Following a period of consultation at the end of 2022, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules) have now been registered under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The Rules commenced on Friday 17 February 2023, kicking off a 6 month grace period during which responsible entities for relevant critical infrastructure assets (CIA) will need to put in place a critical infrastructure risk management program (CIRMP). The CIRMP must be signed off by the entity’s board, and is required to be regularly reviewed and reported on annually.

Which critical infrastructure asset classes do the CIRMP obligations apply to?

The now registered CIRMP Rules are substantially similar to the draft CIRMP Rules which underwent consultation, although there are a few changes to note.

The CIRMP obligations apply to the following assets:

(a)   a critical broadcasting asset;

(b)   a critical domain name system;

(c)   a critical data storage or processing asset;

(d)   a critical electricity asset;

(e)   a critical energy market operator asset;

(f)    a critical gas asset;

(g)   a designated hospital;

(h)   a critical food and grocery asset;

(i)    a critical freight infrastructure asset;

(j)    a critical freight services asset;

(k)   a critical liquid fuel asset;

(l)    a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act;

(m)  a critical water asset. 

The updated CIRMP Rules now provide for the CIRMP obligations to apply to 'designated hospitals' (previously this was critical hospitals) and assets used in connection with the operation of specific payment systems, being those that are critical to the security and reliability of the financial services and markets sector.

Note there are exemptions to the CIRMP obligations under the SOCI Act, including in relation to CIA for which a responsible entity holds a certificate of hosting certification (strategic level) issued under the Commonwealth hosting certification framework.

What are the Critical infrastructure risk management program obligations?

Responsible entities of relevant CIA are required to have, maintain, review, and update a CIRMP. The CIRMP is to detail a responsible entity's processes or systems to:

• identify each hazard where there is a material risk that the occurrence of such hazard may impact the availability, reliability, integrity or confidentiality of an entity's CIA; and
• so far as reasonably practicable to do so, minimise and mitigate the material risk and relevant impact of such hazards.

In developing and maintaining its CIRMP, responsible entities should consider, amongst other things, any interdependencies between its CIA and other CIA, the operational context of its CIA, how and who is responsible for developing, implementing, updating and reviewing the CIRMP, and whether any risk management methodologies exist or are required to be uplifted.

The CIRMP Rules specify certain risks are a 'material risk' including the stoppage or major slowdown of a CIA's functions for an unmanageable period, loss of access to a critical component of the CIA, an interference with a CIA's essential operational technology etc.

Importantly, a responsible entity's CIRMP is required to take an 'all-hazards approach'. That is, it must cover all hazards, including:

• Cyber and information security hazards – requiring processes to reasonably minimise the material risk of a cyber and information security hazard occurring and its relevant impact;
• Personnel hazards – requiring processes for identifying suitable critical workers and conducting background checks, as well as processes to reasonably minimise material risks arising from malicious or negligent personnel and offboarding;
• Supply chain hazards – requiring processes to reasonably minimise materials risks associated with unauthorised access, misuse, and disruption including in relation to major suppliers, and their relevant impact on CIA; and
• Physical security hazards and natural hazards – requiring processes to reasonably minimise the material risk and relevant impact of physical security hazards on a physical critical component and natural hazards on CIA, as well as incident response and access and security arrangements.

The CIRMP must be signed off by the responsible entity’s board, council or other governing body (if there is one) and must be regularly reviewed and updated. An annual report must be submitted in approved form within 90 days after the end of the Australian financial year. The first annual report is due within 90 days after 30 June 2024 (end of 2023-24 financial year), although the Cyber and Infrastructure Security Centre (CISC) encourages entities to voluntarily submit an annual report for the 2022-23 financial year. Reports are to be submitted to the Secretary of the Department of Home Affairs, except for responsible entities of assets used in connection with the operation of payment systems critical to the security and reliability of the financial services and markets sector, who are to submit reports to the Reserve Bank of Australia.

Timing for compliance of CIRMP rules

Responsible entities of captured CIA have a 6 month grace period to become compliant with the CIRMP Rules commencing, that is by 17 August 2023. Importantly within 18 months of the CIRMP Rules commencing (by 17 August 2024), responsibly entities must also ensure the CIRMP establishes and maintains a process/system to comply with one of the below specified cyber frameworks or an equivalent framework:

Author: Lesley Sutton, Claire Harris, Ethan Huang, Karen Fanning, Lauren Arthur