Govt agencies face annual cyber security audits for next five years

A parliamentary committee has called for cyber security reviews to become a more permanent fixture on the national auditor’s annual work program after a string of subpar audit results.

The finding is contained in the accounts and audit committee report [pdf] into cyber resilience, which said existing accountability mechanisms under the protective security policy framework (PSPF) were “limited”.

The PSPF requires that agencies self-assess against 16 requirements – one of which is the Top Four and Essential Eight controls – each year using a ‘maturity model’ and report the results to the Attorney-General's Department (AGD).

The report, released on Wednesday, recommends that the Australian National Audit Office (ANAO) conduct an “annual limited assurance review” into the cyber resilience of Commonwealth entities.

“The committee considers that greater transparency in the implementation of a cyber resilience culture within corporate and non-corporate Commonwealth entities is required,” it said.

The review would “examine the compliance of corporate and non-corporate entities with the Essential Eight … and be conducted for five years, commencing from June 2022”.

It could do so without exacerbating existing cyber security risks by providing “no more granular public information than is published in existing ANAO cyber resilience audits”.

The review should also “examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO’s framework of 13 behaviours and practices”.

The framework – which ANAO considers “key to a strong cyber resilient culture” – is currently used in the audit process, though the committee wants it used to improve “cyber resilience culture”.

The committee said that the cost of the review should be “met by the responsible policy agencies or government”, avoiding the need for the ANAO to use its increasingly scarce funding for the reviews.

The committee has also asked the AGD to provide an “update on its implementation of external moderation models/benchmarking process” to verify entity compliance.

The improvements to the PSPF maturity model, which currently relies on self-assessment, were flagged during the inquiry to ensure there is a way to compare agencies.

Despite changes to the PSPF, recent reporting indicates that Top Four compliance remains relatively unchanged, with 73 percent of agencies reporting either ‘ad hoc’ or ‘developing’ maturity levels.

The committee also wants the AGD to “provide an update on the level of cyber security maturity within Commonwealth entities and the feasibility of mandating the Essential Eight”.

It said it “considers it appropriate” that the government revisit making the Essential Eight strategies mandatory for non-corporate entities.

Commenting on the result of the inquiry in parliament on Wednesday, shadow cyber security assistant minister Tim Watts said the findings of the committee were “alarming”.

“It's an indictment of this government's ongoing failure to ensure the cyber security of its own departments,” he said.

“In fact, it's so bad that the committee has recommended that a new oversight regime is needed, one that will ensure that our vital government services and the data of Australian citizens that is held by Commonwealth entities are appropriately protected at a time of dramatically increasing cyber threats.

He said that the intervention follows years of “staggeringly high rate of non-compliance from the Commonwealth government with its own cyber security framework”.

“A core part of the problem here is the absence of any real form of accountability for government entities that fail to do what is required to be cyber-resilient,” he said.

“Each Commonwealth entity is currently responsible for its own cyber-resilience, but there's no-one marking their homework to ensure that they are compliant.

“Each year, non-corporate Commonwealth entities are required to conduct a self-assessment of their compliance with the PSPF and the Information Security Manual within it.

“When a Commonwealth entity is noncompliant with the Australian Signals Directorate's mandatory Top Four all they have to do is tell their minister and the AGD, and nothing happens.”