A strong and effective government-industry partnership is central to achieving the Australian Government’s vision for critical infrastructure security and resilience. Building on industry engagement during the development of amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), we have consulted widely with government and industry partners to develop asset definitions and risk management program rules. We aim to ensure that vital services to Australia’s security, economic prosperity and way of life are included. We also seek to reduce the regulatory burden on industry.
Risk management program - consultation has closed
Hi everyone,
The Australian Government is consulting on the Risk Management Program Rule, under Part 2A of the Security of Critical Infrastructure Act 2018.
Consultation is open for 45 days, ensuring everyone can have a say on these important obligations.
The Risk Management Program – or RMP – will require the owners and operators of certain critical infrastructure assets:
- to identify risk to their business, and
- have a risk plan signed off annually by their board, or other governing body.
RMP is a great opportunity for businesses to identify the full range of risks they face, and then plan out practical steps to mitigate or reduce their exposure.
In parallel, we have developed a discussion paper for you to consider which outlines a proposed framework for conducting background checks for critical infrastructure, to support businesses in managing personnel risk.
These checks are not mandatory – and we are not requiring Auschecks for critical workers – but we have provided it as an option for when you are considering how to manage personnel security.
I encourage you to read the discussion paper and have your say on what we’ve proposed.
These are important topics, and I look forward to hearing your views over the period of consultation. There are a number of ways you can get in touch.
My staff and I will be running a series of town halls, Q&As and roundtables – to facilitate discussions on the proposed rules and the consultation paper. Look out for an invitation soon.
The Trusted Information Sharing Network will also be a central point for engagement; so if you are not already a member of the TISN, I encourage you to sign up. Email my team or go to our website for information on how to do this.
We have also prepared a draft guidance note on the Risk Management Program, which, alongside the information listed in fact sheets and risk assessments already on our website, has been designed to assist you in understanding what is required under the RMP rules.
On behalf of myself and my staff, thank you for your engagement to date and I look forward to hearing your views through this next round of consultation.
Thanks.
The Minister for Home Affairs undertook consultation on the proposed risk management program (RMP) between Wednesday 5 October 2022 and Friday 18 November 2022.
The Minister appreciates the feedback provided by industry partners during consultation. The Minister is grateful for the efforts and the written submissions that have been provided. The Minister will consider each submission before making the RMP Rules.
Under the legislation, responsible entities – by which we mean the owner or operator of a critical infrastructure asset – will need to develop RMPs that are endorsed by their board, council or other governing body.
In developing their RMPs, responsible entities will need to comply with RMP Rules, which focus on four key hazard domains: cyber and information security hazards, personnel hazards, supply chain hazards, and physical security and natural hazards. Governance rules that outline what an entity must have regard to in the development of their risk management program must also be adhered to.
Proposed asset classes
The Minister for Home Affairs proposes to apply the critical infrastructure risk management program requirements, through the risk management program Rules, to the following asset classes:
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- critical liquid fuels assets
- critical water assets
- critical financial market infrastructure assets used in connection with the operation of payment systems
- critical data storage or processing assets
- certain critical hospitals
- critical domain name systems
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical broadcasting assets.
What we have consulted on
Draft Risk Management Program Rules
Under the amended SOCI Act, the Minister for Home Affairs has the option to require the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (new Part 2A of the Act). The draft RMP Rules and the draft explanatory statement that were consulted on are available below:
Draft Risk Management Program Guidance for Industry
The draft guidance on the requirements to meet this obligation that was consulted on is available at DRAFT Risk Management Program Guidance (Updated 3 November 2022).
Draft Protected Information Guidance for Industry
The DRAFT Protected Information Guidance Material - Industry is designed to help stakeholders understand the intended operation of the protected information framework under the SOCI Act.
Draft AusCheck background check
As part of the consultation process, we have also provided a draft AusCheck Background Checks for the purpose of a Risk Management Program (Updated 28 October 2022). This outlines how background checks for the RMP obligation will be undertaken through the AusCheck scheme. Feedback gathered will be used to amend the AusCheck Regulations 2017 and establish the checking mechanism.
Draft Annual Report Approval form
The draft Approval of Responsible Entity Risk Management Program Annual Report will allow entities to submit an annual declaration of compliance with the RMP Rules, signed off by their board, council or other governing body.
Consultation summary
The Cyber and Infrastructure Security Centre (CISC) held two all-sector introductory town hall meetings on 10 and 12 October to commence consultation. At the meetings, the CISC provided information on the formal consultation process and the proposed RMP Rules, RMP Guidance, AusCheck background check for critical infrastructure, Protected Information Guidance and RMP Annual Report Submission form.
During the 45-day consultation period, the CISC held four Q&A sessions to provide more detailed information for industry stakeholders.
Regulatory impact
In making the rules under Part 2A of the SOCI Act, the Minister for Home Affairs is required to consider the cost to industry in implementing the obligations for the risk management program. A draft regulation impact statement has been developed, based on costing information provided to the Department by sectors following development of the draft risk management program rules in late 2021.
The regulation impact statement will be finalised and published by the Office of Best Practice Regulation once the Minister makes the final risk management program rules.
Publishing submissions
The Department received 39 written submissions on the exposure draft of the DRAFT RMP Rules. 20 submissions remain confidential at the request of the submitting entity and are not publicly available. Publicly available submissions are available below:
New obligations – Register of Critical Infrastructure Assets and mandatory cyber incident reporting
On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Definitions Rules. Government assistance measures now apply to all critical infrastructure assets (Part 3A of the SOCI Act).
Additionally, the Minister made the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 6 April 2022, which took effect on 8 April 2022.
Two positive security obligations now apply to certain sets of critical infrastructure assets:
- providing operational and ownership information to the Register of Critical Infrastructure Assets (Part 2 of the SOCI Act) for certain new assets (as below); and
- mandatory cyber incident reporting (Part 2B of the SOCI Act) for certain assets (as below).
Refer to the copies of the DRAFT SOCI risk management (RMP) Rules 2022 - Legislative Instrument and the DRAFT SOCI risk management (RMP) Rules 2022 - Explanatory Statement.
Register of Critical Infrastructure Assets – operational and ownership information
Following a consultation period from 15 December 2021 to 1 February 2022, the Minister for Home Affairs applied the Register of Critical Infrastructure Assets obligations under Part 2 of the SOCI Act to certain critical asset classes. The Register of Critical Infrastructure Assets obligation applies to the below asset classes from 8 October 2022, after a 6-month grace period:
- broadcasting
- domain name systems
- data storage or processing
- a critical financial market infrastructure asset (that is a payment system)
- food and grocery
- hospital
- freight infrastructure
- freight services
- public transport
- liquid fuel
- energy market operator
- electricity (that is not within the scope of a critical infrastructure asset prior to the SLACI Act amendments)
- gas (that is not within the scope of a critical infrastructure asset prior to the SLACI Act amendments).
The Minister for Home Affairs has exempted:
- Invicta Sugar Mill, Giru, Queensland
- Pioneer Sugar Mill, Brandon, Queensland
- Racecourse Sugar Mill, Racecourse, Mackay, Queensland
- South Johnstone Sugar Mill, South Johnstone, Queensland.
A factsheet is available explaining the Register of Critical Infrastructure Assets (408KB PDF).
Mandatory cyber incident reporting
The Minister for Home Affairs applied obligations under Part 2B of the SOCI Act to certain asset classes. From 8 July 2022, the asset classes listed below must commence mandatory reporting of cyber security incidents to the Australian Cyber Security Centre (ACSC).
We strongly encourage all of the following asset classes to provide that reporting to the ACSC voluntarily ahead of that date:
- broadcasting
- domain name systems
- data storage or processing
- banking
- superannuation
- insurance
- financial market infrastructure
- food and grocery
- hospital
- education
- freight infrastructure
- freight services
- public transport
- liquid fuel
- energy market operator
- aviation, that is any of the following:
  - a designated airport
  - an Australian prescribed air service operating screened air services that depart from a designated airport, or
  - a regulated air cargo agent that is also a cargo terminal operator at a designated airport
- ports
- electricity
- gas
- water.
The Minister for Home Affairs proposes to exempt:
- Invicta Sugar Mill, Giru, Queensland
- Pioneer Sugar Mill, Brandon, Queensland
- Racecourse Sugar Mill, Racecourse, Mackay, Queensland
- South Johnstone Sugar Mill, South Johnstone, Queensland.
A factsheet is available explaining the mandatory cyber incident reporting obligations (319KB PDF).
Critical infrastructure definitions rules
On 23 April 2021, we released the policy paper Protecting Critical Infrastructure and Systems of National Significance, initiating extensive consultation with industry and Commonwealth, state and territory government partners to draft definitions for the following 12 asset classes:
- critical banking assets
- critical broadcasting assets
- critical domain name systems
- critical electricity assets
- critical financial market infrastructure assets
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical gas assets
- critical insurance assets
- critical liquid fuel assets
- critical superannuation assets.
In response to feedback, we revised the proposed asset definitions and on 8 December 2021, following amendments to the SOCI Act, the Minister for Home Affairs made the Critical Infrastructure Definitions Rules. See the legislative instrument.
Resources and Useful Links
For fact sheets and further information about these changes, copies of relevant legislation, and other useful links and resources, visit Cyber and Infrastructure Security Centre Resources.
If you believe that you may be an affected entity, or for further enquiries, contact CI.reforms@homeaffairs.gov.au.