Australian CISC details submission window for CIRMP Annual Report, cybersecurity framework compliance – IndustrialCyber


With the Australian financial year 2023-2024 now closed, the nation’s Cyber and Infrastructure Security Centre (CISC) has advised that the Critical Infrastructure Risk Management Program (CIRMP) Annual Report for that period must be submitted between July 1, 2024, and Sept. 28, 2024, using the Responsible Entity Risk Management Program – Annual Report Form. Separately, by Aug. 17, 2024, responsible entities are required to establish and maintain a cyber security framework under Section 8 of the Security of Critical Infrastructure (SOCI) CIRMP Rules.

On CIRMP Annual Report compliance, the CISC said: “We have conducted a limited series of trial audits with responsible entities in preparation for determining industry compliance with SOCI Act obligations. We found that many entities’ existing processes and procedural documents meet SOCI obligations. However, they had not been packaged into a CIRMP Annual Report.”

It added that there is no need for a responsible entity to repackage, rewrite, or deconstruct existing material. A responsible entity can meet its CIRMP Annual Report obligation by creating an overarching document that references its existing internal processes and procedural documents and attaching that document to the CIRMP Annual Report form. The internal documents themselves do not need to be supplied with the annual report; however, the agency may ask for them at a later date.

Furthermore, if the responsible entity has a board, council, or other governing body, the CIRMP Annual Report must be approved by that body. The internal documents referenced in the CIRMP Annual Report do not themselves need to be endorsed by the governing body.

The CIRMP Annual Report form references two types of frameworks in section 3.3: ‘Cyber Security Frameworks’ and ‘Security Frameworks’. For the 2023-2024 CIRMP Annual Report, this information will assist the agency in understanding industry progress.

The Cyber Security Framework obligation commences on Aug. 17, 2024, and therefore applies to the 2024-2025 CIRMP Annual Report. From that date, responsible entities subject to the obligation must comply with section 8 of the SOCI CIRMP Rules, which designates five cyber security frameworks. Compliance means achieving the specified level of maturity under one of those frameworks, or under an equivalent alternative framework.

For the 2023-2024 CIRMP Annual Report, due by Sept. 28, the CISC requires entities only to report whether they already have a cyber security framework in place. On the second framework type, the agency added: “The security framework refers to the standard you are using to develop your CIRMP to manage all hazards. These hazards encompass physical security, natural disasters, personnel risks, supply chain vulnerabilities, cybersecurity threats, and information security risks. Unlike the cyber security framework, there is no prescribed general security framework in the SOCI CIRMP Rules, and as such no prescribed maturity rating.”

Because the obligation only takes effect on Aug. 17, 2024, responsible entities do not need to show in the 2023-2024 CIRMP Annual Report that they were compliant with it during the 2023-2024 financial year. However, when submitting the 2024-2025 CIRMP Annual Report, responsible entities will need to show that they were compliant with the obligation from Aug. 17, 2024, onward.

For cyber and information security hazards, the SOCI CIRMP Rules currently specify five frameworks. However, an entity may use an alternative framework if it considers that framework better addresses the risk vectors threatening its critical assets. In that case the entity must specify in its CIRMP why it has selected a cyber security framework not listed in the SOCI CIRMP Rules, how that framework is equivalent to a listed one, and how it uses the framework in its risk management program.

The CISC noted that choosing an alternative framework does not reset the regulatory clock: the relevant date for compliance with the cyber security framework obligation remains Aug. 17, 2024. There is no ability to extend the deadline or grant an exemption. A responsible entity that will not be compliant by the deadline must contact the CISC. Failure to submit the required information or to establish communication may result in compliance and enforcement action.

If a responsible entity is unlikely to be compliant by the August deadline, it should provide the CISC with: the components of its cyber security framework already in place; the outstanding components; any roadblocks preventing full compliance; and a board-approved plan and timeframe for coming into compliance, together with periodic progress reporting against that plan.

“We will review the reasons and circumstances for non-compliance, as part of our compliance and enforcement activities,” according to the CISC. “We will also monitor periodic progress reporting to ensure entities become compliant as soon as possible.”

Earlier this year, the CISC updated guidance materials aimed at bolstering cyber security measures for Systems of National Significance (SoNS), which represent the country’s most critical infrastructure assets. The comprehensive guidance includes specific instructions for SoNS on fulfilling the Incident Response Planning obligation and detailed guidelines for meeting the Cyber Security Exercise obligation. These enhanced obligations are part of Australia’s ongoing efforts to strengthen the resilience and security of its vital infrastructure against cyber threats.
