Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (33 of 2022)

Schedule 1   Amendments

Security of Critical Infrastructure Act 2018

49   After Part 2

Insert:

Part 2A - Critical infrastructure risk management programs

30AA Simplified outline of this Part

• The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies).

• The purpose of a critical infrastructure risk management program is to do the following for each of those assets:

(a) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;

(b) so far as it is reasonably practicable to do so - minimise or eliminate any material risk of such a hazard occurring;

(c) so far as it is reasonably practicable to do so - mitigate the relevant impact of such a hazard on the asset.

• A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.

Note: See also section 30AB (application of this Part).

30AB Application of this Part

(1) This Part applies to a critical infrastructure asset if:

(a) the asset is specified in the rules; or

(b) both:

(i) the asset is the subject of a declaration under section 51; and

(ii) the declaration determines that this Part applies to the asset.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(2) Subsection (1) has effect subject to subsections (3), (4), (5) and (6).

Exemptions

(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:

(a) beginning when the asset became a critical infrastructure asset; and

(b) ending at a time ascertained in accordance with the rules.

(4) If:

(a) an entity holds a certificate of hosting certification (strategic level) that relates to one or more services; and

(b) the certificate was issued under the scheme that is:

(i) administered by the Commonwealth; and

(ii) known as the hosting certification framework; and

(c) a critical infrastructure asset, or a part of a critical infrastructure asset, is used in connection with the provision of any of those services; and

(d) the entity is the responsible entity for the asset;

this Part does not apply to the asset.

Note: For reporting obligations, see Part 2AA.

(5) If:

(a) an entity is covered by a provision of a law of the Commonwealth, a State or a Territory; and

(b) the provision is specified in the rules; and

(c) the entity is the responsible entity for a critical infrastructure asset;

this Part does not apply to the asset.

Note: For reporting obligations, see Part 2AA.

(6) If:

(a) a critical infrastructure asset is covered by a provision of a law of the Commonwealth, a State or a Territory; and

(b) the provision is specified in the rules;

this Part does not apply to the asset.

Note: For reporting obligations, see Part 2AA.

30ABA Consultation - rules

Scope

(1) This section applies to rules made for the purposes of section 30AB.

Consultation

(2) Before making or amending the rules, the Minister must:

(a) cause to be published on the Department's website a notice:

(i) setting out the draft rules or amendments; and

(ii) inviting persons to make submissions to the Minister about the draft rules or amendments withinthe period specified in the notice; and

(b) give a copy of the notice to each First Minister; and

(c) consider any submissions received within the period mentioned in paragraph (a).

(3) The period specified in the notice must not be shorter than 28 days.

30AC Responsible entity must have a critical infrastructure risk management program

If an entity is the responsible entity for one or more critical infrastructure assets, the entity must:

(a) adopt; and

(b) maintain;

a critical infrastructure risk management program that applies to the entity.

Civil penalty: 200 penalty units.

30AD Compliance with critical infrastructure risk management program

If:

(a) an entity is the responsible entity for one or more critical infrastructure assets; and

(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;

the entity must comply with:

(c) the critical infrastructure risk management program; or

(d) if the program has been varied on one or more occasions - the program as varied.

Civil penalty: 200 penalty units.

30AE Review of critical infrastructure risk management program

If:

(a) an entity is the responsible entity for one or more critical infrastructure assets; and

(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;

the entity must review the program on a regular basis.

Civil penalty: 200 penalty units.

30AF Update of critical infrastructure risk management program

If:

(a) an entity is the responsible entity for one or more critical infrastructure assets; and

(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;

the entity must take all reasonable steps to ensure that the program is up to date.

Civil penalty: 200 penalty units.

30AG Responsible entity must submit annual report

Scope

(1) This section applies if, during a period (the relevant period ) that consists of the whole or a part of a financial year:

(a) an entity was the responsible entity for one or more critical infrastructure assets; and

(b) the entity had a critical infrastructure risk management program that applied to the entity.

Annual report

(2) The entity must, within 90 days after the end of the financial year, give:

(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets - the relevant Commonwealth regulator; or

(b) in any other case - the Secretary;

a report that:

(c) if the entity had the program at the end of the financial year - includes whichever of the following statements is applicable:

(i) if the program was up to date at the end of the financial year - a statement to that effect;

(ii) if the program was not up to date at the end of the financial year - a statement to that effect; and

(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period - includes a statement that:

(i) identifies the hazard; and

(ii) evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned; and

(iii) if the program was varied during the financial year as a result of the occurrence of the hazard - outlines the variation; and

(e) is in the approved form; and

(f) if the entity has a board, council or other governing body - is approved by the board, council or other governing body, as the case requires.

Civil penalty: 150 penalty units.

(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.

30AH Critical infrastructure risk management program

(1) A critical infrastructure risk management program is a written program:

(a) that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets; and

(b) the purpose of which is to do the following for each of those assets:

(i) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;

(ii) so far as it is reasonably practicable to do so - minimise or eliminate any material risk of such a hazard occurring;

(iii) so far as it is reasonably practicable to do so - mitigate the relevant impact of such a hazard on the asset; and

(c) that complies with such requirements (if any) as are specified in the rules.

(2) Requirements specified under paragraph (1)(c):

(a) may be of general application; or

(b) may relate to one or more specified critical infrastructure assets.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of theActs Interpretation Act 1901.

(4) Rules made for the purposes of paragraph (1)(c) may require that a critical infrastructure risk management program include one or more provisions that:

(a) permit a background check of an individual to be conducted under the AusCheck scheme; and

(b) provide that such a background check must include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) and (d) of theAusCheck Act 2007, as specified in the rules; and

(c) provide that, if such a background check includes an assessment of information relating to the matter mentioned in paragraph 5(a) of theAusCheck Act 2007, the criteria against which that information must be assessed are the criteria specified in the rules; and

(d) provide that, if such a background check includes assessment of information relating to the matter mentioned in paragraph 5(d) of theAusCheck Act 2007, the assessment must consist of whichever of the following is specified in the rules:

(i) an electronic identity verification check;

(ii) an in person identity verification check;

(iii) both an electronic identity verification check and an in person identity verification check.

(5) Subsection (4) does not limit paragraph (1)(c).

(6) In specifying requirements in rules made for the purposes of paragraph (1)(c), the Minister must have regard to the following matters:

(a) any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;

(b) the costs that are likely to be incurred by responsible entities in complying with those rules;

(c) the reasonableness and proportionality of the requirements in relation to the purpose referred to in paragraph (1)(b);

(d) such other matters (if any) as the Minister considers relevant.

(7) For the purposes of this section, in determining whether a risk is a material risk, regard must be had to:

(a) the likelihood of the hazard occurring; and

(b) the relevant impact of the hazard on the asset if the hazard were to occur.

(8) The rules may provide that a specified risk is taken to be a material risk for the purposes of this section.

(9) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(10) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(11) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(12) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

30AJ Variation of critical infrastructure risk management program

A critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program.

30AK Revocation of adoption of critical infrastructure risk management program

If an entity has adopted a critical infrastructure risk management program that applies to the entity, this Part does not prevent the entity from:

(a) revoking that adoption; and

(b) adopting another critical infrastructure risk management program that applies to the entity.

30AKA Responsible entity must have regard to certain matters in deciding whether to adopt or vary critical infrastructure risk management program etc.

Adoption of program

(1) If an entity is the responsible entity for one or more critical infrastructure assets, then, in deciding whether to adopt a critical infrastructure risk management program, the entity must have regard to such matters (if any) as are set out in the rules.

Civil penalty: 200 penalty units.

(2) Subsection (1) does not limit the matters to which the responsible entity may have regard.

Review of program

(3) If:

(a) an entity is the responsible entity for one or more critical infrastructure assets; and

(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;

then, in reviewing the program in accordance with section 30AE, the entity must have regard to such matters (if any) as are set out in the rules.

Civil penalty: 200 penalty units.

(4) Subsection (3) does not limit the matters to which the responsible entity may have regard.

Variation of program

(5) If:

(a) an entity is the responsible entity for one or more critical infrastructure assets; and

(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;

then, in deciding whether to vary the program, the entity must have regard to such matters (if any) as are set out in the rules.

Civil penalty: 200 penalty units.

(6) Subsection (5) does not limit the matters to which the responsible entity may have regard.

Rules

(7) Rules made for the purposes of subsection (1), (3) or (5):

(a) may be of general application; or

(b) may relate to one or more specified critical infrastructure assets.

Note: For specification by class, see subsection 13(3) of theLegislation Act 2003.

(8) Subsection (7) of this section does not, by implication, limit subsection 33(3A) of theActs Interpretation Act 1901.

30AL Consultation - rules made for the purposes of section 30AH or 30AKA

Scope

(1) This section applies to rules made for the purposes of section 30AH or 30AKA.

Consultation

(2) Before making or amending the rules, the Minister must:

(a) cause to be published on the Department's website a notice:

(i) setting out the draft rules or amendments; and

(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and

(b) give a copy of the notice to each First Minister; and

(c) consider any submissions received within the period mentioned in paragraph (a).

(3) The period specified in the notice must not be shorter than 28 days.

(4) Subsection (2) does not apply if:

(a) the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset; or

(b) the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset.

Note: See also section 30AM (review of rules).

30AM Review of rules

Scope

(1) This section applies if, because of subsection 30AL(4), subsection 30AL(2) did not apply to the making of:

(a) rules; or

(b) amendments.

Review of rules

(2) The Secretary must:

(a) if paragraph (1)(a) applies - review the operation, effectiveness and implications of the rules; and

(b) if paragraph (1)(b) applies - review the operation, effectiveness and implications of the amendments; and

(c) without limiting paragraph (a) or (b), consider whether any amendments should be made; and

(d) give the Minister:

(i) a report of the review; and

(ii) a statement setting out the Secretary's findings.

(3) For the purposes of the review, the Secretary must:

(a) cause to be published on the Department's website a notice:

(i) setting out the rules or amendments concerned; and

(ii) inviting persons to make submissions to the Secretary about the rules or amendments concerned within the period specified in the notice; and

(b) give a copy of the notice to each First Minister; and

(c) consider any submissions received within the period mentioned in paragraph (a).

(4) The period specified in the notice must not be shorter than 28 days.

(5) The Secretary must complete the review within 60 days after the commencement of the rules or amendments concerned.

Minister to table statement of findings

(6) The Minister must cause a copy of the statement of findings to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives it.

30AN Application, adoption or incorporation of a law of a State or Territory etc.

Scope

(1) This section applies to rules made for the purposes of section 30AH or 30AKA.

Application, adoption or incorporation of a law of a State or Territory

(2) Despite subsection 14(2) of theLegislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.

Application, adoption or incorporation of a standard

(3) Despite subsection 14(2) of theLegislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time.

Note: The expression Standards Australia is defined in section 2B of theActs Interpretation Act 1901.

30ANA Application, adoption or incorporation of certain documents

Application, adoption or incorporation of a relevant document

(1) Despite subsection 14(2) of theLegislation Act 2003, rules made for the purposes of section 30AH or 30AKA of this Act may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a relevant document as in force or existing from time to time.

Relevant document

(2) For the purposes of this section, relevant document means:

(a) the document titledEssential Eight Maturity Model and published by the Australian Signals Directorate; or

(b) the document titledFramework for Improving Critical Infrastructure Cybersecurity and published by the National Institute of Standards and Technology of the United States of America; or

(c) the document titledCybersecurity Capability Maturity Model and published by the Department of Energy of the United States of America; or

(d) the document titledThe 2020-21 AESCSF Framework Core and published by Australian Energy Market Operator Limited (ACN 072 010 327); or

(e) the document titledCyber Supply Chain Risk Management and published by the Australian Signals Directorate; or

(f) a document specified in the rules.

(3) Subsection 13(3) of theLegislation Act 2003 does not apply to paragraph (2)(f) of this section.

30ANB Consultation - rules made for the purposes of paragraph 30ANA(2)(f)

Scope

(1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f).

Consultation

(2) Before making or amending the rules, the Minister must:

(a) cause to be published on the Department's website a notice:

(i) setting out the draft rules or amendments; and

(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and

(b) give a copy of the notice to each First Minister; and

(c) consider any submissions received within the period mentioned in paragraph (a).

(3) The period specified in the notice must not be shorter than 28 days.

30ANC Disallowance of rules

Scope

(1) This section applies to rules made for the purposes of paragraph 30ANA(2)(f).

Disallowance

(2) Either House of the Parliament may, following a motion upon notice, pass a resolution disallowing the rules. For the resolution to be effective:

(a) the notice must be given in that House within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of theLegislation Act 2003; and

(b) the resolution must be passed, in pursuance of the motion, within 15 sitting days of that House after the giving of that notice.

(3) If neither House passes such a resolution, the rules take effect on the day immediately after the last day upon which such a resolution could have been passed if it were assumed that notice of a motion to disallow the rules was given in each House on the last day of the 15 sitting day period of that House mentioned in paragraph (2)(a).

(4) If:

(a) notice of a motion to disallow the rules is given in a House of the Parliament within 15 sitting days of that House after the copy of the rules was tabled in that House under section 38 of theLegislation Act 2003; and

(b) at the end of 15 sitting days of that House after the giving of that notice of motion:

(i) the notice has not been withdrawn and the motion has not been called on; or

(ii) the motion has been called on, moved and (where relevant) seconded and has not been withdrawn or otherwise disposed of;

the rules are then taken to have been disallowed, and subsection (3) does not apply to the rules.

(5) Section 42 (disallowance) of theLegislation Act 2003 does not apply to the rules.

Note 1: The 15 sitting day notice period mentioned in paragraph (2)(a) of this section is the same as the 15 sitting day notice period mentioned in paragraph 42(1)(a) of theLegislation Act 2003.

Note 2: The 15 sitting day disallowance period mentioned in paragraph (2)(b) of this section is the same as the 15 sitting day disallowance period mentioned in paragraph 42(1)(b) of theLegislation Act 2003.

Part 2AA - Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program

30AP Simplified outline of this Part

• A responsible entity must give an annual report relating to certain assets that are not covered by a critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.

30AQ Reporting obligations relating to certain assets that are not covered by a critical infrastructure risk management program

Scope

(1) This section applies if, during a period (the relevant period ) that consists of the whole or a part of a financial year, an entity was the responsible entity for one or more critical infrastructure assets that are covered by subsection 30AB(4), (5) or (6).

Annual report

(2) The entity must, within 90 days after the end of the financial year, give:

(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets - the relevant Commonwealth regulator; or

(b) in any other case - the Secretary;

a report that:

(c) sets out the reason why those assets are covered by subsection 30AB(4), (5) or (6); and

(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period - includes a statement that:

(i) identifies the hazard; and

(ii) evaluates the effectiveness of the action (if any) taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the assets concerned; and

(e) is in the approved form; and

(f) if the entity has a board, council or other governing body - is approved by the board, council or other governing body, as the case requires.

Civil penalty: 150 penalty units.

(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.


Copyright notice

© Australian Taxation Office for the Commonwealth of Australia

You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).