In brief

  • The Department of Finance recently released draft cyber security clauses to include in contracts with its technology service providers.
  • Once implemented, technology vendors seeking to provide services to Federal government bodies will be contractually obliged to comply with the security requirements contained in these ‘model clauses’.

Renewed focus on cyber security on government data

Since 2010 Federal government agencies have been required to implement general security procedures imposed on them under the Protective Security Policy Framework1 (PSPF) and specific technical measures under the Information Security Manual2 (ISM) to protect sensitive government information from cyber-attack. In May 2013 the ABC’s Four Corners television program reported that classified blueprints of the Australian Security Intelligence Organisation (ASIO) headquarters in Canberra had been stolen in an offshore cyber-attack on Australian government data.3 These allegations have not been officially confirmed or denied by the Federal government. Whether or not the reported attack did occur, the Federal government certainly appears to have increased its focus on cyber security in recent times.

Last year the Commonwealth enacted the Public Governance, Performance and Accountability Act 2013 (Cth) which expressly requires Commonwealth entities to establish and maintain systems of risk oversight and management relating in respect of their networks, systems and information.4 The Department of Finance has expanded on this requirement and set out a number of model contractual clauses relating to cyber security for Federal government agencies to include in its technology supply contracts.

The model cyber security clauses

Under the PSPF, every government agency is required to implement control measures based on business owner requirements for controlling access to information and communications technology (ICT) systems and related networks and infrastructure.5 The Department of Finance in consultation with the Attorney General’s Department and the Department of Defence set out in greater detail what methods of cyber risk management will be required under Australian government service contracts, including technology related contracts where the services involve access, transmission or storage of Australian government information in circumstances where there may be cyber-security risks involved. If approved, these clauses are likely to be included in the Source IT Model Contracts and the Commonwealth Contracting Suite for procurements under $200,000 which includes a suite of precedent contracts for use in low risk scenarios.

While the clauses are not compulsory and amendments may be negotiated on a case by case basis, it is clear that the Australian government is serious about taking measures to ensure that its contractors employ necessary steps to employ cyber security protections in line with accepted industry standards.

The model clauses include the following obligations:

  1. Overarching obligation to protect ‘Customer Data’ from unauthorised access - Clause X.2(a) of the model clauses sets out a broad obligation on contractors to do “all things that a reasonable and prudent entity would do to ensure that all Customer (i.e. government agency) Data is protected at all times from unauthorised access or use by a third party or misuse, damage or destruction by any person”.
  2. Commonwealth Data Protection Plan (CDPP) - Clause X.2(d) requires contractors to develop and propose a detailed CDPP for acceptance by the Customer unless the service provider is specifically exempted. 
  3. Notification requirements for “cyber incidents” - Clause X.3 requires that a contractor on becoming aware of an actual or suspected “Cyber Incident” must notify the government agency in writing within 12 hours of becoming aware of that incident. A Cyber Incident is defined as “any actual or suspected action taken through the use of computer networks that result in an actual or potentially adverse effect on the contractor’s information system and/or Customer Data residing on that system.” The contractor must comply with any directions issued relating to the Cyber Incident including obtaining evidence about how, when and by whom the information system and/or Customer Data has been compromised.

The Australian Information Industry Association (AIIA) in its response to the proposed clauses has expressed concern with the broad definition of cyber incident. The AIIA notes that large ICT providers learn of, track and address hundreds of security incidents in any given week and that may simply be impractical to report, in writing, every actual or suspected Cyber Incident within the 12 hour time frame.

  1. Insurance requirement - Model clause X.4 states that if specified in the contract, a contractor must take out and maintain insurance to protect against the risks of a Cyber Incident, and in respect of that insurance, comply with the general insurance clause of the contract.

What does this mean for contractors?

Under the PSPF, all procurement business cases for ICT enabled proposals to the Australian government must already identify how cyber security risks will be managed and how the proposal will comply with the relevant government cyber security policies. The Department of Finance’s model cyber security contract clauses detail what is required from contracting service providers including a general obligation to do “all things that a reasonable and prudent entity would do to ensure that all Customer Data is protected at all times.” Moving forward, contracting services providers should understand that the Federal government is under an increasing obligation to contractually secure its data in the online environment. Contracting service providers will need to develop appropriate compliance processes to ensure that are able to meet such obligations in order to commence or continue providing technology services to Federal government bodies.

Georgina Hoy