Australia's Enhanced CIRMP Rules: what critical infrastructure operators need to know
To further strengthen the security and resilience of critical infrastructure, the Australian Government introduced the Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 (the Enhanced CIRMP Rules). The rules were registered on 9 June 2026 by the Minister for Home Affairs and Minister for Cyber Security, Tony Burke, under section 61 of the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act).
For responsible entities of critical infrastructure assets falling within the nine affected asset classes, the Enhanced CIRMP Rules represent a material step-change in risk management planning requirements.
While CIRMPs have, to date, operated as principles-based risk management programs, the amended Rules introduce more prescriptive expectations around how key categories of risk must be identified, assessed and managed.
This article highlights the key features of the Enhanced CIRMP Rules, the regulatory context, what comes next, and the practical implications for affected entities.
Why now: an evolving threat environment generates regulatory reform
The existing rules establish a set of baseline considerations that responsible entities must address in their critical infrastructure risk management program (CIRMP), spanning four specific hazard categories – cyber and information security, personnel, supply chain and physical security. The framework is principles-based: plans are required to identify and reflect processes or systems for mitigating "material risks" across those categories, which in practice requires proactive risk management, robust recovery procedures and effective governance.
The Enhanced CIRMP Rules expand the categories of risks that must be considered beyond the existing baseline, and require additional risk factors to be considered at a holistic level. This reflects the Government’s assessment that responsible entities for Australia's most critical asset classes need to do more to address the interconnected risks of cyber intrusion, insider threats, supply chain vulnerability, foreign influence, and physical and natural hazards. This is consistent with findings emerging from Dr Jill Slay's independent review of the SOCI Act published earlier this year, which noted that "the threat environment continues to evolve, as infrastructure systems become more interconnected and complex, and as new sectors and technologies emerge as nationally significant, the framework will require continuous refinement".
The cyber security elements of the Enhanced CIRMP Rules also align with the objectives of the Commonwealth's 2023–2030 Australian Cyber Security Strategy Horizon 2 Action Plan, including by strengthening logging and monitoring standards and preparing critical infrastructure to manage emerging technology risks such as artificial intelligence and quantum computing.
The Enhanced CIRMP Rules - who is affected
The Enhanced CIRMP Rules introduce an additional tier of requirements that must be met in developing a CIRMP for the following types of critical infrastructure assets:
critical broadcasting assets;
critical domain name systems;
critical electricity assets;
critical energy market operator assets;
critical freight infrastructure assets;
critical freight services assets;
critical gas assets;
critical liquid fuel assets; and
critical water assets.
The additional risks and categories of hazards that CIRMPs for these assets must address are set out below.
Additional material risks
At an overarching level, responsible entities for affected critical infrastructure assets will need to ensure their CIRMP contains processes or systems to guard against the following additional risks:
the impairment of the asset's functions that could prejudice Australia's national security, or social or economic stability;
compromise arising from foreign ownership, control or influence (FOCI); and
offshore or remote access to critical components (essentially, components which if absent, damaged or compromised would prevent proper functioning of the asset or cause it significant damage) or business critical data (essentially, large databases of personal information or information related to R&D or business continuity for the asset or needed to operate it or systems on which it depends).
These reflect growing concerns regarding the risk posed by the current global geopolitical environment and Australia's exposure to global supply chain risk.
Additional cyber and information security considerations
The Enhanced CIRMP Rules introduce new categories of cyber and information security hazards which CIRMPs for affected assets must address. CIRMPs for affected assets will now need to:
address specifically the risks arising from unpatched systems, legacy technology, and the deployment or hostile use of advanced, novel or emerging technology (including AI) (core cyber risks);
require the responsible entity's processes and systems to align with more stringent information security requirements (e.g. higher maturity levels under existing prescribed frameworks, or compliance with the latest ISO 27001 standard);
implement phishing-resistant multi-factor authentication with central logging and monitoring to address the risk of credential compromise; and
implement network segregation of critical systems to address the lateral movement hazards (i.e. risks posed by the use of computers across multiple critical systems or critical infrastructure assets), including a requirement that critical systems remain operational for at least three months while other systems are restored.
In particular, the three-month operational resilience threshold represents a significant new requirement, mandating that entities design their network architecture so that critical systems can continue to function independently during incident response and recovery operations.
Additional personnel security considerations
The Enhanced CIRMP Rules significantly strengthen the personnel security requirements that need to be taken into account. In addition to baseline requirements, the CIRMP for affected assets will also need to address risks associated with:
unauthorised or unsupervised access to critical components;
compromise or misuse of credentials and privileged access used by individuals;
access to the CI asset by persons other than critical workers; and
incoming and outgoing critical workers,
(collectively, access management risks).
In particular, the Enhanced CIRMP Rules require critical workers to undergo an AusCheck background check or hold a Negative Vetting 1 (or higher) security clearance to be deemed suitable for access to critical components of an asset, and require proactive monitoring of any changes that may affect the ongoing suitability of the person to have that access. AusCheck background checks (and a reassessment of suitability) are required at least every five years for individuals with continued access to critical components.
Additional supply chain considerations
Responsible entities for affected assets must map their supply chain for major suppliers and critical components, identify associated risks to critical components and business-critical data, determine acceptable outage thresholds, and implement measures to minimise risks or mitigate outages. Mitigation may include supplier diversification, redundancy planning, and recovery processes.
In addition, vendor assessments must be undertaken for each major supplier, covering FOCI risks, legal requirements, sanctions, and the supplier's access to or influence over the CI asset. Responsible entities must evaluate the potential material risks or outages arising from each supplier and implement measures to minimise or mitigate their impact.
Physical & natural security
The Enhanced CIRMP Rules require a more holistic approach to physical security. This includes central management of physical security and natural hazards, consideration of the physical security consequences arising from all hazard types (including cyber and supply chain hazards), site documentation, and physical access controls with continuous monitoring.
In particular, physical access controls for workers, visitors and the public must be considered, including the maintenance of security and alarm systems and continuous monitoring.
Transitional Grace Periods
The Enhanced CIRMP Rules provide transitional grace periods for compliance with the enhanced requirements, mapped to the new risks and hazard categories as follows:
Additional material risks (FOCI, offshore access): 12 months
Cyber and information security hazards: core cyber risks 12 months; other cyber and information security hazards 24 months
Personnel security hazards: access management risks 12 months; background/suitability checks and ongoing assessment 24 months
Supply chain hazards: 24 months
Physical security and natural hazards: 24 months
What happens next
The Department of Home Affairs will host a virtual town hall on 25 June 2026 to provide an overview of the Enhanced CIRMP Rules and answer stakeholder questions.
Concurrently with the Enhanced CIRMP Rules, the Department also consulted on proposed amendments to Ministerial Directions Powers in Part 3 of the SOCI Act: a package of five targeted measures to enhance the Minister's ability to manage serious national security risks to critical infrastructure with greater flexibility and precision, while maintaining safeguards and accountability. That consultation received 50 submissions and the Department has published a Consultation and Feedback Summary. These Directions Powers reforms, if legislated, would complement the Enhanced CIRMP Rules by providing the Government with more agile intervention tools where critical infrastructure faces acute national security threats.
Practical implications
The Enhanced CIRMP Rules have direct implications for compliance planning and operational readiness for critical infrastructure operators:
Gap analysis and CIRMP updates. Responsible entities will need to review and substantially update their CIRMPs within the applicable grace periods. This will require identifying where existing programmes fall short, particularly in phishing-resistant MFA, network segregation, AusCheck-based personnel vetting, and structured supply chain mapping.
Cyber security investment. The uplift from maturity level one to maturity level two across multiple frameworks, together with new MFA and network segregation requirements (including a three-month operational resilience threshold), will require significant investment in cyber security capabilities. Information security teams will need to review their security settings carefully to ensure alignment with the enhanced requirements.
Physical security assessment. Assessments should be made of the adequacy of existing physical security mechanisms and, importantly, the monitoring of physical access to affected assets. This may involve a combination of uplifts in access control and monitoring systems as well as workforce augmentation.
Personnel vetting. The mandatory requirement for AusCheck background checks or NV1-level security clearances for all critical workers has workforce planning implications, including the operational impact of mandatory five-yearly re-checks and management of clearance expiry. HR managers will need to ensure hiring practices and employment terms facilitate these requirements, in particular the requirement for critical workers to submit to periodic suitability assessments.
Supply chain due diligence. The new vendor assessment obligations, particularly the requirement to assess FOCI risks, jurisdictional impediments, and supplier access and control, will require entities to develop or significantly enhance their third-party risk management frameworks and critically assess dependencies on offshore suppliers.
FOCI exposure. The new requirements to consider FOCI and offshore access to critical components and data will be of particular relevance to entities with foreign ownership structures, offshore operations, or internationally distributed supply chains.
Contractual and procurement arrangements. The supply chain requirements may necessitate amendments to existing supplier contracts and procurement processes to ensure entities can meet their new mapping, risk assessment, and FOCI due diligence obligations. The extent to which these requirements may need to be flowed through to suppliers of components or services supporting critical infrastructure should be considered.
Conclusion
The Enhanced CIRMP Rules represent the most significant uplift to Australia’s critical infrastructure risk management framework since the introduction of the baseline CIRMP obligation in 2023. They create a two-tier compliance framework that imposes materially higher standards across cyber security, personnel vetting, supply chain management and physical security for the nine specified asset classes.
Responsible entities should begin compliance planning immediately. The 12-month grace period for certain obligations will expire in mid-2027, and the regulatory expectation is clear: entities operating Australia’s most critical infrastructure must adopt a proactive, holistic and rigorous approach to managing the interconnected risks they face in an increasingly complex threat environment.
Responsible entities for affected assets are encouraged to attend the Department of Home Affairs virtual town hall on 25 June 2026 and to engage with the CISC for guidance on meeting their enhanced obligations.