Rules Mate

SOCI Critical Infrastructure Risk Management Program (CIRMP) requirements

Responsible entities for certain critical infrastructure assets must have a Critical Infrastructure Risk Management Program under the SOCI Act. Here are the four hazard domains and the annual attestation.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

What the CIRMP is

The Critical Infrastructure Risk Management Program (CIRMP) is a positive risk-management obligation imposed by Part 2A of the Security of Critical Infrastructure Act 2018 (the SOCI Act) on the responsible entity for each critical infrastructure asset that the CIRMP Rules bring into scope. Rather than reacting once something has gone wrong, the entity must actively identify hazards to the asset and address the material risks they pose.

Each responsible entity must adopt, maintain and comply with a written CIRMP that sets out how it manages risks to its critical infrastructure asset. Mandatory cyber incident reporting is a separate obligation under the Act and sits outside the CIRMP itself.

The CIRMP must identify each hazard where there is a material risk that its occurrence could have a relevant impact on the asset and, so far as is reasonably practicable, minimise or eliminate that risk and mitigate the impact if the hazard does occur. This is done on an all-hazards basis, recognising that risks to the asset can arise from many sources, not only cyber ones.

The four hazard domains

The SOCI Risk Management Program Rules require the CIRMP to address four hazard domains: cyber and information security hazards; personnel hazards; physical security and natural hazards; and supply chain hazards. Each domain brings distinct threats that the risk-management process must consider.

The Rules demand a consistent approach across the four domains. For each, the entity must identify hazards, assess which of them present a material risk to the asset, and apply risk-management actions proportionate to that risk, so that no domain is left out of the assessment.

Industry-specific guidance and standards determine what counts as 'reasonable' risk management within each domain. For cyber and information security hazards the Rules go further and name specific frameworks the entity's program must meet, such as Essential Eight Maturity Level One, ISO/IEC 27001, the NIST Cybersecurity Framework, the CIS Controls, the AESCSF for energy entities, or an equivalent framework; the other domains rely on analogous sector frameworks and the entity's own risk assessment.

Annual board attestation

The responsible entity for each critical infrastructure asset in scope must report annually to the Department of Home Affairs. Within 90 days after the end of each financial year it must give the Secretary an annual report approved by its board, council or other governing body. That approval is the attestation: it confirms that the CIRMP is up to date and that the entity has complied with it.

Alongside the attestation, the annual report must state whether the CIRMP was up to date at the end of the financial year, describe any variations made to it during the year, and identify any hazards that had a significant relevant impact on the asset during the year.

Providing an attestation that is incorrect or false may result in civil penalties for the responsible entity.

Penalties and uplift

Failure to have, maintain, or comply with a Critical Infrastructure Risk Management Program (CIRMP), as well as failing to provide the annual report or attestation, attracts civil penalties. The Department of Home Affairs, acting through the Cyber and Infrastructure Security Centre, has the authority to issue compliance notices and initiate civil penalty proceedings to address these breaches.

The consequences are not only financial. The government also holds 'last resort' government assistance powers under Part 3A of the Security of Critical Infrastructure Act, which allow direct intervention in the operation of a critical infrastructure asset. Those powers are triggered by serious cyber security incidents that threaten national security, not by CIRMP non-compliance as such, and they are reserved for the most serious situations; for ordinary non-compliance the enforcement path remains the compliance notice and civil penalty route described above.

Frequently asked

Which hazard domains must a CIRMP address?

Four domains under the SOCI Risk Management Program Rules: cyber and information security; personnel; physical security and natural hazards; and supply chain. Each must be addressed with hazard identification, material risk assessment, and risk-management actions.

Who signs the annual CIRMP attestation?

The board or governing body of the responsible entity signs the annual attestation confirming the CIRMP is up to date and that the entity has complied with it. False or incorrect attestations can attract civil penalties.
