Introduction

1.1 The security of government information and communications technology (ICT) systems, networks and data supports Australia’s social, economic and national security interests as well as the privacy of its citizens. Malicious cyber activity has been identified as a significant threat affecting Australians, exacerbated by low levels of cyber maturity across many Australian Government entities.⁷

1.2 The Australian Signals Directorate (ASD) Cyber Threat Report 2022–23 identified that:

the regional strategic environment continues to deteriorate, which is reflected in the observable activities of some state actors in cyberspace. In this context, these actors are increasingly using cyber operations as the preferred vector to build their geopolitical competitive edge, whether it is to support their economies or to underpin operations that challenge the sovereignty of others. In the Australian Security Intelligence Organisation’s Annual Report 2021–22, espionage and foreign interference was noted to have supplanted terrorism as Australia’s principal security concern.⁸

1.3 The Department of Defence’s (Defence’s) mission and purpose is to defend Australia and its national interests in order to advance Australia’s security and prosperity. Defence’s 2022–23 Annual Report states that, to enable the warfighting capabilities of the Australian Defence Force (ADF) globally, it is supported by one of the largest and most complex ICT environments in the nation.⁹

1.4 Defence’s 2022 Cyber Security Strategy states that ‘Malicious cyber activity now represents one of Defence’s most critical risks.’¹⁰ This risk was reflected in the 2023 Defence Strategic Review, which found that limited workforce availability had resulted in project slippage and insufficient ADF and Australian Public Service (APS) staff to manage heavily outsourced ICT functions. The review recommended:

• the appointment of a ‘dedicated senior official for Chief Information Officer Group (CIOG) capability management leadership and a dedicated senior official accountable for [Defence’s] secret network’, and rebalancing of the CIOG workforce to a 60:40 APS- and ADF-to-contractor ratio;
• enhancement of Defence’s cyber security arrangements in collaboration with ASD; and
• increasing Defence’s cyber security operations capability in CIOG and decommissioning legacy systems and platforms.¹¹

1.5 The Australian Government agreed to the recommendations.

Protective Security Policy Framework

1.6 The Protective Security Policy Framework (PSPF) was introduced in 2010 to help Australian Government entities protect their people, information and assets, both at home and overseas. The PSPF sets out the government’s protective security policy approach and is comprised of 16 core policies.¹² Under the PSPF, all entities are required to develop their own protective security policies and procedures. PSPF Policy 10 Safeguarding data from cyber threats and Policy 11 Robust ICT systems outline how entities can safeguard their ICT systems and mitigate their exposure to cyber security risks.

PSPF Policy 10 — Safeguarding data from cyber threats

1.7 PSPF Policy 10 Safeguarding data from cyber threats requires entities to mitigate common security threats by implementing eight essential mitigation strategies (the Essential Eight).¹³ Prior to February 2022, only four of the strategies were mandatory. Entities must implement Maturity Level 2 for each of the eight strategies to be compliant.¹⁴ Defence’s system authorisation process requires consideration of the Essential Eight as part of supporting security documentation (see paragraphs 2.58–2.59).

PSPF Policy 11 — Robust ICT systems

1.8 PSPF Policy 11 Robust ICT systems requires that entities ensure the secure operation of their ICT systems to safeguard their information and data and the continuous delivery of government business by applying the Information Security Manual’s (ISM) cyber security principles during all stages of the lifecycle of each system. Specifically, PSPF Policy 11 requires that:

Entities must [emphasis in original] only process, store or communicate information and data on an ICT system that the determining authority (or their delegate) has authorised to operate based on the acceptance of the residual security risks associated with its operation.¹⁵

When establishing new ICT systems, or implementing improvements to an existing system, the decision to authorise (or reauthorise) a system to operate must [emphasis in original] be based on the Information Security Manual’s six step risk-based approach for cyber security.¹⁶

1.9 The ISM six-step process is outlined in Figure 1.1 below.

Figure 1.1: ISM six-step risk-based process

Source: ANAO analysis of PSPF Policy 11.

1.10 Prior to August 2020, PSPF Policy 11 used the terms ‘certification’ and ‘accreditation’ and referred to the key decision-making roles for certification and accreditation as the ‘certification authority’ and ‘accreditation authority’ respectively. Since August 2020, PSPF Policy 11 refers to ‘certification’ as ‘assessment’ and ‘accreditation’ as ‘authorisation’. The key decision-making roles for assessment and authorisation have been defined in PSPF Policy 11 as the Chief Security Officer (CSO) or Chief Information Security Officer (CISO) and ‘authorising officer’ respectively.¹⁷

ICT system authorisations in Defence

1.11 Defence has developed Administrative Policy Arrangements which establish the authority and hierarchy for Defence documents. This hierarchy, and its relationship to key documents referred to throughout this report are outlined in Figure 1.2.

Figure 1.2: Hierarchy of Defence documents

Source: ANAO analysis of Defence’s Administrative Policy Arrangements.

Defence Security Principles Framework

1.12 Defence has established the Defence Security Principles Framework (DSPF) to support compliance with the requirements of the PSPF. DSPF Principle 23, which is supported by Control 23.1 ICT Certification and Accreditation, outlines Defence’s requirements for ICT assessment and authorisation including that:

• all Defence ICT systems must be authorised prior to processing, storing or communicating official information;
• the authorising officer is based on the level of assessed system risk; and
• ICT systems are to be re-authorised under various conditions including when: new or emerging threats are identified; a cyber security incident occurs; changes to the certified system architecture occur; or the system’s authorisation expires.

1.13 The DSPF is supported by directives and instructions issued by Defence’s Services and Groups, discussed further at paragraphs 2.26–2.38.

Defence Cyber and Information Assurance Branch

1.14 The Defence Cyber and Information Assurance Branch (DCIAB) sits within Defence’s Cyber Command¹⁸ and is responsible for ensuring cyber security risks are effectively quantified and managed across Defence systems and networks. This includes the provision of ICT system assessment and authorisation services conducted by the Cyber Security Assessments and Authorisation (CSAA) Directorate within DCIAB. Defence’s CISO is the head of DCIAB.¹⁹

1.15 Between 2020–21 and 2022–23 DCIAB’s expenditure increased by 234 per cent. The number of contractors engaged by DCIAB increased by 72 per cent and the number of APS and ADF personnel increased by 3 per cent over the same three-year period.

Defence ICT systems

1.16 Defence defines a ‘system’ in its ‘Cyber Security Assessment and Authorisation Framework’ as:

a single or a group of interacting Information and Communication Technology (ICT) hardware and/or software components that enable users to accomplish a task (i.e. that stores, processes or communicates information). Systems may include other systems.

1.17 In September 2021, Defence commenced an ICT inventory project to develop a ‘comprehensive knowledge base of all current Defence portfolio ICT systems, networks, applications and services’ (see paragraphs 3.7–3.11).

1.18 Approximately 48 per cent of the systems that have been identified through the inventory project are systems that ‘manage the creation, processing, presentation and storage of information’ and need to be authorised in accordance with PSPF Policy 11. Of these systems, 5 per cent were recorded in Defence’s system for managing ICT authorisations as at June 2024. The data recorded in Defence’s ICT authorisation management system is not complete or accurate (see paragraphs 3.15–3.26).

Rationale for undertaking the audit

1.19 Through its 2022 Cyber Security Strategy, Defence has recognised that ‘Malicious cyber activity now represents one of Defence’s most critical risks.’ Robust ICT systems protect the confidentiality, integrity and availability of the information and data that entities process, store and communicate. PSPF Policy 11 outlines how entities can safeguard ICT systems through assessment and authorisation activities to support the secure and continuous delivery of government business.

1.20 Questions regarding Defence’s system authorisation process were raised at hearings of the Senate Foreign Affairs, Defence and Trade Legislation Committee in June 2021, including in relation to:

• Defence’s use of provisional authorisations beyond 12 months for systems where security concerns have not been sufficiently addressed;
• deficiencies in Defence’s processes for identifying and assessing risks as part of the authorisation process; and
• DSPF compliance with the ISM.

1.21 This audit was conducted to provide assurance to the Parliament on Defence’s arrangements for the management of ICT systems security authorisations.²⁰

Audit approach

Audit objective, criteria, and scope

1.22 The audit objective was to assess the effectiveness of the Department of Defence’s arrangements to manage the security authorisation of its ICT systems.

1.23 To form a conclusion against this objective, the following high-level criteria were adopted.

• Does Defence have fit-for-purpose arrangements for the security authorisation of its ICT systems?
• Has Defence implemented its arrangements for the security authorisation of its ICT systems?

1.24 The audit scope included examination of the arrangements Defence has in place to identify, assess, and mitigate or accept ICT system security risks, and examination of Defence’s implementation of its arrangements. ICT systems included in the scope of the audit are systems that process, store or communicate official information.

1.25 The scope did not include examination of the authorisation of Top Secret ICT systems. These authorisations are done by the Australian Signals Directorate (ASD), not Defence.

Audit methodology

1.26 The audit methodology included discussions with relevant Defence officials and an examination and analysis of Defence records.

1.27 The audit was open to contributions from the public. The ANAO did not receive any submissions.

1.28 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $504,803.

1.29 The team members for this audit were Jarrad Hamilton, Hugh Balgarnie, Candy Chu, Sky Lo, and Amy Willmott.

2.1 Protective Security Policy Framework (PSPF) Policy 11 Robust ICT systems mandates that entities must only process, store or communicate information and data on an ICT system that the ‘determining authority’ has authorised to operate based on the acceptance of the residual security risks associated with its operation. The decision to authorise a system must be based on the Information Security Manual’s (ISM’s) six-step risk-based approach to cyber security (see Figure 1.1).

2.2 Since February 2022, PSPF Policy 10 Safeguarding data from cyber threats has required entities to mitigate common security threats by implementing eight essential mitigation strategies, known as the ‘Essential Eight’ (see footnote 13). Prior to this update, only four of the strategies were mandatory. Defence has established policies to support PSPF Policy 10 and 11 through ICT assessment and authorisation in the Defence Security Principles Framework (DSPF) and Service-level directives, instructions, and policies.

Has Defence established an appropriate policy and governance framework for the security authorisation of its ICT systems?

Defence Security Principles Framework

2.3 Defence has established its primary policy requirements for ICT system assessment and authorisation through the DSPF. The DSPF was introduced in July 2018, replacing the Defence Security Manual (DSM). The introduction of the DSPF reflected Defence’s stated transition from a ‘compliance model of security management under the Defence Security Manual’ to a ‘principles based approach’ under the DSPF. The DSPF states that this approach:

• Allows all parts of Defence to manage security within their operational context and constraints. This recognises the best security decisions are made in accordance with agreed principles, with a desired outcome in mind.
• Ensures the most appropriate people are setting security requirements. Those who know their business are best placed to set security standards and requirements for that aspect of Defence business.

2.4 Under DSPF Principle 23, Control 23.1 ICT Certification and Accreditation requires that ‘All Defence ICT systems must be accredited prior to processing, storing or communicating Official information’ and outlines: Defence’s high-level process for assessment and authorisation, including Authorising Officer levels, which are aligned to risk ratings; an assessment and authorisation flowchart; and requirements for re-authorising ICT systems.

2.5 The DSM included similar authorisation requirements to the DSPF, but also included additional requirements that were not retained after the introduction of the DSPF, such as:

• annual review and monitoring of authorised ICT systems (see footnote 74);
• mandatory training for Authorising Officers (see paragraph 2.74);
• recording the extent of a system’s compliance against all applicable ‘must’ and ‘should’ statements contained in the ISM, as part of the assessment process;
• the issuing of a dispensation (provisional authorisation) for a specified timeframe by the relevant Group Head or Service Chief in exceptional circumstances;
• the closure of a system and withdrawal of provisional authorisation where there is a failure to meet the conditions of the authorisation within the specified timeframe; and
• not using the provisional authorisation process ‘as a means to circumvent the proper application’ of the authorisation process.

2.6 The DSPF states that it is a ‘flexible policy framework’ and that ‘DSPF documents will be reviewed and updated as necessary’. Prior to 10 May 2024, DSPF Principle 23 was last approved by the Chief Security Officer in July 2020, and had not been updated to reflect amendments made to PSPF Policy 11 in August 2020, including mandating the ISM’s six-step authorisation process and changes to PSPF language.²¹ An updated version of DSPF Principle 23 and Control 23.1, which reflects the six-step process and updated PSPF language, was approved by the Chief Information Security Officer (CISO) on 10 May 2024.

2.7 DSPF Control 20.1 Information Systems Lifecycle Management was last reviewed in July 2020 and only recognises four of the ISM’s Essential Eight strategies as being mandatory. This is not in line with the requirements of PSPF Policy 10, which were amended in February 2022 and state that ‘[t]o meet the minimum requirements established under the PSPF maturity model, entities must implement Maturity Level Two for each of the eight essential mitigation strategies’.

DSPF roles and responsibilities

2.8 Roles and responsibilities for personnel involved in the assessment and authorisation process are primarily established in the DSPF through Control 20.1 Information Systems Lifecycle Management and Control 23.1 ICT Certification and Accreditation.

2.9 Prior to updates to the DSPF in May 2024, the Control Owner for these controls was Defence’s IT Security Advisor (ITSA), which is an Executive Level 2 (EL2) position.²² The DSPF states that Controls Owners are ‘An SES or ADF [Australian Defence Force] Star Rank Officer assigned accountability and authority to manage a specific defence security risk. These will be derived from the DSPF Principles and Expected Outcomes. The relevant Control Owner in each instance may be a Group Head or Service Chief, or a more appropriate subordinate’. As at March 2024, the only controls in the DSPF delegated below SES or ADF Star Rank Officer level were controls delegated to the ITSA. The CISO (an SES Band 1 Officer) has been appointed as the Control Owner in Defence’s May 2024 updated DSPF Control 23.1.The ITSA no longer has a defined role in the updated DSPF Control 23.1.

2.10 Table 2.1 outlines the roles and responsibilities as established in the July 2020 approved DSPF controls (which applied at the time this audit commenced in November 2023).

Table 2.1: ICT security authorisation roles and responsibilities, as per July 2020 DSPF

Note a: This responsibility is established under Control 19.1 Information Systems (Logical) Security.

Note b: As discussed at footnote 19, ICTSB transitioned to DCIAB as part of a restructure in December 2023.

Note c: Since 2018, the DSPF has established the Commanding Officer of Air Force’s 462 Squadron as the Assessment (Certification) Authority for Air Force standalone systems. PSPF Policy 11 stipulates the Chief Security Officer (CSO) or CISO as the responsible officer for ensuring that the assessment process has given due consideration to ‘risk, security, functionality and business requirements’. Prior to being updated in August 2020, PSPF Policy 11 established the CSO (or delegated security advisor) as the ‘Certification Authority’. Defence advised the ANAO in June 2024 that the Commanding Officer of 462 Squadron was delegated the Authorising Officer role from Air Force’s Provost Marshall (the Air Force’s Single Service Security Authority) ‘well before the creation of the PSPF / DSPF and the CSO role. This delegation is understood to have been grandfathered into the DSPF in 2018 from the Defence Security Manual.’

Note d: Defence advised the ANAO in May 2024 that no formal Control Owner approval has been provided for Defence’s assessment and authorisation process (discussed at paragraphs 2.53–2.73), Deputy Chief of Army Directive 01-20 — Army ICT Security Plan (discussed at paragraphs 2.27–2.30), the Navy Cyberworthiness policy (discussed at paragraphs 2.31–2.32) or Air Force instruction AFSI (OPS) 05-02 (discussed at paragraphs 2.33–2.35). Defence further advised in June 2024 that Control Owner approval was not provided for Air Command Standing Instruction AC SI(OPS) 05-50 (discussed at paragraph 2.36).

Note e: The ‘Assessment Authority’ role is not specifically outlined in PSPF Policy 11. As noted at Note c, PSPF Policy 11 stipulates the CSO or CISO as the responsible officer for ensuring that the assessment process has given due consideration to ‘risk, security, functionality and business requirements’.

Note f: The DSPF states that whether an outside consultant will be required ‘will be dependent on the Group/Service and the Protective Marking of the material to be processed, stored and communicated on the system’.

Note g: Defence advised the ANAO in August 2024 that this requirement was included to ensure that the assessment of systems outside of the CISO’s assessment responsibilities (such as Air Force systems) were reported to the ITSA.

Source: ANAO analysis of the DSPF.

2.11 The DSPF also establishes Authorising Officer ‘escalation thresholds’ for system authorisation, outlined in Table 2.2.

Table 2.2: DSPF system authorisation escalation thresholds per July 2020 DSPF Control 23.1

Note a: O4 rank is equivalent to a Lieutenant Commander (Navy), Major (Army), or Squadron Leader (Air Force).

Note b: O5 rank is equivalent to a Commander (Navy), Lieutenant Colonel (Army), or Wing Commander (Air Force). The updated DSPF Control 23.1, approved by the CISO in May 2024: does not distinguish between CIOG systems and Group/Service systems; has set the minimum level for risk acceptance as SES Band 1 or 1 Star; and does not refer to CSA or CSE roles.

Source: ANAO analysis of DSPF.

2.12 The DSPF also includes tables to outline the specific personnel appointed to the roles of Authorising Officer, Assessment Authority, Cyber Security Executive (CSE) and Cyber Security Advisor (CSA) for 14 Defence Services or Groups and five ‘Special Portfolios’.²³ As noted in Table 2.1, these positions are the key decision-makers for system assessment and authorisation.

2.13 Until DSPF Control 23.1 was updated in May 2024, the following details were missing for the six years since the DSPF was established in 2018:

• the responsible CSE had not been defined for 13 Services or Groups;
• the responsible CSA had not been defined for 12 Services or Groups; and
• the responsible Authorising Officer, Assessment Authority, CSE, and CSA had not been defined for three special portfolios.

2.14 Further, the Groups and Services reflected in the DSPF had not been updated to reflect structural changes made in Defence since July 2020. For example:

• various groups are not included, such as the Associate Secretary Group, Australian Defence Force Headquarters, Defence Intelligence Group, Guided Weapons and Explosive Ordnance Group, and Naval Shipbuilding and Sustainment Group; and
• four Groups listed either no longer exist or have been renamed.²⁴

2.15 Defence’s September 2022 draft Cyber Security Enterprise Governance Framework, established to consolidate and describe the governance arrangements that support cyber security in Defence, noted that:

The DSPF … is out of date with references to roles and responsibilities that are no longer relevant, to authorities and delegations that do not match the positions and there are several gaps or areas with TBC roles, responsibilities and expectations have not been defined. Some updates to the DSPF are planned however, more are required and the cadence for these updates needs to be more frequent to keep up with the evolving security landscape.

2.16 As a result of the May 2024 update, the DSPF Control 23.1 no longer includes a table of specific personnel appointed to key decision-making roles, but states that ‘[t]he list of the appointments for Groups and Services who can assess and authorise Defence ICT systems prior to operational use can be located on the Defence Intranet’. The DCIAB intranet page includes a list of ‘functional appointments for Groups and Services across Defence’ that was updated in April 2024. The updated list aligns with the current Defence organisational structure, and the Assessment Authority and Authorising Officer appointments are complete for all Groups and Services. The list of appointments does not include CSA or CSE roles.

Assessment and authorisation independence requirements

2.17 As outlined in Table 2.1, Security Assessors are required to maintain independence throughout the assessment process. Under the July 2020 DSPF Control 23.1, System Owners were required to maintain independence from the Authorising Officer.²⁵

2.18 Defence advised the ANAO in February 2024 that Conflict of Interest and Statutory Declaration forms are completed for each contractor, and that it maintains a list of contractors against each Security Assessor to ensure they are not assigned assessment of a system to which a company in their employment chain has a stake.²⁶ Defence further advised that ‘This process is not currently formalised within policy.’

2.19 Defence advised the ANAO in May 2024 that independence between the System Owner and Authorising Officer is maintained ‘through checks performed by the Certification Consultant [Security Assessor] as part of commencing and completing the Security Assessment Report and development of the [Decision] Brief’ and that this check ‘is not currently formalised in [Assessment and Authorisation] process documentation’.

Delegating system authorisation

2.20 PSPF Policy 11 notes that ‘An impartial (and in some cases independent) security assessment can be a valuable tool in authorisation decisions.’ As outlined in Table 2.2, under the July 2020 DSPF Control 23.1, the CISO was the Authorising Officer, responsible for authorising high-risk Group/Service managed systems where a CSE has not been appointed. As outlined in Table 2.1, the Assistant Secretary of the ICT Security Branch, who fulfils the role of CISO, is also the Assessment (Certification) Authority, responsible for assessing all ICT systems except those within Air Force. Thus, under the July 2020 DSPF Control 23.1, for high-risk Group/Service managed systems where a CSE had not been appointed, the CISO could both assess and authorise those systems. For significant-risk Group/Service managed systems where a CSA had not been appointed, the Authorising Officer was the ITSA, who reports directly to the CISO. The May 2024 updated DSPF Control 23.1 and associated list of appointments (see paragraph 2.16) no longer provides for the CISO or ITSA to fulfil Authorising Officer roles.

2.21 ANAO analysis of Defence’s ICT authorisation management system data identified systems where the CISO was recorded as both the Assessment Authority and Authorising Officer. Of the systems which had an Authorising Officer recorded, 7 per cent had recorded the Authorising Officer as the ‘Chief Technology Officer / Chief Information Security Officer’. For 18 per cent of those systems the CISO was also the Assessment (Certification) Authority.

2.22 Army, Navy and Air Force have each appointed CSAs and CSEs. Chief of Army Directive 02/20, issued in March 2020, states that, while the Director General Special Operations Modernisation is not a CSA, that position is responsible for authorising systems with significant risk.²⁷ The DSPF does not provide for the Authorising Officer role to be delegated to this position.²⁸ Army Standing Instruction (Protective Security) was signed by the Chief of Army in August 2022, and superseded Directive 02/20. The Standing Instruction appointed the CSA role to the Director General Land Operations.²⁹

2.23 In response to an internal audit in May 2020 into Certification and Accreditation of Defence ICT Networks, which found that Defence’s assessment and authorisation process lacked clarity and consistency, Defence advised that it would conduct an ‘evaluation of current delegated Accreditation and Certification Authorities and determination of the appropriate approach to future delegation of Accreditation and Certification Authority’.³⁰ Defence advised the ANAO in March 2024 that amendments to delegations are being made as part of the transition to the Assessment and Authorisation Framework (see paragraphs 2.49–2.51).

ADF service group policies

2.26 Army, Navy and Air Force have each issued policies, instructions or directives to support compliance with DSPF Principle 23 and Defence’s assessment and authorisation process (discussed at paragraphs 2.53–2.73).³¹ Figure 2.1 outlines the documentation issued by Army, Navy and Air Force to support DSPF Principle 23 as at July 2024.

Figure 2.1: Service-level documents supporting the DSPF

Note a: Defence advised the ANAO in August 2024 that the Assessment and Authorisation Framework ‘was developed to replace the DICAF’.

Note: Where a document hierarchy has been established in Service issued documentation, this is reflected by arrows in Figure 2.1. The remaining documents are ordered by the seniority of the approving officer.

Source: ANAO analysis of Defence documentation.

2.27 In December 2019, the Deputy Chief of Army issued Directive 01/20 Army ICT Security Plan to ‘provide clear direction on the responsibilities, processes and activities required to effectively manage the Cyber Security and Worthiness of Army’s in-service ICT and information assets.’ In this context, the directive:

• states that ‘all Army ICT systems must be accredited prior to processing, storing or communicating unofficial, official, sensitive or classified Defence information’; and
• outlines System Owner responsibilities for monitoring the expiry of system authorisations and seeking re-authorisation, as well as the requirements for system security documentation.

2.28 For ‘Some Distribution Limitation Marker (DLM) or FOUO [For Official Use Only] systems’ the Chief of Army directive provides for a ‘streamlined security assessment’ and approval process ‘in lieu of a formal certification and accreditation.’

2.29 Defence advised the ANAO in April 2024 that this streamlined process was ‘a reference to an old and obsolete … whitelisting process and that all Defence (Army) systems are to go through the normal accreditation process’. Defence also advised that:

the updated version of the Army ICT Security Plan (currently awaiting delegate approval) states “IAW [in accordance with] DSFP Principle 23, all Army ICT … systems must be accredited prior to processing, storing or communicating official or classified Defence information”.

2.30 As noted at paragraph 2.27, this requirement was set out in the 2019 Deputy Chief of Army directive. Defence advised the ANAO in June 2024 that the Army ICT Security Plan was ‘in the final stages of review prior to release’.

2.31 In August 2022, Defence released a Navy ‘Cyberworthiness’ policy, approved by the Director General of Navy Intelligence and Information Warfare to ‘significantly reduce cyberworthiness risks to all Navy owned ICT … materiel and support systems.’³² The policy notes that the DSPF is the ‘authoritative source for managing security risks and their associated controls’, and outlines the ISM six-step process for system assessment.

2.32 Defence acknowledges in the cyberworthiness policy that some inconsistency exists between the policy and the DSPF — namely, that Navy’s system for rating risks does not align with the DSPF’s risk evaluation matrix.³³ The policy also states that the Chief of Navy is the System Owner for all Navy systems and the Authorising Officer for systems with a risk rating of ‘Extreme’. This means that for systems with an ‘Extreme’ risk, the Chief of Navy is both the System Owner and the Authorising Officer — a situation that does not align with the DSPF. As outlined in Table 2.1, the July 2020 DSPF requires the System Owner to be independent of the Authorising Officer.

2.33 Air Force instruction AFSI (OPS) 05-02, issued in September 2018, details Air Force’s approach to managing cyberspace security risk. The instruction establishes the Commanding Officer of 462 Squadron (462SQN) as the ‘Certification Authority’ for Air Force and states that ‘Air Force information systems owners may use other DSPF authorised Certification Authorities if 462SQN is unable to support (due to either lack of capacity or specialist skill requirements) or where a more suitable option exists’.

2.34 The instruction requires that Air Force information systems are assessed and authorised in accordance with the ISM and DSPF. The instruction also states that:

Where a system is to be force assigned³⁴ without or with partial certification, risks and limitations are to … be recorded as part of the certification.

2.35 This statement is not aligned with the DSPF requirement that all Defence ICT be authorised prior to processing, storing or communicating official information. This statement is also not in accordance with Chief of Joint Capabilities Directive 07-20 ADF Cyberworthiness Governance Framework, issued in December 2020, which states that Capability Managers ‘are to ensure that only certified and accredited mission systems are force assigned to operations, and that this status is verified during pre-deployment’. The directive outlines that the ADF Cyberworthiness Governance Framework is for ‘implementation across the Services to ensure cyberworthiness efforts are streamlined, consistent and effective.’

2.36 A further Air Force instruction, AC SI(OPS) 05-50 Cyberworthiness of Air Force Command, Control, Communication, Computers and Intelligence Systems, issued in May 2022, also outlines assessment and authorisation requirements. The instruction notes that:

a Provisional ICT Accreditation (PICTA) is awarded where the Accreditation Authority has requested further controls and/or risk mitigation activities to be undertaken during the provisional accreditation period …

A PICTA achieves efficiencies through reduced rework of C&A [Certification and Accreditation] activities. Ref D [AFSI (OPS) 05-02 – Cyberworthiness, Certification and Accreditation] identifies that a PICTA may be upgraded to an ICTA without undertaking a full re-certification activity.

2.37 AFSI (OPS) 05-02 does not address the issuing of provisional authorisations and the DSPF does not provide for provisionally authorised systems to be re-authorised without undertaking a full re-assessment activity.

2.38 The Deputy Chief of Air Force approved an updated version of AFSI (OPS) 05-02 in June 2024. The 2024 instruction does not refer to provisional authorisation and requires all Air Force systems to be authorised prior to operation. The 2024 instruction provides for moderate and low risk systems to be authorised by personnel below Senior Executive Service (SES) 1 or 1 Star officer level. This does not accord with the updated May 2024 DSPF Control 23.1, which requires SES 1 or 1 Star authorisation of these systems.

Defence ICT Certification and Accreditation Framework

2.39 The Defence ICT Certification and Accreditation Framework (DICAF) was developed by the ICT Security Branch (now DCIAB) to ‘ensure that Certification and Accreditation activities are conducted in a repeatable and consistent manner across [Defence]’ and applies to all Defence ICT systems that process, store or communicate official, sensitive or classified information.

2.40 The DICAF has been in draft since December 2015 and was last updated in December 2016.

2.41 The DICAF provides a high-level overview of Defence’s assessment and authorisation requirements. It outlines which systems are subject to the assessment and authorisation requirements and defines the roles and responsibilities of personnel involved in the system authorisation process. A section outlining the detailed process for system assessment and authorisation was to be developed and included with a supporting annex to the DICAF. At July 2024, the process section and the supporting annex had not been developed.

2.42 A draft February 2017 ICT Security report³⁵ provided a progress update on the development of the DICAF and stated that:

Progress is being made to update the draft DICAF based on feedback received from the DICAF Working Group and other stakeholders. It is anticipated that the DICAF will be in releasable format by mid-2017.

2.43 The 2018–19 DSPF Control Owner report for DSPF Control 23.1³⁶ provided an update on the DICAF in July 2019, stating that:

ICTSB [now DCIAB] is currently reviewing the extant Cyberspace Security Governance Framework³⁷ with the intention for the new Framework to become a charter to improve stakeholder investment. It is intended that it will absorb the Defence ICT Certification and Accreditation Framework (DICAF) to align cybersecurity governance roles and responsibilities.

2.44 This statement was repeated in the 2019–20 control owner report in July 2020.

2.45 Defence’s Cyberspace Security Governance Framework (CSGF) was last reviewed in November 2016 (as at July 2024). The CSGF states that the DICAF forms part of the ‘related documents and legislation’ for the CSGF. Defence advised the ANAO in March 2024 that:

The Cyberspace Security and Governance Framework (CSGF) is a legacy left over from the original establishment of, and appointments … of the Defence CISO and ITSA in 2015-16 … The decision to delay its revision (as specified in the Control Owners Reports 2018-2019 & 2019-20) was largely because events had overtaken matters with responsibilities of the Cyber Security Governance Board (CSGB) moving across to the enterprise governance committee structures (such as the Defence Security Committee), [which] had achieved improvements to the oversight and control of cyber security related matters. This along with the anticipated changes in cyber security governance expected through the design and delivery of the Defence Cyber Security Strategy and the changes scheduled through [the ICT Security Program] (including the A&A [Authorisation and Assessment] framework) became the primary focus of effort.³⁸

2.46 Defence’s May 2020 internal audit into Certification and Accreditation of Defence ICT Networks identified ‘risks within the existing certification and accreditation process for ICT networks and systems which are not being controlled effectively by the Department.’ The report found that there were inconsistencies in the authorisation processes being applied across Defence, and that the DICAF did not provide sufficient guidance for identifying what systems require authorisation and ensuring a risk-based approach is applied during system assessments.³⁹

2.47 The internal audit recommended that ‘CIOG should re-assess the design of its current Certification and Accreditation Framework, including (as relevant) the policy setting and detailed processes and procedures adopted for the certification and accreditation of ICT networks and systems.’⁴⁰

2.48 In February 2021, DCIAB’s Directorate of Integrated Risk Management (now the Directorate of Cyber Security Assessments and Authorisation) held a meeting to discuss the development of the DICAF in response to the internal audit findings. The meeting presentation noted that:

There is no authoritative source that defines the “framework”. Previous draft iterations of the Defence ICT Certification and Accreditation Framework (DICAF) did not provide adequate coverage in terms of end to end processes.

2.49 In December 2021, Defence’s Head of ICT Operations (HICTO)⁴¹ signed a minute recommending the internal audit recommendation be closed, and outlining action taken to address the findings, including the development of ‘a modernised Certification and Accreditation Framework, known as the Defence Authorisation and Assessment Framework.’

2.50 The framework remained in draft until a final version was approved by the CISO in February 2024 and released in May 2024.

2.51 The framework: outlines roles and responsibilities for assessment and authorisation; defines the systems to which the framework applies; and outlines Defence’s process requirements against each step of the ISM’s six-step process. The framework does not mandate the inspection and validation of control implementation as part of the assessment and authorisation process for all systems. This is not consistent with Step 4 of the six-step process (see Figure 1.1) which requires entities to validate security controls to determine they have been correctly implemented and are operating as intended.

Has Defence developed fit-for-purpose guidance to support the implementation of its framework?

2.52 In September 2021, an assessment and authorisation process was published on the Defence intranet. Documentation developed and issued by Army, Navy and Air Force (see paragraphs 2.26–2.38) refers to the assessment and authorisation process, and stipulates additional requirements and templates, discussed further in the context of the Defence process below.⁴²

Defence’s assessment and authorisation process

2.53 Defence’s assessment and authorisation intranet process sets out four steps: ‘lodge certification and accreditation request’; ‘conduct certification assessment’; ‘review certification assessment’; and ‘finalise certification and accreditation’. A responsibility assignment matrix is documented at each step, outlining responsibilities for key tasks and links to the ISM and DSPF.

2.54 While the intranet process was published on Defence’s intranet after PSPF Policy 11 was amended in August 2020, the process does not reflect the updated language in PSPF Policy 11.⁴³ The process also does not fully reflect the ISM’s six-step process for system assessment and authorisation.⁴⁴ At July 2024, the assessment and authorisation process was no longer accessible on Defence’s intranet. Defence advised the ANAO in July 2024 that this was due to the intranet page no longer being supported internally and that the content would be made accessible ‘as resourcing allows’.

2.55 A summary of Defence’s assessment and authorisation process is shown in Figure 2.2.

Lodge certification and accreditation request

2.56 Requests for the assessment and authorisation of ICT systems are lodged by System Owners or their delegates through Defence’s ICT intranet job portal. The portal requires System Owners to provide key information, including the required operating date for the system, urgency of the request and system classification level. The request is then assessed by a ‘Security Analyst’ to ensure that sufficient information has been provided and to confirm the priority of the request.

2.57 The System Owner is also required to enter system information into Defence’s ICT authorisation management system⁴⁵, including the assessed Business Impact Level⁴⁶, and system threats and risks. The System Owner is also required to provide a System Security Plan (SSP) and System Risk Score document.

2.58 Defence’s System Risk Score document enables DCIAB to assess the overall system risk and allocate a risk score, based on the System Owner’s Business Impact Level assessment, system characteristics and potential security management controls. The System Risk Score template is a mandatory document under the assessment and authorisation process. As at July 2024, the October 2013 template had not been updated to reflect Essential Eight requirements.⁴⁷ The document does not have a stipulated period for review.⁴⁸

2.59 Defence’s SSP template outlines the information on the system to be authorised, description of system threats and safeguards, compliance with Essential Eight requirements, and processes for detecting and responding to cyber security incidents. The SSP requires executive sign-off and approval prior to being submitted, however neither the assessment and authorisation process nor the linked SSP template identifies the appropriate authority for sign-off.

2.60 Defence advised the ANAO in March 2024 that:

Under the DSPF … System Owners are responsible for developing relevant security artefacts for their systems. If the sign-off/approval requirement is not well understood by the System Owner and/or team, the Certification Consultant will clarify this. However, there is currently no formal or specific guidance advising that the System Owner is the one who signs off on the SSP. This potential ambiguity is being resolved in the latest A&A [Assessment and Authorisation] framework release.

2.61 The Assessment and Authorisation Framework, released in May 2024, did not include any requirements in relation to a SSP sign-off. In June 2024, Defence provided the ANAO with an updated SSP template from March 2024 (which was available on the Cyber Security Assessment and Authorisation intranet page).⁴⁹ Guidance within the template states that the SSP should be approved by the System Owner.

2.62 Defence’s assessment and authorisation process lists other documentation that ‘may be required depending on the nature and complexity of the system’ including: the SSP Essential Eight Annex⁵⁰; Security Risk Management Plan (SRMP)⁵¹; Defence Logging and Monitoring Guide; Defence Continuous Monitoring Guide; Standard Operating Procedures (SOPs)⁵²; and Incident Response Plan (IRP).⁵³ As at June 2024, the templates for the Defence Logging and Monitoring Guide, Defence Continuous Monitoring Guide, and IRP were all listed as ‘pending’ in the process. Defence advised the ANAO in June 2024 that these templates remain under development and are expected to be finalised by August 2024.

2.63 Step 5 of the ISM six-step assessment and authorisation process states that:

Before a system can be granted authorisation to operate, sufficient information should be provided to the authorising officer in order for them to make an informed risk-based decision as to whether the security risks associated with its operation are acceptable or not. This information should take the form of an authorisation package that includes the system’s system security plan, cyber security incident response plan, continuous monitoring plan, security assessment report, and plan of action and milestones.

2.64 Defence advised the ANAO in February 2024 that there is no formal guidance to assist in making the judgement as to whether these additional documents are required as part of the assessment and authorisation process, and that ‘the need for additional documents … will be identified during the certification process and communicated to system delegates’.⁵⁴

2.65 Following the submission of information and documentation by the System Owner, a Security Assessor (Certification Consultant) and Peer Reviewer are assigned to the task through Defence’s ICT authorisation management system.

Conduct certification assessment

2.66 The Security Assessor reviews the security documentation provided to ensure that documentation is complete and engages with the System Owner if further information is required.⁵⁵ Once the Security Assessor has sufficient information, they conduct a ‘Stage 1 Assessment’ which includes: a detailed analysis of the system design to assess risks; a determination as to whether appropriate security controls have been implemented; and a review of all relevant controls specified in the ISM and DSPF.

2.67 The Security Assessor also determines whether a cyber assessment is required, based on risk appetite, security requirements, and threat data.⁵⁶ A ‘Stage 2 assessment’ may also be conducted if the system is a high profile, high risk, or highly complex system and involves cross-checking system inspection findings against documentation to verify the implementation of security controls.⁵⁷

2.68 Following the assessment, the Security Assessor prepares a Risk Assessment and Decision Brief outlining the security posture of the system, the assessed residual risk, and any suggested remediation actions. If further actions are required, a Remediation Plan may be developed by the Security Assessor and sent to the System Owner.

Review certification assessment

2.69 The Risk Assessment and Decision Brief are reviewed by a peer reviewer. The peer reviewer is a Security Assessor within DCIAB’s Certification Management team⁵⁸ who conducts a quality assurance check of the Risk Assessment and Decision Brief to assess accuracy and completeness, and determine that the correct approvers have been identified. The report is also reviewed by the System Owner, and any caveats or recommendations, as well as the proposed authorisation outcome are agreed on.

2.70 Once the System Owner has agreed to the Risk Assessment and Decision Brief, the Risk Assessment is signed by the Security Assessor and submitted to the Assistant Director or Director of DCIAB’s Cyber Security Assessments and Authorisation (CSAA) Directorate for final review and sign-off before progressing to the Assessment (or Certification) Authority.

Finalise certification and accreditation

2.71 The Risk Assessment and Decision Brief then proceed to the Assessment Authority (which is the CISO for all Defence systems except for Air Force) for approval. The Decision Brief is supported by the CSAA Directorate approved Risk Assessment, which is included as an attachment to the brief. Once approved by the Assessment Authority, the assessment and brief are then sent to the Authorising Officer for further approval, noting acceptance of the residual risk in operating the system.⁵⁹ The System Owner is required to be advised of any caveats on the authorisation, and documentation is to be filed to Defence’s records management system, Objective.

Has Defence developed fit-for-purpose training and other support for personnel responsible for implementing its framework?

2.74 Specific training requirements in relation to ICT system assessment and authorisation have not been established in the DSPF. Prior to the DSPF being introduced in July 2018, the Defence Security Manual (DSM) required that Security Assessment Authorities and Authorising Officers, as well as external service providers engaged to perform assessment and authorisation activities, successfully complete an approved course of training.⁶⁰

2.75 Specific system authorisation training requirements have been established by Army. High-level training requirements have also been established by Navy.⁶¹ Deputy Chief of Army Directive 01/20 Army ICT Security Plan (see paragraphs 2.27–2.30) requires that Information Technology Security Managers (ITSMs) and Information Technology Security Officers (ITSOs)⁶² complete courses including: cyber security awareness⁶³; ICT certification and accreditation; and an ITSO/ITSM course.

Information Technology Security Officer/Manager course

2.76 The ITSO/ITSM course includes assessment and authorisation content such as: roles and responsibilities throughout the assessment and authorisation process; Army’s assurance arrangements, which include assessing the authorisation status of systems (see paragraphs 3.33–3.34); and stipulating that changes to an ICT system may require re-authorisation.⁶⁴

2.77 Defence advised the ANAO in February 2024 that:

an updated [Army] ICT Security Plan is currently awaiting DCA [Deputy Chief of Army] approval. A substantial change in the updated plan is the decoupling of system owner responsibilities from a unit’s cyber security management responsibilities. It was agreed that a unit cannot be a system owner … and as such generally does not get involved in C&A [Certification and Accreditation] activities. Therefore, the requirement to undertake targeted C&A training has been removed from the ITSO duty statement. However, ITSOs are still required to be aware of C&A at a high level, which is contained within the updated Army ITSO Course.⁶⁵

ICT Certification and Accreditation Campus course

2.78 Between 2010 and 2020, Defence offered an ICT Certification and Accreditation Course through one of its online e-learning and training platforms, Campus. In May 2020, DCIAB advised Defence’s Security and Vetting Service that:

the ICT Certification and Accreditation Course is no longer required on Campus as the content is out of date and now obsolete.

Comprehensive information regarding the ICT Certification and Accreditation process is now available within ICT Security Integrated Risk Management Portal.⁶⁶

2.79 Defence advised the ANAO in February 2024 that it did not retain the course content and therefore could not provide it. Defence was unable to provide data on course completion.

ICT Certification and Accreditation Roadshow

2.80 DCIAB has developed an ICT assessment and authorisation presentation which outlines the assessment and authorisation process, responsibilities of System Owners, triggers for re-authorisation, and the use of contracted assessors and associated conflicts of interest responsibilities.⁶⁷

2.81 The presentation outlines that System Owners have an obligation to request an emanation threat assessment from the Australia Signals Directorate (ASD). Emanation Security relates to the protection of signals, which, if intercepted and analysed, could disclose classified information. The slides further note that ‘[w]hether the assessment is required or not is up to ASD to make that determination. Regardless, the system owner is obligated to request one prior to submitting their system for assessment. This should be done whilst completing the security documentation suite so it can be captured and articulated within the documents for the assessor’. Neither the DSPF nor Defence’s assessment and authorisation process outline this requirement.⁶⁸

2.82 Defence advised the ANAO in June 2024 that ‘[n]o records are available of when and to whom this roadshow presentation was delivered.’

ICT authorisation management system training

2.83 In 2019, DCIAB developed training courses for System Owners, Security Assessors and Authorising Officers using Defence’s ICT authorisation management system. The training includes process-oriented guidance for completing Business Impact Level assessments, completing key fields, uploading supporting documentation, and reviewing authorisation approvals or rejections.⁶⁹

2.84 In weekly DCIAB reporting to the CISO (see paragraph 3.66) between January 2023 and June 2024, one instance was identified where completion of these courses was included in the reporting.

Security Assessor training

2.85 DSPF Control 23.1 states that a Security Assessor (Certification Consultant) must be ‘suitably qualified’ and is responsible for:

• providing advice and guidance to the System Owner on the assessment process; and
• providing advice and guidance on mitigation strategies and controls to reduce risk within an acceptable risk tolerance throughout all phases of system development.

2.86 The Cyber Security Assessment and Authorisation (CSAA) Directorate within DCIAB has developed a ‘New Starter Information Pack’ which includes an induction checklist for new staff, including familiarisation with Defence’s ICT authorisation management system and supporting SOPs, the completion of mandatory training⁷⁰, links relating to the assessment and authorisation process, and an outline of the process for generating a Risk Assessment. The information pack’s contents page also includes a reference to ‘Annex B – Certification and Accreditation Process’, however the annex is not present in the document. The new starter pack is dated August 2021, but formal approval has not been recorded in the document. Defence does not record or report on the completion of training for Security Assessors.

2.87 Since its release in 2009, the ISM has been regularly updated. Since December 2021, the ISM has been updated quarterly, including changes to ISM controls. Defence does not have a structured process in place to ensure that Security Assessors are aware of changes to ISM control requirements. Defence advised the ANAO in February 2024 that the System Security Plan Essential Eight Annex is ‘routinely updated to reflect changes to ISM controls’⁷¹ and that:

Any deficiencies in knowledge that result in inadequate risk identification and control coverage is identified within the peer review process, and failing that, at Certification Authority review.⁷²

2.88 The absence of a formalised training approach to support the effective implementation of DSPF requirements for the assessment and authorisation of ICT systems increases the risk that systems are not being authorised as intended. Defence data on the authorisation status of ICT systems (discussed at paragraphs 3.15–3.26) shows that 47 per cent of systems recorded in Defence’s ICT authorisation management system have a status of either ‘Expired’ or ‘No accreditation’. A September 2019 Air Force brief (see paragraph 3.44) identified that there was a lack of awareness of authorisation responsibilities, and Defence advised the ANAO in June 2024 that further improvements were required to assist System Owners in meeting their authorisation obligations (see paragraph 3.31).

Defence Cyber Security Strategy Action Plan

2.91 As discussed at paragraph 1.4, the Defence Cyber Security Strategy noted that one of Defence’s most critical risks is cyber security. One objective of Defence’s Cyber Security Strategy is to ‘build awareness of cyber security threats and individual accountabilities, and uplift cyber security capability across the Defence workforce’.

2.92 To address this objective, Defence stated in its Cyber Security Strategy Action Plan, that ‘An enterprise-wide cyber security training program will be established to deliver uplift across the enterprise’ including:

• additional tiered training programs to address differing requirements based on position, and access to classified information and critical capabilities;
• development programs for all personnel involved in the design, management and security of Defence’s cyber terrain; and
• training programs for senior executives to improve their understanding of, and ability to manage, cyber security risks.

2.93 Defence advised the ANAO in May 2024 that ‘the training program under development within the Cyber Security Strategy Action Plan does not cover specific training for ICT Security Assessment and Authorisation’.

3.1 Fit-for-purpose governance, monitoring, and reporting arrangements support Defence to demonstrate the effective implementation of its ICT assessment and authorisation framework. Sound arrangements: are commensurate with the scale, scope, and risk of the activity; consider the available sources of data; and are responsive to the outcomes and findings from previous review activities.

3.2 In September 2021, Defence commenced an ICT inventory project to develop a ‘comprehensive knowledge base of all current Defence Portfolio ICT systems, networks, applications and services’. In this context, Defence’s governance and organisational arrangements should be geared to providing senior leadership with comprehensive oversight of the status of Defence’s ICT security authorisations across all systems, including at the enterprise level.

Has Defence established fit-for-purpose governance, monitoring and reporting arrangements to oversee implementation of its framework and compliance with requirements?

3.3 Protective Security Policy Framework (PSPF) Policy 11 Robust ICT systems requires that a decision to authorise a system must be based on the Information Security Manual’s (ISM) six-step risk-based approach to cyber security. Step six of the ISM’s approach outlines the requirement for entities to monitor authorised systems, including regular reviews of security controls to ensure they remain fit-for-purpose, and to undertake re-authorisation where required.

3.4 Defence Security Principles Framework (DSPF) Control 23.1 ICT Certification and Accreditation establishes the responsibility for System Owners in ‘obtaining and maintaining’ the authorisation of their systems. It also outlines a requirement for systems to be re-authorised when specific conditions are met, including when new or emerging threats are detected, security measures are not operating as planned, and when the system’s authorisation expires.⁷³ Defence’s assessment and authorisation process (discussed at paragraphs 2.53–2.73) does not mandate any specific processes for ongoing monitoring of ICT systems after authorisation.⁷⁴

System authorisation data

3.5 Defence’s May 2020 internal audit into the Certification and Accreditation of Defence ICT Networks found that 44 per cent of ICT systems recorded by the Defence Cyber and Information Assurance Branch (DCIAB) had an expired authorisation status.⁷⁵ The audit recommended, among other things:

• better ongoing management of networks and systems using the capability of Defence’s ICT authorisation management system to ensure the accuracy and currency of data;
• obtaining visibility of active systems across Defence to determine whether they have been authorised, and enable proactive management of re-authorisation, where required;
• requesting reporting from the Defence Finance Group (DFG) on Group and Service ICT procurement as a means to identify systems which have not been authorised⁷⁶; and
• obtaining regular confirmation from System Owners that there have been no changes that would trigger a need for a re-authorisation. ⁷⁷

3.6 Defence agreed to the recommendations and proposed to address them partly through conducting an inventory of Defence ICT systems and the introduction of an updated ICT authorisation management system.⁷⁸

Inventory of Defence ICT systems

3.7 Throughout 2019–20, concerns regarding Defence’s use of unauthorised systems were raised in at least three internal committee meetings as follows.

• In July 2019, the Defence Audit and Risk Committee (DARC) discussed ICT issues identified in an internal audit report⁷⁹ including a ‘lack of control over systems and applications that are not managed by the CIO Group’. The DARC noted that it is ‘the unknown risk that [these systems] may pose for Defence that is of concern’. The DARC requested that the Chief Information Officer Group (CIOG) conduct a stocktake of ICT systems to establish the number and types of these systems, who is responsible for them and identify any risks that they may pose to Defence.⁸⁰
• At a Defence Committee meeting in September 2019⁸¹, the minister was advised of a lack of awareness of unapproved systems within Defence and the vulnerabilities that unapproved systems create. The minister requested that Defence include a metric on the reduction of unapproved ICT systems in an ‘ICT reform stream report’. The Defence Committee recorded this request as an action item for the Chief Information Officer to include a metric on the reduction of unapproved systems in ‘ICT stream reporting’. Defence advised the ANAO in August 2024 that this action item was consolidated with the other requests from committees outlined in paragraph 3.7, resulting in Defence undertaking an inventory of Defence ICT systems (see paragraph 3.8). There is no evidence that the reporting metrics requested as per the original action item were implemented, or that the action item was closed through the Defence Committee.
• In January 2020, the Enterprise Business Committee (EBC) requested CIOG advice on ‘the entities outside of CIOG that have management responsibilities for any aspect of the Defence ICT network, their scope, risks and major actions underway’.

3.8 In September 2021, Defence’s Head of ICT Operations (HICTO) directed work to commence on an inventory of Defence ICT systems as a means to:

• develop a ‘comprehensive knowledge base of all current Defence Portfolio ICT systems, networks, applications and services’ including their authorisation status and authorisation expiry date;
• identify any risks that may exist across the system portfolio; and
• enable the ongoing effective governance and management of Defence Portfolio ICT systems.⁸²

3.9 The inventory project has identified and recorded a range of ICT systems across the Defence portfolio.⁸³ Systems have been categorised and recorded under three broad definitions:

• Information Technology (IT) — ‘Systems that manage the creation, processing, presentation and storage of information’;
• Operational Technology (OT) — ‘Systems that exist with the main purpose of aiding an effort that accomplishes a physical task’; and
• Other — ‘Any other ICT system that can’t be placed in a category’.

3.10 The definition adopted by the inventory project for ‘IT systems’ aligns with the DSPF requirement for systems that process, store, or communicate official information to be authorised.⁸⁴ 48 per cent of systems recorded in the inventory list were classified as ‘IT systems’. Of these, 89 per cent did not have a recorded authorisation status. Of the systems that had an authorisation status recorded, 73 per cent were recorded as ‘Active’; 9 per cent were recorded as ‘No accreditation’; 9 per cent were recorded as ‘Expired’; 6 per cent were recorded as ‘New in progress; 2 per cent were recorded as ‘In re-accreditation’; and 2 per cent were recorded as ‘Not required’.⁸⁵

3.11 In April 2023, a brief was provided to the Chief Information Security Officer (CISO) noting that the inventory system was ‘experiencing user reticence through a native user interface that is unintuitive and provides information inconveniently.’ The brief outlined options for migrating inventory data to Defence’s ICT authorisation management system to reduce the risk of poor stakeholder adoption and to improve integration with the management system’s data. Defence migrated the inventory data into Defence’s ICT authorisation management system in July 2024.⁸⁶

Defence’s ICT authorisation management system

3.12 Defence’s system for progressing, recording and managing ICT system assessments and authorisations was introduced in August 2019, as part of Tranche 1 of the Governance, Risk and Compliance (GRC) project. The GRC project fell under a broader ‘multiyear Security Enhancement program’ that commenced in 2017.⁸⁷ The system was upgraded as part of Tranche 2 of the GRC project in March 2022.⁸⁸ Defence advised the assistant minister in October 2022 that the GRC initiative had been delivered.

3.13 Defence’s ICT authorisation management system includes fields to record key system information including: system authorisation status and authorisation date; authorisation expiration date; residual risk rating⁸⁹; Business Impact Level (BIL); Authorising Officer; Group/Service; and System Owner. The system also allows for key supporting documentation, such as the System Security Plan (SSP), to be uploaded as part of the system record.⁹⁰

3.14 As noted in paragraph 3.10, approximately 48 per cent of the systems identified through Defence’s inventory project are IT systems that ‘manage the creation, processing, presentation and storage of information’. Of these IT systems, 5 per cent had been recorded in Defence’s ICT authorisation management system (as at June 2024).

Data quality

3.15 ANAO analysis of Defence’s ICT authorisation management system data identified data quality issues, indicating weaknesses in the processes established to ensure that complete and accurate data is recorded in the system. Not all data fields have been consistently populated. Responsibility for completing these fields is allocated across multiple roles, including the System Owner, Security Analyst and Security Assessor, throughout the assessment and authorisation process. Table 3.1 outlines key fields and the extent to which data has been recorded against those fields for the systems that have been documented in Defence’s ICT authorisation management system.

Table 3.1: Completeness of fields across the IT systems recorded in Defence’s ICT authorisation management system, as at 30 July 2024

Note a: Of these systems, 1 per cent had an authorisation date that was prior to the recorded Risk Assessment date. As discussed at paragraph 2.71, a Risk Assessment is provided to the Authorising Officer prior to an authorisation decision being made. Four per cent of systems had an authorisation date of 30 June 2099. For the 4 per cent of systems with authorisation dates of 30 June 2099, Defence advised the ANAO in May 2024 that, prior to the implementation of the upgraded ICT authorisation management system, the authorisation date was a mandatory field once a system had been assigned for assessment, and that ‘Cancelling the system after this required entering a value’. Defence further advised that ‘None of the … systems with accreditation dates falling in 2099 represent current accreditations.’

Note b: Of these systems, 0.4 per cent had authorisation expiry dates more than 75 years into the future. Authorisations for 0.3 per cent of systems (all granted in 2017) were for 4.01 years, exceeding the three-year maximum authorisation period available under the Defence Security Manual (DSM), which was in effect at the time. The DSM stated that ‘Accreditation certificates must [emphasis in original] expire after three years.’

Note c: Of these systems, 90 per cent had a Business Impact Level rating of ‘Unknown’.

Note d: Of these systems, 7 per cent had recorded the Authorising Officer as the ‘Chief Technology Officer / Chief Information Security Officer’. For 18 per cent of those systems the CISO was also the Assessment (Certification) Authority. Under the DSPF, Assessment Authority responsibilities include providing recommendations to the Authorising Officer.

Note e: The May 2020 internal audit, Certification and Accreditation of Defence ICT Networks, assessed a sample of five Defence systems and found that the System Overview Document (which was superseded by the System Security Plan in January 2023) was missing for three systems.

Source: ANAO analysis of Defence data.

3.16 Defence’s data suggests that the number of system authorisations it conducts annually has been progressively increasing (by an average of 50 per cent each year).

• The number of Defence systems authorised in 2023 was 744 per cent higher than the number authorised in 2012.
• The average number of Defence systems authorised each year from 2012 to 2023 equates to 0.2 per cent of the total number of ‘IT systems’ identified through Defence’s ICT inventory project.
• The number of systems authorised by Defence in 2023 was equivalent to 0.3 per cent of the ‘IT systems’ identified in the inventory project.

System authorisation status

3.17 Many of the ICT systems recorded did not have an ‘Active’ authorisation status.⁹¹ Of the systems recorded in Defence’s ICT authorisation management system as at 30 July 2024, the authorisation statuses were: ‘Expired’ (26 per cent); ‘No accreditation’ (21 per cent); ‘Active’ (12 per cent); ‘New in progress’ (27 per cent); and ‘In re-accreditation’ (14 per cent). Of those systems with an ‘Active’ authorisation status, 30 per cent had an authorisation expiry date that had passed (at the system report date of 30 July 2024).

3.18 Air Force Standing Instruction 05-02 Cyberworthiness, Certification and Accreditation requires the Air Force to maintain a register of Air Force systems and their assessment and authorisation status. Of the systems identified on the Air Force list as at February 2024: 72 per cent were not authorised; 20 per cent were either fully or provisionally authorised; 5 per cent had authorisations in progress; and 3 per cent had no authorisation status recorded. Of the systems that were recorded as either fully or provisionally authorised, the authorisation expiry date had passed for 55 per cent (as at 30 April 2024). Defence advised the ANAO in August 2024 that ‘work to consolidate [Air Force] accreditation status data with [Defence’s ICT authorisation management system data] is yet to be planned and resourced.’

3.19 Defence’s ICT authorisation management system data (see Appendix 3) shows that, for systems with a risk rating of ‘low’ to ‘significant’, the most common authorisation status is ‘Expired’. Of the 0.09 per cent of systems with a residual risk rating of ‘Extreme’, half of those had an authorisation status of ‘No accreditation’ and the other half had a status of ‘Expired’. Of the systems recorded in Defence’s ICT authorisation management system, 37 per cent had been allocated a residual risk status of ‘Unknown’.

3.20 As noted at paragraph 3.17, 47 per cent of systems were recorded with a status of either ‘Expired’ or ‘No accreditation’. For these systems, the ‘System Operation Status’ was recorded as: blank (85 per cent); ‘operational’ (8 per cent); ‘development’ (5 per cent); ‘retired’ (2 per cent); and ‘commissioned’ (1 per cent).⁹² Due to the number of blank fields, the extent to which unauthorised systems remain operational is unclear. The ISM six-step process includes requirements for the decommissioning of systems once they are no longer operational.

3.21 The ICT authorisation system records for systems with a ‘New in progress’ status had not been updated for an average of 388 days as at 30 July 2024, indicating that the assessment and authorisation process had not progressed on Defence’s ICT authorisation management system during that time. Of the systems with a ‘New in Progress’ status, 34 per cent had not been updated in over 600 days, including 5 per cent that had not been updated for 1,035 days.⁹³ Defence analysis conducted in 2021 found that requests for assessment and authorisation took an average of 285 days to be completed during the 12 months up to September 2021.

3.22 In September 2020, DCIAB conducted a review of its staffing levels in response to an internal audit into Defence’s assessment and authorisation arrangements. The review found that ‘on average the team is operating above 100 per cent utilisation’, resulting in delays to system assessments, responding to enquiries, and project engagement, as well as impacting staff wellbeing. Defence advised internal audit in December 2021 that ‘The proposed solution was assessed internally and, due to CIOG ASL [Chief Information Officer Group Average Staffing Level] pressures and limitations, plus in the interest of expediency, the Defence CISO elected to address the staffing deficiency with a contracted workforce.’

System re-authorisation

3.23 Defence’s intranet states that non-urgent authorisation requests may take up to 180 days. Defence’s intranet also states that:

if Certification Management (DCIAB) has been engaged and a current task exists to commence a re-Certification/Accreditation activity, the existing Accreditation will remain valid until the activity is completed and a decision received from the appropriate Accreditation Authority on the re-Accreditation request.

3.24 At 30 July 2024, 14 per cent of systems in Defence’s ICT authorisation management system had a status of ‘In re-accreditation’. On average, the records for these systems had not been updated for 255 days. Three per cent of the systems with a status of ‘In re-accreditation’ had not been updated for 1035 days.⁹⁴ This indicates that the re-authorisation process had not progressed on Defence’s ICT authorisation management system during that time. Further, 68 per cent of the systems undergoing re-authorisation had passed their authorisation expiry date as at 30 July 2024. One of these was Defence’s ICT authorisation management system itself which, as at 9 August 2024, had an authorisation status of ‘In re-accreditation’. The system’s authorisation expired on 2 March 2023.⁹⁵

Control 23.1 assurance arrangements

3.27 The DSPF states that DSPF Control Owners are responsible for managing, monitoring and reporting on the implementation of their controls across Defence. Control Owners may establish ‘assurance frameworks’ to delegate the responsibility for control implementation and control reporting to Group Heads, Service Chiefs, Commanders and Managers of business units.⁹⁶ Defence advised the ANAO in January 2024, that ‘there has been no specific assurance framework established with the Control Implementers to measure the effectiveness of DSPF Control 23.1.’

3.28 Internal audits in 2019 and 2020 (see paragraph 3.5) found deficiencies in the design of Defence’s assessment and authorisation process, including that there were no arrangements in place to: assess the effectiveness of system security controls; ensure system owners implement recommendations made through the assessment process; and ensure changes that trigger re-authorisation requirements are identified and actioned by system owners.⁹⁷

3.29 In September 2020, the Defence Security Committee (discussed further at paragraphs 3.52–3.65) was advised that:

Control Owner awareness of their responsibilities and accountabilities under the DSPF, and their engagement with the implementation of their Control is not sufficient to assure that Defence is adequately managing security risks. In this reporting period [2019–20], Control Owners reported they do not have sufficient oversight of their DSPF Control to adequately govern the implementation of their policy.

3.30 Consistent with this advice, an internal Defence review in 2022 found that Control Owners do not have sufficient information to make ‘measurable improvements to their existing controls’ and that it was ‘difficult for Defence to make broad judgements about the extent to which the DSPF is providing sufficient mitigation.’⁹⁸

3.31 Defence advised the ANAO in June 2024 that:

Responsibility to monitor the triggers for reauthorisation rests largely with the System Owner’s organisation via normal system and business management practices … Defence understands this is currently an area for improvements as there are insufficient automated facilities to assist the System Owner (and Accreditation Authority) to meet their obligations.

Integrated Continuous Assurance (ICA) functionality originally scoped for [Tranche 2 of the GRC project] was expected to enable a large portion of this functionality however it was de-scoped out of [Tranche 2]. As such, [Defence] is presently pursuing this functionality as part of its monitoring improvement strategy.

Service level assurance and monitoring arrangements

3.32 As discussed at paragraph 2.26, Army, Navy and Air Force have each issued policies, instructions or directives to support compliance with DSPF Principle 23 and Control 23.1. These documents include assurance and monitoring requirements for ICT system assessment and authorisation.

Army

3.33 The Chief of Army issued the Army Standing Instruction (Protective Security) in August 2021 (updated November 2023), which requires units to conduct annual cyber self-assessments to ‘normalise the conduct of cyber security within units and provide a means to monitor the maturity of unit cyber security.’⁹⁹ The self-assessments include checking that: authorisation documentation is in place; authorisation is current; and whether any changes to the system may impact the system’s authorisation status.

3.34 Army provided the ANAO with examples of four completed self-assessment reports from 2022 and 2023. These reports contained a number of incomplete fields or issues. For example: one report did not confirm that authorisation documentation was in place for all relevant systems¹⁰⁰; two indicated that relevant authorisations had expired; two had not documented whether an assessment of system changes (that could impact authorisations) had occurred; and two reports had not been signed by all required officers.¹⁰¹ Defence advised the ANAO in June 2024, that ‘[n]o specific follow-up activities were conducted in response to issues raised within the reports.’

Navy

3.35 The Navy Cyberworthiness Policy, released in August 2022, requires that a Cyberworthiness Department Managed Audit (DMA) is conducted prior to a capability being released following a period of maintenance, and at least every two years thereafter. The DMA includes assessing whether authorisation documentation is available and recorded in the Configuration Status Account (CSA) ‘as proof … ICT systems are certified and accredited’. Navy provided the ANAO with seven audit reports completed over 2022 and 2023.

3.36 All seven reports found deficiencies in authorisation documentation and five reports identified systems that had not been authorised. The reports’ findings included that ‘lack of certification and accreditation is beyond the ability of [Navy] to address’; ‘it is almost impossible for [Navy] to be compliant and have a robust system when Cyberworthiness is yet to be achieved for the entire Group’; and ‘until the Navy Cyberworthiness is in a more mature state all requirements of the Cyber DMA will not be possible to be met.’ Three reports stated that release of the capability should not be delayed or prevented.

3.37 The reports’ findings are consistent with advice to senior Navy personnel between October 2021 and June 2022, which identified a lack of authorisation of Navy systems in accordance with the DSPF. The advice noted that Navy considered it ‘unreasonable’ to authorise all systems in the short-term, however authorisation of all systems remained Navy’s long-term goal.

3.38 The advice included a list of ‘priority’ unauthorised systems, each with a Business Impact Level (BIL) of ‘Extreme’ and requested agreement from Navy to ‘initiate the certification and accreditation process as soon as possible.’

3.39 The relevant senior personnel responded to the advice in June 2022 agreeing the need to authorise the identified systems. The response also stated that the relevant business area did not ‘have required skillsets, expertise and capacity to initiate and manage the accreditation process requirements for all the systems outlined’. The response proposed that the matter be raised at the relevant Navy Review Board. The review board referred the issue to the relevant Governance Board in July 2023, which decided that an ‘enterprise approach to cyberworthiness needs to be adopted, resourced and funded appropriately’, and appointed the Director General of Navy Intelligence and Information Warfare (Director General NIW) to take the lead with this initiative.

3.40 A minute provided to the Director General NIW in October 2023 outlined the board’s decisions and stated that ‘[o]f the … Navy owned ICT and OT maritime materiel and support systems, installed … less than 1 per cent have achieved accreditation or have an extant system CwMP [Cyberworthiness Management Plan]’.

3.41 In March 2024, the Director General NIW advised the Navy Review Board that a cyber evaluation and management tool was being developed to support the assessment and authorisation of Navy platforms. The board was advised that the tool will be trialled to assess the cyber risk, current controls and mitigation strategies of a Navy capability, in order for the capability to be considered for authorisation in November 2024.

3.42 Defence advised the ANAO in June 2024 that the systems identified in the Navy advice had not been authorised and that six of the seven capabilities subject to the DMA were released for operational use prior to their ICT systems being authorised. This is not consistent with PSPF Policy 11 which requires that entities must only process, store or communicate information and data on an ICT system that has been authorised to operate.

Air Force

3.43 Air Force instruction AC SI(OPS) 05-50 Cyberworthiness of Air Force Command, Control, Communications, Computers and Intelligence Systems requires the audit and oversight of ‘cyber practices, systems compliance and [Air Force security module] reporting on behalf of the Air Commander.’ Air Force provided a list of Air Force ICT systems (see paragraph 3.18) which included analysis of the number, risk level and authorisation status of the systems.¹⁰² The documents provided did not include evidence of auditing or oversight of assessment and authorisation requirements.

3.44 Briefings to the Air Commander Australia¹⁰³ between January 2018 and September 2019 identified that:

• approximately 3 per cent of Air Force systems had achieved authorisation, and that meeting a CDF direction for all systems to be authorised by September 2018 was ‘unrealistic’;
• there was a ‘lack of awareness of accreditation responsibilities in Air Command’ and an approved Air Force instruction outlining authorisation requirements; and
• the Air Commander provided approval for the operation of an Air Force training system without ICT authorisation for the period 11 March 2019 to 29 March 2019, for the purposes of operational testing and evaluation.

PSPF self-assessments

3.47 Under the PSPF, all non-corporate Commonwealth entities must report on their self-assessed level of maturity against PSPF requirements to their portfolio minister and the Department of Home Affairs each financial year. The DSPF outlines Defence’s obligation for annual reporting to government on PSPF compliance, and establishes supporting governance and reporting arrangements for DSPF Controls, including Control 23.1, through regular Control Owner reporting.

3.48 PSPF Policy 5 requires entities to conduct their self-assessment of each PSPF policy against a four-point rating scale: Maturity Level 1 – Maturity Level 4. These maturity levels are assigned descriptors: ‘partial’, ‘substantial’, ‘full’ and ‘superior’ respectively. Prior to October 2022, these maturity levels were called: ‘ad hoc’, ‘developing’, ‘managing’ and ‘embedded’, with descriptors ‘partial’, ‘substantial’, ‘full’ and ‘excelled’ respectively.

3.49 The PSPF self-assessment report includes a section to outline the rationale for the selected maturity level for each policy, as well as a detailed assessment section with questions regarding compliance against key aspects of each PSPF policy. For PSPF Policy 11, question 11.2 of the detailed assessment asks entities to assess their implementation of the requirement that:

Before processing, storing or communicating sensitive or classified information on an entity ICT system, the determining authority (or their delegate) has authorised the system to operate based on the acceptance of the residual security risks to the system and information in accordance with the Australian Government Information Security Manual.

3.50 Defence’s self-assessment results for PSPF Policy 11, including extracts of relevant sections of the rationale, are outlined in Table 3.2.

Table 3.2: Defence PSPF Policy 11 maturity self-assessments

Note a: The definition of ‘Developing’ is ‘Security measures are substantially in place for ICT system development. Certification and accreditation of ICT systems in accordance with ISM technical standards is, in the majority of cases, managed when operationalised’.

Note b: As discussed at paragraphs 2.13–2.16, Authorisation Officer roles had not been fully defined for most Defence Services and Groups in the DSPF.

Note c: The definition of ‘Substantial’ is ‘Requirement is largely implemented but may not be fully effective or integrated into business practices.’

Note d: The definition of ‘Managing’ is ‘Security measures are applied during all stages of ICT system development. ICT systems are assessed and authorised (previously certified and accredited) in accordance with ISM technical standards when operationalised’.

Note e: The definition of ‘Excelled’ is ‘Requirement and relevant better-practice guidance are proactively implemented in accordance with the entity’s risk environment, are effective in mitigating security risk and are systematically integrated into business practices.’

Note f: The definition of ‘Full’ is ‘Requirement is fully implemented and effective and is integrated, as applicable, into business practices.’

Source: ANAO analysis of Defence PSPF annual reports.

3.51 Table 3.2 shows that, since 2018–19, Defence has assessed that it has achieved Maturity Levels 2–3 for the requirement to authorise ICT systems before processing, storing or communicating sensitive or classified information. Table 3.2 also shows that, since 2020–21, Defence has reported that it ‘applies a rigorous certification process to all ICT systems … that process, store and/or communicate sensitive and classified Defence information’.¹⁰⁴

Control Owner reporting

3.52 To develop an enterprise-wide security risk view, and support PSPF annual reporting, the DSPF requires Control Owners to ‘report to the DSC [Defence Security Committee] on each DSPF Principle and Expected Outcome’ to provide assurance that DSPF controls are being implemented and highlight any serious security incidents, risks or events.

3.53 The DSC charter states that it is ‘responsible for supporting the Chief Security Officer in implementing the requirements of the Protective Security Policy Framework’ and ‘provides oversight on security risk management, specifically, an annual cycle of strategic security risk management planning, reporting and quality assurance’.¹⁰⁵

3.54 Prior to February 2023, DSPF Control Owners were required to provide a report to the DSC on an annual basis. For the 2019–20 and 2020–21 reporting periods, Control Owner reports were completed but were not submitted individually to the DSC. Instead, the Defence Security Division ‘collated Control Owner Reports into a single annual summary brief for the DSC’.¹⁰⁶ Neither an individual Control Owner report for Control 23.1 nor an annual summary was provided to the DSC for the 2018–19 reporting year.

3.55 In May 2022, the Chief Security Officer provided a paper to the DSC, proposing a rolling program of Control Owner reporting ‘to re-align Control Owner reporting with the governance provisions of the DSPF’. As part of the rolling program, Control Owners would ‘provide an annual report to the DSC on each DSPF Principle and Expected Outcome they have responsibility for’ in accordance with the requirement stipulated in the DSPF.¹⁰⁷ The DSC agreed to the proposal.

3.56 In February 2023, the DSC endorsed a further recommendation to change the frequency of Control Owner reporting from annually to once every two years.¹⁰⁸ Defence advised the ANAO in June 2024 that this was to provide ‘sufficient time for Control Owners to produce quality and meaningful reporting; and ensuring [there was] sufficient time in DSC meeting[s] to meaningfully review and discuss Control Owner reports.’ The ‘Governance and Executive Guidance section’ of the DSPF was updated in March 2024 to reflect this change.

3.57 To support Control Owner reporting, Defence has developed a template that Control Owners are required to use for reporting to the Defence Security Committee.¹⁰⁹ The template requires Control Owners to assess Defence’s implementation of DSPF Principles and assign an overall maturity rating based on the PSPF four-point scale (see paragraph 3.48). Other sections of the template instruct the Control Owner to provide information about security incidents, risk and assurance activities related to the Control.

3.58 In Control Owner reporting for DSPF Control 23.1 between 2018–19 and 2020–21, the implementation of DSPF Principle 23 was assigned an overall maturity rating of ‘Managing’, which was accompanied by the following description:

the DSPF Principle is implemented, integrated into business practices and effectively disseminated across Defence. Defence meets all DSPF Expected Outcomes, with only occasional and minor lapses.

3.59 Further commentary in the 2018–19 and 2019–20 reports noted that:

Assurance processes, ensuring appropriate protections for unofficial, official, sensitive or classified Defence information during processing, storage and communication, are applied to all Information Communications and Technology (ICT) systems and capabilities prior to their operational use. The Certification and Accreditation process ensures risks to ICT systems are identified, mitigated and/or accepted as necessary.

3.60 The Control Owner report for 2020–21 stated that:

Defence’s Information Assurance processes (ICT System Certification and Accreditation) is considered effective in ensuring appropriate protections are in place on Defence ICT systems prior to authorisation to process, store and/or communicate operational sensitive and classified information. The Certification and Accreditation process ensures risks to ICT systems are identified, mitigated and/or accepted as necessary.

…

DSPF Principle 23 and Control 23.1 outlines governance and functional appointments in terms of responsibility for the conduct of ICT systems certification and accreditation across Defence.¹¹⁰

The Certification and Accreditation process incorporates checks and balances to ensure assessments remain relevant and considers emerging cyber threats.¹¹¹

3.61 In May 2024, a Control Owner report for Control 23.1 was provided to the DSC. The maturity of Defence’s implementation of DSPF Principle 23 was assessed as ‘developing’, with the report outlining deficiencies including that: assessment and authorisation policy was not current; Defence’s ICT authorisation management system did not sufficiently support an enterprise-wide view of ICT risks; and the volume of Defence ICT systems outweighs available resources for assessment and authorisation activities.¹¹² As outlined at paragraph 3.16, on average, 0.2 per cent of the total number of Defence systems identified through Defence’s ICT inventory project that ‘manage the creation, processing, presentation and storage of information’ are authorised each year.

3.62 DCIAB internal reviews of the draft 2024 Control Owner report, prior to it being presented to DSC, suggested on at least two occasions that the number of systems that had not been through the assessment and authorisation process should be included in the Control Owner report. The final version did not include those numbers. Defence advised the ANAO in June 2024 that ‘[a]t the time of preparing the Control Owner report, the statistics available could not be summarised into a cohesive and confident set of annualised statistics and this was therefore dropped from inclusion so as not to misrepresent or mislead the current state to the DSC.’

3.63 For the period of reporting examined by this audit, (2018–19 to 2023–24), neither Defence’s PSPF self-assessment nor Control Owner reporting has included information on the authorisation status of Defence systems at an enterprise level. This information is a key indicator of compliance against the PSPF Policy 11 (and DSPF Control 23.1) requirement that entities ‘only process, store or communicate information and data on an ICT system that the determining authority (or their delegate) has authorised to operate’.

3.64 Defence’s reporting on its compliance with this requirement contrasts with information available in other Defence documentation, including:

• the findings of internal audits conducted in 2019 and 2020 (see paragraph 3.5);
• ICT system authorisation data (see paragraphs 3.17–3.24) which indicates that 47 per cent of systems recorded had an authorisation status of either ‘Expired’ or ‘No accreditation’;
• the findings of service-level assurance activities (see paragraphs 3.32–3.44); and
• records from various Defence committees (see paragraph 3.7) outlining concerns raised in relation to Defence’s use of unauthorised ICT systems.

3.65 The lack of alignment between the information in Defence’s other documentation and its PSPF and Control Owner reporting since 2018–19 raises issues around the accuracy and transparency of Defence’s reporting to its accountable authority and senior leadership. Under Section 25 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), officials are required to perform their functions and discharge their duties with reasonable care and diligence. Section 26 of the PGPA Act sets out that officials are to exercise powers, perform functions and discharge their duties honestly, in good faith and for a proper purpose.¹¹³

DCIAB reporting

3.66 DCIAB produces weekly reports providing summaries of key issues across the branch, including updates on the assessment and authorisation status of specific ICT systems. Since DCIAB’s transition from CIOG to Cyber Command in January 2024, these reports have been provided to the Commander of Cyber Command. Prior to January 2024, these reports were provided to Defence’s Head of ICT Operations (HICTO). There have been no instances where this reporting included the number of systems that were authorised or unauthorised across Defence.

Reporting to the Minister for Defence

3.69 In January 2024, Defence advised the ANAO that:

no specific briefings have been provided to the Defence Minister on either Certification and Accreditation (C&A) or Assessment and Authorisation (A&A) in the last three years.

3.70 Defence has provided the minister with annual briefings in relation to its PSPF self-assessments. None of the briefings prepared during the period examined by this audit (since 2018–19) have contained any information about the authorisation status of Defence ICT systems.¹¹⁴

3.71 As noted at paragraphs 3.47–3.68, deficiencies were identified in Defence’s PSPF and DSPF reporting, including not disclosing the extent of recorded unauthorised systems across Defence (a key indicator of compliance against the requirements of PSPF Policy 11). This same information, and the risks it poses to the Department, has also not been reported to the minister. This raises questions as to whether the minister has been kept sufficiently informed of key issues in relation to assessment and authorisation. Under Section 19 of the PGPA Act, the accountable authority of a Commonwealth entity is required to keep the responsible minister informed of the activities of the entity, including any ‘significant issues’ that may affect the entity.

Have selected Defence ICT systems been authorised and monitored in accordance with the framework?

3.74 Defence’s policy and procedural requirements for ICT system authorisation are set out in the DSPF and Defence’s assessment and authorisation process. To examine Defence’s application of relevant requirements, the ANAO selected five Defence ICT systems for case study analysis. These systems were selected from the Defence ICT inventory project list. One system was selected from each Service (Army, Navy, and Air Force), Defence’s Joint Capabilities Group (JCG) and the Chief Information Officer Group (CIOG), based on the highest recorded procurement cost¹¹⁵ and the most recently completed authorisation process.¹¹⁶ The five systems selected by the ANAO are outlined in Table 3.3.

3.75 For the each of the five systems in Table 3.3, ANAO reviewed Defence’s most recent authorisation process for that system against relevant requirements of the July 2020 DSPF Principle 23 and Control 23.1 and the four steps of Defence’s assessment and authorisation process: lodge certification and accreditation request; conduct certification assessment; review certification assessment; and finalise certification and accreditation.

Table 3.3: Case study summary

Note a: This system was assigned to Army in the Defence ICT inventory list. However, the system has multiple versions that operate across different Services and Groups, including Army, Navy, and Air Force. Defence advised the ANAO in February 2024 that the relevant task for this system in Defence’s ICT authorisation management system ‘superseded the individual Service and Joint Operations Command implementations of … a capability-level accreditation’. ANAO review of this case study is limited to the system used by Army (see Army Case Study).

Note b: This system was allocated a residual risk rating of ‘Low’ in the Defence ICT inventory list. The Decision Brief for this system notes a residual risk of ‘Moderate’. The same brief also notes in the overall assessment that, ‘Based on its inherent risk and implemented controls, ICTSB [now DCIAB] has assessed the residual risk of the system to be LOW.’

Source: ANAO analysis.

Lodge certification and accreditation request

3.76 As discussed at paragraphs 2.56–2.57, Defence’s assessment and authorisation process states that the lodgement of a request for system authorisation is done by the System Owner or their delegate through Defence’s ICT intranet job portal. The process also requires System Owners to: provide detailed information to support the authorisation process, including entering system data (such as design information, threats and risks, and details of relevant personnel and business units) into Defence’s ICT authorisation management system; conduct a Business Impact Level (BIL) assessment; and provide a System Risk Score document and a System Security Plan (SSP).

3.77 The five selected systems were assessed against these requirements and the results are outlined in Table 3.4.

Table 3.4: Lodgement of supporting information with ICT assessment and authorisation requests

Key: ○ Not met ◑ Partly met ● Fully met

Source: ANAO analysis of Defence documents.

3.78 Defence did not consistently apply its assessment and authorisation process in the following respects.

• For all five systems examined, complete data had not been entered in Defence’s ICT authorisation management system, despite this information often being available in supporting security documents.
• For two systems, a BIL assessment had not been conducted. For one further system, a BIL rating had been assigned in supporting documentation, but the basis for this rating was not documented in a BIL assessment.
• For three systems, a System Risk Score document was not completed.¹¹⁷ For the two remaining systems, the system characteristics and controls sections of the Security Risk Score document had been completed, but the responses had not been assessed or scored by DCIAB.¹¹⁸ In one of the documents not assessed by DCIAB, the System Owner had not assessed their system as being compliant with the ‘ASD Top 4’.¹¹⁹
• For four systems, the correct SSP template had not been completed. For these systems, alternative documentation was submitted instead, including Standard Operating Procedures (SOPs)¹²⁰, unsigned System Overview Documents, and a custom SSP.¹²¹ For the one system where the correct SSP template had been completed, the SSP had not received executive sign-off and approval as required by the template.

Note a: The Army system was initially introduced and authorised for use by Navy in December 2008. As part of an upgrade, system functionality was extended for use by Army in January 2011. Historical documentation for this system indicates that the system was granted authorisations in January 2011, July 2013 and September 2013. Subsequent authorisations are discussed in the Army case study.

Note b: Deficiencies identified included poor password security, sharing of administrator credentials, and uncontrolled changes being made to the system. The vulnerability assessment also noted that ‘it is likely that the findings included in this report relate to all [system] environments’.

Note c: The Security Remediation Plan was released in November 2016 and outlined actions to be taken including: implementing policies and procedures for logging and monitoring in line with ISM requirements; resetting of account passwords and disabling of shared accounts; updating documentation to reflect current system configuration; and implementation of a change management process.

Note d: The Risk Assessment did not detail what specific remediation action had been undertaken from the Security Remediation Plan.

Note e: Conversely, it was stated elsewhere in the Risk Assessment that ‘ICTSB has assessed that the current implementation [of the system and controls] does not address security concerns identified during the development and certification process and does not meet the requirements for effective security.’

Note f: The heightened risks for this system were reflected in a July 2016 System Risk Score document for the Army and Air Force instances of the system. All 11 ‘potential security management controls’ listed as part of the System Risk Score template were identified as applicable to and selected for implementation for the system (including an annual review of the Security Risk Management Plan, and vulnerability assessments/scans conducted on a sample basis at least every two years). 
A risk score of ‘Excellent’ was allocated to the system in the July 2016 System Risk Score document, despite many controls being assessed as either not applicable or not implemented. DCIAB referenced the 2016 Vulnerability Assessment when documenting the basis for this score in the System Risk Score document but did not address how it had arrived at a result that differed from the Extreme risk in the Vulnerability Assessment. DCIAB noted that the System Risk Score document would not be used for the assessment and authorisation process, instead relying on the Vulnerability Assessment.

Note g: One control had been amended to note that server infrastructure previously managed by CIOG had been transitioned to an IT company, Leidos.

Note h: Minutes from a meeting of the system’s Executive Board in May 2018 stated that ‘A security assessment and certification is currently underway by ICTSB [now DCIAB] and is expected to conclude in early June 2018. The review will determine if all 2016 recommendations have been remediated’.

Note i: A briefing to the system’s Executive Board in July 2019 noted that DCIAB recommended the creation of an SRMP for each instance of the system. The single SRMP uploaded to Defence’s ICT authorisation management system refers to the Army, Navy and Air Force instances of the system.

Note j: A SOD for the Navy instance of the system was filed in Defence’s electronic document and records management system, Objective, and was last reviewed in June 2016. Defence advised the ANAO in June 2024 that the SOD for the Navy instance was used as the basis for the whole-of-Defence implementation of the system as the Navy instance represented ‘the greatest complexity due to its needs to operate in a disconnected state while offshore.’

Conduct certification assessment

3.79 As discussed at paragraph 2.66, once the security documentation is submitted by the System Owner, it is reviewed by the Security Assessor (Certification Consultant) ‘for accuracy, completeness, and to ensure sufficient information is provided to carry out the assessment’.¹²² Once the Security Assessor has all required information, a ‘Stage 1 Assessment’ is conducted, which includes: a detailed analysis of the system design to assess risks; a determination as to whether appropriate security controls have been implemented; and a review of all relevant controls specified in the ISM and DSPF.

3.80 The five selected systems were assessed against these requirements and the results are outlined in Table 3.5.

Table 3.5: Conduct of certification assessments

Key: ○ Not met ◑ Partly met ● Fully met

Source: ANAO analysis of Defence documents.

3.81 Defence did not consistently apply its assessment and authorisation process in the following respects.

• As noted in Table 3.4, at least some of the mandatory security documents to support system authorisation were missing for all five systems. This was not addressed prior to the system authorisation process commencing. There was no evidence of the Certification Consultant reviewing the sufficiency of documentation or requesting missing documentation from the System Owner for the five case studies.¹²³
• For four systems, deficiencies were identified in the analysis of system design, including:
  • one system where no system-specific risks had been identified either in supporting security documentation, or as part of the assessment process¹²⁴;
  • two systems where the supporting security documentation identified connections to unauthorised systems. Neither the system documentation nor the assessment process outlined the risks associated with these connections¹²⁵; and
  • one system where the assessment was based on out-of-date documentation (see Army Case Study).
• For all five systems, there were deficiencies in Defence’s review of ISM and DSPF controls. There was no evidence that DSPF controls were reviewed across the five systems, and there was no evidence that ISM controls were reviewed across two systems.¹²⁶

3.82 For all five systems examined, the Risk Assessments included statements by DCIAB that the system security assessment was based on an assessment of ‘current system implementation’. Defence was unable to provide evidence that system security controls for each case study were assessed as to whether they had been correctly implemented and operating as intended, as required under Step 4 of the ISM six-step process.

Review certification assessment and finalise accreditation

3.83 As discussed at paragraphs 2.69–2.71, Defence’s process requires that the drafted Risk Assessment is reviewed by a peer reviewer, agreed to by the System Owner, and then signed by the Security Assessor and endorsed by the Assistant Director or Director of DCIAB’s Integrated Risk Management (IRM) directorate (now the Directorate of Cyber Security Assessment and Authorisation). The Decision Brief (which includes the approved Risk Assessment) then proceeds to the Assessment Authority and Authorising Officer for approval.

3.84 The five selected systems were assessed against these requirements and the results are outlined in Table 3.6.

Table 3.6: Implementation of assessment and authorisation

Key: ○ Not met ◑ Partly met ● Fully met

Note a: The Authorising Officer for this system was the Director General Navy Intelligence and Information Warfare (DGNIW), however, the system was allocated to the Capability Acquisition and Sustainment Group (CASG) in Defence’s ICT authorisation management system. Defence advised the ANAO in June 2024 that the allocation of the system to CASG in the authorisation management system was an error.

Source: ANAO analysis of Defence documents.

3.85 There was evidence that the assigned peer reviewer reviewed the Risk Assessments for all of the case studies. Those peer review processes did not identify:

• that key required documents were missing for each of the case study systems¹²⁷;
• inaccuracies in Risk Assessments for three systems, including:
  • a statement in the Risk Assessment for the Navy system that the system had ‘fulfilled all PICTA recommendations’, despite some conditions of the provisional authorisation not being met (see Navy case study);
  • conflicting statements in the Risk Assessment for the Joint Capabilities Group system, which stated that DCIAB ‘has no additional security proposals’ for the system while the subsequent paragraph, referring to the same assessment and authorisation process, stated that DCIAB had ‘recommended controls … for maintaining the current security posture’; and
  • conflicting residual risk ratings in the Risk Assessment for the Chief Information Officer Group system (see Table 3.3, Note b); and
• deficiencies in the Risk Assessment for the Air Force system, which did not identify that the system had previously been granted provisional authorisation and did not outline whether the conditions of the provisional authorisation had been addressed (see Air Force case study).

3.86 For all five systems, Defence had documented the System Owner’s (or their delegate’s) acceptance of the proposed authorisation recommendations and the Risk Assessment was signed by the Security Assessor.¹²⁸ For all five systems, the Decision Brief was signed by the relevant Assessment Authority and Authorising Officer as outlined in the DSPF.¹²⁹

Operational impact of system authorisations

3.87 For four systems, the Decision Briefs outlined the ‘impact to operations’ if the systems were not authorised. For one of these systems (see Air Force case study), the assessed residual risk and authorisation decision changed over a three-month period, following the identification of operational impacts.

3.88 PSPF Policy 11 requires that the CSO or CISO ‘checks that due consideration has been paid to risk, security, functionality and business requirements’ as part of the assessment process. A variation of this requirement is outlined for Authorising Officers. The policy requires Authorising Officers to authorise systems to operate ‘based on the acceptance of the security risks associated with its operation’ (see Figure 1.1).

3.89 While the inclusion of operational impacts in the briefs may provide important context for the Authorising Officer, there is no evidence regarding the extent to which operational impacts have been factored into the decision for authorisation for the four systems.

System monitoring

3.91 As discussed at paragraph 3.4, the DSPF establishes the responsibility for System Owners to obtain and maintain authorisation of their systems and requires ICT systems to be re-authorised when one or more of the conditions outlined in Box 1 are met.

Note: Defence’s Assessment and Authorisation Framework, released in May 2024, includes an additional re-authorisation trigger: ‘actions identified in a system’s Remediation Plan are not implemented’. DSPF Control 23.1, updated in May 2024, states that ‘systems are Re-Assessed and Re-Authorised throughout the system’s lifecycle in line with re-assessment triggers and timeframes set by the Authorising Delegate’.

Source: Defence Security Principles Framework.

Re-authorisation due to authorisation expiry

3.92 Of the five systems examined, four have undergone multiple authorisation processes due to authorisation expiry. ANAO reviewed these four systems to assess whether re-authorisation was sought upon authorisation expiry, and found that there were gaps in the authorisation periods for some systems as follows:

• authorisation for the Army system expired on 30 March 2018, but the system was not re-authorised until 11 December 2018 (see Army case study);
• authorisation for the Navy system expired on 26 April 2021, but the system was not re-authorised until 20 October 2021 (see Navy case study)¹³⁰; and
• authorisation for the Air Force system expired on 6 November 2020, but the request for re-authorisation was not submitted until April 2021, and the system was not re-authorised until 1 November 2022 (see Air Force case study).

3.93 These systems remained operational during the period their authorisations had lapsed.

3.94 A system operating under four consecutive provisional authorisations between January 2018 and September 2020 is discussed in the Air Force case study.¹³¹

Note a: A subsequent paragraph in the Decision Brief rated this option as having an ‘Extreme’ risk.

Note b: The Risk Assessment which accompanied the Decision Brief identified the primary sources of system risk including insufficient detail regarding security controls in security documentation and vulnerabilities identified through a vulnerability assessment that required remediation.

Note c: Further, DCIAB had noted that work to address some of the primary sources of system risk identified in the original Risk Assessment (see Note b) had not been finalised.

Note d: The brief stated that ‘The Commander of Air Combat Group [CACG] is responsible for the acceptance of risks relating to the compromise of sovereign data from this system. Whilst controls identified … will contribute to managing these risks, they are interim measures … CACG will provide a brief to HICTO formally accepting this risk.’ CACG approved a brief in December 2019 accepting an assessed risk of ‘Moderate’. Defence advised the ANAO in August 2024 that it was ‘unable to identify evidence that this brief was provided to HICTO.’

Note e: The ISM six-step process requires an assessment of control implementation to be done before granting authorisation (see Figure 1.1).

Note f: The May 2020 internal audit report into Certification and Accreditation of Defence ICT Networks found that there was ‘limited management and oversight where a Provisional ICT Accreditation (PICTA) had been issued, presenting a risk that networks and systems continue to operate where they have been deemed too high-risk to achieve full accreditation’.
DCIAB conducted a review of the draft Risk Assessment in July 2021, suggesting minor editorial amendments. However, further feedback from DCIAB in November 2021 noted that ‘the [Risk Assessment] was difficult to read’ and suggested further changes, including providing more detail on the nature of the system. Further feedback from DCIAB in April 2022 included similar comments. A final revised Risk Assessment was submitted in October 2022.

Note g: The May 2018 and September 2019 Decision Briefs identified that the system required authorisation from three Authorising Officers due to ‘system connectivity and information ownership’. These officers were HICTO, the Chief of Joint Operations, and the CISO. At the time of these authorisations, the CISO and the Assistant Secretary ICT Services Branch (who is the Assessment (Certification) Authority for Defence systems under the DSPF), were different officers. The November 2022 Decision Brief was only signed off by the HICTO. Defence advised the ANAO in June 2024 that ‘[f]ollowing transfer of the CISO role to Assistant Secretary ICT Security Branch, that position already had complete visibility of system authorisations as the Certification Authority, and the extra authority was not required’. Defence did not provide an explanation for why authorisation was no longer required from the Chief of Joint Operations.

Re-authorisation due to Commonwealth or Defence policy changes

3.95 As noted in paragraphs 1.7–1.10, PSPF Policy 10 and 11 were updated in February 2022 and August 2020 respectively. Notable policy changes prior to this include the initial release of PSPF Policy 10 and 11 in September 2018. Under the DSPF, these changes are triggers for re-authorisation (see Box 1).

3.96 Of the five systems examined by ANAO: two systems were operational when the revised PSPF was introduced in September 2018 and when PSPF Policy 11 was updated in August 2020; and four systems were operational when PSPF Policy 10 was updated in February 2022. The documentation for these systems did not identify any references to the PSPF updates.

Re-authorisation due to system changes

3.97 Across the five case studies, there were three instances where re-authorisation had been sought with reference to system changes:

• a Decision Brief was approved in June 2018 for the Air Force system noting that ‘the system functionality has been extended’;
• the Army system was re-authorised in January 2011 due to the system being extended for use by Army; and
• the Army system was re-authorised in July 2013 due to changes to the system’s operating location.

Appendix 1 Department of Defence response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’ s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• As noted at paragraph 2.6, Defence Security Principles Framework (DSPF) Principle 23 and Control 23.1 were approved by the Chief Information Security Officer on 10 May 2024.
• As noted at paragraph 2.9, the Chief Information Security Officer has been appointed as the Control Owner in the May 2024 DSPF Control 23.1.
• As noted at footnote 65, Defence advised the ANAO in April 2024 that the Army ICT Security Plan directive had been updated and was awaiting delegate approval.
• As noted in paragraph 2.38, a new version of Air Force instruction AFSI (OPS) 05-02 was published in June 2024 and requires all Air Force ICT systems to be authorised prior to operation.
• As noted at footnote 42, in March 2024, Air Force’s 462 Squadron (which is responsible for system assessment activities within Air Force) transitioned to the Joint Capabilities Group.
• As noted at paragraph 2.50, in February and May 2024, the Defence Chief Information Security Officer approved and released the Assessment and Authorisation Framework.
• As noted at footnote 76, Defence advised the ANAO in January 2024 that it had decided to revisit the need to request reporting from the Defence Finance Group to identify systems which have not been authorised.
• As noted at footnote 82, Defence advised the ANAO in June 2024 that the ICT inventory project ‘is due to be finalised for system owners to access and update their information by mid-July 2024. The team will work to transition the [inventory system] into sustainment by November 2024’.
• As noted at paragraph 3.56, the DSPF was updated in March 2024 to reflect changes to the frequency of Control Owner reporting to the Defence Security Committee.
• As noted at paragraph 3.61, in May 2024, Defence commenced providing Control Owner reports directly to the Defence Security Committee, in accordance with the requirements of the Defence Security Principles Framework (DSPF). The report provided to the Defence Security Committee in May 2024 included information not available in previous reports, outlining deficiencies in relation to Control 23.1, including that: assessment and authorisation policy was not current; Defence’s ICT authorisation management system did not sufficiently support an enterprise-wide view of ICT risks; and the volume of Defence ICT systems outweighs available resources for assessment and authorisation activities.

Appendix 3 System accreditation status by residual risk rating

Source: ANAO analysis of Defence’s ICT authorisation management system.