposed new digital competition regime’ is required, as this may introduce new obligations regarding the competitive landscape relevant to the SSAs.

2.79 Further discussion on broader competition considerations is outlined within the Seller lock-out, Buyer locked into seller and Enhancing growth of the Australian technology sector sections of this report.

2.80 Notably, new sustainability reporting requirements have come into force under Chapter 2M of the Corporations Act 2001 for financial years beginning on or after 1 January 2025.

2.81 No other key points of note were identified for:

  • APS Net Zero Emissions by 2030.
  • APS Reform Agenda.

Overall alignment

2.82 The SSAs meet most of the policy’s applicable , however, gaps exist in the inclusion of some policies in all of the SSAs (e.g. Supplier Code of Conduct is not included in all SSAs) and the policy’s implementation effectiveness (e.g. CAIP Plans and Skills Guarantees targets are not actively in place).

2.83 This necessitates improvement in some areas identified:

  • As the policy and technology environment changes over time, the SSAs can become out of step, resulting in gaps in meeting the current policy environment that will need resolution. In particular, this relates to the value of many of the contracts established under the SSAs substantially exceeding the thresholds for CAIP Plans and the Skills Guarantee. Compliance with these policies has been deferred to buyers when establishing contracts under the head agreement, and the review anecdotally confirmed that buyers have not implemented these policy requirements.
  • The automatic exemptions under the DTA Contract Limits and Reviews Policy create an advantage for some SSA sellers, as the SSA sellers can provide pricing reflective of a larger contract value (i.e. greater than $100m) and over a longer period of time (i.e. more than 3 years) than would otherwise be allowed. Some SSA sellers also shared their preference for longer arrangements, indicating this would enable them to provide improved pricing through greater discounts.
  • While the agreements contain provisions allowing inclusion of legislation and policy as they evolve, consideration is required of the minimum cyber and security requirements applicable to the products and services provided by SSA sellers (and which cannot be excluded in contracts). Consultation will be required with Home Affairs and ASD to identify and define these requirements where warranted.
  • Stakeholders identified the need to define digital and data sovereignty and localisation requirements as they relate to the products, services and solutions in the technology sector. Until there is common agreement and understanding of these concepts, the Commonwealth’s ability to undertake an analysis of the types of data, information, products and services requiring stronger cyber and security (and other) provisions is diminished.

2.84 Further, ongoing monitoring by the DTA is required of the upcoming changes, including:

  • The new sustainability reporting requirements introduced under Chapter 2M of the Corporations Act 2001 for financial years beginning on or after 1 January 2025.
  • The Environmentally Sustainable Procurement Policy, which came into force from 1 July 2025 for ICT goods, requiring establishment of a new Supplier Environmental Sustainability Plan. This is particularly relevant for physical IT products (e.g. hardware).
  • The implementation of the Secure Australian Jobs Code as indicated by the Buy Australian Plan.
  • The outcome of the DTA's consultations on the Procurement and Sourcing Policy and related standards.
     
