The Australian federal government will run a “stocktake” of all its internet-facing systems and services by June next year.
A direction [pdf], which was signed by Home Affairs secretary Stephanie Foster on July 5, states there is a “pressing need for Australian government entities to harden their technology management practices”.
Government entities must now audit “any hardware, software or information system, platform, mobile application or as-a-service offering, which stores, processes, transmits or transforms official or security classified information belonging to, or utilised by, the Australian government,” according to the brief document.
The intended outcome is that departments, agencies and other Commonwealth entities develop a “technology security risk management plan for all internet-facing systems or services” that sits within their overall security plan.
The plan will need to detail technology lifecycle management practices, controls to mitigate cyber security vulnerabilities and supply chain risks, and how “continuous visibility and monitoring” of the environment is performed.
A second, related direction [pdf] requires the government to manage risks of foreign ownership, influence or control - collectively FOCI - associated with technology at the time of procurement.
This may be related to increased attention on the use of Chinese-made drones and CCTV cameras by agencies and critical infrastructure operators in recent years, where there has been a push to discontinue usage and replace them with alternatives.
A third direction [pdf] makes it a requirement for all 189 government entities subject to the protective security policy framework (PSPF) “to share cyber threat information with the Australian Signals Directorate (ASD).”
At a practical level, this means the ASD will form a whole-of-government view of all “cyber threat hunting” capabilities being utilised, and have all entities connect to its cyber threat intelligence sharing (CTIS) platform.
CTIS incorporates threat intelligence signals from public and industry sources.
Palo Alto Networks head of government affairs and public policy Sarah Sloan said in a statement that “this is only the second time the government has used its binding directive powers, the first instance being a mandatory direction to prohibit the TikTok app on devices issued by Commonwealth departments and agencies.”
She added that the “stocktake”, with its focus on attack surface, “is well placed” as an activity to help the government “to find and secure vulnerable systems promptly.”