Business Insight

SOCI Act consultation: What the proposed changes to the CIRMP Rules might mean for you


    What you need to know

    • The Department of Home Affairs (the Department) is seeking feedback on a series of proposed amendments to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules).
    • Responsible entities for "high-risk asset classes" may be subject to the enhanced CIRMP Rules. At present, the Department considers energy market operators, electricity, gas, liquid fuel, water, broadcasting, domain name systems, freight services or freight infrastructure assets to be "high-risk asset classes".
    • Key changes to the CIRMP Rules set out in the Department's Consultation Paper include requiring responsible entities for high-risk asset classes to: comply with level 2 of their chosen cyber maturity framework; and identify, consider and document (in their CIRMP) any material risks posed by foreign ownership, control and influence across all aspects of their asset (including vendors in the supply chain). The Department would also be empowered to issue advice which must be considered by responsible entities for high-risk assets.
    • Submissions on the proposed changes to the CIRMP Rules are due by 13 February 2026.

    What you need to do

    • Consider if the proposed enhancements impact you.
    • Engage in consultation, noting the Department's 27 January 2026 townhall, and that submissions are due by 13 February 2026.
    • Monitor the progress of the proposed changes to the CIRMP Rules – if these changes are passed they will in some cases require significant work from impacted responsible entities to address.

    Proposed amendments to the CIRMP Rules for high-risk asset classes

    The existing CIRMP Rules under the Security of Critical Infrastructure Act 2018 (Cth) require responsible entities to identify and manage material risks across all hazards, including cyber and information security, physical, personnel and supply chain hazards, and to minimise or eliminate those material risks so far as is reasonably practicable.

    As it presently stands, the Department considers responsible entities' obligations under the CIRMP Rules to be a "baseline" security requirement. As recent media coverage has shown, business disruptions are now a matter of "when" rather than "if". The organisations that fare best are those that have prepared for known risks. When preparation is lacking, the consequences can be swift and wide-ranging: responsible entities may face regulatory scrutiny and disputes, along with adverse impacts to their customers, employees, reputation, financial performance and consumer trust.

    In its Consultation Paper, the Department sets out a series of proposed uplifts to the CIRMP Rules intended to keep pace with the evolving threat landscape and to align with assessments conducted by the National Intelligence Community. These changes appear to reflect a change in mindset by the Department, which wants organisations to think more broadly about their operational resilience. In our experience, a defensible position in response to a threat or hazard requires a significant level of preparedness, so that the organisation can withstand, respond to and recover from a disruption without materially impacting its customers and stakeholders. Requiring this work as part of compliance with the enhanced CIRMP Rules will, in effect, force some organisations to do work they might otherwise have delayed or not prioritised.

    It is important to note that the enhanced CIRMP Rules are intended to only apply to high-risk asset classes. At this stage, the Department considers high-risk asset classes to be energy market operators, electricity, gas, liquid fuel, water, broadcasting, domain name systems, freight services or freight infrastructure assets. However, the scope of their application may become broader or narrower, depending on the outcome of the consultation process.

    Key uplift areas

    The areas identified by the Department for enhancement are as follows:

    • Specific Risk Advice: To ensure the CIRMP Rules remain fit-for-purpose and address all hazards and threats, the Department would be empowered to "specify" (or designate) risk advice as relevant to specific sectors or asset classes, or which is broadly applicable to all high-risk asset classes. From the date it is specified or designated as relevant by the Department, responsible entities would have 12 months to have considered the advice, and have identified whether it poses a material risk to the availability or function of their asset, and to have minimised or eliminated the material risks arising from that advice, as far as reasonably practicable.
    • Foreign Ownership, Control & Influence: Responsible entities would be required to consider all material risks associated with foreign ownership, control and influence across all aspects of their asset, and to minimise or eliminate those risks so far as is reasonably practicable. This includes considering impacts to the availability, integrity and confidentiality of the asset that could prejudice the social or economic stability, or the national security, of Australia, arising from (among other things) dependence on foreign owned, controlled or influenced vendors, major suppliers, managed service providers, components, systems or software that are critical to the operation of the asset. The deadline for considering, minimising or eliminating all material risks associated with foreign ownership, control or influence would be 6 months from the commencement of the enhanced CIRMP Rules.
    • Vendors of Concern: In addition to the above, the Department considers that foreign ownership, control or influence of vendors within a critical asset's supply chain presents a material security risk. Responsible entities would be expected to develop and maintain a documented process within their CIRMP to identify and manage material risks posed by these vendors of concern, with explicit consideration given to foreign owned, controlled or influenced vendors. This includes identifying the risks posed by particular vendors, the impact of those risks if realised, and the risk-based treatments and controls applied. Where a responsible entity makes an adverse assessment of a vendor, it must implement additional security measures to manage any ongoing risk arising from continuing to engage that vendor.
    • Cyber Security Framework Uplift: Under the enhanced CIRMP Rules, responsible entities for high-risk asset classes would be required to comply with maturity level 2 of their chosen cyber maturity framework. If a responsible entity has selected a framework which does not contain maturity levels, their CIRMP must outline the steps taken to make their cyber program equivalent to maturity level 2 of an appropriate cyber maturity framework (such as C2M2 or AESCSF). The Department proposes to give responsible entities until 30 June 2028 to achieve compliance with maturity level 2 (or equivalent) of their chosen cyber framework and to attest to compliance in the July-September 2028 attestation period.
    • Networks and Multi-Factor Authentication: By 30 June 2028, responsible entities must ensure their CIRMP documents how they have implemented the greatest practical level of segregation between their asset's critical systems and other connected or less secure components whose compromise could result in the compromise of, substantive loss of access to, or deliberate or accidental manipulation of a critical system. The "greatest practical level of segregation" could include consistently reviewing access logs for communication paths between critical systems and other networks, as well as maintaining an inventory of the critical systems important to delivering the function of the asset. By the same date (and where not already required by their chosen cyber security framework), responsible entities must ensure their CIRMP details how they have used multi-factor authentication to authenticate users to their online and internet-facing networks, privileged and non-privileged users of critical systems, and remote access to networks and systems.
    • Supply Chain Hazards: Building on the existing obligations under the CIRMP Rules, responsible entities would be required to map their supply chain for major suppliers and critical systems, across both their physical and cyber supply chains, by 30 June 2028. In completing this exercise, responsible entities should document supply chain vulnerabilities and the controls in place to mitigate them. Where feasible, the mapping should also address supplier diversification and redundancy planning.
    • Personnel Security Hazards: The proposed amendments would require responsible entities to implement a personnel security plan that consolidates existing obligations under the CIRMP Rules and establishes a documented framework to identify, minimise and, where practicable, eliminate risks relating to critical assets, personnel travel, and the exposure of both physical and digital critical assets to visiting officials and delegations. More broadly, the Department plans to require responsible entities to include personnel hazard-specific risks in their CIRMP and to minimise or eliminate those risks so far as is reasonably practicable. This focuses on the threat from trusted insiders and third parties with privileged access to the asset, such as major suppliers, critical workers and managed service providers, whose unauthorised use or misuse of that access could compromise the integrity, availability and security of critical assets.
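    The segregation item above pairs two controls: an inventory of critical systems and a review of access logs for communication paths that cross the boundary between critical systems and other networks. The following is an added illustration of how that review can be automated, written for this page and not taken from the Consultation Paper or from any responsible entity's CIRMP. The critical-system inventory, the approved communication paths, the critical-zone subnet and the firewall log lines are all constructed, hypothetical values; the point it makes is that flows outside the approved paths are only visible as findings when the endpoints are actually in the inventory, which is why the two controls belong together.

```python
"""Boundary-crossing review over constructed firewall flow logs (added example)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical critical-zone subnet and inventory of critical systems (constructed values).
CRITICAL_ZONE = ipaddress.ip_network("10.20.0.0/24")
CRITICAL_SYSTEMS = {
    "10.20.0.10": "scada-hist-01",
    "10.20.0.11": "plc-gateway-01",
}

# Approved communication paths into the critical zone (constructed):
# (source network, destination critical host, destination port, protocol).
ALLOWED_PATHS = [
    (ipaddress.ip_network("10.50.1.0/24"), "10.20.0.10", 443, "tcp"),  # engineering LAN -> historian over HTTPS
    (ipaddress.ip_network("10.50.2.5/32"), "10.20.0.11", 22, "tcp"),   # jump host -> PLC gateway over SSH
]

# Constructed sample log in a simple key=value firewall format (not real traffic).
SAMPLE_LOG = """\
2025-12-18T09:01:12Z fw01 action=allow proto=tcp src=10.50.1.23 dst=10.20.0.10 dport=443
2025-12-18T09:03:40Z fw01 action=allow proto=tcp src=10.50.2.5 dst=10.20.0.11 dport=22
2025-12-18T09:05:02Z fw01 action=allow proto=tcp src=192.168.7.40 dst=10.20.0.11 dport=502
2025-12-18T09:06:15Z fw01 action=allow proto=tcp src=10.20.0.10 dst=203.0.113.9 dport=443
2025-12-18T09:07:30Z fw01 action=deny proto=tcp src=10.50.1.23 dst=10.20.0.11 dport=23
2025-12-18T09:08:00Z fw01 action=allow proto=udp src=10.50.1.23 dst=10.50.1.24 dport=53
2025-12-18T09:09:45Z fw01 action=allow proto=tcp src=10.20.0.40 dst=10.50.1.24 dport=445
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one 'timestamp device key=value ...' log line into a Flow."""
    ts, _device, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Flow(ts, fields["action"], fields["proto"], fields["src"], fields["dst"], int(fields["dport"]))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_approved_path(flow):
    """True when an inbound flow matches an approved (source net, host, port, proto) path."""
    src = ipaddress.ip_address(flow.src)
    return any(
        flow.dst == dst and flow.dport == port and flow.proto == proto and src in net
        for net, dst, port, proto in ALLOWED_PATHS
    )


def find_boundary_violations(flows):
    """Permitted flows that cross between an inventoried critical system and anything else
    without matching an approved path. Each finding is
    (timestamp, direction, critical system name, src, dst, dport)."""
    findings = []
    for f in flows:
        if f.action != "allow":
            continue  # already blocked at the firewall; not a segregation gap
        src_crit, dst_crit = f.src in CRITICAL_SYSTEMS, f.dst in CRITICAL_SYSTEMS
        if src_crit == dst_crit:
            continue  # both inside, or both outside, the inventoried critical set
        if dst_crit and is_approved_path(f):
            continue  # documented, approved inbound path
        direction = "outbound-from-critical" if src_crit else "inbound-to-critical"
        name = CRITICAL_SYSTEMS[f.src if src_crit else f.dst]
        findings.append((f.ts, direction, name, f.src, f.dst, f.dport))
    return findings


def find_inventory_gaps(flows):
    """Addresses seen inside the critical-zone subnet that are missing from the inventory.
    Their flows escape find_boundary_violations entirely, so the inventory must be kept current."""
    seen = {addr for f in flows for addr in (f.src, f.dst)}
    return sorted(a for a in seen if ipaddress.ip_address(a) in CRITICAL_ZONE and a not in CRITICAL_SYSTEMS)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for finding in find_boundary_violations(flows):
        print("VIOLATION", *finding)
    for addr in find_inventory_gaps(flows):
        print("INVENTORY GAP", addr)
```

Run against the constructed log, the review flags the Modbus connection from an uninventoried 192.168.7.0/24 host into the PLC gateway and the historian's outbound HTTPS session to an external address, while the approved engineering-LAN and jump-host paths and the denied telnet attempt produce no findings. The 10.20.0.40 host, which sits in the critical subnet but is absent from the inventory, is reported only by the inventory-gap check; its SMB session out of the zone would otherwise pass silently, which is the practical reason the Consultation Paper ties log review to an inventory of critical systems.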

    What is this likely to mean for entities with "high risk assets"?

    Since their introduction, the CIRMP Rules have had the difficult task of applying a one-size-fits-all security approach to a wide range of sectors and assets with extremely varied levels of capability, resourcing and maturity. Inevitably, such an approach must cater for the lowest common denominator so as not to overburden smaller or less mature entities, but this can result in the bar being set too low for more critical or more mature entities.

    In defining a "high-risk" class of assets, government is acknowledging that certain asset classes are acutely critical to Australia's national security and require more robust security controls.

    Ideally, high-risk entities would already be exceeding the current CIRMP requirements, but commercial constraints, optimism bias and a failure to plan ahead have meant that many are not, and they will need to undertake significant work to uplift their policies, practices and controls to comply with the proposed changes.

    Two changes stand out as particularly impactful: the cyber framework uplift and the management of foreign ownership and control risks. Moving up from a baseline maturity level in frameworks such as the AESCSF and C2M2 is a non-trivial task, and entities should conduct a thorough gap analysis to identify where uplift and effort will be required.

    The interconnectedness of critical infrastructure supply chains, and the foreign ownership within them, act as a risk multiplier, and identifying and managing foreign ownership and control risks will require a rigorous and holistic mapping exercise that considers all aspects of an asset and its supply chain. Entities will be required to establish a process to identify every vendor, supplier and managed service provider involved in providing, supporting or controlling the technology, consumables, capability and components critical to the operation of the asset, then to tease out the foreign ownership or control risks within this complex ecosystem and establish controls to minimise or eliminate them. This will be a challenging task for all entities, particularly those with complex or opaque supply chains.

    Our advice is to start planning now and get ahead of the changes; regardless of whether they are ultimately made, the proposed changes constitute better practice that all high-risk critical infrastructure entities should consider as part of their continuous improvement.

    Consultation & Next Steps

    Submissions on the Consultation Paper opened on 9 December 2025, and are due by 13 February 2026.

    The Department is also hosting town halls to support the consultation, with the next town hall scheduled for 27 January 2026 between 1:00pm and 2:00pm AEDT. Registration is through the Department.


    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia trading under ABN 74 996 309 133 and is part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 19 December 2025 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.