Twelve-hour security breach countdown for govt IT contractors

A draft document released by the Australian Department of Finance outlines requirements for government IT contractors to notify customers within 12 hours once they become aware of actual or suspected security incidents.

The Australian Department of Finance is calling for industry and stakeholder feedback on a draft list of model security clauses for outsourced IT contracts.

The clauses are intended for use in Australian government services contracts, including information and communications technology contracts, where the services involve access, transmission, or storage of government information in circumstances where there may be security risks involved.

The Draft Cyber Security Clauses document (PDF) outlines a number of contractual measures designed to hold IT contractors to account in the event of certain IT security "incidents".

One of the draft clauses stipulates that contractors must "notify a customer in writing immediately and no longer than 12 hours after becoming aware of the cyber incident or other incident".

These incidents include action taken through the use of computer networks resulting in an "actual or potentially" adverse effect on the contractor's information system, or customer data residing on the system in question, along with any other unauthorised access or use by a third party, or misuse, damage, and destruction by any person.

If a contractor becomes aware of a security incident, it would also need to comply with any directions issued by the customer in relation to notifying the Australian Cyber Security Centre and any other relevant body; obtaining evidence about how, when, and by whom the contractor's system may have been compromised; and implementing any mitigation strategies to reduce the impact of the incident.

Additionally, if a customer requests it, a contractor is required to take out and maintain insurance to protect against the risks of a "cyber incident".

Contractors are also compelled to ensure that subcontractors and other supply chain arrangements, which allow or result in access to customer data, adhere to the same obligations outlined in the draft document.

The Department of Finance drew up the draft security model clauses in consultation with the Attorney-General's Department and the Department of Defence.

The department said that the objectives of the clauses are to define service providers' responsibilities to manage IT security risks, provide clear contractual arrangements for safeguarding government data, increase the visibility of cyber incidents, and require subcontractors to comply with these obligations.

The draft clauses are intended to be included in the SourceIT Model Contracts, and a short-form version may be included in the Commonwealth Contracting Suite for procurements under AU$200,000.

"The Commonwealth needs to have a way of managing cybersecurity risks that acknowledges the role of suppliers and subcontractors," the Department of Finance said in a statement. "These model clauses outline the Australian Government's preferred position."

The draft document comes as the federal government rolls back the dual ministerial approval process that had previously been required for agencies to move their cloud IT infrastructure offshore.

According to the Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including cloud) document (PDF), government departments now need only seek the authorisation of their own agency head in order to offshore their cloud services.

The Department of Finance is currently calling for feedback and comments about how the draft clauses will work for members of the industry. Comments opened last Friday, and will close on Friday, September 19.