The SOCI Act, where are we now and how can we help?

Published Oct 17,2022

The Australian government are moving at speed and the next phase of the SOCI Act, and the risk management program (RMP), should be finalised in December 2022 after industry consultation.  


Here’s an overview of the SOCI Act, what’s been passed and what is being worked through.  


Key takeaways: 
▪ SOCI reforms are now in force
▪ Two bills were passed in December 2021 & March 2022
▪ The legislation covers a broad range of assets and a broad range of roles relating to those assets


SLACI Bill  
The SLACI Bill is the first of the two bills to amend the SOCI Act. This was passed on the 2nd December 2021.


It introduced new obligations and expanded the number of sectors and assets under the SOCI act


Two positive security obligations apply: 
▪ Provision of operational and ownership information to the Register of Critical Infrastructure Assets
▪ Mandatory cyber incident reporting

The Governance also have assistance measures now in place.


The Security Legislation Amendment (Critical Infrastructure) Bill 2022 (SLACI Act) was passed in December 2021, expanding the number of sectors and assets under the SOCI act.


Sectors that are now required to follow the SOCI Act are:
• Communications
• Data storage or processing
• Financial services and markets
• Water and sewerage
• Energy
• Health care and medical
• Higher education and research
• Food and groceries
• Transport
• Space technology
• Defence industry


New obligations introduced from the SLACI Act are the register of critical infrastructure assets, mandatory cyber security incident reporting, and government assistance.


Register of Critical Infrastructure Asset 
An organisation must identify who owns and controls critical infrastructure asset.


Mandatory Cyber Security Incident Reporting 
For critical cyber security incidents, the responsible entity must notify the ACSC within 12 hours of being aware of a cyber security incident. For an incident that had, is having, or is likely to have a ‘relevant impact’ on the asset, within 72 hours the responsible entity must report this cyber incident.


Government Assistance 
The government assistance framework is utilised as a last resort as an intervention to respond to an incident towards critical infrastructure. This occurs during an instance when an entity is unwilling or unable to conduct their own incident response.


The SLACIP Bill 

The SLACIP Bill, the second of the bills, passed in March 2022, to address the outstanding elements of the proposed framework including:


◦ Enact a third positive security obligation requiring critical infrastructure entities to develop and comply with a risk management program to protect their Critical Infrastructure assets
◦ The ability to declare systems of national significance (SoNS)
◦ Enhanced cyber security obligations that could be applied to a SoNS


The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) was passed in March 2022, introducing a new obligation to establish and maintain a Risk Management Program, and the ability to declare systems of national ignificance. The risk management program identifies material risks that may affect the availability, integrity, reliability, and confidentiality of their critical infrastructure asset. Other obligations from the SLACIP Bill are identifying systems of national significance (SoNS). This is currently under consultation, due to be completed early December.


The risk management program identifies material risks that may affect the availability, integrity, reliability, and confidentiality of their critical infrastructure asset. The following subheadings are targeting different areas that provide material risk or relevant impact on a critical asset.


Cyber and information security hazards
An organisation must establish and maintain a framework that minimises or eliminate a material risk that could have a relevant impact on an asset. This framework must also mitigate the relevant impact of a hazards to an asset. An organisation can maintain one of the following frameworks and their corresponding conditions:

• ISO/IEC 27001:2015
• Essential Eight Maturity Model
◦ Meet maturity level one
• Framework for Improving Critical Infrastructure Cybersecurity by NIST
• Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America
◦ Meet maturity indicator level one
• 2020-21 AESCSF Framework Core published by Australian Energy Market Operator
◦ Meet security profile one


Personnel hazards 

An organisation must identify, assess, minimise, or eliminate material risks that could affect the functioning of an asset, related to critical workers, negligent employees, malicious insiders or from the off-boarding process. It’s also encouraged that critical worker with access to critical assets, have background checks under the AusCheck scheme at regular intervals.


Supply chain

An organisation must establish and maintain a process or system that mitigate relevant impact and minimise or eliminate material risk related to threats and vulnerabilities stemming from the supply chain. These risks stem from supply chain and high-risk vendors.


Physical security hazards and natural hazards 

An organisation must establish and maintain a process or system that identify critical parts to an asset, mitigating a relevant impact and minimising or eliminating a material risk of a physical security hazard. These risks stem from unauthorised access to a critical site and control access to critical sites, and natural hazard on the asset.


Secolve can help you understand and comply with the SOCI Act legislation. Get in touch with us today to understand more.