Closed

APSC2638 - Delivery of cyber-security assessment and development of security artefacts to achieve an Authority to Operate for a SaaS solution.

Tender ID: 607008


Tender Details

Tender #:
PCS-03601  
Status:
Closed
Publish Date:
25 February 2026
Closing Date:
2 March 2026
Closing Time:
11:59 PM (Australia/ACT)

Tender Description

The APSC is seeking an experienced vendor to establish an ATO for the Case Management System. This requires the completion of security governance, risk assessment, control implementation and assurance activities necessary to enable the APSC's Chief Security Officer to make an informed risk-based decision around the operation of the system.

The vendor will be responsible for delivering a complete ATO artefact suite and providing specialist advice to support accreditation decision-making.

An IRAP assessment has already been undertaken by the system vendor, which can be shared with the successful candidate so that they can assess and assure that the controls are implemented and operating as intended.

We require that the assessment be conducted by an ACSC-certified IRAP assessor and that it be sufficient to support security authorisation at the PROTECTED level. Deliverables at a minimum must include:

  • A Security Risk Management Plan (SRMP) aligned to PSPF requirements
  • An assessment of control effectiveness mapped to applicable ISM controls within the system boundary
  • Identification of residual risks and recommended treatments
  • An executive-level summary suitable for use by the Authorising Officer in making a security authorisation decision
  • A complete set of artefacts sufficient to enable an ATO (or equivalent) to be issued, should the AO decide to do so
  • Any additional documentation or artefacts required to support the ATO.

Deliverables for this work include the following:

A consolidated ATO submission artefact pack that includes the deliverables below and any other documentation identified as required during this engagement, including:

A Security Risk Management Plan that:

  • Identifies system-specific threats, vulnerabilities and impacts
  • Assesses and rates security risks in accordance with PSPF and ISM requirements
  • Documents risk owners, treatment options and residual risk
  • A Security System register aligned to identified risks, controls and remediation actions.

A complete and current System Security Plan that:

  • Describes the system, architecture, hosting environment and integrations.
  • Documents security controls implemented across the system
  • Maps implemented controls to applicable ISM requirements
  • Clearly identifies control gaps or limitations

An ISM control assessment documenting:

  • Control implementation status
  • Control effectiveness and assurance approach
  • Identified gaps or deficiencies

Any supporting evidence artefacts that demonstrate control implementation, which may include:

  • Procedures, configurations or technical summaries
  • Architecture and security diagrams

Security Operations documentation as required to support an ATO, including:

  • Incident response procedures
  • Security monitoring and logging arrangements
  • Escalation and reporting processes

A risk treatment and remediation plan that:

  • Prioritises remediation activities based on risk
  • Identifies dependencies, assumptions and constraints
  • Supports conditional or time-bound ATO decisions, where applicable

A high-level executive security summary suitable for Authorising Officer review, including:

  • Overview of the system and operating context
  • Summary of key security risks and impacts
  • Risk treatment approach and residual risk position
  • Any recommended conditions or limitations on operation