Government cyber incident reporting via ASD ACSC
Federal entities + critical infrastructure report cyber incidents to ASD ACSC.
Who must comply
Federal agencies + critical infrastructure entities.
What triggers it
Cyber incident with potential impact.
When due
ASAP; statutory 12-72h for SOCI.
Evidence required
ASD ACSC incident report; internal investigation record.
Max penalty
Statutory requirement under SOCI for CI; PSPF compliance for agencies
Summary
Federal agencies + Commonwealth-funded entities report cyber incidents to ASD's Australian Cyber Security Centre (ACSC). Mandatory for critical infrastructure under SOCI; voluntary but expected for others. Information sharing supports national threat intelligence.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHReport cyber security incidents to ASD (SOCI)Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- CWLTHComply with SOCI Positive Security Obligation (PSO) per sectorSector-specific cyber + risk obligations under SOCI Part 2.
- CWLTHAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
- CWLTHComply with APRA CPS 234 (Information Security)APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- CWLTHReport serious NDIS incidents to the NDIS CommissionDeath, serious injury, abuse, neglect, unauthorised restrictive practices, and sexual misconduct must be notified.
- CWLTHAdopt Essential Eight Maturity Level 2 (federal subcontractors)Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
Frequently asked questions
- Who must comply with Government cyber incident reporting via ASD ACSC?
- Federal agencies + critical infrastructure entities.
- What triggers Government cyber incident reporting via ASD ACSC?
- Cyber incident with potential impact.
- When is Government cyber incident reporting via ASD ACSC due?
- ASAP; statutory 12-72h for SOCI.
- What is the maximum penalty for Government cyber incident reporting via ASD ACSC?
- Statutory requirement under SOCI for CI; PSPF compliance for agencies
- What evidence is required for Government cyber incident reporting via ASD ACSC?
- ASD ACSC incident report; internal investigation record.
Source: https://www.cyber.gov.au/report. Rules Mate is not a law firm. Always verify against the live regulator source before acting.