This section outlines some common security requirements for participating in Australian Government procurement processes, responding to an Approach to Market (ATM), and entering into contracts with the Australian Government. It is intended to complement the information available under:
- Getting selected to supply to government
- Responding to an approach to market
- Frequently Asked Questions – Minimum requirements
Managing security risks
The Commonwealth Procurement Rules require Australian Government organisations to consider and manage security risks associated with their procurements, including cyber security risk, in accordance with the Australian Government's Protective Security Policy Framework (PSPF).
The PSPF sets out the Australian Government’s protective security policy, and supports Australian Government organisations (specifically, non-corporate Commonwealth entities) to implement the policy in terms of:
- security governance
- information security
- personnel security
- physical security.
Under the PSPF, each Australian Government organisation is accountable for the security risks associated with its procurement of goods and services.
This means that Australian Government organisations are required to establish robust governance and assurance processes to ensure that suppliers they enter into contracts with implement appropriate protective security requirements for the work being undertaken.
Australian Government organisations must:
- ensure that contracts for goods and services include relevant security terms and conditions
- ensure that security controls included in a contract are implemented, operated and maintained by the contracted supplier
- implement appropriate security arrangements at completion or termination of a contract.
Details of the full requirements are outlined in PSPF Policy 6 – Security governance for contracted goods and service providers.
Depending on the work being undertaken in the contract, this can include applying arrangements such as:
- personnel security requirements – such as pre-employment screening and security clearance vetting requirements for supplier staff accessing sensitive or classified information
- information security requirements – such as applying information handling controls and storage arrangements to protect sensitive or classified information, and implementing appropriate cyber security arrangements.
Further information on some common security requirements is outlined below:
- Information and cyber security requirements
- Protecting personal and confidential information
- Security clearances
- Security requirements for the Defence industry.
Information security and cyber security
If you are working with information resources provided by an Australian Government organisation, you are generally required to protect these resources in the same manner as the Australian Government organisation.
The Australian Cyber Security Centre produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats.
This includes providing guidance, including some mandatory controls, to help Australian Government organisations ensure that suppliers meet designated information security standards for the electronic processing, storage, transmission and disposal of official and security classified information.
This means that if you are interested in selling ICT solutions to Australian Government organisations, you will usually need to demonstrate that you meet certain expectations, which are outlined in the ISM. There may be additional requirements, depending on the Australian Government organisations you are intending to target. For example, information around requirements when working with the Department of Defence is available on the Defence Industry Security Program website.
Some common expectations, drawn from the Guidelines for Procurement and Outsourcing sections of the ISM, are outlined below:
- managed service providers, and the services they provide to government, will need to undergo regular security assessments by an Infosec Registered Assessor Program (IRAP) assessor to determine their security posture and security risks associated with their use
- outsourced cloud service providers and their cloud services will need to undergo regular security assessments by an IRAP assessor to determine their security posture and security risks associated with their use
- service providers will need to abide by any contractual security requirements relating to the protection and use of data
- service providers will need to abide by any contractual requirements to manage cyber security around access to an Australian Government organisation’s data and systems.
For detailed guidance on managing your cyber security, you can refer to information available on cyber.gov.au. This includes resources such as:
Protecting personal and confidential information
When working with the Australian Government, your business, or personnel, may need to access personal or confidential information provided by the Australian Government organisation as part of delivering the required goods and services.
In this context:
- personal information refers to information which could identify an individual, as outlined in the Privacy Act 1998
- confidential information refers to any information the Australian Government organisation does not wish to be shared outside those involved in the contract.
The Australian Government organisation will also be required to protect personal and confidential information provided by the supplier.
To protect this information, contracts will generally require suppliers to:
- comply with the Privacy Act 1998 and the Australian Privacy Principles
- comply with Notifiable Data Breach Scheme requirements
- comply with any security and safety requirements requested by the Australian Government organisation when accessing Australian Government facilities
- ensure information, security and property provided by the Australian Government organisation is protected from unauthorised access or use by a third party
- not disclose any confidential information provided by the Australian Government organisation
- acknowledge that unauthorised disclosure of security classified information is an offence.
This will be alongside any specific security provisions included in the contract.
Security clearances
You do not need to hold a security clearance to respond to tenders for Australian Government work.
There are many opportunities to work with Australian Government organisations that do not have any particular personnel security requirements.
However, under the Australian Government Protective Security Policy Framework (PSPF), personnel that need ongoing access to security classified resources must hold a security clearance at the appropriate level. Depending on the nature of work being tendered for, this framework may apply to personnel delivering services to the Australian Government on behalf of your business.
These personnel may be required to hold and maintain an appropriate security clearance as a condition of engagement.
There are many services that may require personnel to apply for and maintain a security clearance. For example:
- cleaners accessing secure physical zones, who may come into contact with sensitive and classified information
- contractors requiring access to an Australian Government organisation's ICT systems to deliver work under a contract.
ATM documentation should clearly outline whether any security clearances will be required to successfully deliver the contract. In responding, you will typically be required to demonstrate whether any specified personnel hold the appropriate security clearance, or are able to obtain and maintain one.
Potential suppliers do not have an advantage in tendering for work if their staff already hold security clearances. If security clearances are required to undertake work under an awarded contract, and specified personnel do not already hold security clearances, the contracting Australian Government organisation may sponsor the security clearances for relevant personnel, enabling them to apply for security clearances through the Australian Government Security Vetting Agency (AGSVA).
There are costs associated with applying for a security clearance. These costs may be borne by the supplier, rather than the sponsoring Australian Government organisation, and are published on the AGSVA website. Security clearances also take time to process. The AGSVA website provides guidance on processing timeframes.
If you are responding to an ATM, and have specified personnel that would be participating in a project who do not hold security clearances, you should reach out to the contact officer outlined in the ATM documentation to clarify any expectations and requirements.
For more information on security clearances, refer to the Australian Government Security Vetting Agency website.
Security requirements for the Defence industry
The Defence Industry Security Program, managed by the Department of Defence, supports Australian businesses to understand and meet their security obligations when engaging in Defence projects, contracts and tenders.
To find out more, refer to the Defence Industry Security Program page on the Department of Defence website.