Government technology is a high-value target. Most agencies are still not meeting the baseline.

Governing body

Australian Signals Directorate (ASD) — cyber.gov.au

What it requires

The ISM sets technical controls across 17 domains covering system hardening, access management, event logging, incident response, cryptography and secure configuration. Commonwealth entities must apply ISM controls in conjunction with the Essential Eight under PSPF Policy 11. Controls are classified by maturity and risk profile; agencies must assess which ISM controls apply to their systems and document their implementation or risk acceptance.

Applies to

All non-corporate Commonwealth entities as a mandatory baseline under the PSPF. Corporate Commonwealth entities and state/territory agencies are strongly encouraged to align; several jurisdictions embed ISM as a de facto requirement for state agency systems.

Consequence of non-compliance

Adverse findings in ANAO audits and PSPF Assessment Reports tabled in Parliament; increased exposure in the event of a breach; reputational and accountability consequences for agency leadership.

Governing body

Department of Home Affairs — homeaffairs.gov.au

What it requires

The PSPF sets the overarching security obligations for Australian Government entities across governance, personnel, physical and information security. Policy 10 mandates implementation of the Essential Eight to Maturity Level 2 for all non-corporate Commonwealth entities (mandatory since 1 July 2022), with an obligation to consider whether Maturity Level 3 is warranted given the entity’s threat environment. Policy 11 requires ICT systems to be protected in accordance with ISM principles. Entities must self-report annually against all PSPF policies; the PSPF Assessment Report is tabled in Parliament each year. The 2025 PSPF release introduced updated policy requirements that agencies must review and action.

Applies to

All non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability (PGPA) Act. Corporate Commonwealth entities and companies are encouraged to comply.

Consequence of non-compliance

Adverse findings in the annual PSPF Assessment Report and ANAO audits; parliamentary scrutiny; potential direction from the Secretary of Home Affairs; reputational and governance consequences for senior agency leadership.

Governing body

Australian Signals Directorate (ASD) — cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight

What it requires

Eight prioritised mitigation strategies — application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication and regular backups. Non-corporate Commonwealth entities must achieve Maturity Level 2 across all eight strategies under PSPF Policy 10. Entities must assess whether their threat environment warrants Maturity Level 3. ASD conducts an annual survey of Commonwealth entities to assess self-reported maturity, and ANAO periodically audits a subset to validate those assessments.

Applies to

Mandatory for all non-corporate Commonwealth entities subject to the PGPA Act. Strongly recommended for all other organisations; increasingly required by cyber insurers and government procurement frameworks across the private sector.

Consequence of non-compliance

Consequence of non-compliance: Adverse PSPF and ANAO audit findings; parliamentary scrutiny; increased regulatory and insurance exposure; material risk that unmitigated vulnerabilities are exploited by the threat actors actively targeting government networks.

Governing body

Department of Home Affairs / Australian Signals Directorate — homeaffairs.gov.au

What it requires

Mandatory ransomware payment reporting for all entities with annual turnover exceeding $3 million and for critical infrastructure operators. Reports must be made to ASD within 72 hours of a ransom payment being made or becoming known. Reports must include details of the incident, the payment, communications with the extorting party, and any known vulnerabilities exploited. The Act also establishes the National Cyber Security Coordinator’s powers and the Cyber Incident Review Board (CIRB) framework for post-incident review of nationally significant events.

Who it applies to

All Australian organisations with annual turnover exceeding $3 million, and all entities responsible for critical infrastructure assets. Commonwealth and state government entities are covered; obligations sit alongside existing PSPF and SOCI incident reporting requirements.

Consequence of non-compliance

Civil penalties for failure to report; regulatory enforcement by the Department of Home Affairs; potential adverse findings in post-incident CIRB reviews; reputational consequences in the event of a publicly disclosed breach.

Governing body

Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

What it requires

Entities covered by the Privacy Act must notify the OAIC and affected individuals of eligible data breaches — those that are likely to result in serious harm to any individual whose information is involved. Notification must be made as soon as practicable after the entity becomes aware of an eligible breach. The 2024 Privacy Act amendments introduced a statutory tort for serious invasions of privacy, creating individual rights of action in addition to OAIC enforcement. Government agencies accounted for 17% of all notifiable data breaches reported in 2024.

Who it applies to

All Commonwealth government agencies (mandatory); state and territory government agencies subject to mirror Privacy Act legislation; private sector entities with annual turnover exceeding $3 million.

Consequence of non-compliance

Civil penalties up to $50 million AUD for serious or repeated breaches (post-2023 amendments); OAIC investigation and enforcement action; individual rights of action under the new statutory tort; significant reputational damage and public accountability consequences for government agencies.

Governing body

Cyber and Infrastructure Security Centre (CISC), Department of Home Affairs — cisc.gov.au

What it requires

Responsible entities for critical infrastructure assets must register those assets with the CISC, maintain a Critical Infrastructure Risk Management Program (CIRMP) addressing cybersecurity, physical security, personnel security and supply chain hazards, and report significant cyber incidents to the ACSC within 12 hours of awareness. Board-approved annual CIRMP reports must be submitted to the Department of Home Affairs within 90 days of the financial year end. Assets designated as Systems of National Significance face enhanced obligations including mandatory cyber exercises and the potential requirement to provide network telemetry to ASD.

Who it applies to

Owners and operators of critical infrastructure assets across 11 regulated sectors — including data storage and processing, communications, transport, energy and water. Commonwealth and state government agencies that own or operate critical infrastructure assets in these sectors are subject to SOCI obligations as responsible entities.

Consequence of non-compliance

Civil penalties up to $660,000 AUD per day for failure to comply with CIRMP obligations; government direction and intervention powers in the event of a national security threat; reputational and procurement consequences.

Governing body

Department of Finance — finance.gov.au

What it requires

Commonwealth entities must assess cloud services against a risk framework before adoption, including classification of data to be stored or processed, IRAP assessment requirements for providers handling PROTECTED or higher-classified data, and restrictions on offshore processing of sensitive data. Agencies handling data classified at PROTECTED level must use IRAP-assessed cloud platforms. The policy intersects with ISM and PSPF in setting the architecture and assurance requirements for government cloud deployments.

Who it applies to

All Commonwealth entities procuring or using cloud services. IRAP assessment requirements apply most strictly to agencies handling PROTECTED-level data; all agencies are required to conduct risk-based assessments before adopting cloud services regardless of data classification.

Consequence of non-compliance

Regulatory findings in ANAO and PSPF audits; data sovereignty breaches with national security implications; potential for personal liability for accountable authorities where cloud adoption has not been appropriately risk-assessed and authorised.

Government networks have a structural complexity problem that most enterprise connectivity conversations do not fully account for. A Commonwealth department may operate a main campus, multiple ministerial offices, regional service delivery points, and data centre interconnects — all requiring consistent performance, strict access segmentation and resilience against both technical failure and physical events. At the state level, large agencies managing transport infrastructure, land titles, health services or public safety functions require networks that are simultaneously available, auditable and resistant to lateral movement.

Orro designs and manages SD-WAN and SASE architectures specifically suited to the distributed footprint and security requirements of government. SD-WAN enables centralised policy management across geographically dispersed sites while supporting traffic prioritisation for mission-critical applications — important in environments where citizen-facing services and back-end administrative systems share the same network infrastructure. SASE extends security controls to the network edge, enforcing identity-verified access and zero-trust policies for remote workers and regional offices without requiring traffic hairpinning through centralised data centres.

For agencies operating remote or regional sites — particularly in utilities, parks management, emergency services and regional service delivery — Orro’s private LTE capability provides an alternative to public carrier dependency. Orro holds private spectrum, one of only a small number of organisations in Australia to do so, enabling dedicated wireless connectivity for environments where carrier coverage is unreliable or insufficient for government-grade availability requirements.

Outcome: Sovereign-aligned, resilient government network infrastructure that supports the delivery of public services across metropolitan, regional and remote locations — with unified visibility through Orro’s One Touch Control platform.

Government agencies face an obligation to demonstrate Essential Eight compliance — but compliance is not the same as security. ASD’s own reporting notes that many entities self-assessing at Maturity Level 2 may have material gaps in practice, particularly around edge device patching, application hardening and event logging. The challenge is not a lack of frameworks; it is the difficulty of maintaining continuous visibility across a large, heterogeneous, partly-legacy estate, with a threat actor community that includes both well-resourced state-sponsored groups and opportunistic cybercriminals.

Orro’s National Cyber Defence Centre provides 24/7 threat monitoring and response for government environments, with Australian-operated and Australian-owned oversight. For government clients handling PROTECTED or sensitive data, the domestic operational basis of Orro’s SOC capability is relevant to both PSPF requirements and data sovereignty obligations. The National Cyber Defence Centre integrates threat intelligence from government and commercial sources, enabling correlation of indicators of compromise relevant to the specific threat actors known to target Australian government networks.

Orro’s CTEM (Continuous Threat Exposure Management) service addresses the structural gap between point-in-time compliance assessments and the continuous exposure visibility government environments require. Rather than periodic vulnerability scans, CTEM provides an ongoing programme of exposure identification, prioritised remediation, and validated risk reduction — mapped against the actual threat profile facing government networks. This includes external attack surface management, asset discovery across distributed environments, and risk-prioritised remediation guidance that enables constrained internal teams to focus effort where exposure is greatest. For government clients working to close the gap between reported Essential Eight maturity and actual security posture, CTEM provides the operational foundation.

Orro’s capability extends to compliance assurance for ISM, Essential Eight and PSPF requirements — supporting agencies in both the technical implementation of controls and the evidence collection needed for internal audit and ASD reporting obligations.

Outcome: Continuous exposure visibility and 24/7 threat detection for government environments, aligned to ISM, Essential Eight and PSPF obligations — with the operational rigour to close the gap between compliance reporting and real-world security posture.

Cloud migration in government is not a straightforward lift-and-shift exercise. The Australian Government Cloud Policy, combined with PSPF and ISM requirements, sets specific obligations around data classification, offshore processing restrictions and IRAP assessment of cloud providers. For agencies handling PROTECTED-level data, the choice of cloud platform, the architecture of the tenancy, and the security controls applied to data in transit and at rest are all governed by these frameworks — and the consequences of misconfiguration extend beyond service disruption to regulatory sanction and public accountability.

Orro designs and manages cloud environments for government clients with sovereignty and security built in from the architecture layer. This includes sovereign cloud design using IRAP-assessed platforms, hybrid cloud architectures that allow sensitive workloads to remain on-premises while enabling cloud-native delivery for appropriate applications, and multi-cloud management for agencies operating across multiple platforms. Orro’s managed cloud capability includes application performance management, ensuring that the digital government services citizens depend on — online forms, payment portals, licensing systems, service enquiry platforms — perform consistently under variable load conditions.

Business continuity and disaster recovery planning for government requires a different risk calculus than the private sector. When a government payment system is unavailable, constituents do not simply go to a competitor — they are unable to access services they have a right to. Orro’s government-focused business continuity design accounts for the specific availability requirements, recovery time objectives and data classification constraints that apply to critical government workloads.

Outcome: Compliant, performant cloud environments for government workloads — built to IRAP-aligned architecture, with managed continuity and application performance ensuring consistent delivery of citizen-facing services.

Modern government operations extend well beyond conventional IT environments. Facilities management systems, building automation, physical access control, public safety communications, CCTV infrastructure, traffic management systems and environmental monitoring platforms are all increasingly networked — and increasingly exposed to the same threat actors targeting traditional government IT. The convergence of IT and operational technology in government is not a future consideration; it is already the infrastructure reality in most large Commonwealth agencies, state government campuses, and major public facilities.

Orro provides the network and security foundations that enable government’s connected operational infrastructure to function securely. This includes network segmentation that isolates operational technology systems from administrative IT environments while maintaining the monitoring visibility needed for security operations; zero-trust network access frameworks that enforce identity verification for personnel and systems accessing OT environments; and integration of OT monitoring into Orro’s National Cyber Defence Centre for unified threat detection across the full government technology estate.

For government agencies subject to SOCI Act obligations — particularly those operating or overseeing infrastructure in transport, utilities, communications or data storage sectors — Orro’s OT security capability supports both the technical controls and the risk management programme obligations the Act requires. SOCI’s enhanced obligation categories for systems of national significance place specific demands on incident detection, reporting and response capability that must be demonstrably met, not simply attested.

Outcome: Secure, unified network and security foundations across government IT and OT environments — with 24/7 monitoring through the National Cyber Defence Centre and architecture aligned to SOCI obligations for critical infrastructure operators.

Government technology teams are consistently stretched between the demands of digital transformation programmes, compliance obligations, incident response and day-to-day operational support — typically with headcount that does not scale commensurately with the complexity of the environment. Managed services for government must therefore do more than provide monitoring: they must give internal teams the operational confidence that their environment is continuously managed, that emerging issues are identified and escalated before they become incidents, and that the evidence trail for audit and compliance purposes is maintained automatically.

Orro’s managed services model for government is built around One Touch Control, Orro’s proprietary network management platform. One Touch Control provides unified multi-vendor, multi-carrier visibility across the full network estate — including hybrid environments that combine legacy systems, cloud-connected infrastructure and modern SD-WAN deployments. For government network managers responsible for dozens or hundreds of sites, One Touch Control replaces the fragmented visibility typical of legacy multi-vendor environments with a single operational view, enabling faster root cause identification, proactive fault resolution and consistent reporting for agency governance purposes.

The Australia Post case study is instructive for government network operators: managing 4,000+ sites nationally, Orro’s managed network services delivered a 70% reduction in outages, 4x faster connections and proactive management of 80% of tickets — avoiding 44,000 business impact hours. The operational scale and distributed complexity of that environment is directly analogous to large government agencies with national footprints. Orro’s model is built for complexity at scale — not for simple single-site environments.

Orro is an Australian-owned partner with Australian-based account management and support escalation, and 24/7 global operations capability. For government clients with data sovereignty and supply chain security requirements, the ownership structure and operational governance of a managed services provider is a procurement consideration, not a formality.

Outcome: Continuous operational visibility, proactive managed services and verified uptime across government network and security environments — with the governance transparency, audit trail and Australian-based accountability that government clients require.

For non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability (PGPA) Act, the Essential Eight at Maturity Level 2 is mandatory under PSPF Policy 10, which has been in effect since 1 July 2022. Corporate Commonwealth entities and companies are not directly subject to PSPF but are strongly encouraged to align to Essential Eight. State and territory requirements vary: NSW mandates Essential Eight at Maturity Level 1 under its Cyber Security Policy; Victoria, Queensland and Western Australia have their own frameworks that reference or incorporate Essential Eight. Local government is generally not subject to the Commonwealth mandate but may be required to align by state policy or contract.

Not necessarily. ASD’s own Commonwealth Cyber Security Posture reports have flagged that self-assessed maturity levels do not always reflect operational reality — and that the proportion of entities achieving Maturity Level 2 has declined despite mandatory requirements. Self-assessment gaps are most commonly found in multi-factor authentication coverage, application control completeness, patch currency across legacy applications, and event logging depth. Essential Eight compliance provides a meaningful baseline; it does not substitute for continuous exposure monitoring. CTEM (Continuous Threat Exposure Management) is designed to bridge the gap between point-in-time compliance assessment and genuine ongoing security visibility.

PSPF Policy 10 requires all non-corporate Commonwealth entities to implement all eight strategies of the ASD Essential Eight to Maturity Level 2, and to consider whether their threat environment warrants Maturity Level 3. Assessment is conducted through ASD’s annual survey process, with entities self-reporting their maturity against each of the eight strategies. ANAO periodically audits a subset of entities to validate self-assessments. Non-compliance generates findings in PSPF Assessment Reports presented to Parliament. Beyond the annual survey, entities are encouraged to conduct more frequent internal assessments — and to integrate continuous monitoring tooling that provides ongoing evidence of control effectiveness rather than point-in-time attestation.

SOCI applies to owners and operators of critical infrastructure assets across 11 sectors — not exclusively to private operators. Commonwealth and state agencies that own or operate critical infrastructure assets (including certain data storage or processing facilities, communications infrastructure, water systems, energy networks and transport infrastructure) are subject to SOCI obligations. These include mandatory reporting of critical cyber security incidents to ASD within 12 hours, and to Home Affairs within 72 hours; a risk management programme obligation (RMAP) requiring documented management of risks to asset availability, integrity and confidentiality; and potential government direction powers in response to serious national security threats. Assets designated as systems of national significance (SONS) carry enhanced obligations including incident response plan requirements and mandated exercises.

The Cyber Security Act 2024, which came into effect progressively through 2024–25, introduces mandatory ransomware payment reporting for entities with annual turnover exceeding $3 million and critical infrastructure operators. Reports must be made to ASD within 72 hours of a payment being made. For government agencies, this obligation sits alongside existing PSPF incident reporting requirements. The Act also provides the legislative basis for the National Cyber Security Coordinator’s powers and the CIRB (Cyber Incident Review Board) framework. Agencies should ensure incident response plans specifically address the ransomware reporting timeline alongside existing mandatory notification obligations under PSPF and the Privacy Act.

Legacy IT is one of the most commonly cited barriers to Essential Eight compliance and security uplift across government. The practical approach is not wholesale replacement — budget and procurement timelines rarely support that — but structured risk management. ASD’s 2024 guidance on Managing the Risks of Legacy IT outlines compensating controls that can reduce exposure from unpatched or unsupportable systems. From a network architecture perspective, segmentation is the most effective near-term control: isolating legacy systems from internet-accessible infrastructure and limiting lateral movement paths significantly reduces the blast radius of a compromise. CTEM’s continuous attack surface monitoring helps identify which legacy systems are creating the most material exposure, allowing investment prioritisation based on actual risk rather than asset age alone.

Many government agencies operate IT/OT convergent environments without formally recognising them as such: building management systems, physical access control, environmental monitoring, CCTV, public safety communications and traffic management are all networked operational technology. The security implications are significant — OT systems often run outdated firmware and operating systems, rarely receive security patches, and were not designed for internet-connected environments. Where these systems are networked to administrative IT, they can provide lateral movement paths for attackers. For agencies operating critical infrastructure assets under SOCI, OT systems may fall within scope of RMAP and incident reporting obligations. Network segmentation, zero-trust access controls for OT environments and integration of OT monitoring into your security operations capability are the foundational controls.

The most useful framing for board or ministerial-level discussion is not a compliance status report — it is an exposure statement. What are the three to five highest-priority risks in the current environment, what is the consequence if those risks materialise, and what is the organisation doing to reduce them? ASD’s threat intelligence is unambiguous: government is consistently the most reported sector for cyber incidents, state-sponsored actors are targeting Australian government networks for strategic purposes, and the gap between compliance maturity and operational security posture is material across the sector. A board that understands this context can make informed risk decisions; a board presented only with Essential Eight maturity scores cannot. CTEM provides the continuous evidence base to underpin that executive-level conversation with operational data rather than periodic audit outcomes.

SD-WAN provides centralised network policy management, traffic prioritisation and segmentation for distributed government environments — enabling consistent security controls across metropolitan and regional sites without requiring hardware-heavy deployments at each location. SASE extends those controls to the network edge, applying zero-trust access principles to remote workers, contractors and regional offices regardless of physical location. For government agencies with significant hybrid working arrangements, distributed service delivery networks or complex third-party connectivity requirements, SASE provides a security architecture that aligns with both ISM access control requirements and the operational reality of how government networks are actually used. The combination of SD-WAN and SASE also improves network visibility — a key requirement for event logging compliance under the Essential Eight.

Yes. Cloud migration and Essential Eight compliance are interdependent for government — the security architecture of a cloud environment directly affects whether controls like application control, MFA coverage and event logging are achievable at the required maturity level. Orro’s approach to government cloud migration begins with the security architecture requirements set by the ISM, PSPF and Essential Eight, and designs the cloud environment to enable compliance rather than retrofit it. This includes IRAP-aligned platform selection for workloads requiring PROTECTED classification, hybrid architecture design for environments with mixed classification requirements, and configuration management that supports the evidence collection needs of Essential Eight assessment and ASD annual reporting.