On Apr. 6, AST CISC issued an update on critical infrastructure protection.
AST CISC issued CISC newsflash edition 9, February - March 2023, which updates on various matters, including Security of critical infrastructure (critical infrastructure risk management program) rules (LIN 23/006) 2023 which commenced on Feb. 17, 2023.
This follows AST CISC's Jan. 2023 statement that it will focus on security and resilience, see #160297.
Newsflash Highlights
Notified of appointment of acting head of AST CISC due to related internal promotion.
AST GVT's 2023 critical infrastructure resilience strategy and plan provides a national framework to guide country's approach to critical infrastructure security and resilience.
Said that this will help guide Australia’s critical infrastructure interests for 2023-28.
Rules above work alongside register of critical infrastructure assets and the mandatory cyber incident reporting obligations, to uplift Australia’s critical infrastructure security.
Reminded entities must establish, maintain a CIRMP by Aug. 18, 2023 as well as have implemented their identified cyber security framework by Aug. 18, 2024; responsible entities must comply with their annual reporting obligations by Sep. 28, 2024.
AST CISC said that in order to assist, it published comprehensive guidance (in Feb. 2023) titled Risk management program rules of critical infrastructure assets guidance.
Discussed AST CISC's inaugural Cyber and Infrastructure Security Conference (CISC).
Also discussed transport security reforms including a consultation regarding the same.
Listed 10 key points government and industry were asked to think about at CISC 2023.
In May 2023, AST CISC informed about cybersecurity exercise program, see #173336.
Australian businesses, critical infrastructure operators continue to face cyberattacks and ransomware; fire and flood; malicious insiders as well as malign foreign powers.
No shortage of risks that need to be thought about and managed in the modern era.
In addition, it reminded that Critical Infrastructure Risk Management Program (CIRMP) requirement is live; discussed requirement for responsible entities to consider supply chain hazards - cited significant disruptions in supply chain due to Covid-19 pandemic.
Inclusion of a requirement for a board or governing body to sign an attestation re the CIRMP lifts issue of risk-management, security from operational level to board level.
Where a requirement for a CIRMP already exists under other law, AST CISC will not be enforcing dual reporting; similarly, nothing in rules overrides any existing provisions within the Privacy act 1988, the Australian privacy principles, or Fair work act 2009.
Rules do not absolve employers of any other obligations, i.e. relevant occupational law.
Reminded of 6-month transition period for responsible entities to adopt written CIRMP.
In addition, AST CISC and AST GVT guided that if a responsible entity’s asset becomes a critical infrastructure asset (CI asset) after Feb. 17, 2023, the responsible entity must meet CIRMP requirements within 6 months of day the asset became a CI asset.
Jun. 2023 Compliance Reminder
On Jun. 28, 2023, AST CISC reminded that reporting entities are obligated to report any notifiable changes to the critical infrastructure asset within 30 days of event.
It also warned any delays in submitting online registration could result in penalties.
Use the Critical infrastructure responsible entity asset registration form for reporting.
It also reminded of related guidance Critical infrastructure risk management program - part 2A security of critical infrastructure (SOCI) act 2018 - factsheet (of Feb. 2023).
This helps understand if asset is a critical infrastructure asset and if such asset needs to be registered; reminded about 6-month grace period above ending Aug. 17, 2023.
Document dated Jun. 28, 2023, received from AST CISC Jul. 26, summarized Jul. 27.
Aug. 2023 Grace Period Ended
On Aug. 18, 2023, AST CISC said six month Critical Infrastructure Risk Management Program (CIRMP) obligation grace period ended; from Aug. 18, entities are expected to have implemented risk management program re their critical infrastructure asset.
AST CISC said its commitment to working with industry re same has not changed.
In addition, AST CISC linked to a page containing video message re CIRMP; recording of CIRMP town hall meeting; it also linked to guidance material - Protected information - industry guidance for critical infrastructure assets (of Jul. 2023), and related flyer.
In Nov. 2023, AST CISC released risk review re critical infrastructure, see #189971.
In Mar. 2024, AST CISC said it is changing compliance regulatory posture, #203651.
May 2024 Annual Report Reminder
On May 22, 2024, AST CISC reminded of reporting obligations above, due Sep. 28.
In addition, it reminded this first report covering the 2023-2024 Australian financial year can be submitted any time during the period Jul. 1, 2024 to Sep. 28, 2024.
Responsible entities (REs) can submit annual report using link provided by AST CISC.
AST CISC explained that this web form was updated in May 2024 based on feedback from stakeholders who provided voluntary annual reports for 2022-23 financial year.
Changes include clarification about compliance attestation process, clarifying what information is being sought re cyber security and other risk management frameworks.
Web form also provides capacity to attach information to support their annual report.
Such as reports that may have been commissioned to provide assurance to the board, council or governing body that the RE is in compliance with its CIRMP obligation.
Web form does not require REs to provide their actual CIRMP to the AST CISC; AST CISC recommended that a copy of this form be made for record-keeping purposes.
AST CISC may specifically contact entity to request a copy of their CIRMP, if required.
Reminded REs that AST CISC does not have the ability to grant time extensions for obligations.
On Jun. 28, 2024, AST DHA and AST CISC reminded of reporting obligations relating to the annual report and cyber security framework, and issued corresponding guidelines.
Reminded that the critical infrastructure risk management program (CIRMP) annual report must be submitted, by Sep. 28, 2024, using the annual report form.
It is important that entities ensure they are compliant with their obligations under the SOCI act; guidelines have been provided on how to meet both of these deadlines.
Document dated Jun. 28, 2024, received from AST DHA Jul. 3, summarized on Jul. 5.
Jul. 2024 Additional AST CISC, AST DHA Reminder
On Jul. 29, 2024, AST CISC, AST DHA issued Newsflash edition 16, April - June 2024, which includes a reminder on Critical infrastructure risk management program annual reports.
Aug. 2024 Annual Report Reminder
On Aug. 30, 2024, AST CISC issued a reminder that the submission period for the first CIRMP annual report FY 2024-2025 started on Jul. 1, 2024 and ends on Sep. 28, 2024.
Reiterated the CIRMP annual report must reflect the cyber and information security framework, and entities had to meet the framework requirement by Aug. 17, 2024.
AST CISC also published the presentation slides from its town hall meeting on CIRMP obligations and compliance, which was held on Jul. 30, 2024.
Regulators
AST CISC; AST DHA; AST GVT
Entity Types
Corp
Reference
PR 8/30/2024; Info 7/30/2024; PR 7/29/2024; Gd, PR, 6/28/2024; Form, PR 5/22/2024; Vid, PR 8/18/2023; Vid 8/7/2023; Gd 7/1/2023; PR 6/28/2023; PR 5/26/2023; PR 4/6/2023; Gd 2/1/2023; COVID-19; ESG; Citation: Privacy act 1988; Australian privacy principles; Fair work act 2009; Security of critical infrastructure act 2018; Security of critical infrastructure (critical infrastructure risk management program) rules (LIN 23/006) 2023;