Home Affairs streamlines risk vetting for gov tech suppliers


But demands vendors give security top priority.

Home Affairs is streamlining its security vetting procedures for Commonwealth technology suppliers, but there is a quid pro quo for vendors: ‘security can no longer be at a premium’.

Brendan Dowling, Home Affairs Deputy Secretary Critical Infrastructure and Protective Security.

The department secretary, Stephanie Foster, has issued a new directive that will allow federal government suppliers to avoid going through duplicate risk assessments when selling into non-corporate Commonwealth entities.

The department will instead coordinate risk assessments through a new centralised capability that will effectively allow agencies to share security assessments across other agencies.

This essentially means that one department could complete a vendor risk assessment and make it available to others through Home Affairs.

It’s understood that participation in the new centralised risk assessment sharing scheme will be decided by each department.

Home Affairs will also set a “baseline” to make risk assessments more consistent across government departments and agencies.

Home Affairs deputy secretary for critical infrastructure and protective security Brendan Dowling told iTnews that both vendors and government agencies – particularly smaller ones – had been expressing frustration with the current risk assessment framework for some time.

Smaller agencies, he said, were looking to draw on larger departments for support while suppliers were finding it “a little bit ridiculous” that they might be asked to go through an onerous process for a large department like Defence one week, only to have to go through it again a week later for a different but similar-sized organisation with comparable security needs.

However, in return, Dowling said that the government expected technology vendors to push security considerations to the top of their list of selling points for products.

“What we say to industries is that we will make this process more efficient and easier to access for you, but we do expect you to prioritise security in your products and not at a premium, not as an afterthought, but as a core design feature of your products,” Dowling said.

“So yes, the risk assessment process will be easier, but you will also be set a really clear bar to meet in terms of security.”

Foster issued the new direction under the government’s Protective Security Policy Framework (PSPF) which applies to non-corporate Commonwealth entities – basically all federal government departments and agencies excluding the likes of the ABC, NBN Co and Australia Post.

The direction requires agencies and their vendors to meet the requirements of the federal Commonwealth Technology Standard (CTS) for products, applications and web services used on government systems and devices.

“After considering threat and risk analysis, I have determined that further guidance is required to respond to the growing use of products, applications and web services within Australian Government entities that pose an unacceptable level of security risk to Australian Government networks and data arising from threats of foreign interference, espionage and sabotage,” Foster wrote in the direction.

The direction sets two deadlines for suppliers.

From October 31, entities subject to the direction will be required to identify and remove any applications and web services on the Home Affairs denylist and take steps to prevent them being installed in future.

Currently, the only products on the list the department has made public are the social media application TikTok, AI products built on DeepSeek’s open-source large language model and cyber security products offered by the Russian cyber security giant Kaspersky.

The second deadline falls on February 2 next year, when entities subject to the direction will be required to meet three new requirements.

The first will be to develop a policy to “consider” sharing risk assessments through Home Affairs’ new centralised sharing capability.

The second calls on them to create new processes for authorising applications and web services designated under the CTS.

Lastly, the entities will need to report the changes to the Home Affairs security branch.

Dowling said that applications used on agency networks and devices remained a major threat to government security due to weaknesses in supply chains.

However, he said that there had been a recent shift in focus to hardware, particularly drones and other forms of surveillance equipment.

“When you look at successful cyber-attacks all over the world in recent years, they’re often coming through software supply chains, so that will always be a major feature of what we consider,” he said.

“But we now have tech like CCTV cameras and drones that are much more of a feature of agencies’ activities and in certain settings, that sort of technology can represent a risk of espionage or sabotage.”

Copyright © iTnews.com.au . All rights reserved.