Which entities are subject to the CIRMP obligation?
The CIRMP obligation only applies to responsible entities for the following asset classes:
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- designated hospitals (being a subset of ‘critical hospitals’ listed in Schedule 1 of CIRMP Rules)
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical liquid fuel assets
- critical financial market infrastructure assets that are used in connection with a payment system critical to the security of financial services and markets
- critical water assets.
What is the deadline for compliance?
Responsible entities for these assets must comply with the CIRMP requirements before 18 August 2023 (six months after the commencement of the CIRMP Rules). If an asset becomes a critical infrastructure asset (CI asset) after the commencement of the CIRMP Rules, the responsible entity will have to comply with the CIRMP requirements six months after the asset became a CI asset.
Responsible entities have until 18 August 2024 (or a further 12 months from the end of the applicable six month grace period) to have a process or system in place that enables them to comply with a cyber security framework.
Once implemented, responsible entities will need to review the CIRMP on a regular basis and keep it up to date as appropriate.
Importantly, responsible entities must provide a board approved annual report to the Department of Home Affairs' Cyber and Infrastructure Security Centre (CISC) (or other applicable regulator), relating to the entity's CIRMP, within 90 days after the end of the 23/24 financial year, and annually thereafter. This means, the first annual report will be due between 30 June 2024 and 28 September 2024. However, for the 22/23 financial year, the Cyber and Infrastructure Security Centre strongly encourages entities to submit an annual report voluntarily, as a pulse check on how the entity is implementing the CIRMP. The board, council or other governing body must approve the report by completing the Approval Form available on the Department Home Affairs' website.
The Reserve Bank of Australia (RBA) is specified as the relevant Commonwealth regulator for critical financial market infrastructure assets that are used in connection with a payment system critical to the security of financial services and markets. Responsible entities for those assets will be required to give their annual report to the RBA.
What is the format of the CIRMP?
There is no prescribed format for a CIRMP. CISC encourages responsible entities to incorporate existing risk management frameworks and processes into the CIRMP.
What material risks should be addressed in the CIRMP?
Material risks to be identified in the CIRMP include:
- a stoppage or major slowdown of the CI asset’s functioning for an unmanageable period
- a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the CI asset
- an interference with the CI asset’s operating technology or information communication technology essential to the functioning of the CI asset (for example, a SCADA system)
- the storage, transmission or processing of sensitive operational information outside Australia (sensitive operational information includes, among other things, layout diagrams, schematics, geospatial information, configuration information and operational constraints)
- remote access to operational control or operational monitoring systems of the CI asset.
The CIRMP should identify hazards specifically relating to:
- cyber and information security
- supply chain
- physical security.
- Cyber and information security
Before 18 August 2024, or 12 months after the end of the applicable six month grace period mentioned above, a responsible entity must comply with a cybersecurity framework listed in the CIRMP Rules, or an equivalent framework to one of those listed, as specified in its CIRMP. Accordingly, an entity will have a total of 18 months to start complying with a chosen cybersecurity framework.
Cybersecurity frameworks specified in the CIRMP Rules are:
- Australian Standard AS ISO/IEC 27001:2015 (item 1), which is the Australian Standard that adopts the requirements of International Standard ISO 27001
- Essential Eight Maturity Model published by the Australian Signals Directorate, with the condition that the entity is required to meet maturity level 1
- Framework for Improving Critical Infrastructure Cybersecurity published by the US National Institute of Standards and Technology
- Cybersecurity Capability Maturity Model published by the US Department of Energy, with the condition that the entity is required to meet Maturity Indicator Level 1
- 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited, with the condition that the entity is required to meet Security Profile 1.
If a framework is updated or changes, the entity is required to meet the updated requirements as soon as reasonably practicable.
The responsible entity must establish and maintain a process or system in its CIRMP:
- to identify the entity’s critical workers
- to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access
- as far as is reasonably practicable to do so, to minimise or eliminate material risks arising from:
- malicious or negligent employees or contractors
- the off-boarding process for outgoing employees and contractors.
The process and system for considering the suitability of a critical worker to have access to critical components of a CI asset may be a background check under the AusCheck scheme; however, use of the AusCheck scheme is not mandated. The AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 (Cth) also commenced on 17 February 2023, and it provides for the establishment and operation of the AusCheck background checking scheme for an individual for whom a CIRMP permits a background check.
Supply chain risks
The CIRMP should also address vulnerabilities in the entity's supply chain in areas such as security, suppliers and logistics, and identify hazards throughout the supply chain that could impact the availability, integrity, reliability or confidentiality of the CI asset.
A responsible entity must have regard in its CIRMP to whether:
- the CIRMP lists the entity’s major suppliers
- the supply chain hazards, which could have a relevant impact on the CI asset, are described in the CIRMP.
Physical security and natural hazards
For physical security hazards and natural hazards, a responsible entity must establish and maintain a process or system in its CIRMP:
- to identify the physical critical components of the CI asset
- to control access to physical critical components
- for responding to incidents where unauthorised access to a physical critical component occurs
- for managing and mitigating a variety of physical security hazards and natural hazards to their CI assets.