Commonwealth security snapshot – NSW Cyber Security Standards Harmonisation Taskforce recommendations report
Partner Gavan Mackenzie and senior associate Nick Topfer provide updates on issues related to Commonwealth procurement and contracting. Our focus for this snapshot is the recommendations report by the NSW Cyber Security Standards Harmonisation Taskforce.
A report recently released by the NSW Cyber Security Standards Harmonisation Taskforce has recommended the adoption and use of common cyber security standards (including by government agencies) to address cyber security risks.
The taskforce is a collaboration between the NSW Government, Standards Australia, and AustCyber. It seeks to improve the cyber security practices of businesses and governments, including through the adoption of common standards.
The report can be accessed here.
What’s in the report?
The report argues that:
- Consistent adoption of, and compliance with, cyber security standards by Australian businesses and government agencies can help raise their cyber security posture.
- Consistently using ISO and IEC standards as baseline requirements (including in regulatory and procurement models) will help streamline compliance and reduce costs, because businesses can leverage the compliance processes they already have in place.
To achieve this, the report provides recommendations across seven key sectors (cloud services, defence, education, energy, financial services, health, and telecommunications).
Some of the recommendations that are relevant to Commonwealth agencies include:
- Using ISO and IEC standards as the baseline requirements for information security, protective security, supply chain security, and risk management.
- Harmonising standards and certification requirements with those that already exist internationally (particularly in the defence sector) and revising existing standards to more specifically address cyber security risks.
- Developing material that communicates the business benefits of adopting applicable standards and the practical realities of implementing those standards (including providing guidance about how they relate to existing regulatory and policy requirements, such as the Protective Security Policy Framework).
- Exploring mechanisms for evaluating and weighting tenders according to whether tenderers demonstrate that they have considered and adopted recognised international standards for cyber security and risk management, together with the development of routine compliance reporting and assurance processes.
How is the report relevant to Commonwealth agencies?
Appropriately managing cyber security risks is an ongoing task for Commonwealth agencies. A range of existing Commonwealth policies and frameworks are already designed to help agencies mitigate cyber security risks.
When developing cyber security requirements for contracts and procurement activities, agencies may wish to consider and leverage international standards, and any harmonised standards as and when they are developed, to the extent those standards are not already addressed in existing Commonwealth policies and frameworks.
Ensuring consistency with international and harmonised standards may also reduce the cost of doing business for vendors transacting with the Commonwealth, for example where businesses can leverage existing investment in compliance and where those standards align with industry practice.
It will be interesting to see how existing and new standards develop following the release of this report, and how they interact with existing Commonwealth security and procurement policies, practices and regulatory reforms. We will continue to monitor developments in this space and how they may affect Commonwealth agency contractual and procurement practices.
How can we help?
Agencies need to ensure that their contractual and procurement arrangements keep pace with developments in cyber security standards and practices.
We can help agencies do this because we have:
- Extensive experience helping Commonwealth agencies implement security policies and requirements as part of their contractual and procurement arrangements.
- Developed bespoke legal mechanisms and remedies to proactively manage and mitigate cyber security risks (including in relation to supply chains, personnel, cloud products, and telecommunication services).
- Successfully negotiated improved cyber security arrangements with major vendors, including vendors that are reluctant to agree to Commonwealth requirements.
If you are interested in finding out more about how to address cyber security risks, including as part of your agency’s contractual arrangements and procurement processes, please let us know.