JCPAA calls for Commonwealth entities to be cyber assessed annually by ANAO

Joint Committee of Public Accounts and Audit has called for more reviews of cyber posture and culture, but also added that the amount of publicly available information should not be increased.
Written by Chris Duckett, Contributor

The Joint Committee of Public Accounts and Audit (JCPAA) has called for federal government entities to be assessed on cyber resilience each year by the Australian National Audit Office (ANAO), however, even if the government accepted the recommendation, it acknowledged that this was unlikely to lead to a better informed public.

"The committee recognises the concerns raised in evidence to the inquiry highlighted that individual vulnerabilities within Commonwealth entities could exacerbate existing cybersecurity risks," the report reviewing a pair of recent ANAO reports said.

"In light of this, the committee proposes that published limited assurance reviews provide no more granular public information than is published in existing ANAO cyber resilience audits. The published report can also provide advice on identified impediments to agencies implementing the 13 behaviours and practices and the Essential Eight mitigation strategies, noting that the provision exists for confidential reporting to ministers and the JCPAA where required."

Historically, public reports from the ANAO typically place agencies on a chart that measures compliance with mitigation strategies on one axis, and maturity in access and change management on the other. The agencies are then measured as being in one of four quadrants that are either: Vulnerable, internally resilient, externally resilient, or cyber resilient.

Australian agencies remain highly averse to any public acknowledgement of their security posture.

Earlier this week, the Office of National Intelligence (ONI) simultaneously said its posture was highly mature, but then declined to say whether it had a DMARC record, citing national security.

Anyone can easily use command-line tools or sites to find out whether ONI is fully compliant with DMARC, since it is a DNS record and viewable publicly over the internet.

Shadow Assistant Minister for Cyber Security Tim Watts said the report was a "damning indictment" on the government.

"This failure is so bad that the committee found that a new and unprecedented oversight regime is needed to ensure our vital government services and the data of Australian citizens they hold are appropriately protected at a time of dramatically increasing cyber threats," Watts said in a statement with deputy chair Julian Hill.

"It comes after years of staggeringly high rates of non-compliance from the Commonwealth government with its own cybersecurity framework.

"The Morrison Government has had seven years of reports from the ANAO and JCPAA to fix this."

The opposition has previously said it would like to name and shame entities that have a low cyber score.

In its other recommendations, JCPAA said the Attorney-General's Department should provide an update on getting external parties to verify self-reported compliance from entities; and the department should also provide an update on the cyber maturity of government entities and whether it was feasible to mandate the Essential Eight, a call the committee made in October 2017, as well as report back on why any entities have yet to implement the Top Four mandated in April 2013.

It added that the Protective Security Policy Framework should be updated to align with the ANAO's 13 behaviours and practices for cyber resilience, and Australian Post and the Australian Digital Health Agency provide updates on how they are implementing the recommendations from prior ANAO reports.

Related Coverage

Editorial standards