Security Risk Assessments

Defence Housing Australia (DHA) is an Australian Government Business Enterprise (GBE), that supplies housing and related services to Australian Defence Force members and their families.

The Business Solutions & Technology group are responsible for delivering all ICT functions to DHA.

As part of DHA’s Cyber Program, DHA regularly perform Security Risk Assessments across a range of medium to complex systems.

The preferred Seller must have experience to undertake Risk Assessments in an Australian Government Setting, performing non-complex and complex risk assessments across DHA internal systems, integrations, web applications and Cloud products.

DHA is seeking to enter into a new arrangement for the delivery of Security Risk Assessment services, for a duration of twelve (12) months, with an estimated starting date on 2 March 2026 or sooner once the Agreement has been executed by both parties.

The preferred Seller(s) will be onboarded for the duration of the contract to conduct Security Risk Assessments as required, without delays to DHA project requirements and business expectations.

Requirements

Risk Assessments must include an assessment against the ACSC Essential 8 and ISM/PSPF guidelines.

1. A rate card must be provided for each level of complexity (non-complex and complex) for the following activities:

1. Conduct security risk assessments on new and/or existing systems that may be introduced into DHA’s operating environment.
2. Produce System Security Plans (SSP) with recommendations as per ISM guidelines.
3. Produce Security Risk Management Plans (SRMP).
4. Present assessment summary and documentation to key stakeholders.
5. Liaise with DHA and third-party vendors to conduct discovery sessions, requirements, and assessment complexity. This includes:

1. 1. Timeframes to conduct non-complex and complex assessments.

2. Current controls to meet DHA acceptable risk tolerance, and

3. Where possible, include future roadmap features from vendors to remediate current associated risks.

2 Scoping sessions to understand DHA’s operating environment, current controls and maturity will be undertaken as part of the onboarding process.

Conditions for Participation

1. Respondent must provide pricing for each activity as outlined in The Requirement and be in Australian Dollars inclusive of GST.
2. Respondents must have demonstrated experience in providing security risk assessments to government agencies.
3. DHA will not accept partial or incomplete submissions and will be considered as non-compliant.
4. DHA advises joint tenders, and sub-contracting proposals will not be accepted.