This section outlines some common security requirements for participating in Australian Government procurement processes, responding to an Approach to Market (ATM), and entering into contracts with the Australian Government. It is intended to complement the information available under:
The Commonwealth Procurement Rules require Australian Government organisations to consider and manage security risks associated with their procurements, including cyber security risk, in accordance with the Australian Government's Protective Security Policy Framework (PSPF).
The PSPF sets out the Australian Government’s protective security policy, and supports Australian Government organisations (specifically, non-corporate Commonwealth entities) to implement the policy in terms of:
Under the PSPF, each Australian Government organisation is accountable for the security risks associated with its procurement of goods and services.
This means that Australian Government organisations are required to establish robust governance and assurance processes to ensure that the suppliers they contract with implement protective security requirements appropriate to the work being undertaken.
Australian Government organisations must:
Details of the full requirements are outlined in PSPF Policy 6 – Security governance for contracted goods and service providers.
Depending on the work being undertaken in the contract, this can include applying arrangements such as:
Further information on some common security requirements is outlined below:
If you are working with information resources provided by an Australian Government organisation, you are generally required to protect these resources in the same manner as the Australian Government organisation.
The Australian Cyber Security Centre produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats.
The ISM provides guidance, including some mandatory controls, to help Australian Government organisations ensure that suppliers meet designated information security standards for the electronic processing, storage, transmission and disposal of official and security classified information.
This means that if you are interested in selling ICT solutions to Australian Government organisations, you will usually need to demonstrate that you meet certain expectations, which are outlined in the ISM. There may be additional requirements, depending on the Australian Government organisations you are intending to target. For example, information on requirements when working with the Department of Defence is available on the Defence Industry Security Program website.
Some common expectations, drawn from the Guidelines for Procurement and Outsourcing sections of the ISM, are outlined below:
For detailed guidance on managing your cyber security, you can refer to information available on cyber.gov.au. This includes resources such as:
When working with the Australian Government, your business or its personnel may need to access personal or confidential information provided by the Australian Government organisation as part of delivering the required goods and services.
In this context:
The Australian Government organisation will also be required to protect personal and confidential information provided by the supplier.
To protect this information, contracts will generally require suppliers to:
This will be alongside any specific security provisions included in the contract.
You do not need to hold a security clearance to respond to tenders for Australian Government work.
There are many opportunities to work with Australian Government organisations that do not have any particular personnel security requirements.
However, under the Australian Government Protective Security Policy Framework (PSPF), personnel who need ongoing access to security classified resources must hold a security clearance at the appropriate level. Depending on the nature of the work being tendered for, this framework may apply to personnel delivering services to the Australian Government on behalf of your business.
These personnel may be required to hold and maintain an appropriate security clearance as a condition of engagement.
There are many services that may require personnel to apply for and maintain a security clearance. For example:
ATM documentation should clearly outline whether any security clearances will be required to successfully deliver the contract. In responding, you will typically be required to demonstrate whether any specified personnel have the appropriate security clearance or are able to hold and maintain the appropriate security clearance.
Potential suppliers do not have an advantage in tendering for work if their staff already hold security clearances. If security clearances are required to undertake work under an awarded contract, and specified personnel do not already hold security clearances, the contracting Australian Government organisation may sponsor the security clearances for relevant personnel, enabling them to apply for security clearances through the Australian Government Security Vetting Agency (AGSVA).
There are costs associated with applying for a security clearance. These costs may be borne by the supplier, rather than the sponsoring Australian Government organisation, and are published on the AGSVA website. Security clearances also take time to process. The AGSVA website provides guidance on processing timeframes.
If you are responding to an ATM, and specified personnel who would be participating in the project do not hold security clearances, you should reach out to the contact officer outlined in the ATM documentation to clarify any expectations and requirements.
For more information on security clearances, refer to the Australian Government Security Vetting Agency website.
The Defence Industry Security Program, managed by the Department of Defence, supports Australian businesses to understand and meet their security obligations when engaging in Defence projects, contracts and tenders.
To find out more, refer to the Defence Industry Security Program page on the Department of Defence website.