Cyber and security

2.53 A range of cyber security and related legislation, policies and frameworks are applicable to the SSA ecosystem, and government procurement and contracting more generally. As the technology and cyber security sector continues to rapidly evolve and responds to new and emerging threats and vulnerabilities, the Australian Government and sellers must continually adapt.

2.54 The SSAs generally support these legislative and policy settings by facilitating buyers’ alignment with the requirements through head agreements and underlying contracts, and through enabling government agencies to meet the requirements, for example through providing products that are or can be assessed against the Information Security Manual (ISM) requirements.

2.55 However, the SSAs generally contain lower levels of base protections specific to cloud services contracts. The SSAs offer opportunities to include improved protections in contracts, but these need to be negotiated with the sellers. Therefore, when considering the cyber and security legislative and policy ecosystem, there remain opportunities for the government to introduce greater consistency in how cyber and security requirements are represented. The SSA terms and conditions related to cyber and security appear in various forms and structures throughout the SSA head agreements, with varying levels of detail and various references to specific legislation and policy.

Protective Security Policy Framework (PSPF) and Information Security Manual (ISM)

2.56 Central to the Australian Government cyber security policy landscape is the PSPF which, across six security domains, prescribes what applicable government entities must do to protect their people, information and resources, both domestically and internationally. The relevance to SSAs is evident through this PSPF statement:

"Non-government organisations and third-party service providers may be required to implement aspects or parts of the PSPF. This will be detailed in relevant deeds or agreements between the Australian Government and the non-government organisations or third-party service providers."

2.57 SSA head agreements contain provisions related to compliance with the PSPF and ISM requirements. In some cases, the responsibility for including these provisions in contracts between government agencies and SSA sellers is devolved to the buyer. This is represented in various ways, for example:

  • Compliance with the requirements of the PSPF, ISM and Privacy Act (either in accordance with the head agreement, or as specified in a contract with a government entity).
  • Compliance with other specified security requirements.
  • Developing a Commonwealth Data Protection Plan for Customer Data, which must be consistent with the requirements of the Privacy Act 1988, the PSPF and the ISM.

2.58 While devolving responsibility is considered appropriate, as it allows agencies to consider their risk context in negotiating these terms, this introduces challenges relating to:

  • Consistency in the application of the minimum PSPF and ISM requirements and standardisation of the terms and conditions.
  • Ensuring the contract adequately covers security requirements specific to an agency.
  • Maintaining relevant expertise within procurement and contract management teams to ensure the provisions are appropriate in the context of the agency.

2.59 The SSAs also generally reference seller or other security standards. While alternative or additional standards may be appropriate, agencies must have the capability to assess these alternative standards and be aware of their obligations to report compliance with these standards in their protective security reporting. This approach risks introducing inconsistencies in the application of Australian Government cyber security standards.

2.60 While the SSAs contain general provisions relating to cyber security, stakeholders identified the need to establish a minimum or standardised set of cyber and security clauses for inclusion in SSAs that cannot be overridden. Consultation with the Department of Home Affairs (Home Affairs) and ASD will be essential to identify and define these requirements. 

2.61 Further, stakeholders identified the need to define digital and data sovereignty and localisation requirements as they relate to critical products and capabilities in the technology sector. Once agreed, there is an opportunity for the Australian Government to undertake analysis of the types of capabilities and data that warrant being subject to sovereignty requirements.

2.62 To achieve the above, Home Affairs, ASD and the DTA together should:

  • Establish the minimum set of cyber and security clauses within SSAs which cannot be overridden by seller terms when a buyer enters a contract.
  • Define data and digital sovereignty, with consideration of localisation requirements and existing policy (e.g. the Hosting Certification Framework).
  • Undertake an assessment of the existing Australian Government technology landscape (the Digital Investment Plans could be used to support this activity) to identify the specific technology and capability that should be subject to data and digital sovereignty requirements.
  • Determine the appropriate mechanism to enforce the requirements (e.g. Protective Security Policy Framework directives).

2.63 The approach to implementing additional provisions in SSAs will require consideration due to the additional requirements this will place on both buyers and sellers. For example, to reduce the burden, the following could be considered:

  • Head agreements with SSA sellers could include specific provisions for digital and data sovereignty related to the capabilities they provide, enabling the buyer to include any additional requirements in their contracts by exception.
  • PSPF Directives could require Accountable Authorities to implement measures to achieve compliance with digital and data sovereignty, placing the onus on buyers to negotiate and manage these requirements with SSA sellers.

Secure Cloud

2.64 Section 15 of the PSPF includes direction on cyber security programs, including:

  • The Secure Cloud Strategy that emphasises the advantages to be gained from moving from on-premises, owned and operated infrastructure to cloud computing, while recognising the challenges in adoption including lack of knowledge, outdated operating models, and difficulties in gaining business support for the transition.
  • To assist with adopting secure cloud (as described by the Secure Cloud Strategy), agencies are required to use Cloud Service Providers that have completed an Infosec Registered Assessors Program (IRAP) assessment for their cloud services. SSA sellers offering cloud-based services support this requirement by providing a range of IRAP-assessed cloud-based services that government entities can consume.
  • Due to the evolving nature of the products and services offered under the SSA arrangements, it is imperative that agencies maintain awareness of which specific products and services are IRAP assessed when establishing arrangements with the SSA sellers, and ensure that emerging products are assessed on an as-required basis. In collaboration with the SSA sellers, the DTA could maintain a centralised list for reference by buyers.
  • The Hosting Certification Framework (HCF) assists Australian Government agencies to identify and source hosting services aligned to their risk profile, the classification and sensitivity of their data, and their internal risk assessment. The HCF applies to Data Centre Providers and Cloud Service Providers, and enables certification at three levels:
    • Strategic: represents the highest level of assurance and is only available to Service Providers that allow government to specify ownership and control conditions. A Certified Strategic Service Provider offers additional protections to government compared with a Certified Assured Service Provider. These include increased security controls. Due to these additional protections, government customers with a high-risk profile or those seeking additional protections for their data may require the services of a Certified Strategic Service Provider.
    • Assured: provides safeguards against change of ownership or control through financial penalties that are aimed at minimising the transition costs borne by the Commonwealth if a Service Provider alters their profile. Government customers with a low-risk profile and sensitive data, which has been deemed by the government customer to not need additional security protections, may seek the services of a Certified Assured Service Provider.
    • Uncertified: offers minimal protections to government. Government customers may use the services of an Uncertified Service Provider to host non-sensitive data or where their internal risk assessment determines it appropriate to do so.
  • The SSAs support the intent of the HCF through various means:
    • Several SSA sellers provide certified cloud services, including Certified Strategic.
    • SSA sellers provide solutions that leverage certified cloud services.
    • SSA sellers provide solutions that do not require the use of certified cloud services, for example, a SaaS product hosted in a non-certified data centre where the use case involves non-sensitive data and acceptance through a risk assessment.

2.65 For both IRAP assessed and HCF certified cloud services, government entities must maintain awareness and visibility of the scope and currency of the assessments. This is particularly important as only a subset of the offerings (within the broad ecosystem of products and solutions) from the SSA sellers (and sellers more generally) are IRAP assessed or HCF certified.

Cyber Security Act 2024 (Cyber Security Act)

2.66 The Cyber Security Act includes measures to: 

  • Mandate minimum cyber security standards for smart devices.
  • Introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments.
  • Introduce a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents.
  • Establish a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.

2.67 Legislation, in the form of Rules, supports the measures under the Cyber Security Act. The initial rules took effect on 30 May 2025 (Ransomware Payment Reporting Rules and the Cyber Incident Review Board Rules) and further rules will come into effect 4 March 2026 (Security Standards for Smart Devices Rules).

2.68 The Cyber Security Act and Rules are applicable to the SSA sellers where they meet the definition of a ‘reporting business entity’. The review identified that the head agreements do not reference the Cyber Security Act, largely attributable to the Act coming into effect in late 2024.

Security of Critical Infrastructure Act 2018 (SOCI Act)

2.69 The SOCI Act establishes the legal obligations for entities that own, operate, or have direct interests in critical infrastructure assets. The 2023 Critical Infrastructure Resilience Strategy defines critical infrastructure as:

those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.

2.70 The SOCI Act defines each class of critical infrastructure asset and applies to SSA sellers where they meet the definition of a “responsible entity” in the SOCI Act.

2.71 The review notes that while the above arrangements are positive, the head agreements with the SSA sellers inconsistently reference or include provisions specific to the SOCI Act. For example, head agreements contain:

  • Consultation provisions relevant to the SOCI Act.
  • Clauses specific to incident reporting.
  • In some cases, no specific reference to the SOCI Act.

2023-2030 Australian Cyber Security Strategy (ACS Strategy)

2.72 The ACS Strategy outlines a range of initiatives aligned to six ‘cyber shields’ that will help Australia become a world leader in cyber security by 2030, with the intention of working with industry to reinforce the shields and build cyber resilience. It can be reasonably expected that emerging regulation, policies, frameworks and amendments will need to be reflected in any current and future SSAs. 

Privacy Act 1988 (Privacy Act)

2.73 Head agreements for the SSAs contain specific provisions related to the Privacy Act, requiring SSA sellers to ensure compliance. 