³Ô¹ÏÍøÕ¾

Updates to Secure Internet Gateway

DTA

Joint statement between Digital Transformation Agency (DTA) and Australian Signals Directorate (ASD)

The Australian Government is further strengthening the ICT systems of Government entities by enhancing its (SIG) policy and through the . The Digital Transformation Agency (DTA) is working on these initiatives with the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC).

Secure Internet Gateways (SIGs) provide organisations with cyber security protection at the perimeter between their networks and the internet. SIGs play an important role in a layered cyber security defence, and can be shared between multiple organisations, providing the benefits of a common suite of cyber security defences.

Cyber Hubs

Under the Government’s strategy to strengthen the defences of government networks, Cyber Hubs will centralise the management and operations of Commonwealth entities for cyber monitoring, detection, and response capabilities.

It is envisioned that the future Cyber Hubs operating model – informed by a recently launched pilot – will see Cyber Hubs providing a range of cyber security services, including SIG services, to non-corporate Commonwealth entities. As such, consideration is being given to how SIG services should integrate with a future Cyber Hubs model.

DTA will provide timely advice to Commonwealth entities, Cyber Hub providers and industry during the Government’s development of Cyber Hubs subject to Government Approval.

SIG Policy Changes

SIG policy is being modernised so that it is consistent with and supports the implementation of Cyber Hubs, and so that Commonwealth entities, using existing SIGs, can readily adopt new technologies and capabilities.

SIG policy changes will also include ASD ceasing its certification authority role for commercial or government SIGs. This will better enable and encourage the adoption of emerging cyber security technologies and capabilities by entities. Commonwealth entities will be empowered to adopt a new risk-based authorisation model, consistent with the consideration of other cyber architecture such as the adoption of cloud environments.

Security guidance, co-designed by ACSC with government and industry from key stakeholder groups, will be developed through consultative forums to support the policy enhancements.

ASD’s Certification Authority role

ASD will no longer progress re‑certification activities for SIG. Existing ASD-Certified Gateways will remain certified until its Certification Authority role ceases on 1 July 2022.

This model aligns with core Information Security Manual (ISM) principles and is consistent with other risk-based models used currently by Commonwealth entities such as when considering cloud environments.

DTA will also work with the Attorney-General’s Department and the ACSC to ensure alignment of the updated SIG Policy and ISM with the Protective Security Policy Framework (PSPF).

In the interim, entities will continue to meet their SIG requirements in line with the PSPF obligations, and existing Industry partners will continue to provide services in line with current arrangements.

/Public Release. View in full .