Commonwealth Parliament passes the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022
March 31, 2022 |
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022. This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (NO. 124, 2021). The genesis of the current legislation is the 99 page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 which was prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.
The USA has critical instructure legislation. Most recently President Biden signed Strengthening American Cybersecurity Act of 2022. Under that legislation critical infrastructure entities must report cyber attacks within 72 hours and report ransom payments within 24 hours.
In short compass what does each Act do?
The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the critical infrastructure assets from 4 to 11 sectors. Now communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage are included.
The Act increased reporting obligations in the event of an attack on a critical asset. Under the Act the Commonwealth can provide assistance and intervene in cases which constitute a material risk to national security.
Organisations need to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets as well as needing to:.
- establish and maintain an all-hazards critical infrastructure risk management program; and
- have mandatory reporting of serious cyber security incidents to the Australian Signals Directorate.
The incidents need to have a ‘significant’ impact on the availability of the asset and must be reported within 12 hours. Any relevant impact must be reported within 72 hours.
The Bill that passed into law today require critical infrastructure assets to develop and comply with a critical infrastructure risk management program. Organisations must comply with, review, and update the program and submit an annual report to the Commonwealth.
The legislation creates Enhanced Cyber Security Obligations which may be activated by the Government on organisations. Those obligations are to:
- develop and maintain incident response plans.
- undertake a scenario-based exercise.
- conduct a vulnerability assessment.
- provide access to system information relating to the functioning of a system.
Which systems of national significance is declared will be declared by the Minister.
It is a complex piece of legislation which requires careful consideration. The Minister does not intend to require industries affected by the pandemic to comply before 1 January 2023.
Zdnet has written quite a good summary of the legislation in Australia’s second tranche of cyber laws passes both Houses.
The media release for the Home Affairs Minister provides:
Australia’s critical infrastructure – everything from electricity and water, to healthcare and groceries – will be better protected against cyber attacks and other serious security threats after new legislation passed the Parliament today.
Minister for Home Affairs Karen Andrews said the Security Legislative Amendment (Critical Infrastructure Protection) Bill will boost the security and resilience of Australia’s critical infrastructure to safeguard the essential services all Australians rely on from physical, supply chain, cyber and personnel threats.
“These reforms are a key action item under Australia’s Cyber Security Strategy 2020 and are part of the Morrison Government’s work to strengthen our management and response to security risks across critical infrastructure sectors,” Minister Andrews said.
“The Bill builds on the Morrison Government’s strong support for our national security agencies announced in Tuesday’s Federal Budget, to make Australia stronger and keep Australians safe in an increasingly uncertain world.
“We’re investing $9.9 billion to boost cyber and intelligence capability, and an extra $280 million to boost law enforcement capability.
“Throughout the pandemic, Australia’s critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and the essential services we all rely on.
“Following Russia’s aggression against Ukraine, it is a sad reality that there is a heightened cyber threat environment globally, and the risk of cyberattacks has increased on Australian networks, either directly or inadvertently.
“This legislation completes a reform package that gives all Australians assurance that our essential services are resilient and protected.”
The reforms passed today include:
-
- Risk Management Program requiring critical infrastructure owners and operators to manage the risk of hazards that affect the delivery of essential services; designed with industry and building on existing regulatory frameworks, where possible.
- The ability to declare Systems of National Significance – the most interconnected and interdependent of our critical infrastructure assets.
- Enhanced Cyber Security Obligations for owners and operators of assets most critical to the nation (the systems of national significance) – centred around a strengthened relationship with government.
- Improved information sharing provisions to make it easier for regulated entities and governments to share information as needed to comply with their obligations.
The Bill follows extensive public consultation, ongoing engagement with critical infrastructure providers and examination by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
This follows the introduction of important amendments by the Morrison Government last year and the passage of these amendments in November 2021.
These reforms build on the Coalition Government’s actions to spearhead several significant cybersecurity improvements – directly benefiting all Australians – including by:
-
- supporting industries to grow online by launching the National Plan to Combat Cybercrime;
- cracking down on the cybercriminals by funding a dedicated AFP-led cybercrime centre;
- making all Australians safer through passage of important legislation to revolutionise the way Australian agencies investigate and prosecute cybercrime;
- ensuring our law enforcement agencies have much needed powers to combat crime on the dark web;
- cracking down and protecting Australians from ransomware through the Ransomware Action Plan;
- facilitating the exchange of digital information with US authorities by signing the CLOUD Act Agreement with the United States; and
- launching a public information campaign to increase Australian’s cyber security.
The Home Affair’s Minister’s Second Reading speech provides:
The Australian government is committed to protecting the essential services that all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver.
Critical infrastructure is increasingly interconnected and interdependent. These interconnections deliver efficiencies and economic benefits to all Australians. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or even inadvertently cause disruption and result in cascading consequences across our economy, our security and our sovereignty.
Threats ranging from natural hazards, such as extreme weather events, through to human induced threats like foreign interference, cyberattacks and trusted insiders all have the potential to significantly disrupt critical infrastructure. Recent incidents such as the December 2021 Log4j vulnerability, compromising systems in Australia and across the globe, as well as the impacts of COVID-19, illustrate that threats to the operation of Australia’s critical infrastructure continue to be significant and far-reaching.
It is a regrettable fact that malicious threat actors continue to target the infrastructure that underpins the provision of essential services that all Australians rely on. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic not just to our economy, security and sovereignty but the Australian way of life.
Following the tabling of the Parliamentary Joint Committee on Intelligence and Security’s advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the statutory review of the Security of Critical Infrastructure Act 2018 in September 2021, the government moved swiftly to respond and introduce government amendments to these critical recommendations.
In the passage of the Security Legislation Amendment (Critical Infrastructure) Act 2021, known as the SLACI Act, the government addressed recommendations 1 through 5, 10 and 14 of the advisory report in order to legislate the measures of highest criticality to protecting the security of Australian critical infrastructure in the shortest possible time. The SLACI Act has implemented key elements of the framework by introducing mandatory cyberincident reporting and government assistance to relevant entities in response to significant cyberattacks that impact Australia’s critical infrastructure assets.
Today, the government is now seeking to legislate the preventative measures to ensure the continued protection of Australian critical infrastructure through the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, known as the SLACIP Bill. The bill is the culmination of over two years of concerted effort of government and industry working in partnership to develop an approach that will safeguard our critical infrastructure from those threats.
The bill sets out two key obligations. Firstly, the requirement to have, comply with, review and update a risk management program. The risk management program asks critical infrastructure entities to identify material risks that could have an impact on the critical infrastructure asset and, as far as reasonably practicable, minimise, eliminate or mitigate the risk from occurring.
The bill proposes that the risk management program is reported to a critical infrastructure assets board, council or governing body. This ensures that the material risks in the functioning of the asset art reported and raised with the most senior levels of critical infrastructure assets.
The risk management program requirement is designed to be incorporated into the existing risk management arrangements. If a critical infrastructure asset looks at and indeed, I hope, exceeds the requirements in the risk management program rules, then this is suitable for fulfilling the obligation. This obligation is meant to be additive to, as well as the least and lightest regulatory impact. Ensuring that there is appropriate risk management in place, such as for cyber and information security, physical and natural hazards, and personnel risks, is increasingly important given the interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security and sovereignty.
In line with recommendations 8 and 9 of the PJCIS’s advisory report, a comprehensive program of consultation has been undertaken with industry to design the rules and definitions that underpin these reforms. From ministerial round tables that I personally conducted to official-level town halls and working groups, the government has spent over 12 months working in partnership with thousands of entities across industry to ensure that these reforms effectively balance security with compliance costs.
Importantly, none of the risk management program requirements will come into force without additional consultation with industry and careful consideration of any issues they raise, including the timing on when the requirements will come into force. Indeed, if passed by the parliament, my intention is to delay the obligation for critical assets impacted by recent supply chain issues—including the freight services and infrastructure, as well as food assets—until 1 January 2023 at the earliest. Additionally, there are a number of assets that already have existing obligations in place, and I don’t intend to apply the risk management program to every critical infrastructure asset. Detail about the coverage of assets is outlined in the explanatory memorandum.
The government understands that the introduction of reforms that impact many businesses across our economy will cause apprehension. The government is committed to ensuring that the requirements remain fit for purpose in a dynamic and evolving space.
Pursuant to the committee’s advisory report recommendation 6, I have written to the Secretary of the Department of Home Affairs to outline my expectations that the Cyber and Infrastructure Security Centre within the Department of Home Affairs provide technical support and advice to industry regarding the functions of the SOCI Act.
Additional guidance on how to meet the requirements of the risk management program will be jointly developed with industry and government partners over the coming weeks and months. Stakeholders have expressed their appreciation of the government’s commitment to working with industry to develop that guidance material.
The Cyber and Infrastructure Security Centre will take a pragmatic, active and engaged regulatory and partnership approach, working in collaboration with industry, as we build the security and resilience of Australia’s critical infrastructure.
Second, there are some critical infrastructure systems and networks that are so vital, interconnected and of such national significance to the functioning of Australian society, defence or security that, if they were subject to a cyber attack, it would cause disproportionate consequences. The bill sets out criteria for the declaration of a system of national significance. The focus is on identifying critical infrastructure assets that are of national significance, noting interdependencies across key sectors in the economy and consequences should the asset be impacted.
These reforms will mean that not only will we be able to respond in times of crisis, we will also have legislation in place that assists in mitigation of the chances of a crisis emerging in the first place. In line with this objective, the SLACIP Bill implements recommendations 7, 8 and 9 of the committee’s advisory report.
I note the exclusion of the portion of recommendation 7 relating to merits review. This recommendation requested that a merits review system of appeal to the Security Division of the AAT be implemented.
The Administrative Review Council’s publication What decisions should be subject to merit review? identified that national security considerations could justify the exclusion of merits review, particularly those decisions that involve consideration of issues of the highest consequence to the government and where that decision-making power is vested in a minister.
Decisions about systems of national significance involve highly sensitive information that, if released to the public record, would have the potential to highlight assets for targeting by malicious actors. The government notes that judicial review remains available for all decisions made under the SOCI Act.
The SLACIP Bill also enables the government to work with industry to strengthen the cyberpreparedness and resilience of entities that operate assets of the highest criticality to Australia’s national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.
The enhanced cybersecurity obligations will support a bespoke outcomes-focused partnership between government and Australia’s most critical infrastructure asset operators, and will build an aggregated threat picture and understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry.
The report also notes the following recommendations of the PJCIS report, that:
Under recommendation 11, subsection 13A(2) of the Intelligence Services Act 2001 be amended to restrict cooperation or assistance provided by an agency under that act to agencies or other bodies by regulation outlined in subsection 13A(1), only to the functions and extent authorised by other Commonwealth legislation. To deliver on this intent, the Minister for Defence has issued a direction to the Australian Signals Directorate to limit the scope of ASD’s assistance to the government assistance measures in the SOCI Act;
Under recommendation 12, the government review the risks to democratic institutions, particularly from foreign originated cyberthreats, with a view to developing the most appropriate mechanism to protect them at federal, state and local levels. The government agrees that it is vital to maintain the availability, reliability and integrity of Australia’s democratic institutions. The government will review the risks to these institutions and assess appropriate mitigation mechanisms with reference to existing initiatives across government, including the work of the Electoral Integrity Assurance Taskforce, which brings together government agencies with capabilities to identify, assess and remediate threats to the electoral process, including the Australian Cyber Security Centre. Consideration of these risks will also factor in existing efforts to uplift cyber- and data security policy settings across government—federal, state and local; and
Under recommendation 13, the government review the processes and protocols for classified briefings for the opposition during caretaker periods in response to serious cyberincidents, and consider the best-practice principles for any public announcement about those incidents. The government will consider the issue.
This bill today demonstrates the government’s commitment to uplifting the security and resilience of Australia’s critical infrastructure. The measures that are outlined in this bill will enable Australia to maintain the availability, integrity and confidentiality of assets and networks critical to our national interest, and secure those assets from further severe shocks—shocks such as those we have seen from the COVID-19 pandemic and natural disasters, malicious actors and other hazards.
The bill underpins the continued growth of the resilience of Australian industry and the ability for businesses to compete in overseas markets. The bill provides a necessary uplift to the security of critical infrastructure so that Australia continues to be a safe and prosperous nation. I commend the bill.
The Bill provides:
1 Subsection 4(1)
Insert:
critical infrastructure risk management program has the same meaning as in the Security of Critical Infrastructure Act 2018 .
2 After paragraph 8(1)(b)
Insert:
(ba) a critical infrastructure risk management program permits a background check of an individual to be conducted under the AusCheck scheme; or
3 Paragraph 476.6(8)(b) of the Criminal Code
Omit “section 22”, substitute “section 4”.
Security of Critical Infrastructure Act 2018
4 After paragraph 3(b)
Insert:
(c) requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those assets; and
(d) imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents; and
5 Section 4
After paragraph (a) of the paragraph beginning “The framework consists of the following:”, insert:
(b) requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (unless an exemption applies);
6 Section 4
After paragraph (c) of the paragraph beginning “The framework consists of the following:”, insert:
(d) imposing enhanced cyber security obligations that relate to systems of national significance;
7 Section 4
After the paragraph beginning “The Minister may privately declare”, insert:
The Minister may privately declare a critical infrastructure asset to be a system of national significance.
8 Section 5 (definition of critical education asset )
Repeal the definition, substitute:
critical education asset means an asset that:
(a) is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers; and
(b) is used in connection with undertaking a program of research that is critical to:
(i) a critical infrastructure sector (other than the higher education and research sector); or
(ii) the defence of Australia; or
(iii) national security.
Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9).
9 Section 5 (paragraph (c) of the definition of critical energy market operator asset )
After “market”, insert “or system”.
10 Section 5
Insert:
critical infrastructure risk management program has the meaning given by section 30AH.
11 Section 5 (definition of critical telecommunications asset )
Repeal the definition, substitute:
critical telecommunications asset means:
(a) a telecommunications network that is:
(i) owned or operated by a carrier or a carriage service provider; and
(ii) used to supply a carriage service; or
(b) a facility (within the meaning of the Telecommunications Act 1997 ) that is:
(i) owned or operated by a carrier or a carriage service provider; and
(ii) used to supply a carriage service.
Note: The rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9).
12 Section 5
Insert:
custodial or depository service has the same meaning as in the Corporations Act 2001 .
cyber security exercise has the meaning given by section 30CN.
13 Section 5 (definition of data storage or processing service )
Repeal the definition, substitute:
data storage or processing service means:
(a) a service that:
(i) enables end-users to store or back-up data; and
(ii) is provided on a commercial basis; or
(b) a data processing service that:
(i) involves the use of one or more computers; and
(ii) is provided on a commercial basis; or
(c) a service that is specified in the rules.
However, the rules may prescribe that a specified service is not a data storage or processing service.
Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003 .
14 Section 5
Insert:
designated officer has the meaning given by section 30DQ.
evaluation report has the meaning given by section 30CS.
external auditor means a person authorised under section 30CT to be an external auditor for the purposes of this Act.
15 Section 5 (definition of higher education and research sector )
Repeal the definition, substitute:
higher education and research sector means the sector of the Australian economy that involves undertaking a program of research that is:
(a) supported financially (in whole or in part) by the Commonwealth; and
(b) critical to:
(i) a critical infrastructure sector (other than the higher education and research sector); or
(ii) national security; or
(iii) the defence of Australia.
16 Section 5
Insert:
incident response plan has the meaning given by section 30CJ.
17 Section 5 (at the end of the definition of notification provision )
Add:
; or (r) subsection 52B(3); or
(s) subsection 52D(4).
18 Section 5 (after paragraph (b) of the definition of protected information )
Insert:
(ba) records or is the fact that an asset is declared under section 52B to be a system of national significance; or
19 Section 5 (after paragraph (bb) of the definition of protected information )
Insert:
(bc) is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC; or
(bd) is, or is included in, a report that is given under section 30AG or 30AQ; or
20 Section 5 (after paragraph (be) of the definition of protected information )
Insert:
(bf) is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD; or
(bg) is, or is included in, an evaluation report prepared under section 30CQ or 30CR; or
(bh) is, or is included in, a vulnerability assessment report prepared under section 30CZ; or
21 Section 5 (definition of registrable superannuation entity )
Repeal the definition.
22 Section 5
Insert:
related company group means a group of 2 or more bodies corporate, where each member of the group is related to each other member of the group. For this purpose, the question whether a body corporate is related to another body corporate is to be determined in the same manner as that question is determined under the Corporations Act 2001 .
23 Section 5
Insert:
RSE licensee has the same meaning as in the Superannuation Industry (Supervision) Act 1993 .
24 Section 5 (paragraph (a) of the definition of security )
Omit “and 12N”, substitute “, 12N, 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU and 30CW”.
25 Section 5 (paragraph (b) of the definition of security )
Omit “and 12N”, substitute “, 12N, 30AG, 30AQ, 30CB, 30CM, 30CR, 30CU and 30CW”.
26 Section 5
Insert:
system information event-based reporting notice means a notice under subsection 30DC(2).
system information periodic reporting notice means a notice under subsection 30DB(2).
system information software notice means a notice under subsection 30DJ(2).
system of national significance has the meaning given by section 52B.
vulnerability assessment has the meaning given by section 30CY.
vulnerability assessment report has the meaning given by section 30DA.
27 Subsection 8(2) (at the end of the heading)
Add “ etc. ”.
28 Paragraphs 8(2)(b) and (c)
Repeal the paragraphs, substitute:
(b) the entity is:
(i) the entity (the first entity ) that entered into the moneylending agreement; or
(ii) a subsidiary or holding entity of the first entity; or
(iii) a person who is (alone or with others) in a position to determine the investments or policy of the first entity; or
(iv) a security trustee who holds or acquires the interest on behalf of the first entity; or
(v) a receiver, or a receiver and manager, appointed by, or appointed on instructions from, a person or entity mentioned in any of subparagraphs (i) to (iv).
29 At the end of section 8
Add:
Exemption for providers of custodial or depository services
(4) Subsection (1) does not apply to an interest in an asset held by an entity if:
(a) the entity is the provider of a custodial or depository service; and
(b) the entity holds the interest in the asset solely in the entity’s capacity as the provider of a custodial or depository service; and
(c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset.
Exemption for providers of services specified in the rules
(5) Subsection (1) does not apply to an interest in an asset held by an entity if:
(a) the entity is the provider of a service specified in the rules; and
(b) the entity holds the interest in the asset solely in the entity’s capacity as the provider of the service; and
(c) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset.
30 At the end of section 8G
Add:
(3) Each of the following is a relevant impact of a cyber security incident on a system of national significance:
(a) the impact (whether direct or indirect) of the incident on the availability of the system;
(b) the impact (whether direct or indirect) of the incident on the integrity of the system;
(c) the impact (whether direct or indirect) of the incident on the reliability of the system;
(d) the impact (whether direct or indirect) of the incident on the confidentiality of:
(i) information about the system; or
(ii) if information is stored in the system—the information; or
(iii) if the system is computer data—the computer data.
31 After paragraph 12(1)(d)
Insert:
; (e) a control room, or any other asset, that is required to operate a gas transmission pipeline covered by paragraph (d).
32 Paragraph 12F(1)(b)
After “service that”, insert “relates to business critical data and that”.
33 Paragraph 12F(1)(b)
Omit “on a commercial basis”.
34 After paragraph 12F(1)(c)
Insert:
; and (d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)).
35 Subparagraph 12F(2)(b)(i)
Omit “on a commercial basis”.
36 After paragraph 12F(2)(c)
Insert:
; and (d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)).
37 Paragraph 12J(1)(a)
Omit “a registrable superannuation entity”, substitute “an RSE licensee”.
38 Paragraph 12J(2)(a)
Omit “registrable superannuation entities”, substitute “RSE licensees”.
39 Paragraph 12J(2)(b)
Omit “a registrable superannuation entity”, substitute “an RSE licensee”.
40 Subparagraph 12K(1)(a)(i)
Before “food”, insert “essential”.
41 Subparagraph 12K(1)(a)(ii)
Before “groceries”, insert “essential”.
42 After paragraph 12KA(1)(b)
Insert:
; and (c) is an asset that, in accordance with subsection (3), is critical to the administration of an Australian domain name system.
43 At the end of section 12KA
Add:
(3) For the purposes of paragraph (1)(c), the rules may prescribe:
(a) specified assets that are critical to the administration of an Australian domain name system; or
(b) requirements for an asset to be critical to the administration of an Australian domain name system.
44 Paragraph 12L(6)(a)
Omit “registrable superannuation entity”, substitute “RSE licensee”.
45 At the end of section 12L
Add:
System of national significance
(25) If a critical infrastructure asset is a system of national significance, the responsible entity for the system of national significance is the responsible entity for the asset.
46 Subparagraph 18AA(2)(a)(ii)
Omit “28 days after the notice is published”, substitute “the period specified in the notice”.
47 Paragraph 18AA(2)(c)
Omit “28-day”.
48 At the end of section 18AA
Add:
(3) The period specified in the notice must not be shorter than 28 days.
49 After Part 2
Insert:
Part 2A — Critical infrastructure risk management programs
30AA Simplified outline of this Part
â?¢ The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies).
â?¢ The purpose of a critical infrastructure risk management program is to do the following for each of those assets:
(a) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(b) so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring;
(c) so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset.
â?¢ A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.
Note: See also section 30AB (application of this Part).
(1) This Part applies to a critical infrastructure asset if:
(a) the asset is specified in the rules; or
(b) both:
(i) the asset is the subject of a declaration under section 51; and
(ii) the declaration determines that this Part applies to the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(2) Subsection (1) has effect subject to subsections (3), (4), (5) and (6).
Exemptions
(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:
(a) beginning when the asset became a critical infrastructure asset; and
(b) ending at a time ascertained in accordance with the rules.
(4) If:
(a) an entity holds a certificate of hosting certification (strategic level) that relates to one or more services; and
(b) the certificate was issued under the scheme that is:
(i) administered by the Commonwealth; and
(ii) known as the hosting certification framework; and
(c) a critical infrastructure asset, or a part of a critical infrastructure asset, is used in connection with the provision of any of those services; and
(d) the entity is the responsible entity for the asset;
this Part does not apply to the asset.
Note: For reporting obligations, see Part 2AA.
(5) If:
(a) an entity is covered by a provision of a law of the Commonwealth, a State or a Territory; and
(b) the provision is specified in the rules; and
(c) the entity is the responsible entity for a critical infrastructure asset;
this Part does not apply to the asset.
Note: For reporting obligations, see Part 2AA.
(6) If:
(a) a critical infrastructure asset is covered by a provision of a law of the Commonwealth, a State or a Territory; and
(b) the provision is specified in the rules;
this Part does not apply to the asset.
Note: For reporting obligations, see Part 2AA.
Scope
(1) This section applies to rules made for the purposes of section 30AB.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department’s website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice ; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the period mentioned in paragraph (a).
(3) The period specified in the notice must not be shorter than 28 days.
30AC Responsible entity must have a critical infrastructure risk management program
If an entity is the responsible entity for one or more critical infrastructure assets, the entity must:
(a) adopt; and
(b) maintain;
a critical infrastructure risk management program that applies to the entity.
Civil penalty: 200 penalty units.
30AD Compliance with critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must comply with:
(c) the critical infrastructure risk management program; or
(d) if the program has been varied on one or more occasions—the program as varied.
Civil penalty: 200 penalty units.
30AE Review of critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must review the program on a regular basis.
Civil penalty: 200 penalty units.
30AF Update of critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must take all reasonable steps to ensure that the program is up to date.
Civil penalty: 200 penalty units.
30AG Responsible entity must submit annual report
Scope
(1) This section applies if, during a period (the relevant period ) that consists of the whole or a part of a financial year:
(a) an entity was the responsible entity for one or more critical infrastructure assets; and
(b) the entity had a critical infrastructure risk management program that applied to the entity.
Annual report
(2) The entity must, within 90 days after the end of the financial year, give:
(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets—the relevant Commonwealth regulator; or
(b) in any other case—the Secretary;
a report that:
(c) if the entity had the program at the end of the financial year—includes whichever of the following statements is applicable:
(i) if the program was up to date at the end of the financial year—a statement to that effect;
(ii) if the program was not up to date at the end of the financial year—a statement to that effect; and
(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period—includes a statement that:
(i) identifies the hazard; and
(ii) evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned; and
(iii) if the program was varied during the financial year as a result of the occurrence of the hazard—outlines the variation; and
(e) is in the approved form; and
(f) if the entity has a board, council or other governing body—is approved by the board, council or other governing body, as the case requires.
Civil penalty: 150 penalty units.
(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.
30AH Critical infrastructure risk management program
(1) A critical infrastructure risk management program is a written program:
(a) that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets; and
(b) the purpose of which is to do the following for each of those assets:
(i) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(ii) so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring;
(iii) so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset; and
(c) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(c):
(a) may be of general application; or
(b) may relate to one or more specified critical infrastructure assets.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
(4) Rules made for the purposes of paragraph (1)(c) may require that a critical infrastructure risk management program include one or more provisions that:
(a) permit a background check of an individual to be conducted under the AusCheck scheme; and
(b) provide that such a background check must include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act 2007 , as specified in the rules; and
(c) provide that, if such a background check includes an assessment of information relating to the matter mentioned in paragraph 5(a) of the AusCheck Act 2007 , the criteria against which that information must be assessed are the criteria specified in the rules; and
(d) provide that, if such a background check includes assessment of information relating to the matter mentioned in paragraph 5(d) of the AusCheck Act 2007 , the assessment must consist of whichever of the following is specified in the rules:
(i) an electronic identity verification check;
(ii) an in person identity verification check;
(iii) both an electronic identity verification check and an in person identity verification check.
(5) Subsection (4) does not limit paragraph (1)(c).
(6) In specifying requirements in rules made for the purposes of paragraph (1)(c), the Minister must have regard to the following matters:
(a) any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;
(b) the costs that are likely to be incurred by responsible entities in complying with those rules;
(c) the reasonableness and proportionality of the requirements in relation to the purpose referred to in paragraph (1)(b);
(d) such other matters (if any) as the Minister considers relevant.
(7) For the purposes of this section, in determining whether a risk is a material risk, regard must be had to:
(a) the likelihood of the hazard occurring; and
(b) the relevant impact of the hazard on the asset if the hazard were to occur.
(8) The rules may provide that a specified risk is taken to be a material risk for the purposes of this section.
(9) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(10) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(11) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(12) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
30AJ Variation of critical infrastructure risk management program
A critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program.
30AK Revocation of adoption of critical infrastructure risk management program
If an entity has adopted a critical infrastructure risk management program that applies to the entity, this Part does not prevent the entity from:
(a) revoking that adoption; and
(b) adopting another critical infrastructure risk management program that applies to the entity.
30AKA Responsible entity must have regard to certain matters in deciding whether to adopt or vary critical infrastructure risk management program etc.
Adoption of program
(1) If an entity is the responsible entity for one or more critical infrastructure assets, then, in deciding whether to adopt a critical infrastructure risk management program, the entity must have regard to such matters (if any) as are set out in the rules.
Civil penalty: 200 penalty units.
(2) Subsection (1) does not limit the matters to which the responsible entity may have regard.
Review of program
(3) If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
then, in reviewing the program in accordance with section 30AE, the entity must have regard to such matters (if any) as are set out in the rules.
Civil penalty: 200 penalty units.
(4) Subsection (3) does not limit the matters to which the responsible entity may have regard.
Variation of program
(5) If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
then, in deciding whether to vary the program, the entity must have regard to such matters (if any) as are set out in the rules.
Civil penalty: 200 penalty units.
(6) Subsection (5) does not limit the matters to which the responsible entity may have regard.
Rules
(7) Rules made for the purposes of subsection (1), (3) or (5):
(a) may be of general application; or
(b) may relate to one or more specified critical infrastructure assets.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(8) Subsection (7) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
30AL Consultation—rules made for the purposes of section 30AH or 30AKA
Scope
(1) This section applies to rules made for the purposes of section 30AH or 30AKA.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department’s website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the period mentioned in paragraph (a).
(3) The period specified in the notice must not be shorter than 28 days.
(4) Subsection (2) does not apply if:
(a) the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset; or
(b) the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset.
Note: See also section 30AM (review of rules).
Scope
(1) This section applies if, because of subsection 30AL(4), subsection 30AL(2) did not apply to the making of:
(a) rules; or
(b) amendments.
Review of rules
(2) The Secretary must:
(a) if paragraph (1)(a) applies—review the operation, effectiveness and implications of the rules; and
(b) if paragraph (1)(b) applies—review the operation, effectiveness and implications of the amendments; and
(c) without limiting paragraph (a) or (b), consider whether any amendments should be made; and
(d) give the Minister:
(i) a report of the review; and
(ii) a statement setting out the Secretary’s findings.
(3) For the purposes of the review, the Secretary must:
(a) cause to be published on the Department’s website a notice:
(i) setting out the rules or amendments concerned; and
(ii) inviting persons to make submissions to the Secretary about the rules or amendments concerned within the period specified in the notice; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the period mentioned in paragraph (a).
(4) The period specified in the notice must not be shorter than 28 days.
(5) The Secretary must complete the review within 60 days after the commencement of the rules or amendments concerned.
Minister to table statement of findings
(6) The Minister must cause a copy of the statement of findings to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives it.
30AN Application, adoption or incorporation of a law of a State or Territory etc.
Scope
(1) This section applies to rules made for the purposes of section 30AH or 30AKA.
Application, adoption or incorporation of a law of a State or Territory
(2) Despite subsection 14(2) of the Legislation Act 2003 , the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.
Application, adoption or incorporation of a standard
(3) Despite subsection 14(2) of the Legislation Act 2003 , the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time.
Note: The expression Standards Australia is defined in section 2B of the Acts Interpretation Act 1901 .
30ANA Application, adoption or incorporation of certain documents
Application, adoption or incorporation of a relevant document
(1) Despite subsection 14(2) of the Legislation Act 2003 , rules made for the purposes of section 30AH or 30AKA of this Act may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a relevant document as in force or existing from time to time.
Relevant document
(2) For the purposes of this section, relevant document means:
(a) the document titled Essential Eight Maturity Model and published by the Australian Signals Directorate; or
(b) the document titled Framework for Improving Critical Infrastructure Cybersecurity and published by the National Institute of Standards and Technology of the United States of America; or
(c) the document titled Cybersecurity Capability Maturity Model and published by the Department of Energy of the United States of America; or
(d) the document titled The 2020-21 AESCSF Framework Core and published by Australian Energy Market Operator Limited (ACN 072 010 327); or
(e) the document titled Cyber Supply Chain Risk Management and published by the Australian Signals Directorate; or
(f) a document specified in the rules.
(3) Subsection 13(3) of the Legislation Act 2003 does not apply to paragraph (2)(f) of this section.
30ANB Consultation—rules made for the purposes of paragraph 30ANA(2)(f)
Scope
(1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f).
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department’s website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the period mentioned in paragraph (a).
(3) The period specified in the notice must not be shorter than 28 days.
Scope
(1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f).
Disallowance
(2) Either House of the Parliament may, following a motion upon notice, pass a resolution disallowing the rules. For the resolution to be effective:
(a) the notice must be given in that House within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of the Legislation Act 2003 ; and
(b) the resolution must be passed, in pursuance of the motion, within 15 sitting days of that House after the giving of that notice.
(3) If neither House passes such a resolution, the rules take effect on the day immediately after the last day upon which such a resolution could have been passed if it were assumed that notice of a motion to disallow the rules was given in each House on the last day of the 15 sitting day period of that House mentioned in paragraph (2)(a).
(4) If:
(a) notice of a motion to disallow the rules is given in a House of the Parliament within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of the Legislation Act 2003 ; and
(b) at the end of 15 sitting days of that House after the giving of that notice of motion:
(i) the notice has not been withdrawn and the motion has not been called on; or
(ii) the motion has been called on, moved and (where relevant) seconded and has not been withdrawn or otherwise disposed of;
the rules are then taken to have been disallowed, and subsection (3) does not apply to the rules.
(5) Section 42 (disallowance) of the Legislation Act 2003 does not apply to the rules.
Note 1: The 15 sitting day notice period mentioned in paragraph (2)(a) of this section is the same as the 15 sitting day notice period mentioned in paragraph 42(1)(a) of the Legislation Act 2003 .
Note 2: The 15 sitting day disallowance period mentioned in paragraph (2)(b) of this section is the same as the 15 sitting day disallowance period mentioned in paragraph 42(1)(b) of the Legislation Act 2003 .
Part 2AA — Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program
30AP Simplified outline of this Part
â?¢ A responsible entity must give an annual report relating to certain assets that are not covered by a critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.
30AQ Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program
Scope
(1) This section applies if, during a period (the relevant period ) that consists of the whole or a part of a financial year, an entity was the responsible entity for one or more critical infrastructure assets that are covered by subsection 30AB(4), (5) or (6).
Annual report
(2) The entity must, within 90 days after the end of the financial year, give:
(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets—the relevant Commonwealth regulator; or
(b) in any other case—the Secretary;
a report that:
(c) sets out the reason why those assets are covered by subsection 30AB(4), (5) or (6); and
(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period—includes a statement that:
(i) identifies the hazard; and
(ii) evaluates the effectiveness of the action (if any) taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the assets concerned; and
(e) is in the approved form; and
(f) if the entity has a board, council or other governing body—is approved by the board, council or other governing body, as the case requires.
Civil penalty: 150 penalty units.
(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.
50 Subparagraph 30BBA(2)(a)(ii)
Omit “28 days after the notice is published”, substitute “the period specified in the notice”.
51 Paragraph 30BBA(2)(c)
Omit “28-day”.
52 Subparagraph 30BBA(2)(d)(ii)
Omit “28-day”.
53 At the end of section 30BBA
Add:
(3) The period specified in the notice must not be shorter than 28 days.
54 At the end of subsection 30BE
Add:
(3) If:
(a) an entity is or was subject to a requirement under section 30BC or 30BD; and
(b) the entity is or was a member of a related company group;
then:
(c) another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and
(d) an officer, employee or agent of another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement.
(4) If:
(a) an entity (the first entity ) is or was subject to a requirement under section 30BC or 30BD; and
(b) another entity (the contracted service provider ) is or was:
(i) a party to a contract with the first entity; and
(ii) responsible under the contract for the provision of services to the first entity;
then:
(c) the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and
(d) an officer, employee or agent of the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement.
55 Paragraph 30BEB(2)(b)
Omit “28 days after the notice is given”, substitute “the period specified in the notice”.
56 Paragraphs 30BEB(2)(c) and (d)
Omit “28-day”.
57 At the end of section 30BEB
Add:
(3) The period specified in the notice must not be shorter than 28 days.
58 After Part 2B
Insert:
Part 2C — Enhanced cyber security obligations
Division 1 — Simplified outline of this Part
30CA Simplified outline of this Part
â?¢ This Part sets out enhanced cyber security obligations that relate to systems of national significance.
â?¢ The responsible entity for a system of national significance may be subject to statutory incident response planning obligations.
â?¢ The responsible entity for a system of national significance may be required to undertake a cyber security exercise.
â?¢ The responsible entity for a system of national significance may be required to undertake a vulnerability assessment.
â?¢ If a computer is a system of national significance, or is needed to operate a system of national significance, a relevant entity for the system may be required to:
(a) give ASD periodic reports of system information; or
(b) give ASD event-based reports of system information; or
(c) install software that transmits system information to ASD.
Note: For a declaration of a system of national significance, see section 52B.
Division 2 — Statutory incident response planning obligations
Subdivision A — Application of statutory incident response planning obligations
30CB Application of statutory incident response planning obligations—determination by the Secretary
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to:
(a) the system; and
(b) cyber security incidents.
(2) A determination under this section takes effect at the time specified in the determination.
(3) The specified time must not be earlier than the end of the 30-day period that began when the notice was given.
(4) In deciding whether to give a notice to an entity under this section in relation to a system of national significance, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with Subdivision B; and
(b) the reasonableness and proportionality of applying the statutory incident response planning obligations to the entity in relation to:
(i) the system; and
(ii) cyber security incidents; and
(c) such other matters (if any) as the Secretary considers relevant.
(5) Before giving a notice to an entity under this section in relation to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator.
(6) A determination under this section is not a legislative instrument.
30CC Revocation of determination
Scope
(1) This section applies if:
(a) a determination is in force under section 30CB; and
(b) notice of the determination was given to a particular entity.
Power to revoke determination
(2) The Secretary may, by written notice given to the entity, revoke the determination.
Application of the Acts Interpretation Act 1901
(3) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Division).
Subdivision B — Statutory incident response planning obligations
30CD Responsible entity must have an incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the statutory incident response planning obligations apply to the entity in relation to:
(i) the system; and
(ii) cyber security incidents;
the entity must:
(c) adopt; and
(d) maintain;
an incident response plan that applies to the entity in relation to:
(e) the system; and
(f) cyber security incidents.
Civil penalty: 200 penalty units.
30CE Compliance with incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must comply with:
(c) the incident response plan; or
(d) if the plan has been varied on one or more occasions—the plan as varied.
Civil penalty: 200 penalty units.
30CF Review of incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must review the plan on a regular basis.
Civil penalty: 200 penalty units.
30CG Update of incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must take all reasonable steps to ensure that the plan is up to date.
Civil penalty: 200 penalty units.
30CH Copy of incident response plan must be given to the Secretary
(1) If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity adopts an incident response plan that applies to the entity;
the entity must:
(c) provide a copy of the incident response plan to the Secretary; and
(d) do so as soon as practicable after the adoption.
Civil penalty: 200 penalty units.
(2) If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity varies an incident response plan that applies to the entity;
the entity must:
(c) provide a copy of the varied incident response plan to the Secretary; and
(d) do so as soon as practicable after the variation.
Civil penalty: 200 penalty units.
(1) An incident response plan is a written plan:
(a) that applies to an entity that is the responsible entity for a system of national significance; and
(b) that relates to the system; and
(c) that relates to cyber security incidents; and
(d) the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system; and
(e) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(e):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
30CK Variation of incident response plan
An incident response plan may be varied, so long as the varied plan is an incident response plan.
30CL Revocation of adoption of incident response plan
If an entity has adopted an incident response plan that applies to the entity, this Division does not prevent the entity from:
(a) revoking that adoption; and
(b) adopting another incident response plan that applies to the entity.
Division 3 — Cyber security exercises
30CM Requirement to undertake cyber security exercise
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the notice.
(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the notice.
(3) The period specified in a notice under subsection (1) or (2) must not be earlier than the end of the 30-day period that began when the notice was given.
(4) A notice under subsection (1) or (2) may also require the entity to do any or all of the following things:
(a) allow one or more specified designated officers to observe the cyber security exercise;
(b) provide those designated officers with access to premises for the purposes of observing the cyber security exercise;
(c) provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise;
(d) allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice;
(e) give those designated officers reasonable notice of the time when the cyber security exercise will begin.
(5) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirement in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
(6) Before giving a notice to an entity under subsection (1) or (2) in relation to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator.
(1) A cyber security exercise is an exercise:
(a) that is undertaken by the responsible entity for a system of national significance; and
(b) that relates to the system; and
(c) that either:
(i) relates to all types of cyber security incidents; or
(ii) relates to one or more specified types of cyber security incidents; and
(d) if the exercise relates to all types of cyber security incidents—the purpose of which is to:
(i) test the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and
(e) if the exercise relates to one or more specified types of cyber security incidents—the purpose of which is to:
(i) test the entity’s ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity’s preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity’s ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and
(f) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(f):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
30CP Compliance with requirement to undertake cyber security exercise
An entity must comply with a notice given to the entity under section 30CM.
Civil penalty: 200 penalty units.
30CQ Internal evaluation report
(1) If an entity undertakes a cyber security exercise under section 30CM, the entity must:
(a) do both of the following:
(i) prepare an evaluation report relating to the cyber security exercise;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the exercise; or
(ii) if the Secretary allows a longer period—within that longer period.
Civil penalty: 200 penalty units.
(2) An evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1) of this section or subsection 30CR(6)).
30CR External evaluation report
Scope
(1) This section applies if an entity has undertaken a cyber security exercise under section 30CM, and:
(a) all of the following conditions are satisfied:
(i) the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise;
(ii) the entity has given a copy of the report to the Secretary;
(iii) the Secretary has reasonable grounds to believe that the report was not prepared appropriately; or
(b) the entity has contravened section 30CQ.
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) appoint an external auditor; and
(b) arrange for the external auditor to prepare an evaluation report (the new evaluation report ) relating to the exercise; and
(c) arrange for the external auditor to give the new evaluation report to the entity; and
(d) give the Secretary a copy of the new evaluation report within:
(i) the period specified in the notice; or
(ii) if the Secretary allows a longer period—that longer period.
(3) The notice must specify:
(a) the matters to be covered by the new evaluation report; and
(b) the form of the new evaluation report and the kinds of details it is to contain.
Consultation
(4) Before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator.
Eligibility for appointment as an external auditor
(5) An individual is not eligible to be appointed as an external auditor by the entity if the individual is an officer, employee or agent of the entity.
Compliance
(6) An entity must comply with a requirement under subsection (2).
Civil penalty: 200 penalty units.
Immunity
(7) The new evaluation report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (6)).
30CS Meaning of evaluation report
An evaluation report , in relation to a cyber security exercise that was undertaken in relation to a system of national significance, is a written report:
(a) if the exercise relates to all types of cyber security incidents—the purpose of which is to:
(i) evaluate the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(ii) evaluate the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(iii) evaluate the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and
(b) if the exercise relates to one or more specified types of cyber security incidents—the purpose of which is to:
(i) evaluate the entity’s ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(ii) evaluate the entity’s preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(iii) evaluate the entity’s ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and
(c) that complies with such requirements (if any) as are specified in the rules.
(1) The Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of this Act.
Note: For specification by class, see subsection 33(3AB) of the Acts Interpretation Act 1901 .
(2) An authorisation under subsection (1) is not a legislative instrument.
Division 4 — Vulnerability assessments
30CU Requirement to undertake vulnerability assessment
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the notice.
(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the notice.
(3) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirement in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
(4) Before giving a notice to an entity under subsection (1) or (2) in relation to the system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator.
30CV Compliance with requirement to undertake a vulnerability assessment
An entity must comply with a notice given to the entity under section 30CU.
Civil penalty: 200 penalty units.
30CW Designated officers may undertake a vulnerability assessment
Scope
(1) This section applies if:
(a) an entity is the responsible entity for a system of national significance; and
(b) either:
(i) the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice; or
(ii) the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2).
Request
(2) The Secretary may give a designated officer a written request to:
(a) undertake a vulnerability assessment in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the request.
(3) The Secretary may give a designated officer a written request to:
(a) undertake a vulnerability assessment in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the request.
(4) Before giving a request under subsection (2) or (3) in relation to the system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator.
Requirement
(5) If a request under subsection (2) or (3) is given to a designated officer, the Secretary may, by written notice given to the entity, require the entity to do any or all of the following things:
(a) provide the designated officer with access to premises for the purposes of undertaking the vulnerability assessment;
(b) provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment;
(c) provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment.
Notification of request
(6) If a request under subsection (2) or (3) is given to a designated officer, the Secretary must give a copy of the request to the entity.
30CX Compliance with requirement to provide reasonable assistance etc.
An entity must comply with a notice given to the entity under subsection 30CW(5).
Civil penalty: 200 penalty units.
(1) A vulnerability assessment is an assessment:
(a) that relates to a system of national significance; and
(b) that either:
(i) relates to all types of cyber security incidents; or
(ii) relates to one or more specified types of cyber security incidents; and
(c) if the assessment relates to all types of cyber security incidents—the purpose of which is to test the vulnerability of the system to all types of cyber security incidents; and
(d) if the assessment relates to one or more specified types of cyber security incidents—the purpose of which is to test the vulnerability of the system to those types of cyber security incidents; and
(e) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(e):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
30CZ Vulnerability assessment report
(1) If an entity undertakes, or causes to be undertaken, a vulnerability assessment under section 30CU, the entity must:
(a) do both of the following:
(i) prepare, or cause to be prepared, a vulnerability assessment report relating to the assessment;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the assessment; or
(ii) if the Secretary allows a longer period—within that longer period.
Civil penalty: 200 penalty units.
(2) If a designated officer undertakes a vulnerability assessment in accordance with a request given to the designated officer under section 30CW, the designated officer must:
(a) do both of the following:
(i) prepare a vulnerability assessment report relating to the assessment;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the assessment; or
(ii) if the Secretary allows a longer period—within that longer period.
(3) If an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1)).
30DA Meaning of vulnerability assessment report
A vulnerability assessment report , in relation to a vulnerability assessment that was undertaken in relation to a system of national significance, is a written report:
(a) if the assessment relates to all types of cyber security incidents—the purpose of which is to assess the vulnerability of the system to all types of cyber security incidents; and
(b) if the assessment relates to one or more specified types of cyber security incidents—the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents; and
(c) that complies with such requirements (if any) as are specified in the rules.
Division 5 — Access to system information
Subdivision A — System information reporting notices
30DB Secretary may require periodic reporting of system information
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988 ).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) prepare periodic reports that:
(i) consist of any such information; and
(ii) relate to such regular intervals as are specified in the notice; and
(b) prepare those periodic reports:
(i) in the manner and form specified in the notice; and
(ii) in accordance with the information technology requirements specified in the notice; and
(c) give each of those periodic reports to ASD within the period ascertained in accordance with the notice in relation to the periodic report concerned.
(3) A notice under subsection (2) is to be known as a system information periodic reporting notice .
(4) In deciding whether to give a system information periodic reporting notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirements in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
Matters to be set out in notice
(5) A system information periodic reporting notice must set out the effect of section 30DF.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
30DC Secretary may require event-based reporting of system information
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that, each time a particular kind of event occurs, a relevant entity for the system of national significance will be technically capable of preparing a report consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988 ).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to do the following things each time an event of that kind occurs:
(a) prepare a report that consists of any such information;
(b) prepare that report:
(i) in the manner and form specified in the notice; and
(ii) in accordance with the information technology requirements specified in the notice;
(c) give that report to ASD as soon as practicable after the event occurs.
(3) A notice under subsection (2) is to be known as a system information event-based reporting notice .
(4) In deciding whether to give a system information event-based reporting notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirements in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
Matters to be set out in notice
(5) A system information event-based reporting notice must set out the effect of section 30DF.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
Before giving:
(a) a system information periodic reporting notice; or
(b) a system information event-based reporting notice;
to a relevant entity for a system of national significance, the Secretary must consult:
(c) the relevant entity; and
(d) if the relevant entity is not the responsible entity for the system of national significance—the responsible entity for the system of national significance.
30DE Duration of system information periodic reporting notice or system information event-based reporting notice
(1) A system information periodic reporting notice or a system information event-based reporting notice:
(a) comes into force:
(i) when it is given; or
(ii) if a later time is specified in the notice—at that later time; and
(b) remains in force for the period specified in the notice.
(2) The period specified in the notice must not be longer than 12 months.
(3) If a system information periodic reporting notice (the original notice ) is in force, this Act does not prevent the Secretary from giving a fresh system information periodic reporting notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
(4) If a system information event-based reporting notice (the original notice ) is in force, this Act does not prevent the Secretary from giving a fresh system information event-based reporting notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
30DF Compliance with system information periodic reporting notice or system information event-based reporting notice
An entity must comply with:
(a) a system information periodic reporting notice; or
(b) a system information event-based reporting notice;
to the extent that the entity is capable of doing so.
Civil penalty: 200 penalty units.
(1) An entity is not excused from giving a report under section 30DB or 30DC on the ground that the report might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to giving a report under section 30DB or 30DC, the individual is not excused from giving a report under that section on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
30DH Admissibility of report etc.
If a report is given under section 30DB or 30DC:
(a) the report; or
(b) giving the report;
is not admissible in evidence against an entity:
(c) in criminal proceedings other than proceedings for an offence against section 137.2 of the Criminal Code that relates to this Act; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DF.
Subdivision B — System information software
30DJ Secretary may require installation of system information software
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance would not be technically capable of preparing reports under section 30DB or 30DC consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988 ).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) both:
(i) install a specified computer program on the computer; and
(ii) do so within the period specified in the notice; and
(b) maintain the computer program installed in accordance with paragraph (a); and
(c) take all reasonable steps to ensure that the computer is continuously supplied with an internet carriage service that enables the computer program to function.
(3) A notice under subsection (2) is to be known as a system information software notice .
(4) In deciding whether to give a system information software notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirements in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
(5) A computer program may only be specified in a system information software notice if the purpose of the computer program is to:
(a) collect and record information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988 ); and
(b) cause the information to be transmitted electronically to ASD.
Matters to be set out in notice
(6) A system information software notice must set out the effect of section 30DM.
Other powers not limited
(7) This section does not, by implication, limit a power conferred by another provision of this Act.
Before giving a system information software notice to a relevant entity for a system of national significance, the Secretary must consult:
(a) the relevant entity; and
(b) if the relevant entity is not the responsible entity for the system of national significance—the responsible entity for the system of national significance.
30DL Duration of system information software notice
(1) A system information software notice:
(a) comes into force:
(i) when it is given; or
(ii) if a later time is specified in the notice—at that later time; and
(b) remains in force for the period specified in the notice.
(2) The period specified in the notice must not be longer than 12 months.
(3) If a system information software notice (the original notice ) is in force, this Act does not prevent the Secretary from giving a fresh system information software notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
30DM Compliance with system information software notice
An entity must comply with a system information software notice to the extent that the entity is capable of doing so.
Civil penalty: 200 penalty units.
(1) An entity is not excused from complying with a system information software notice on the ground that complying with the notice might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to complying with a system information software notice, the individual is not excused from complying with the notice on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
30DP Admissibility of information etc.
If:
(a) a computer program is installed in compliance with a system information software notice; and
(b) information is transmitted to ASD as a result of the operation of the computer program;
the information is not admissible in evidence against an entity:
(c) in criminal proceedings; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DM.
Division 6 — Designated officers
(1) A designated officer is an individual appointed by the Secretary, in writing, to be a designated officer for the purposes of this Act.
(2) The Secretary must not appoint an individual under subsection (1) unless:
(a) the individual is a Departmental employee; or
(b) both:
(i) the individual is a staff member of ASD; and
(ii) the Director-General of ASD has agreed to the appointment.
(3) The Secretary may, in writing, declare that each Departmental employee included in a specified class of Departmental employees is a designated officer.
(4) The Secretary may, in writing, declare that each staff member of ASD included in a specified class of staff members of ASD is a designated officer.
(5) The Secretary must not make a declaration under subsection (4) unless the Director-General of ASD has agreed to the declaration.
(6) For the purposes of this section, Departmental employee means an APS employee in the Department.
(7) For the purposes of this section, staff member of ASD has the same meaning as in the Intelligence Services Act 2001 .
(8) A declaration under this section is not a legislative instrument.
59 After section 35
Insert:
35AAA Directions prevail over inconsistent critical infrastructure risk management programs
If a critical infrastructure risk management program is applicable to a critical infrastructure asset, the program has no effect to the extent to which it is inconsistent with a direction under subsection 32(2).
60 At the end of subsection 35AAB
Add:
(3) If:
(a) an entity is or was subject to a direction under subsection 32(2); and
(b) the entity is or was a member of a related company group;
then:
(c) another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction; and
(d) an officer, employee or agent of another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction.
(4) If:
(a) an entity (the first entity ) is or was subject to a direction under subsection 32(2); and
(b) another entity (the contracted service provider ) is or was:
(i) a party to a contract with the first entity; and
(ii) responsible under the contract for the provision of services to the first entity;
then:
(c) the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction; and
(d) an officer, employee or agent of the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction.
61 After section 35AT
Insert:
35AU Directions prevail over inconsistent critical infrastructure risk management programs
If a critical infrastructure risk management program is applicable to an entity, the program has no effect to the extent to which it is inconsistent with a direction given to the entity under section 35AQ.
62 At the end of subsection 35AW
Add:
(3) If:
(a) an entity is or was subject to a direction given under section 35AQ; and
(b) the entity is or was a member of a related company group;
then:
(c) another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction; and
(d) an officer, employee or agent of another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction.
(4) If:
(a) an entity (the first entity ) is or was subject to a direction given under section 35AQ; and
(b) another entity (the contracted service provider ) is or was:
(i) a party to a contract with the first entity; and
(ii) responsible under the contract for the provision of services to the first entity;
then:
(c) the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction; and
(d) an officer, employee or agent of the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the direction.
63 At the end of subsection 35BB
Add:
(6) If:
(a) an entity is or was subject to a requirement under subsection (1); and
(b) the entity is or was a member of a related company group;
then:
(c) another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and
(d) an officer, employee or agent of another member of the related company group is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement.
(7) If:
(a) an entity (the first entity ) is or was subject to a requirement under subsection (1); and
(b) another entity (the contracted service provider ) is or was:
(i) a party to a contract with the first entity; and
(ii) responsible under the contract for the provision of services to the first entity;
then:
(c) the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement; and
(d) an officer, employee or agent of the contracted service provider is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith for the purposes of ensuring or facilitating compliance with the requirement.
64 After section 42
Insert:
42A Authorised use and disclosure—development of proposed amendments of this Act etc.
The Secretary may:
(a) disclose protected information to an entity for the purposes of developing or assessing:
(i) proposed amendments of this Act; or
(ii) proposed rules; or
(iii) proposed amendments of the rules; and
(b) make a record of or use protected information for the purpose of that disclosure.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
65 After section 43
Insert:
43AA Authorised disclosure to Ombudsman official
The Secretary may:
(a) disclose protected information to an Ombudsman official for the purposes of exercising powers, or performing duties or functions, as an Ombudsman official; and
(b) make a record of or use protected information for the purpose of that disclosure.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
66 After section 43D
Insert:
43E Authorised disclosure of protected information by the entity to whom the information relates
(1) An entity may disclose protected information if:
(a) the entity is the entity to whom the protected information relates; and
(b) the entity discloses the protected information to:
(i) a Minister of the Commonwealth who has responsibility for the regulation or oversight of the relevant critical infrastructure sector to which the protected information relates;
(ii) a Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant critical infrastructure sector to which the protected information relates;
(iii) a person employed as a member of staff of a Minister mentioned in subparagraph (i) or (ii);
(iv) the head of an agency (including a Department) administered by a Minister mentioned in subparagraph (i) or (ii), or an officer or employee of that agency; and
(c) the disclosure to the person mentioned in paragraph (b) is for the purposes of enabling or assisting the person to exercise the person’s powers or perform the person’s functions or duties.
Note: This subsection is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
(2) An entity may disclose protected information if:
(a) the entity is the entity to whom the protected information relates; and
(b) the protected information is covered by:
(i) any of paragraphs (b) to (bl) of the definition of protected information in section 5; or
(ii) paragraph (c) of that definition so far as that definition relates to any of paragraphs (b) to (bl) of that definition; and
(iii) the Secretary has consented, in writing, to the disclosure; and
(iv) if the Secretary’s consent is subject to one or more conditions—those conditions are satisfied.
Note: This subsection is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
(3) An entity may disclose protected information if:
(a) the entity is the entity to whom the protected information relates; and
(b) the protected information is not covered by:
(i) any of paragraphs (b) to (bl) of the definition of protected information in section 5; or
(ii) paragraph (c) of that definition so far as that definition relates to any of paragraphs (b) to (bl) of that definition.
Note: This subsection is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
67 Subsection 46(2)
After “critical infrastructure asset”, insert “or of the fact that an asset is declared under section 52B to be a system of national significance”.
68 Paragraph 46(4)(b)
Repeal the paragraph.
69 After subsection 46(4) (before the note)
Insert:
Disclosure to an Ombudsman official
(5) Section 45 does not apply to an entity to the extent that the entity discloses protected information to an Ombudsman official for the purposes of exercising powers, or performing duties or functions, as an Ombudsman official.
70 After paragraph 51(2A)(a)
Insert:
(b) determine that Part 2A applies to the asset;
71 After Part 6
Insert:
Part 6A — Declaration of systems of national significance by the Minister
Division 1 — Simplified outline of this Part
52A Simplified outline of this Part
The Minister may privately declare a critical infrastructure asset to be a system of national significance.
The Minister must notify each reporting entity for an asset that is a declared system of national significance.
If a reporting entity for an asset that is a declared system of national significance ceases to be such a reporting entity, or becomes aware of another reporting entity for the asset, the entity must notify the Secretary.
Note: It is an offence to disclose that an asset has been declared a system of national significance (see section 45).
Division 2 — Declaration of systems of national significance by the Minister
52B Declaration of systems of national significance by the Minister
(1) The Minister may, in writing, declare a particular asset to be a system of national significance if:
(a) the asset is a critical infrastructure asset; and
(b) the Minister is satisfied that the asset is of national significance.
(2) In determining whether an asset is of national significance for the purposes of subsection (1), the Minister must have regard to:
(a) the consequences that would arise for:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
if a hazard were to occur that had a significant relevant impact on the asset; and
(b) if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets—the nature and extent of those interdependencies; and
(c) such other matters (if any) as the Minister considers relevant.
(3) The Minister must notify the following of the declaration, in writing, within 30 days after making the declaration in relation to an asset:
(a) each reporting entity for the asset;
(b) if the asset is a tangible asset located (wholly or partly) in a State, the Australian Capital Territory or the Northern Territory—the First Minister of the State, the Australian Capital Territory or the Northern Territory, as the case requires.
(4) A declaration under subsection (1) is not a legislative instrument.
(5) To avoid doubt, an asset may be the subject of a declaration under subsection (1) even if the asset is not a system.
(1) Before making a declaration under section 52B in relation to an asset, the Minister must give the responsible entity for the asset a notice:
(a) setting out the proposed declaration; and
(b) inviting the entity to make submissions to the Minister about the proposed declaration within:
(i) 28 days after the notice is given; or
(ii) if a shorter period is specified in the notice—that shorter period.
(2) The Minister must consider any submissions received within:
(a) the 28-day period mentioned in subparagraph (1)(b)(i); or
(b) if a shorter period is specified in the notice—that shorter period.
(3) The Minister must not specify a shorter period in the notice unless the Minister is satisfied that the shorter period is necessary due to urgent circumstances.
(4) The notice must set out the reasons for making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security.
52D Notification of change to reporting entities for asset
Scope
(1) This section applies if a reporting entity (the first entity ) for an asset declared under subsection 52B(1) to be a system of national significance:
(a) ceases to be a reporting entity for the asset; or
(b) becomes aware of another reporting entity for the asset (whether or not as a result of the first entity ceasing to be a reporting entity).
Notification
(2) The first entity must, within 30 days, notify the Secretary of the following:
(a) the fact in paragraph (1)(a) or (b) (as the case requires);
(b) if another entity is a reporting entity for the asset—the name of each other entity and the address of each other entity’s head office or principal place of business (to the extent known by the first entity).
Civil penalty: 150 penalty units.
(3) The first entity must use the entity’s best endeavours to determine the name and relevant address of any other entity for the purposes of paragraph (2)(b).
(4) If the Secretary is notified of another entity under paragraph (2)(b), the Secretary must notify the other entity of the declaration under subsection 52B(1), in writing, within 30 days after being notified under that paragraph.
Scope
(1) This section applies if an asset is declared under subsection 52B(1) to be a system of national significance.
Request
(2) The responsible entity for the asset may, by written notice given to the Secretary, request the Secretary to review whether the asset is of national significance.
Requirement
(3) The Secretary must, within 60 days after the request is given:
(a) review whether the asset is of national significance; and
(b) give the Minister:
(i) a report of the review; and
(ii) a statement setting out the Secretary’s findings.
(4) The review must be undertaken in consultation with the responsible entity for the asset.
(5) In reviewing whether the asset is of national significance, the Secretary must have regard to:
(a) the consequences that would arise for:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
if a hazard were to occur that had a significant relevant impact on the asset; and
(b) if the Secretary is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets—the nature and extent of those interdependencies; and
(c) such other matters (if any) as the Secretary considers relevant.
Limit
(6) The responsible entity for the asset must not make more than one request under subsection (2) in relation to the asset during a 12-month period.
52F Revocation of determination
Scope
(1) This section applies if:
(a) a declaration under subsection 52B(1) is in force in relation to an asset; and
(b) the Minister is no longer satisfied that the asset is of national significance.
Duty to revoke declaration
(2) The Minister must, in writing, revoke the declaration.
Revocation is not a legislative instrument
(3) A revocation of the declaration is not a legislative instrument.
Application of Acts Interpretation Act 1901
(4) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act.
72 After paragraph 60(2)(e)
Insert:
(f) the number of annual reports given under section 30AG during the financial year; and
(g) the number of annual reports given under section 30AG during the financial year that included a statement to the effect that a critical infrastructure risk management program was up to date at the end of the financial year; and
(ga) the number of annual reports given under section 30AQ during the financial year; and
73 After paragraph 60(2)(i)
Insert:
(j) the number of notices given to entities under section 30CB during the financial year; and
(k) the number of notices given to entities under section 30CM during the financial year; and
(l) the number of notices given to entities under section 30CU during the financial year; and
(m) the number of notices given to entities under Division 5 of Part 2C during the financial year; and
74 At the end of subsection 60(2)
Add:
; and (r) the number of declarations of assets as systems of national significance that were made under section 52B during the financial year