
Deadline Approaching for Submission of Critical Infrastructure Risk Management Reports

Last Call for Critical Infrastructure Risk Management Program (CIRMP) Annual Reports: Australia's Cyber and Infrastructure Security Centre urges submissions before the end of the reporting period for the 2023-24 financial year, which falls on August 31, 2024. As of now, the agency has received...


The Critical Infrastructure Risk Management Program (CIRMP) has seen significant improvements in its annual reporting process, with the energy and health sectors leading the way in submissions. As of August 31, 2024, Australia's Cyber and Infrastructure Security Centre (CISC) has received 53 annual reports from eight different sectors, covering 137 assets.

In response to the feedback received, the CISC made several changes to the CIRMP Form in May 2024. These changes included providing more clarity about the attestation process, clarifying the information being sought regarding cyber security and other risk management frameworks, and ensuring the web form allows attachments to be added. The updated form also includes a section for attachments, allowing for greater flexibility in reporting.

Entities are encouraged to include attachments that provide assurance of compliance with legislation. Twenty-one out of the 53 reports received have included an attachment. Including attachments can reduce the likelihood of entities being asked for more information or facing auditing at a later date.

The CISC has stated that these changes made a meaningful difference to submissions and improved the user experience. The updated form provides a better picture of security frameworks in use and the maturity of industry against those frameworks. The most used cyber security framework, as reported in the received reports, is the 2020-21 AESCSF Framework Core, followed by the Essential Eight Maturity Model.

Looking ahead, the CISC expects an influx of submissions towards the end of September. To ensure continuous improvement, the CISC plans to seek feedback on questions through the Trusted Information Sharing Network (TISN) for future changes to the web forms.

In response to feedback, the CISC understands the industry's desire for more and earlier consultation, particularly regarding changes to web forms. The CISC acknowledges the need for clearer wording around 'security frameworks' and is addressing this issue through multiple platforms.

The CISC encourages all entities to adhere to their legislative obligation for annual reporting, but providing attachments is not a requirement for compliance. Mandatory risk management program (RMP) annual report submissions by sector are: energy (47%), health (19%), data storage or processing (15%), transport (7%), water (6%), communications (2%), financial (2%), and food and grocery (2%).

As the CIRMP continues to evolve, the CISC remains committed to fostering a secure and resilient critical infrastructure for Australia.
