Australian businesses and critical infrastructure operators continue to face a deteriorating risk environment – from cyberattacks and ransomware, to fire and flood, malicious insiders and malign foreign powers. There is no shortage of risks that need to be thought about and managed in the modern era.
To some critical infrastructure sectors, this comes as no surprise – managing risk has been part and parcel of doing business for many years. But for others, thinking about the full range of hazards modern critical infrastructure faces, and planning reasonable, practicable mitigations across the realms of cyber, physical, personnel and supply chain security, is relatively new.
To help owners and operators conceptualise risk across these domains – and to empower them to take action that will lower risk to the ongoing operation of their systems, assets and businesses – the Critical Infrastructure Risk Management Program (CIRMP) requirement is now live.
The CIRMP is the third and final of the three positive security obligations legislated within recent amendments to the Security of Critical Infrastructure Act 2018 – the other two being Mandatory Cyber Incident Reporting, and the Critical Infrastructure Asset Register requirement.
Working together, these obligations uplift Australia’s critical infrastructure security and resilience, further protecting the essential services all Australians rely on.
The Minister for Home Affairs, Clare O’Neil, ‘switched on’ the CIRMP rules on 17 February 2023, following an extended period of consultation. Through this consultation process, the Minister was able to incorporate feedback from critical infrastructure stakeholders that has ultimately made the rules simpler and easier to implement.
Now that the rules are in effect, responsible entities for critical infrastructure assets are required to adopt, maintain and comply with a risk management program that identifies and manages material risks of hazards that could have a relevant impact on a critical infrastructure asset.
The plan must identify each hazard where there is a material risk that the occurrence of that hazard could have a relevant impact on the asset, and – as far as it is reasonably practicable to do so – must minimise or eliminate any material risk of such a hazard occurring.
Through the implementation of sector-agnostic rules, the Cyber and Infrastructure Security Centre (CISC) within the Department of Home Affairs hopes to create a baseline for security across all critical infrastructure sectors in the Australian economy. While many organisations will no doubt already exceed the thresholds set out in the rules, we hope the Risk Management Program (RMP) rules will uplift all critical infrastructure entities, right through their supply chains.
In that vein, we envision the rule benefiting not just the responsible entity, but also its upstream and downstream suppliers, ensuring that an awareness of security standards becomes the norm for many Australian businesses.
The inclusion of a requirement for a board or governing body to sign an attestation regarding the RMP lifts the issue of risk management and security from an operational level to the board level.
By ensuring that directors of companies have these issues at the front of their minds as they make strategic decisions, we will aim to ensure a stronger effort to protect our critical infrastructure at all levels.
This is particularly relevant to the requirement for responsible entities to consider supply chain hazards – we have all seen the significant disruptions to supply chains caused by the COVID-19 pandemic. By requiring directors and board-level decision makers of a responsible entity to think about how best to mitigate possible hazards to their supply chain, we will see more industries consider not just the cost but also the security and reliability of their supply chains into the future.
While pursuing sensible regulation, our approach is not intended to increase the burden on owners and operators, nor to duplicate other mechanisms. For example, where a requirement for an RMP already exists under other legislation, we won’t be enforcing dual reporting.
Similarly, nothing in the rules overrides any existing provisions within the Privacy Act 1988, the Australian Privacy Principles or the Fair Work Act 2009, nor do the Rules absolve employers of any other obligations, including relevant occupational health and safety legislation. The Secretary of the Department of Home Affairs, Michael Pezzullo AO, also has the power to review a responsible entity’s Plan, to ensure actions are being taken appropriately.
This ensures the CIRMP sits alongside other important and relevant legislated requirements – it doesn’t overrule, duplicate, or impinge upon them.
Now that the Rules are live, there is a six-month transition period for responsible entities to adopt a written CIRMP. If a responsible entity’s asset becomes a CI asset after the Rules commence, the responsible entity must meet the CIRMP requirements within six months of the day the asset became a CI asset.
The CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure. For some critical infrastructure entities, we recognise that implementation of a CIRMP will be an extensive task. Wherever your business is in terms of maturity, the CISC will assist whenever possible.
Together, sensible Government regulation and attentive owners and operators can secure Australia’s critical infrastructure – in the process safeguarding our shared security and prosperity.
Hamish Hansford was appointed the Deputy Secretary of the Cyber and Infrastructure Security Group on 1 May 2023.
Prior to this, Hamish was Group Manager and Inaugural Head of the Cyber and Infrastructure Security Centre, a role he held from 1 September 2021, where he was responsible for reforms to the Security of Critical Infrastructure Act 2018 and led the principal regulatory authority for all critical infrastructure in Australia.
Immediately prior to this role, Hamish was the First Assistant Secretary of the Cyber, Digital and Technology Policy Division, where he led the delivery and implementation of Australia's Cyber Security Strategy 2020, cybercrime policy, online harms policy including combating terrorist use of the internet and child exploitation, as well as critical and emerging technology and data security policy.
Prior to this, Hamish was the First Assistant Secretary of National Security and Law Enforcement Policy Divisions where he delivered Australia's first ever modern slavery act, surveillance, investigatory powers and lawful access reforms, as well as hardening of Australia's counter money laundering, illicit firearms, terrorist financing and child exploitation regimes.
Hamish has held Senior Executive positions in the former Department of Immigration and Border Protection and the former Australian Crime Commission. Hamish has also served in a range of intelligence, policy, planning, and program delivery roles in the Department of the Prime Minister and Cabinet, Attorney General's Department, the Australian Senate and the former Office of Transport Security.
Hamish started his career in the National Museum of Australia.