Defence has established the Defence Security Principles Framework (DSPF) to support compliance with the requirements of the PSPF. DSPF Principle 23, which is supported by Control 23.1 ICT Certification and Accreditation, outlines Defence’s requirements for ICT assessment and authorisation including that:
- all Defence ICT systems must be authorised prior to processing, storing or communicating official information;
- the authorising officer is based on the level of assessed system risk; and
- ICT systems are to be re-authorised under various conditions including when: new or emerging threats are identified; a cyber security incident occurs; changes to the certified system architecture occur; or the system’s authorisation expires.
The DSPF is supported by directives and instructions issued by Defence’s Services and Groups
https://www.anao.gov.au/sites/default/files/2024-09/Auditor-General_Report_2024-25_2.pdf
- https://www.defence.gov.au/sites/default/files/2024-09/Defence-Security-Principles-Framework-Redacted-27SEPTEMBER2024.pdf
- https://www.defence.gov.au/business-industry/industry-governance/industry-regulators/defence-industry-security-program