A comprehensive audit will be conducted into all internet-facing technology used by Commonwealth agencies. 

A series of formal directives was quietly issued by Home Affairs Secretary Stephanie Foster last week, according to reports, requiring federal government bodies to identify and mitigate potential cyber risks.

The new instructions should see nearly 200 Commonwealth entities and companies share cyber threat information with the Australian Signals Directorate (ASD).

The three Protective Service Policy Framework (PSPF) directives mark only the second instance of these binding powers being used, the first being last year's ban on the Chinese-owned application TikTok from Commonwealth devices.

Under PSPF Direction 001-2024, government entities are reportedly instructed “to identify indicators of Foreign Ownership, Control or Influence (FOCI) risk as they relate to procurement and maintenance of technology assets and appropriately manage and report those risks”. 

Government entities must “implement a process when undertaking procurement of technology assets to identify and manage potential FOCI risks” by June next year.

The second directive requires “a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity”.

Additionally, it instructs Commonwealth entities to “develop a technology security risk management plan for all internet-facing systems or services, as part of the entity's overall security plan”.

According to the third directive, it is now mandatory for all “Australian government entities using threat intelligence sharing platforms to share cyber threat information with the Australian Signals Directorate”.

Details on the funding for these threat mitigation activities have not been disclosed.