New foreign interference and cyber risk requirements for buying and managing Commonwealth technology

Robert Dearn, Angie Freeman, Brenton Steenkamp, TJ Koekemoer, Alexandra Smith
10 Jul 2024
3 minutes

The Secretary of the Department of Home Affairs has introduced three mandatory Directions under the Protective Security Policy Framework (PSPF) to apply to all Commonwealth Government entities. The measures are designed to improve cyber security and tackle the growing threat of foreign interference.

The new Directions will impact the way that Commonwealth entities procure and manage technology assets and services.

This is only the second time the Commonwealth Government has issued this type of binding directive, the first being the ban on TikTok use on Commonwealth-issued devices.

The new Directions will require Government entities to:

  • identify and manage Foreign Ownership, Control or Influence (FOCI) risks in technology procurements
  • conduct a stocktake of all internet-facing technology assets
  • share cyber threat intelligence with the Australian Signals Directorate (ASD)

Direction 1 – Managing Foreign Ownership, Control or Influence Risks in Technology Assets

PSPF Direction 001-2024 requires Government entities to identify indicators of FOCI risk in the procurement and maintenance of technology assets, and to appropriately manage and report those risks.

Direction 1 explains foreign interference occurs when “activity carried out by, or on behalf of, a foreign power, is coercive, corrupting, deceptive or clandestine, and contrary to Australia’s sovereignty, values and national interests”.

The Direction is a response to growing concerns about foreign influence and vulnerabilities in government supply chains. It also follows an audit in 2023 which uncovered over 900 Chinese Government-linked surveillance devices installed on buildings occupied by almost every Australian Government department.

By June 2025, each Commonwealth agency must implement a process to identify and manage FOCI risk when procuring technology. This will require agencies to develop procurement processes that respond to FOCI and are tailored to the agency’s specific risk environment and profile.

The Direction does not provide guidance as to how FOCI risks should be specifically identified or assessed when carrying out procurement processes. However, it does reference the PSPF Policy 3: Security Planning and Risk Management, which contains guidance when identifying and assessing security risks more broadly.

In addition, the Department of Defence has developed guidelines and requires participants in the Defence Industry Security Program (DISP) to complete a FOCI assessment (where FOCI is defined as being “where a foreign interest has direct or indirect power, whether or not exercised, to direct or decide matters affecting the management or operations of the company”). Foreign interference risks are also a well-established consideration for Treasury’s Foreign Investment and Review Board.

Commonwealth agencies will need to update their procurement documentation to address and identify FOCI risks. This could include seeking and assessing information from tenderers about their non-Australian directors, foreign shareholders and foreign revenue and investments.

Direction 2 – Technology Asset Stocktake

PSPF Direction 002-2024 requires Australian Government entities to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities.

By June 2025, all Commonwealth Government entities must have conducted a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity. The stocktake must capture all manufacturers, suppliers and providers and any “outsourced manager”. This includes any hardware, software, information system, platform, mobile application or as-a-service offering, that stores, processes, transmits or transforms official or security classified information for the Australian Government.

This stocktake is only required for internet-facing systems and services, which can be directly accessed by untrusted or unknown entities over the internet. It will not apply to services or systems accessed solely through a Government agency’s internal network.

In addition, entities must develop a Technology Security Risk Management Plan for all internet-facing systems or services. This plan will form part of the entity’s overall Security Plan and should include technology lifecycle management practices, controls to mitigate cyber security vulnerabilities, FOCI risks in technology supply chains, and processes to maintain continuous visibility and monitoring of the entity’s resource and technology footprint.

Direction 3 – Supporting Visibility of the Cyber Threat

PSPF Direction 003-2024 requires Australian Government entities to participate in the Australian Signals Directorate’s Cyber Security Partnership Program and for those using threat intelligence sharing platforms, to share cyber threat information with the Australian Signals Directorate.

By July 2024, all agencies subject to the PSPF must advise the ASD of any "cyber threat hunting" capabilities held by the agency. Agencies will also be required to connect to the ASD’s Cyber Threat Intelligence Sharing platform (which enables government and industry partners to receive and share information about malicious cyber activity).

Implementing the Directions

These Directions will require each Government entity to take proactive measures to identify and mitigate risks around cyber threats and foreign interference, particularly in the context of technology procurements and technology supply chain management. The implementation of these Directions will likely differ across agencies, reflecting their unique risk profiles and technology supply chains.

To be successful, Government entities should assemble a multidisciplinary team with the required skills and experience to implement the various components of the Directions, many of which are interrelated. These skills include conducting a Technology Asset Stocktake and develop Technology Security Risk Management Plans.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.