Overview
The Australian Government is progressing the 2023-2030 Australian Cyber Security Strategy. We commit to making Australia one of the world’s most cyber secure nations by 2030.
Shield 4 of the Strategy, ‘Protect Critical Infrastructure’, explains the importance of uplifting Commonwealth Government cyber security as a key objective of the Strategy. We commit to uplifting the Australian Government’s cyber security to ensure that the Commonwealth Government not only meets the same standards set for critical infrastructure but proves to be an exemplar in managing cyber security risk.
By July 2025, the Department will release tranche 2 of the Commonwealth Cyber Security Uplift reforms. This comprises of key policies and standards, including the:
- release of the Systems of Government Significance Standard
- release of Protective Security Policy Framework (PSPF) 25
- release of the Australia Government Gateway Security Standard
- adoption of mandatory Zero Trust Principles
- commencement of reforms to the Hosting Certification Framework.
Besides the fundamental reform to the PSPF, we have issued five mandatory directions to manage emergent risk to the Commonwealth. These give strong foundations to improve the Commonwealth’s cyber security resilience and risk management posture.
Supplementing existing Commonwealth cyber security policy
World leading frameworks and standards shape our governance. This includes the:
- Protective Security Policy Framework
- Information Security Manual, and
- Essential Eight Strategies.
These standards help manage the Commonwealth’s cyber security risk. However, cyber security resilience is not a point in time achievement. It is a continuum that considers the changing risk posed by the evolving threat landscape and increasing vulnerabilities introduced by technological progress. We must consider policy uplift to manage contemporary practices and future threats securely.
Consultation
We are giving the public an opportunity for consultation. This will help shape policies covering Commonwealth cyber security resilience. We will action these changes through PSPF Release 25, a new Australian Government Gateway Security Standard and reforms to the Hosting Certification Framework (HCF). We understand that updating these documents will impact the government organisations they directly apply to and the broader supply chain.
This consultation package includes the:
The consultation period for both the Guiding Principles to embed Zero Trust Culture and the Australian Government Gateway Security Standard Consultation Paper has closed.
The first iteration of the
Hosting Certification Framework 2 Policy document is open for public consultation. We have developed this paper to seek feedback on potential updates to the HCF. This reform initiative aims to refine, streamline, and enhance the certification process. It also aims to address challenges encountered by:
- industry
- Non-corporate Commonwealth entity (NCE) customers
- Home Affairs in its capacity as the Certifying Authority.
For more information on how to participate, read the
Hosting Certification Framework 2 – Invitation to Consultation Paper.
We are working with our technical partners, the Australian Signal Directorate’s Australian Cyber Security Centre, to ensure policy and technical guidance align.
Who we want to hear from
We want feedback and input from the Australian public to strengthen our Commonwealth Cyber Security Uplift approach. Consultation is open to all members of the public. We would particularly like to hear from:
- past, current and future service providers to the Australian Government
- cyber security subject matter experts and
- organisations that are planning or who have commenced similar cyber resilience uplift programs.
How to participate in the consultation
The consultation period for the reformed
Hosting Certification Framework Policy is now open. It closes on 31 July 2025.
Direct any questions and your submissions in response to this consultation paper to HCFReform@homeaffairs.gov.au.
Publishing submissions
We will publish responses at the end of the consultation period on our consultation hub. There will be a consent question to confirm whether you agree to us making your response public. If you email us a written submission, you must indicate whether you consent to us making your submission public.
You should not include personal information about other individuals in your submission. Legal requirements, such as those imposed by the Freedom of Information Act 1982 (Cth), may affect the confidentiality of your submission.
Note that this consultation collects your personal information. This is so we can:
- contact you if we need to clarify your response
- confirm your consent to publish information in your response
- seek feedback.
Privacy and information management
The department is undertaking a consultation survey to seek feedback and input into the Commonwealth Cyber Security Uplift approach. Taking part in the consultation is voluntary and by participating in the survey you are consenting to the collection of your personal information and responses, which will be used to support your participation in the consultation. The department is committed to protecting the personal information with which it is entrusted in accordance with the Privacy Act 1988.
The Privacy Notice, available below, outlines:
- how we will collect your personal information
- how it will be used and
- who it may be disclosed to.
With your consent, we may disclose the information collected, including your response, full name and organisation details on the Consultation Hub, which will be publicly available. If you do not provide consent for some, or all of the information to be published on the Consultation Hub, this information will not be publicly available.
The information collected in this survey is transmitted and stored securely in Australia and is handled by the department in accordance with the Australian Privacy Principles.
Participating in the consultation, via the online survey or by providing feedback via email, indicates you are consenting to the collection of your personal information and have read and agree to the Privacy Notice (169KB PDF).
Further information about our personal information handling practices and full contact details is available from the department’s privacy policy.
