Proposed CIRMP Enhancements for Critical Infrastructure

Australia’s regulatory environment for critical infrastructure is changing significantly.
At the end of 2025, the Department of Home Affairs released a consultation paper proposing material enhancements to the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules).
If your organisation operates critical infrastructure assets, these changes will directly affect your compliance obligations, and the clock is already ticking.
Are These Changes Relevant to Your Organisation?
The proposed enhancements apply to a subset of asset classes designated by the Department as high risk. If your organisation is a responsible entity in any of the following sectors, you need to act:
- Critical electricity assets
- Critical gas assets
- Critical water and sewerage assets
- Critical ports
- Critical domain name systems
- Critical data storage and processing assets
- Critical financial market infrastructure
- Critical hospitals
- Critical communication networks
- Critical food and grocery
- Critical transport
Some asset classes, such as critical aviation and maritime assets, remain subject to separate sector-specific frameworks and are not captured by these proposed changes.

Why Is This Happening Now?
The proposed changes reflect an escalating and increasingly hostile global threat environment, with foreign state actors targeting critical infrastructure at a growing scale and sophistication.
The Department’s stated objective is to strengthen the resilience of Australia’s critical infrastructure in light of these emerging threats, particularly in four key risk domains: foreign ownership, control, and influence (FOCI); cybersecurity; supply chain management; and personnel security.
What Changes Are Being Proposed?
The proposed enhancements introduce 11 new specific risk obligations across four hazard categories. Here’s what your organisation needs to know:
All-Hazard Obligations
Your organisation will be required to respond to risk advisories issued by the Department and minimise or eliminate any material risk identified, as far as reasonably practicable, within 12 months of each advisory being issued. You must build ongoing monitoring processes and contractual flexibility into your operations to respond quickly when new risks are notified.
Responsible entities must consider material FOCI risks across all aspects of their asset, including dependence on foreign-owned vendors, major suppliers, managed service providers, and critical components or software. This obligation takes effect within six months of the enhanced CIRMP Rules commencing, making it the most urgent compliance priority for many organisations.
Cybersecurity Obligations
Your cybersecurity framework must be uplifted to Maturity Level 2 by 30 June 2028, with attestation in the July–September 2028 period. If your organisation has only recently achieved Maturity Level 1, a new uplift program needs to begin now.
Your CIRMP must document how you have implemented the greatest practical level of segregation between critical systems and other internet-connected or less secure components. As remote access has increasingly bridged Operational Technology and IT systems, many organisations will need to reassess and address segregation gaps, including those involving third-party operators managing on-site networking.
MFA must be implemented across all online and internet-facing networks, critical systems and remote access, supported by a central authentication log that is regularly reviewed. Compliance is required by 30 June 2028, with a documented plan required in earlier attestation periods.
Your CIRMP must address risks arising from advanced and emerging technologies (including AI and large language models), offshore remote access to critical systems, and failure to replace unsupported or legacy software and hardware. Your organisation must assess not only its own internal processes but also the visibility and control it has over third parties who may use offshore services or deploy new technologies without notification.
Supply Chain Obligations
By 30 June 2028, your organisation must establish and maintain a system to map its supply chain for major suppliers and critical systems, across both physical and cyber supply chains, including vulnerabilities, mitigating controls, and diversification and redundancy planning. This is an ongoing obligation, not a one-off exercise.
Your organisation must develop and maintain a system to manage material risks posed by vendors presenting a FOCI exposure, including identifying risks, assessing their potential impact, and documenting risk-based treatments and controls. Where diversification is not possible, contractual mitigations, such as restrictions on offshoring, access limitations and step-in clauses, will be essential.
Personnel Security Obligations
By 30 June 2028, responsible entities must establish and maintain a personnel security plan covering unauthorised or privileged access to critical assets, compromised credentials arising from personnel travel, and risks posed by visiting officials and delegations.
All critical workers must be identified, and onshore critical workers must undergo AusCheck background checks as part of pre-employment screening (unless they hold an Australian Government security clearance of Negative Vetting 1 or above). Revalidation is required at least every 5 years. For offshore critical workers, your CIRMP must document how material risks are identified and mitigated.
Your CIRMP must address specific personnel risks, including the potential for trusted insiders, such as major suppliers, critical workers, or managed service providers, to compromise the integrity or availability of critical systems through the misuse of privileged access.

What Does This Mean for Your Board and Executive Team?
These are not just operational or technical compliance matters. They carry direct governance obligations for boards and executives of responsible entities. Your organisation will need to:
- Review and uplift your existing CIRMP and internal risk management processes across all four risk domains
- Assess the depth of visibility and control your organisation has over its entire supply chain, including vendors, contractors and managed service providers
- Build genuine flexibility into risk management programmes and commercial contracts to enable a timely response to specified risks
- Ensure your cybersecurity uplift program has sufficient runway to achieve Maturity Level 2 by 30 June 2028
- Review procurement and contracting approaches for critical suppliers with FOCI exposure
- Ensure personnel security processes are fit for the more prescriptive requirements ahead
The Department has acknowledged that fully eliminating FOCI risk or diversifying away from vendors of concern will not always be possible, which makes proactive risk management, documented mitigation strategies and contractual protections all the more important.
For contractors and suppliers who present FOCI risk to responsible entities, now is the time to proactively develop and offer mitigation options, rather than waiting for customers to impose potentially inconsistent requirements.
Key Compliance Deadlines at a Glance
- FOCI all-hazard obligation: Six months from commencement of the enhanced CIRMP Rules
- Risk advisory (SRA) response obligation: 12 months from the issuance of each advisory by the Department
- Cybersecurity, supply chain and personnel-specific risk obligations: 30 June 2028, with attestation in July–September 2028
Note that the independent review of the operation of the SOCI Act by Dr Jill Slay AM (under section 60A of the SOCI Act) is currently underway and may further shape the regulatory landscape.
How Ikara Helps You Stay Ahead of Your CIRMP Obligations
Meeting these enhanced obligations requires more than updated policies and plans: it requires real-time visibility, automated monitoring and the ability to demonstrate continuous compliance across your entire digital supply chain.
Ikara is purpose-built to help enterprise organisations, service providers and governments operationalise compliance, security, governance and performance across entire digital supply chains.
Supply Chain Visibility Becomes Mandatory
Ikara provides structured supplier classification, risk frameworks, and governance models that support this uplift, giving your organisation the visibility it needs to meet both the supply chain mapping and vendors-of-concern obligations.
Cyber Maturity Moves to the Fore
Ikara helps translate these requirements into measurable, auditable operational controls, supporting your organisation’s pathway to Maturity Level 2 and beyond.
Personnel and Insider Risk Governance Expands
Ikara enables consistent, ecosystem-wide governance of insider risk, ensuring your organisation can meet these obligations across its entire workforce and supply chain.
FOCI Becomes a Cross-Cutting Obligation
Ikara’s early investment in FOCI-aware governance positions your organisation for both compliance and long-term resilience, across all dimensions of the enhanced CIRMP framework.
A Governance Partner for a More Demanding Era
As regulatory expectations rise, organisations need integrated, defensible and adaptable governance capabilities. Ikara’s mission aligns directly with this new landscape, making the platform more relevant than ever for responsible entities as they navigate the enhanced CIRMP.
The question is no longer whether your organisation needs to uplift its critical infrastructure risk management program. The question is whether you have the right platform to do it at scale, with the evidence trail your board and regulator will require.
The regulatory direction is clear, and the compliance timeline is running. The organisations that respond now, before the exposure draft is finalised, will be far better positioned than those who wait.