High Risk, Higher Standards: What the Enhanced CIRMP Rules Mean for You
The existing CIRMP Rules under the SOCI Act require responsible entities to manage material risks across all-hazards, including cyber and information security, physical, personnel and supply chain hazards, and to minimise or eliminate those hazards as far as reasonably practicable.
The Department of Home Affairs considers that obligations under the baseline CIRMP Rules set minimum expectations for security requirements for responsible entities. As we have seen recently in the media, business disruptions are now a matter of "when" rather than "if". The organisations that fare best are those that are prepared for known risks. When preparation is lacking, the consequences can be swift and wide-ranging – responsible entities may face regulatory scrutiny, disputes, and adverse impacts to their customers, employees, reputation, financial performance and consumer trust.
Following an extensive consultation process, including an initial Consultation Paper in late 2025, industry submissions, public town halls and sector-specific impact analysis sessions, and an Exposure Draft consultation in early 2026, the Enhanced CIRMP Rules have now been finalised and are in force. The amendments are intended to keep pace with the evolving threat landscape and align with assessments conducted by the National Intelligence Community. These changes appear to reflect a change in mindset by the Department, as it wants organisations to think more broadly about their operational resilience. In our experience, a defensible position, in response to a threat or hazard, requires a significant level of preparedness so that the organisation can withstand, respond to and recover from the disruption without materially impacting its customers and stakeholders. Requiring this work to be done as part of compliance with the Enhanced CIRMP Rules will, in effect, force entities to do the work they may otherwise have been delaying or not prioritising.
The areas addressed by the Enhanced CIRMP Rules and their corresponding grace periods for compliance are as follows:
| Uplift area | Description | Grace period |
| Additional material risks – enhanced requirements (s6A) | Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate a set of specified additional material risks. These are:
| 10 June 2027 (12 months) |
| Cyber and Information Security Hazards – enhanced requirements (s8A) | Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate the following material risks:
| 10 June 2027 (12 months) |
| Responsible entities are required to comply with maturity level 2 of their chosen cyber maturity framework. If a responsible entity has selected a framework which is not listed in the CIRMP Rules, their CIRMP must outline the steps taken to make their cyber program equivalent to one of those frameworks (including the conditions governing the maturity level). | 10 June 2028 (24 months) | |
| Credential Compromise Hazards (s8B) | This standalone provision applies where the responsible entity's chosen cyber framework does not already require phishing-resistant multi-factor authentication (MFA). The responsible entity must identify the systems and networks for which phishing-resistant MFA is required, minimise or eliminate the risk of a credential compromise hazard occurring, mitigate any relevant impact on the CI asset, implement phishing-resistant MFA for those systems, and centrally log, monitor and review authentication attempts. If the entity cannot practically implement these measures, it should still include a process or system in its CIRMP containing reasonable steps to minimise or eliminate the relevant material risks. | 10 June 2028 (24 months) |
| Lateral Movement Hazards (s8C) | This provision addresses the risk of users moving between computer systems and critical systems in a way that could compromise the availability, integrity, reliability or confidentiality of the asset. Responsible entities must identify and maintain an inventory of critical systems and their connections with other critical systems, recover and restore critical systems after an incident, ensure continued availability while rebuilding or restoring critical systems and minimise or eliminate lateral movement risks so far as reasonably practicable. Network segregation is deemed to satisfy the obligations where it meets the specified requirements, including segregation between critical systems, operational independence from other internet-connected computers, at least three months of continued operation while other computers are in restoration or recovery, logical access controls, central logging and monitoring of communication paths between critical systems and other networks, and implementation of least privilege principles. | 10 June 2028 (24 months) |
| Personnel Hazards – enhanced requirements (s9A) | Responsible entities must establish and maintain a process or system in their CIRMP to, as far as reasonably practicable, minimise or eliminate the material risks associated with:
| 10 June 2027 (12 months) |
| The baseline CIRMP covers suitability assessments and ongoing monitoring of critical workers. The distinction between "onshore" and "offshore" critical workers included in the Exposure Draft has been removed in favour of a unified framework. Critical workers must be assessed as suitable through either an AusCheck background check or by holding a relevant security clearance (defined as Negative Vetting 1 level or higher). Where a critical worker is unable to meet those requirements, the entity must document the associated risk and the steps being taken to address it. Additionally, for persons with ongoing access to critical components, background checks must be renewed at minimum every five years (for AusCheck) or revalidation (before the NV1 clearance lapses or expires), and entities must proactively monitor for developments that may affect a critical worker's ongoing suitability. | 10 June 2028 (24 months) | |
| Supply Chain Hazards – enhanced requirements (s10A) | The supply chain provisions remain broadly consistent with the Consultation Paper. Entities must map their supply chain for major suppliers and critical components identifying risks to the availability, integrity, reliability or confidentiality of those components and determining the maximum acceptable outage for the asset arising from supply chain disruption. A separate vendor assessment process must also be maintained for existing and proposed major suppliers, requiring entities to evaluate each major supplier against a range of factors including FOCI-related legal requirements, jurisdictional restrictions and sanctions, and the supplier's access, influence and control over the asset, material risk, maximum acceptable outage, and mitigation steps. | 10 June 2028 (24 months) |
| Physical Security and Natural Hazards – enhanced requirements (s11A) | The physical security provisions retain the same general structure but shift in focus. Rather than requiring entities to "minimise or eliminate the risk associated with" physical security consequences, the revised framework requires entities to "outline and consider the physical security consequences arising from the occurrence of all hazards". This broader framing encompasses cyber and information hazards, credential compromise hazards, lateral movement, and other physical and natural hazards. Responsible entities must outline the location, ownership and nature of the site, physical critical components, and areas holding business-critical data or containing critical components (including critical systems). | 10 June 2028 (24 months) |
Since their introduction, the CIRMP Rules have had the difficult task of applying a one-size-fits-all security approach for a wide range of sectors and assets, with extremely varied levels of capability, resourcing and maturity. Inevitably, such an approach must cater for the lowest common denominator so as not to over-burden smaller or less mature entities, but this can result in the bar being set too low for more critical or mature entities.
In defining a "high-risk" class of assets, government has acknowledged that certain asset classes are acutely critical to Australia's national security and require stronger security controls.
Ideally, high-risk entities should already be exceeding the current CIRMP requirements, but commercial constraints, optimism bias, and a failure to plan ahead has meant that many are not and will need to undertake significant work to uplift their policies, practices and controls to comply with the Enhanced CIRMP Rules.
Three changes stand out as particularly impactful - (1) cyber framework uplift, (2) management of foreign ownership and control risks and (3) compliance with the enhanced critical worker obligations.
Moving up from a baseline maturity level for frameworks such as the AESCSF and Cybersecurity Capability Maturity Model is a non-trivial task, and entities should conduct a thorough gap analysis to identify where uplift is required. The dedicated sections for credential compromise hazards and lateral movement hazards reflects the Department's heightened focus on these specific areas of threat. The three-month operational independence requirement for critical systems during network restoration may be challenging for many entities.
The interconnectedness of critical infrastructure supply chains and foreign ownership within them present a risk multiplier. The Enhanced CIRMP Rules address FOCI risks as an additional material risk under section 6A, as part of the vendor assessment process under section 10A; and through the broader supply chain mapping obligations. Identifying and managing these risks will require a rigorous mapping exercise that considers all aspects of an asset and its supply chain. Entities will be required to establish a process to identify vendors, suppliers and managed service providers involved in providing, supporting or controlling the technology, consumables, capability and components critical to the asset, before teasing out the foreign ownership or control risks within this complex ecosystem and establishing controls to minimise or eliminate them. This will be a challenging task for all entities with complex or opaque supply chains.
And finally we expect that the enhanced critical worker obligations will require organisations to revisit their terms of employment to understand if they can mandate the additional checks required in order to allow critical workers to access critical components and how they can require employees, or contractors who provide critical workers, to proactively inform them if their suitability to be a critical worker changes over time.
As the Enhanced CIRMP Rules are now in force, our advice for responsible entities for high-risk assets is to act promptly to assess their current state of compliance against the enhanced requirements and develop and execute on implementation plans to meet the applicable grace period deadlines.
Other authors: John Moore, Director, Risk Advisory; Sanjay Vinoharan, Director, Risk Advisory; Sanjam Bajwa, Lawyer.
This publication is a joint publication from Ashurst Perkins Coie Australia and Ashurst Perkins Coie Risk Advisory Pty Ltd, which are part of the Ashurst Perkins Coie Group.
Ashurst Perkins Coie Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.
Ashurst Perkins Coie Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.
The Ashurst Perkins Coie Group comprises Ashurst Perkins Coie UK LLP, Ashurst Perkins Coie US LLP, Ashurst Perkins Coie Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst Perkins Coie" or describe themselves as being affiliated with Ashurst Perkins Coie. Some members of the Ashurst Perkins Coie Group are limited liability entities. Some members of the Ashurst Perkins Coie Group provide legal services and some provide non-legal services. Different legal entities in the group may operate in the same jurisdictions. Information about which Ashurst Perkins Coie Group entity operates in any country can be found on our website at www.ashurstperkinscoie.com.
The services provided by Ashurst Perkins Coie Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
This material is current as at July 8 2026 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst Perkins Coie. We accept no liability for use of these materials and reliance upon it by any person.
© 2026. Ashurst Perkins Coie Group. All rights reserved.