Review of Enhanced Cyber Security Obligations (ECSO) - Assurance and Review processes and development of ongoing assurance and review function
Tender ID: 578170
Tender Details
Tender Description
This Tender is invited by the Issuer.
The Service Provider will contribute to the protection of Australia’s most important critical infrastructure assets – Systems of National Significance (SoNS) – by supporting the development of an Enhanced Cyber Security Obligations (ECSO) Assurance and Review framework.
As critical infrastructure becomes increasingly interdependent, the cyber resilience of those critical assets is paramount to the nation’s prosperity and national security. To date, more than 200 critical infrastructure assets have been declared as SoNS under s 52B of the SOCI Act, covering the following sectors: communications, transport, energy, food and grocery, financial services and markets, and data storage or processing.
Systems of National Significance can be subject to Enhanced Cyber Security Obligations, which include requirements to:
- adopt, comply with, review and update an incident response plan to prepare for a cyber security incident;
- undertake a cyber security exercise to build cyber preparedness;
- undertake vulnerability assessments to identify vulnerabilities for remediation; and
- provide system information to develop and maintain a near-real time threat picture.
Most SoNS entities are subject to at least one of these obligations and are required to provide documentation to the Department in line with the regulatory requirements.
The ECSO Assurance and Review framework comprises a number of tools, including publicly issued guidance materials to help guide SoNS on best practice. The framework seeks to use this guidance material as a benchmark to inform the Government’s understanding of the cyber security maturity of SoNS and to tailor education on cyber uplift.
The Service Provider will work alongside the ECSO team within the SoNS Branch to evaluate this ECSO Assurance and Review framework against industry standards and best practices in quality assurance.
This RFQ is specifically focused on the Assurance and Review process with regards to Incident Response Plan, Cyber Security Exercise and Vulnerability Assessment obligations.
As part of this work, the Service Provider will:
a. Review standard operating procedures, the Assurance and Review project plan, assessment tools, draft internal analysis reports and reporting templates.
b. Consider the Assurance and Review framework in consultation with the Cyber and Infrastructure Security Centre Compliance and Enforcement Strategy, and the guidance materials such as ECSO Guidance - Incident Response Planning, ECSO Guidance - Cyber Security Exercises and Enhanced Cyber Security Obligations Guidance – Vulnerability Assessments.
c. Identify any gaps or areas for improvement in the Assurance and Review framework and offer solutions.
d. Consider opportunities to further align the framework with auditing and quality assurance standards.
e. Identify appropriate external training options, and review internal training material to assist in upskilling staff.
f. Consider how the SoNS Branch can use the Assurance and Review findings to deliver advice and services to support SoNS entities.
g. Note: The Service Provider will not have access to any ECSO documentation provided by SoNS entities as part of their regulatory obligations, such as incident response plans or cyber security exercise reports. This work is focussed on reviewing the framework and methodology used by Home Affairs staff to assess the ECSO documents.
The key deliverable is a final Report that summarises the review and evaluation of the ECSO Assurance and Review framework. The report should identify any gaps or areas for improvement in the existing framework and offer solutions. The report should also provide advice on conducting analysis of ECSO documents and translating this data into general cyber uplift advice to communicate to SoNS, and other critical infrastructure entities, on cyber preparedness.
The Report should include all findings, recommendations and specific actions related (but not limited) to:
- the Assurance and Review framework and processes
- the assessment tool and report templates for analysis of Incident Response Plans, Cyber Security Exercise Reports and Vulnerability Assessments Reports
- effective and efficient assurance processes including assessment design, analysis, implementation and reporting
- alignment with relevant auditing and quality assurance standards
- options, if applicable, to vary audit methods based on audit benchmarking objectives
- if applicable, methods to manage data for feedback and improvement purposes, including comparative evaluation of legislative compliance requirements with assurance findings.
The report will directly influence the establishment of the Assurance and Review function as a long-term capability to assure compliance and inform engagement with SoNS entities.
The Service Provider must complete and deliver the final Report by 17 June 2025.