Overview
The Australian Government is progressing the 2023-2030 Australian Cyber Security Strategy. We commit to making Australia one of the world’s most cyber secure nations by 2030.
Shield 4 of the Strategy, ‘Protect Critical Infrastructure’, explains the importance of uplifting Commonwealth Government cyber security as a key objective of the Strategy. We commit to uplifting the Australian Government’s cyber security to ensure that the Commonwealth Government not only meets the same standards set for critical infrastructure but proves to be an exemplar in managing cyber security risk.
The government has already taken steps to support agencies to adopt stronger security protections. On 1 November 2024 the government issued Protective Security Policy Framework (PSPF) Release 2024. This was the first in an annual series of updates to the PSPF. These updates ensure policy settings are appropriate for the contemporary threat environment to protect, deter and respond to the security threats and challenges we face. This new process gives the Australian Government a best-in-class annual approach to address contemporary protective security threats.
On 8 July 2024, the Department of Home Affairs released three new mandatory directions to government entities. These directions set new mandatory requirements for government entities to:
- share threat intelligence
- manage risks to vulnerable technologies and
- manage foreign ownership, control or influence risks.
Entities will manage cyber security risks of future ICT investments through the Digital Investment Oversight Framework.
Supplementing existing Commonwealth cyber security policy
World leading frameworks and standards shape our governance. This includes the:
- Protective Security Policy Framework
- Information Security Manual and
- Essential Eight Strategies.
These standards help manage the Commonwealth’s cyber security risk. However, cyber security resilience is not a point in time achievement. It is a continuum that considers the changing risk posed by the evolving threat landscape and increasing vulnerabilities introduced by technological progress. We must consider policy uplift to manage contemporary practices and future threats securely.
Consultation
We are giving the public an opportunity for consultation. This will help shape policies covering Commonwealth cyber security resilience. We will action these changes through PSPF Release 25, a new Australian Government Gateway Security Standard and reforms to the Hosting Certification Framework. We understand that updating these documents will impact the government organisations they directly apply to and the broader supply chain.
This consultation package includes the Guiding Principles to embed Zero Trust Culture. It also includes the Australian Government Gateway Security Standard Consultation Paper. This is for consultation to seek feedback that will shape the future direction. The Guiding Principles to embed Zero Trust Culture will help entities plan for the organisational transformations needed to adopt a Zero Trust approach, to better manage the emergent risks stemming from a rapidly evolving cyber threat landscape. The Australian Government Gateway Security Standard will outline the strategic direction and minimum security standards for the deployment of Gateways and Security Service Edge (SSE) solutions across the Australian Government. The Australian Government Gateway Security Standard Consultation Paper also outlines the components of the Resilient Digital Infrastructure (RDI) framework. This will provide a consistent structure for the development and management of Australian Government IT infrastructure policy.
In 2025, the department will also consult on changes to our main policy levers:
- Protective Security Policy Framework 25
- Hosting Certification Framework.
We are working with our technical partners, the Australian Signals Directorate’s Australian Cyber Security Centre, to ensure policy and technical guidance align.
Who we want to hear from
We want feedback and input from the Australian public to strengthen our Commonwealth Cyber Security Uplift approach. Consultation is open to all members of the public. We would particularly like to hear from:
- past, current and future Commonwealth providers
- cyber security subject matter experts and
- organisations that are planning or who have commenced similar cyber resilience uplift programs.
How to participate in the consultation
The consultation period for the Guiding Principles to embed Zero Trust Culture is open from 2 December 2024 and closes on 28 February 2025.
The consultation period for the Australian Government Gateway Security Standard Consultation Paper is open from 10 February 2025 to 14 March 2025.
Direct any questions and your submissions in response to this consultation paper to consultCCSU@homeaffairs.gov.au.
To help develop submissions for the Guiding Principles to embed a Zero Trust Culture, the department held Zero Trust Town Hall sessions to share further information on:
- consultation papers and key outcomes
- opportunities and obstacles
- questions and other business.
The department will reach out to relevant stakeholders separately to arrange round table sessions on the Australian Government Gateway Security Standard Consultation Paper.
Publishing submissions
We will publish responses at the end of the consultation period on our consultation hub. There will be a consent question to confirm whether you agree to us making your response public. If you email us a written submission, you must indicate whether you consent to us making your submission public.
You should not include personal information about other individuals in your submission. Legal requirements, such as those imposed by the Freedom of Information Act 1982 (Cth), may affect the confidentiality of your submission.
Note that this consultation collects your personal information. This is so we can:
- contact you if we need to clarify your response
- confirm your consent to publish information in your response
- seek feedback.
Privacy and information management
The department is undertaking a consultation survey to seek feedback and input into the Commonwealth Cyber Security Uplift approach. Taking part in the consultation is voluntary and by participating in the survey you are consenting to the collection of your personal information and responses, which will be used to support your participation in the consultation. The department is committed to protecting the personal information with which it is entrusted in accordance with the Privacy Act 1988.
The Privacy Notice, available below, outlines:
- how we will collect your personal information
- how it will be used and
- who it may be disclosed to.
With your consent, we may disclose the information collected, including your response, full name and organisation details on the Consultation Hub, which will be publicly available. If you do not provide consent for some, or all of the information to be published on the Consultation Hub, this information will not be publicly available.
The information collected in this survey is transmitted and stored securely in Australia and is handled by the department in accordance with the Australian Privacy Principles.
Participating in the consultation, via the online survey or by providing feedback via email, indicates you are consenting to the collection of your personal information and have read and agree to the Privacy Notice (169KB PDF).
Further information about our personal information handling practices and full contact details is available from the department’s privacy policy.