Australia’s Cyber and Infrastructure Security Centre has issued a reminder that it is the final week of the reporting period for the Critical Infrastructure Risk Management Program (CIRMP) annual report for the 2023-24 Australian financial year.
The agency says that of August 31, 2024, it had received 53 annual reports from eight different sectors covering 137 assets. They expect an influx of submissions towards the end of September.
The energy and health sectors have provided most of the annual reports at this stage. Mandatory risk management program (RMP) annual report submissions by sector are as follows: energy (47%), health (19%), data storage or processing (15%), transport (7%), water (6%), communications (2%), financial (2%), and food and grocery (2%).
“The information we have received about security frameworks and cyber security frameworks that are in use by industry is helping to inform government’s understanding about frameworks in use by industry, and industry maturity against those frameworks,” a CISC statement reads. “Currently, the most used cyber security framework is the 2020-21 AESCSF Framework Core, followed by the Essential Eight Maturity Model.”
The received reports raised three key points.
More and earlier consultation
Industry would like more and earlier consultation, particularly regarding changes to web forms. In 2022-23 financial year, the CISC encouraged industry to provide voluntary annual reports through a web form. Those who submitted a voluntary report were also requested to provide feedback to help improve the process in light of the mandatory submissions.
Based on the feedback, the CISC made a several changes to the CIRMP Form in May 2024. These changes included:
- Providing more clarity about the attestation process;
- Clarifying the information being sought regarding cyber security and other risk management frameworks; and
- Ensuring the web form allows attachments to be added.
The agency says these changes made a meaningful difference to submissions and improved on user experience. The CISC have received feedback since this date that industry would like more consultation prior to form changes.
For future changes to web forms, the agency will aim to host information sessions through the Trusted Information Sharing Network (TISN) to inform industry of any changes, get early feedback and ensure a wide array of perspectives are considered.
Clear and specific questions in the forms
The feedback the CISC received from some industry entities on the annual report form indicated that the questions were not specific enough. To make the form more user-friendly, and meet our regulatory needs, the agency updated the form to include more specific questions. The CISC focused particularly on questions about cyber security frameworks and security frameworks.
Since the change, the information received from industry now provides a better picture of security frameworks in use and the maturity of industry against those frameworks. This enables government to stay informed on what frameworks are in use, and the maturity of entities against these frameworks. This can help inform potential changes in the mandated frameworks and maturity ratings in the future.
The CISC also received feedback indicating the wording of questions around ‘security frameworks’ could be clearer. The agency had received several enquiries around this question and as a result have addressed the query through a number of platforms. This makes it clear that the wording of questions is critical. Moving forward, the CISC says it will seek to test questions with industry through TISN.
Use of attachments in the RMP annual report
Twenty-one of the 53 reports received have included an attachment. In May 2024, the CISC updated the form to include an attachments section. This addition was in response to feedback received on the 2022-23 voluntary report submissions. The inclusion of this section allows for greater flexibility in a responsible entity’s reporting.
The CISC encourages entities to include attachments where they provide assurance that obligations are being met. For example, some entities have included the documents that were provided to the board, as well as the board attestation or third-party audit results. This provides confirmation of compliance with legislation. It also reduces the likelihood that reporting entities will be asked for more information or face auditing at a later date.
However, the CISC says there is no requirement for entities to provide attachments. As long as entities complete the form and provide the relevant board-approved information they will have met their legislative obligation for annual reporting.
