The Auditor-General responded on 1 July 2021 to correspondence from the Hon Brendan O'Connor MP and Mr Tim Watts MP dated 5 June 2021, requesting that the Auditor-General consider initiating a performance audit into the use of provisional ICT accreditation within Defence. 

Auditor-General's response

1 July 2021

The Hon Brendan O'Connor MP
Shadow Minister for Defence

Mr Tim Watts MP
Shadow Assistant Minister for Cyber Security

By email: 
brendan.oconnor.mp@aph.gov.au
tim.watts.mp@aph.gov.au

Dear Mr O’Connor and Mr Watts

Request for audit of Defence’s use of Provisional ICT Accreditations

I am writing in response to your joint letter of 5 June 2021 drawing my attention to evidence provided to the Parliament by the Chief of the Defence Force and the Department of Defence’s Chief Information Officer on 2 June 2021. Specifically, you have referred to evidence regarding the Battle Management System (BMS) of Elbit Systems of Australia and the use of Provisional ICT Accreditations (PICTA) within the Department of Defence. You have also outlined specific concerns about the ICT security capacity within Defence, the prevalence of the use of PICTAs and the acceptance of associated risks.

In response to your concerns, my officials met with the Department of Defence to discuss the use of PICTAs and have reviewed relevant policy guidance in the Defence Security Principles Framework (DSPF). Defence describes the DSPF as providing governance, principles, policy, process and guidance to enable Defence personnel to make security decisions in accordance with risk. It is available here: https://www1.defence.gov.au/sites/default/files/2020-12/DSPF-OFFICIAL.pdf.

My officials have been advised by Defence that applications used by Defence must be accredited. The DSPF defines accreditation as the procedure by which an authoritative body (an Accreditation Authority) gives formal recognition, approval and acceptance of the risk(s) to an ICT system. It defines certification as the process of identifying, assessing and reporting on the risk that an ICT system presents to an information environment.

The DSPF includes ‘Principle 23: ICT Certification and Accreditation’ which sets out that the certification and accreditation process: (a) enables Defence to understand and manage security risks to classified information, security-protected assets and infrastructure; and (b) provides assurance that sufficient security measures are in place or, that deficiencies and their associated risks have been mitigated or accepted.

If the application is in operational use, it must have either a full ICT accreditation (known as an ICTA) or a provisional ICT accreditation (PICTA). The DSPF defines PICTA as a type of accreditation issued where the Accreditation Authority has requested further controls and/or risk mitigation activities to be undertaken during the provisional accreditation period. A PICTA is used where there is a need to place limitations on the use of the application, such as accreditation duration and controls, when the application is being used during build or development activities.

To support decision-making regarding accreditation, the DSPF sets out a two-step process (a certification process and an accreditation process) for issuing an accreditation. The flowchart included in the DSPF in respect of Principle 23 (which can be found at page 303 of the DSPF) indicates that the outcome of the certification assessment will be a recommendation for either a PICTA or an ICTA to be issued. The various roles and responsibilities that support governance of the certification and accreditation processes, including the consideration and acceptance of associated risks, are also set out in the context of Principle 23.

Likewise, Principle 23 sets out the conditions that trigger reaccreditation. These conditions include, for example, policy changes, new and emerging threats and the expiration of the accreditation.

At this point I have not included an audit of Defence’s management of ICT certification and accreditation in the Australian National Audit Office’s 2021–22 Annual Audit Work Program, on the basis that Provisional ICT Accreditation is a documented process in the Defence Security Principles Framework. Further, the ANAO has audited the Land 200 program relatively recently, in Report No.40 of 2018–19 Modernising Army Command and Control — the Land 200 Program, which was presented for tabling in mid-2019.

I will however continue to review Defence’s activities and consider including such an audit in the 2022–23 Annual Audit Work Program. The work program is designed to inform the Parliament, the public and government entities of planned audit coverage to commence in the relevant year.

Yours sincerely

Grant Hehir
Auditor-General

Correspondence from the Hon Brendan O'Connor MP and Mr Tim Watts MP

5 June 2021

Mr Grant Hehir
Auditor-General
By email: grant.hehir@anao.gov.au

Dear Auditor-General,

We write concerning evidence given in Senate Estimates by the Chief of the Defence Force and Department of Defence Chief Information Officer Stephen Pearson on 2 June 2021 regarding the Battle Management System (BMS) by Elbit Systems and the use of Provisional ICT Accreditation (PICTA) within the Department of Defence.

A PICTA is outlined in the Defence Security Principles Framework which is a Department of Defence implementation of its requirements under the Protective Security Policy Framework (PSPF).

The evidence in response to questioning by Labor Senators and Senator Patrick confirmed media reporting that the $1.4 billion BMS has been "paused" following a security review of the technology, with no indication of when or if it will continue.

The decision to pause version 7.1 of the BMS related to concerns with a potential backdoor written into the system, with Army confirming there were concerns with "who could access the system". It was also confirmed that Defence's Capability Acquisition and Sustainment Group raised concerns about version 7.1 of the software.

Mr Pearson confirmed that version 7.1 of the Elbit BMS was operating under provisional ICT accreditation. Evidence given at the 2 June Foreign Affairs, Defence and Trade estimates hearings (attached) also suggested that previous versions of the BMS were operating under provisional ICT accreditation.

In response to QON154 the Department initially refused to disclose the number of systems operating under a PICTA. However, at this Estimates hearing Mr Pearson suggested it was "up to 100".

This evidence raises serious concerns about the ICT security capacity within Defence, the prevalence of the use of PICTAs rather than final accreditations, and the acceptance of the associated risks.

In the context of the ANAO's past work examining the cyber resilience of Commonwealth entities, we request that you consider initiating a performance audit into the use of Provisional ICT Accreditation within Defence.

Yours sincerely

Brendan O'Connor MP
Shadow Minister for Defence

Tim Watts MP
Shadow Assistant Minister for Cyber Security