Tell me in 30 seconds
At the end of 2025, the Department of Home Affairs (the Department) released a consultation paper for proposed enhancements to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules) for certain asset classes (Consultation Paper).
If you have asset classes in these sectors, this will be relevant to you:
These changes have been prompted by the evolving threat landscape as hostile foreign state actors increasingly target critical infrastructure globally and the Department’s objective to uplift resilience of critical infrastructure assets in line with emerging threats.
Responsible entities who have been preparing and updating their CIRMP will need to review their approach to:
- foreign ownership, control and influence (FOCI)
- technology and cybersecurity
- supply chain management, and
- personnel risks
as well as building in flexibility to deal with specified risk advice from the Department.
Does your organisation have the visibility, flexibility and control you will need to manage these risks?
What you need to do
Submissions on the Consultation Paper are due by 13 February 2026. Indications from town halls are that changes may be made and that there will be further consultation once the exposure draft is released, although it is clear that the Department intends to enhance the CIRMP Rules, particularly as they relate to FOCI. It will also be interesting to see the outcome of the independent review of the operation of the SOCI Act by Dr Jill Slay AM under s60A of the SOCI Act, which is currently underway.
For more details on the Consultation Paper read the full article here.
Who do these changes apply to?
These enhancements will apply to a subset of asset classes that the Department has indicated are ‘high risk’. The existing CIRMP Rules will continue to apply to those asset classes already subject to those rules (or CIRMP type rules such as the TSRMP rules for telecommunications assets) and there are some asset classes that will remain outside of the CIRMP Rules. The different asset classes have been summarised by the Department as follows:
While some asset classes that are not subject to the CIRMP Rules are critical, these may not have been included because they are subject to an alternative regulatory framework with similar obligations. For instance, critical aviation assets and critical port assets, which are governed by the Aviation Transport Security Act 2004 (ATSA) and the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFS), respectively, are subject to an industry specific all-hazards security framework.
What are the proposed enhancements?
Key proposed amendments to the CIRMP Rules include:
- All hazard: Two new all-hazard obligations. The first requires responsible entities to respond to specified risk advice issued by the Department from time to time, and the second requires them to deal with foreign ownership, control and influence (FOCI) risks across all aspects of their asset.
- Cyber security: Four new obligations in relation to cyber security risks, including uplifting compliance under a cyber security framework to maturity level 2, implementing network protection for critical systems, adopting phishing-resistant multi-factor authentication, and considering cyber material risks from new technologies such as the deployment of artificial intelligence (AI).
- Supply chain: Two new supply chain obligations, focused on FOCI risk. These include an obligation on responsible entities to map their supply chains for major suppliers and critical systems across their physical and cyber supply chains, and to establish systems to manage material risks posed by vendors of concern from a FOCI perspective.
- Personnel security: Three new obligations around management of personnel risk, including requiring responsible entities to implement a personnel security plan, strengthen background checking and consider personnel material risks, again particularly through the lens of FOCI risk.
The Department is not proposing any enhancements to physical and natural hazard risk obligations.
When would responsible entities need to comply?
The Department proposes that responsible entities would generally have until 30 June 2028 to comply with the specific risk obligations. For the all-hazard obligations, responsible entities would have 6 months from the commencement of the enhanced CIRMP Rules and for specified risk advices, responsible entities would have 12 months from the date of the advice.
Note: While the timeframe for implementation of the Cyber 4 and Personnel 3 specific risk obligations have not been specified, given all other specific risk obligations are proposed to take effect on 30 June 2028 we expect this will broadly be the date for compliance unless otherwise specified.
While many responsible entities would have considered FOCI risk as part of their CIRMP, those whose FOCI risk sits further up the supply chain may not have focused on it, and there may be some work to do not only to develop a FOCI risk management approach within 6 months, but also to complete the mapping and uplift work required by the specific risk obligations. If you have not had the need to consider it in detail already, the Department’s guidance on assessing FOCI risk is set out in its Foreign Ownership, Control or Influence (FOCI) Risk Assessment Guidance. In any event, the specific obligations are likely to require responsible entities to further uplift their processes and CIRMP to deal with these more detailed requirements.
What does it all mean?
The proposed changes will require a review and uplift of a responsible entity’s CIRMP and internal risk management processes. They will require responsible entities to consider the visibility, flexibility and control they have over counterparties to ensure the responsible entity has the information and control it needs to manage these risks, and the flexibility to deal with new or increased risks, including as notified by the Department by way of a specified risk advice.
The Department has provided some case studies which we’ve summarised below to give some context on the obligations and potential mitigations. Text in ‘ ’ is taken from the relevant section of the Consultation Paper.
For each measure below: the relevant CIRMP Rules area, the proposed enhancement, the Department’s case study (where one is given) and what this means in practice.

All-hazard measures
All-hazard 1: Consideration of specified risk advice

Proposed enhancement: An obligation on responsible entities to consider specified risk advices (SRAs) issued by the Department and to minimise or eliminate, as far as reasonably practicable, any material risk to the critical infrastructure asset identified in the SRA. An SRA could be directed at particular sectors or asset classes, or apply broadly to all asset classes. Once risk advice has been specified, affected responsible entities have 12 months from the date of the advice to consider any material risks and implement mitigations or eliminate the material risk.

Case study: Under the Protective Security Policy Framework (PSPF) Direction 001 – 2025, Australian Government entities must prevent the access, use or installation of DeepSeek products, applications and web services due to security risk. If the Department specified this PSPF direction as an SRA, responsible entities for high-risk asset classes would be required to consider the installation and use of DeepSeek, and how to minimise or eliminate any material risk, as part of their CIRMP.

What this means: Responsible entities will need a process to monitor for SRAs, and the flexibility within their processes and contracts to implement any mitigations required as a result of an SRA. The nature of the SRA process is that the risks to be notified are not yet known (or at least not yet notified). Responsible entities will need to think about how they build flexibility into their risk management program and contracts so that they can respond to SRAs in a timely manner.
All-hazard 2: Foreign ownership, control and influence (FOCI)

Proposed enhancement: Responsible entities must consider material risks associated with FOCI across all aspects of their asset. This will include considering impacts to ‘the availability, integrity, and confidentiality of the responsible entity’s asset that could prejudice the social or economic stability, or national security of Australia arising from, but not limited to dependence on foreign owned, controlled, or influenced vendors, major suppliers, or managed service providers critical to the operation of the asset, and components, systems, or software critical to the operation of the asset.’ Responsible entities have 6 months from the commencement of the amended CIRMP Rules to minimise or eliminate FOCI material risks.

What this means: While many responsible entities will have considered FOCI risk under the existing CIRMP Rules, these provisions will require a more structured approach to the assessment and management of FOCI risk. Further, where FOCI risk arises in a responsible entity’s supply chain, there may not have been a detailed assessment of that risk. This risk will also need to be considered in the context of the other specific risk obligations below. Contractors or suppliers who are likely to create a FOCI exposure for a critical infrastructure asset should think about how they can provide mitigations or protections that enable the responsible entities they deal with to comply with these enhanced requirements. The proposed enhancements are not prescriptive and let responsible entities make their own assessment of how to manage these risks. This gives contractors and suppliers an opportunity to propose mitigations for consideration (rather than having many customers propose different mitigations that may collectively be difficult and expensive to implement).
Cyber and information security hazard measures
Cyber 1: Cyber security framework uplift

Proposed enhancement: Responsible entities must uplift their cyber security framework to comply with maturity level 2 by 30 June 2028, and attest to compliance in the July to September 2028 attestation period. Where an entity opts to comply with an equivalent cyber framework that does not include maturity levels, it must set out in its CIRMP the measures taken to align its cyber program with maturity level 2 of an appropriate cyber maturity framework.

What this means: The Department has always been clear that it intends to keep uplifting resilience, but this enhancement means that some organisations that have only just completed implementation of maturity level 1 of a cyber security framework will now need to start a new program to uplift compliance further.
Cyber 2: Critical Systems Network Protection

Proposed enhancement: Responsible entities must set out in their CIRMP ‘how they have implemented the greatest practical level of segregation between their asset’s critical systems, and other internet-connected, or less secure components that could result in the compromise of, substantive loss of access to, or deliberate or accidental manipulation of a critical system.’ The proposed timeframe for compliance with the critical systems network segregation and recovery requirements is 30 June 2028, with attestation in the July to September 2028 reporting period.

Case study: A cyber incident occurs in which an organisation’s payroll system is accessed without authorisation. The responsible entity takes network containment action by isolating the critical asset from the payroll system. Isolating the critical asset allows its functions and services to continue while the payroll system is down.

What this means: Historically, Operational Technology (OT) was often physically segregated from IT systems and from the internet. However, remote access is increasingly an integral part of the ongoing maintenance and support of critical equipment, and as a result the degree of separation between OT and IT systems has decreased. Responsible entities will need to consider the extent of segregation between OT and critical operational systems on the one hand and less critical or internet-connected systems on the other. Where segregation could be improved, the responsible entity will need to consider how and when this can be achieved, including where it has an operator responsible for all onsite operations, including networking.
Cyber 3: Multi-factor authentication

Proposed enhancement: Responsible entities must set out in their CIRMP how phishing-resistant MFA is used to authenticate: ‘users to their online and internet facing networks’, ‘privileged and unprivileged users of critical systems’, and ‘remote access to their networks and systems.’ To ensure their processes are robust, they must also keep a central log of authentication attempts that is regularly reviewed. The Department is proposing compliance by 30 June 2028, with attestation in the July to September 2028 reporting period. Given the lead time, the Department is also proposing that responsible entities include in the CIRMP a documented plan setting out how compliance will be achieved, to be reported against in earlier attestation periods.

What this means: This is a very specific risk management obligation, and the Department acknowledges that MFA may already be used by a responsible entity and may already be required under its chosen cyber maturity framework. However, where a responsible entity has not implemented phishing-resistant MFA, or has not implemented MFA across all online and internet facing networks, critical systems and remote access, uplift may be required to meet this requirement.
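A review script of the kind the Cyber 3 obligation implies, added here as an illustration (it is not from the Consultation Paper or the Department): it reads a constructed central authentication log, works out which attempts fall within the three scopes named above (critical systems, remote access, and online or internet facing networks), and flags every in-scope attempt that did not use a phishing-resistant factor, with a per-scope coverage ratio that an entity could track against its interim plan. The JSON field names, the system inventory and the set of factor labels treated as phishing-resistant are assumptions; in practice the inventory comes from the entity’s critical-systems register and the labels from its identity provider.

```python
"""Review a central authentication log for phishing-resistant MFA coverage.

Added example; log format, field names, system inventory and factor labels
are assumptions for illustration, not the Department's or any vendor's.
"""
import json
from collections import Counter

# Factor labels treated as phishing-resistant: FIDO2/WebAuthn authenticators
# (including passkeys) and PKI smart cards. SMS codes, TOTP codes and push
# approvals are not, because a real-time phishing proxy can relay them.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "smartcard_piv"}

# Assumed inventory mapping target systems to the three scopes in Cyber 3.
CRITICAL_SYSTEMS = {"scada-hmi", "historian"}
REMOTE_ACCESS = {"vpn-gw"}
INTERNET_FACING = {"customer-portal"}

# Constructed sample of a central authentication log (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2028-07-01T02:10:11Z","user":"ops.admin","privileged":true,"target":"scada-hmi","factors":["password","totp"],"result":"success"}
{"ts":"2028-07-01T02:12:40Z","user":"ops.admin","privileged":true,"target":"scada-hmi","factors":["password","fido2"],"result":"success"}
{"ts":"2028-07-01T03:05:02Z","user":"j.smith","privileged":false,"target":"historian","factors":["password"],"result":"success"}
{"ts":"2028-07-01T06:41:19Z","user":"vendor.mso","privileged":true,"target":"vpn-gw","factors":["password","sms"],"result":"failure"}
{"ts":"2028-07-01T06:42:03Z","user":"vendor.mso","privileged":true,"target":"vpn-gw","factors":["password","push"],"result":"success"}
{"ts":"2028-07-01T08:00:00Z","user":"a.lee","privileged":false,"target":"customer-portal","factors":["passkey"],"result":"success"}
{"ts":"2028-07-01T08:30:00Z","user":"a.lee","privileged":false,"target":"wiki","factors":["password"],"result":"success"}
"""


def scopes_of(target):
    """Return the Cyber 3 scopes a target system falls under (possibly several)."""
    scopes = []
    if target in CRITICAL_SYSTEMS:
        scopes.append("critical system")
    if target in REMOTE_ACCESS:
        scopes.append("remote access")
    if target in INTERNET_FACING:
        scopes.append("internet-facing")
    return scopes


def is_phishing_resistant(factors):
    """True if at least one factor used in the attempt is phishing-resistant."""
    return any(f in PHISHING_RESISTANT for f in factors)


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Flag in-scope attempts without a phishing-resistant factor.

    Returns (findings, coverage). Failed attempts are reviewed too: a failed
    SMS challenge on the VPN still shows that a weaker factor is enabled on
    that path. Out-of-scope systems are skipped.
    """
    findings = []
    totals, resistant = Counter(), Counter()
    for ev in events:
        scopes = scopes_of(ev["target"])
        if not scopes:
            continue
        ok = is_phishing_resistant(ev["factors"])
        for scope in scopes:
            totals[scope] += 1
            if ok:
                resistant[scope] += 1
        if not ok:
            findings.append({
                "ts": ev["ts"], "user": ev["user"], "target": ev["target"],
                "scopes": scopes, "factors": ev["factors"], "result": ev["result"],
                # Privileged users of critical systems are the higher-impact gap.
                "severity": "high" if ev["privileged"] else "medium",
            })
    coverage = {scope: resistant[scope] / totals[scope] for scope in totals}
    return findings, coverage


if __name__ == "__main__":
    found, cov = review(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["severity"].upper(), f["ts"], f["user"], f["target"], f["factors"], f["result"])
    for scope, ratio in sorted(cov.items()):
        print(f"{scope}: {ratio:.0%} of attempts used a phishing-resistant factor")
```

Run over the sample, the script flags four attempts (three privileged) and reports that no remote-access attempt used a phishing-resistant factor, which is exactly the kind of gap the interim plan in the CIRMP would need to close before the 2028 attestation.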
Cyber 4: Enhancing cyber material risks

Proposed enhancement: More broadly, the Department is proposing to introduce cyber and information hazard specific material risks that the responsible entity must, as far as reasonably practicable, minimise or eliminate in its CIRMP. This will include considering risks arising from:

Case study: The responsible entity must assess which controls can reasonably be implemented in its cyber program and CIRMP to minimise or eliminate the material risks to its asset arising from AI vulnerabilities through the use of Large Language Models (LLMs). This could include restricting deployment within the organisation and its networks, considering lower-risk alternative AI solutions, or updating policies governing the use of AI.

What this means: It would be more common for these risks to be dealt with in the CIRMP or risk management plan of organisations in other sectors. For example, the Privacy Act requires a degree of visibility and control over offshore access to personal information, and it is common for companies that hold large amounts of personal information to restrict the offshore transfer of, or access to, that information. Some of these issues have been less relevant in sectors historically focused on physical infrastructure that is predominantly supported onsite. Changes in technology, supply chains, the threat environment and geopolitical circumstances mean that these risks are increasingly relevant across all sectors. Responsible entities will need to consider not only their own internal processes and procedures, but also the visibility and control (or lack of it) they have over counterparties who may use offshore services, sweat assets or implement new technologies without the responsible entity having any visibility.
Supply chain hazard measures
Supply Chain 1: Supply chain vulnerability mapping

Proposed enhancement: In addition to the existing CIRMP Rules, responsible entities must establish and maintain a system to map their supply chain for major suppliers and critical systems across their physical and cyber supply chains by 30 June 2028, with attestation in the July to September 2028 reporting period. The mapping should include ‘supply chain vulnerabilities and mitigating controls’ and ‘details regarding supplier diversification and redundancy planning’.

Case study: An entity maps its supply chain and finds that a critical component is produced in Australia, but the supplier has been for sale for a year with no buyer prospects. Further investigation shows that it is the only supplier in Australia. Acknowledging this risk, the entity considers other options and finds a supplier in New Zealand. The entity then updates its business continuity plan to include the alternative supplier in the event that its current supplier becomes unavailable.

What this means: Responsible entities may have done some of this work as part of the original CIRMP process. However, this new requirement calls for a process or system that keeps mapping these relationships and identifies critical vulnerabilities and opportunities for diversification or redundancy. This can be particularly challenging in sectors where critical equipment has a long design life, the technology is proprietary and closely guarded, and the opportunity to diversify is limited.
Supply Chain 2: Vendors of concern

Proposed enhancement: Under this obligation, ‘responsible entities will be required to develop and maintain a system in their CIRMP to manage material risks posed by vendors of concern that expressly consider FOCI risks’ by 30 June 2028, with attestation in the July to September 2028 reporting period. The system must ‘identify risks associated with certain vendors, consider the material risks and their impact if realised, and outline risk-based treatments and controls.’

Case study: An overseas-based engineering company is required to design a critical component of an asset. The entity considers diversifying its options for delivery to mitigate any identified FOCI risks, but subsequent market research shows that diversification is not possible. The entity mitigates this risk by implementing contractual conditions that limit offshoring through the design and implementation phases, restrict access arrangements, and include remediation and step-in clauses.

What this means: In the case study, the Department acknowledges that it will not always be possible to diversify or to fully eliminate the concerns arising from FOCI risk and ‘vendors of concern’. It will therefore be important for responsible entities to consider how they can mitigate these risks, including through contractual provisions. This will require a review not just of the responsible entity’s procurement processes and CIRMP, but also of its approach to contracting with critical suppliers (in respect of FOCI, and also of other cyber risks such as those outlined in Cyber 4 above). Again, entities that know they present a FOCI risk to responsible entities as a critical supplier or contractor should think about mitigations they could offer to enable compliance in a manner that is also acceptable to the supplier.
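The two supply chain obligations above both turn on the same exercise: tracing each critical component back through its suppliers, and their suppliers, to find single-sourced components and FOCI exposure sitting further up the chain. The following is an added example of that mapping logic (it is not from the Consultation Paper or the Department) run over a constructed supplier register. The supplier names, the placeholder country code XX and the ‘foci_concern’ flags are assumptions; in practice the flag would be the outcome of the entity’s own FOCI assessment of each supplier.

```python
"""Map critical components to suppliers and trace FOCI exposure up the chain.

Added example covering Supply Chain 1 (mapping, diversification) and
Supply Chain 2 (vendors of concern). Register contents are constructed;
'XX' is a placeholder country code and foci_concern an assumed assessment.
"""

# Constructed supplier register. Each supplier records its country, whether
# the entity's FOCI assessment flagged it, and its own upstream suppliers.
SUPPLIERS = {
    "relay-co":    {"country": "AU", "foci_concern": False, "upstream": ["chip-fab-x"]},
    "relay-nz":    {"country": "NZ", "foci_concern": False, "upstream": []},
    "chip-fab-x":  {"country": "XX", "foci_concern": True,  "upstream": []},
    "turbine-eng": {"country": "XX", "foci_concern": True,  "upstream": []},
    "msp-ops":     {"country": "AU", "foci_concern": False, "upstream": ["turbine-eng"]},
}

# Constructed map of critical components to the suppliers that can deliver them.
CRITICAL_COMPONENTS = {
    "protection-relay": ["relay-co"],
    "turbine-control":  ["msp-ops"],
    "hmi-workstation":  ["relay-co", "relay-nz"],
}


def foci_paths(supplier, suppliers, path=(), seen=frozenset()):
    """Return every path from `supplier` up its chain to a FOCI-flagged supplier.

    Each path starts at `supplier` and ends at the first flagged supplier on
    that branch; `seen` guards against cycles in the register.
    """
    if supplier in seen:
        return []
    path = path + (supplier,)
    seen = seen | {supplier}
    info = suppliers[supplier]
    if info["foci_concern"]:
        return [list(path)]
    paths = []
    for up in info["upstream"]:
        paths.extend(foci_paths(up, suppliers, path, seen))
    return paths


def map_supply_chain(components, suppliers):
    """Build the per-component view the mapping obligation asks for:
    single-source status, FOCI exposure paths, and clean alternatives."""
    report = {}
    for component, vendors in components.items():
        exposures = []
        for vendor in vendors:
            exposures.extend(foci_paths(vendor, suppliers))
        # A 'clean' alternative is a vendor with no FOCI exposure anywhere upstream.
        clean = [v for v in vendors if not foci_paths(v, suppliers)]
        report[component] = {
            "single_source": len(vendors) == 1,
            "foci_exposure": exposures,
            "clean_alternatives": clean,
            "countries": sorted({suppliers[v]["country"] for v in vendors}),
        }
    return report


def needs_treatment(report):
    """Components where diversification alone cannot treat the risk: they are
    single-sourced, or every available supplier carries FOCI exposure."""
    return sorted(
        c for c, r in report.items()
        if r["single_source"] or (r["foci_exposure"] and not r["clean_alternatives"])
    )


if __name__ == "__main__":
    result = map_supply_chain(CRITICAL_COMPONENTS, SUPPLIERS)
    for component, row in result.items():
        print(component, row)
    print("needs treatment:", needs_treatment(result))
```

In the sample register the HMI workstation has FOCI exposure through one supplier but a clean alternative, so diversification is available; the protection relay and turbine control are single-sourced with exposure one tier up, which is where the contractual mitigations from the Supply Chain 2 case study would come in.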
Personnel Security hazard measures
Personnel 1: Personnel security plan

Proposed enhancement: Responsible entities must establish and maintain a personnel security plan for their organisation by 30 June 2028, with attestation in the July to September 2028 reporting period. Supplementing the existing personnel hazard obligations in the CIRMP Rules, responsible entities will need to develop and maintain a system to minimise or eliminate risks associated with:

What this means: While many responsible entities may already have a personnel security plan that forms part of, or is referenced in, their CIRMP, it will need to be reviewed against any specific requirements introduced as part of this obligation.
Personnel 2: Strengthened background checking

Proposed enhancement: Responsible entities must identify ‘all critical workers and require onshore critical workers to undergo an AusCheck background check as part of pre-employment screening unless the critical worker holds an Australian Government security clearance of Negative Vetting 1 or above’[1] by 30 June 2028, with attestation in the July to September 2028 reporting period. The Department proposes revalidation through AusCheck at least every 5 years, although the responsible entity can choose to revalidate more frequently. For offshore critical workers, the responsible entity will need to consider how it will ‘identify risks associated with such employment, and outline in their CIRMP how they minimise or eliminate, as far as reasonably practicable, the material risks to their asset’.

[1] Consultation Paper.

What this means: Again, responsible entities may already have processes that reflect these requirements. However, organisations will need to review their current approach and consider whether it needs to be uplifted to align with these enhanced requirements.
Personnel 3: Enhancing personnel material risks

Proposed enhancement: Finally, the Department is also proposing to introduce specific personnel hazard material risks that the responsible entity will need to minimise or eliminate, as far as reasonably practicable, in its CIRMP. This will include considering how trusted insiders, such as major suppliers, critical workers or managed service providers, could impact the integrity or availability of the asset through unauthorised use or misuse of privileged access to critical systems.

What this means: In conjunction with the review of supply chains, responsible entities will need to consider these specific risks in the context of personnel (employees and contractors, and the employees of service providers). While many organisations control access to their systems and sites, under long-term operating agreements the supplier is often given a high level of end-to-end responsibility for all aspects of operation on site. In that context, responsible entities will need to consider how they engage with suppliers so that they retain the visibility, control and flexibility needed to comply with these specific risk requirements.
What now?
The Department has posed some policy design questions and questions on the regulatory impact of these proposed amendments and has invited submissions by 13 February 2026.