Several key compliance dates are approaching for responsible entities of critical infrastructure assets under the Security of Critical Infrastructure Act 2018 (SOCI Act).
First, from 17 August 2024 responsible entities required to have in place a Critical Infrastructure Risk Management Program (CIRMP) must comply with one of the following cyber security frameworks:
- ISO 27001;
- Essential Eight maturity level one;
- NIST’s Framework for Improving Critical Infrastructure Cybersecurity;
- Maturity Indicator Level 1 of the US Department of Energy’s Cybersecurity Capability Maturity Model;
- Security Profile 1 of the 2020-21 AESCSF Framework Core; or
- an equivalent framework.
Second, by 28 September 2024 responsible entities must submit mandatory annual reports on CIRMPs that were in effect during the 2023/24 financial year. Previously, annual reports were not mandatory but could be submitted voluntarily; the Cyber and Infrastructure Security Centre (CISC) received 27 such reports last year.
Responsible entities are not required to submit their CIRMPs themselves. However, annual reports should include an overview of the CIRMP, and the Department of Home Affairs may request to see a responsible entity's CIRMP as part of its auditing efforts. Although the cyber security framework requirement did not have to be implemented during the 2023/24 financial year, the Department is asking responsible entities to state in this year's annual reports whether they have met it.
In the past, the Department has taken a “carrot” approach and encouraged buy-in to the Security of Critical Infrastructure regime. However, for this financial year, the Department has signalled it will take a “stick” approach and require compliance. Indeed, failure to submit an annual report may result in a fine of up to $234,750.
Responsible entities exempted from preparing a CIRMP by virtue of holding a certificate of hosting certification must nonetheless submit an annual report explaining their exemption status or else similarly risk a fine of up to $234,750.