The Australian Cyber and Infrastructure Security Centre (CISC) reminded responsible entities of the final week of the reporting period for the Critical Infrastructure Risk Management Program (CIRMP) Annual Report for the 2023-24 financial year. It called upon these organizations to submit the report any time during the period July 1, 2024 to Sept. 28, 2024, using the Responsible Entity RMP Annual Report form.
The agency disclosed that as of Aug. 31, 2024, it had received 53 annual reports from eight sectors covering 137 assets. It expects an influx of submissions in the final week leading up to Sept. 28. As Australian organizations enter the final week of the reporting period for the CIRMP Annual Report for the 2023-24 financial year, they are finalizing their assessments and compliance documentation to ensure robust risk management and adherence to regulatory standards, safeguarding the integrity of national infrastructure.
Out of the 53 reports received by the CISC, 21 have included an attachment. “In May 2024 we updated the form to include an attachments section. This addition was in response to feedback received on the 2022-23 voluntary report submissions. The inclusion of this section allows for greater flexibility in a responsible entity’s reporting.”
The CISC encourages entities to include attachments where they assure that obligations are being met. “For example, some entities have included the documents that were provided to the board, as well as the board attestation, or third-party audit results. This provides confirmation of compliance with legislation. It also reduces the likelihood that we will have to request more information, or consider auditing the entity at a later date.”
However, CISC said that there is no requirement for entities to provide attachments. As long as entities complete the form and provide the relevant board-approved information they will have met their legislative obligation for annual reporting.
The energy and health sectors have provided the majority of the annual reports at this stage. Mandatory Risk Management Program (RMP) annual report submissions by sector are: energy 47 percent; health 19 percent; data storage or processing 15 percent; transport 7 percent; water 6 percent; and communications, financial services, and food and grocery 2 percent each. The data has been adjusted to remove non-SOCI regulated reports from the total.
The mandatory RMP figures at the end of August were: total number of significant impacts identified, 6; total number of risk management plans received, 53; and total number of assets covered, 137.
“The information we have received about security frameworks and cyber security frameworks that are in use by industry is helping to inform government’s understanding about frameworks in use by industry, and industry maturity against those frameworks,” the CISC said in a media statement. “Currently, the most used cyber security framework is the 2020-21 AESCSF Framework Core, followed by the Essential Eight Maturity Model. The reports received as at 31 August 2024 raise three key takeaways.”
The agency disclosed that the feedback it received from some industry entities on the annual report form earlier in the year indicated that the questions were not specific enough. “To make the form more user friendly, and meet our regulatory needs, we updated the form to include more specific questions. We focused particularly on questions about cyber security frameworks and security frameworks.”
“Since the change, the information we have received from industry now provides a better picture of security frameworks in use, and the maturity of industry against those frameworks,” CISC said. “This enables government to stay informed on what frameworks are in use and the maturity of entities against these frameworks. This can help inform potential changes in the mandated frameworks and maturity ratings in the future.”
Additionally, the CISC has received feedback indicating that the wording of questions around ‘security frameworks’ could be clearer. It received several inquiries about this question and, as a result, has addressed the query through several platforms. This makes it clear that the wording of questions is critical. Moving forward, the agency said that it will seek to test questions with industry through the Trusted Information Sharing Network (TISN).
CISC also received feedback that the industry would like more and earlier consultation, particularly regarding changes to web forms. “In the 2022-23 financial year we encouraged industry to provide voluntary annual reports through a web form. Those who submitted a voluntary report were also requested to provide feedback to help improve the process in light of the mandatory submissions.”
Based on this feedback, the agency made some changes to the CIRMP Form in May 2024. These changes included providing more clarity about the attestation process, clarifying the information being sought regarding cyber security and other risk management frameworks, and ensuring the web form allows attachments to be added. These changes made a meaningful difference to submissions and improved the user experience. Since then, the agency has also received feedback that the industry would like more consultation before form changes.
In March, the Australian CISC unveiled an enhanced self-assessment tool, the Organisational Resilience HealthCheck Tool. The tool is designed based on modern organizational resilience methodologies to strengthen organizational resilience against various threats. Users can evaluate and rate their organization across 13 resilience indicators using this tool.