Government
Government technology is a high-value target. Most agencies are still not meeting the baseline.
ASD’s Australian Cyber Security Centre responded to 408 cyber security incidents reported by government entities in 2024–25 — representing 33 per cent of all incidents handled nationally. Despite a mandatory requirement for non-corporate Commonwealth entities to reach Essential Eight Maturity Level 2, the proportion achieving that standard has declined. State-sponsored actors are targeting Australian government networks for espionage and pre-positioning for future disruption. The gap between compliance intent and operational reality has never been more consequential.
Orro works with Commonwealth, state/territory and local government to build the network foundations, cybersecurity capability and operational resilience that modern government service delivery demands — with Australian-owned governance, IRAP-aligned architecture and 24/7 managed services.
33 per cent of all ASD-responded cyber incidents in 2024–25 involved government entities
408 government cyber security incidents responded to by ASD in 2024–25, an increase from 406 the prior year
17 per cent of all notifiable data breaches reported to OAIC in 2024 involved Australian Government agencies
increase in ASD proactive notifications to entities of potentially malicious activity in 2024–25
The cyber and operational reality facing Australian government
Australian government at all levels — Commonwealth, state, territory and local — faces a cyber threat environment that is more active, more targeted and more consequential than at any previous point. The ASD’s Annual Cyber Threat Report 2024–25 confirms that government entities collectively accounted for one in three of all cyber incidents ASD responded to nationally, with 408 incidents reported in the financial year to June 2025. These are not opportunistic low-level events: state-sponsored actors are deliberately targeting government networks for espionage, data theft, and what ASD describes as “pre-positioning” — establishing persistent access that can be activated for disruptive purposes at a time of geopolitical advantage.
Why government is targeted:
Government agencies hold a concentration of high-value data that is difficult to replicate: tax records, social security information, law enforcement intelligence, health identifiers, defence supply chain details, infrastructure mapping and the personal records of millions of Australians. For state-sponsored actors — primarily those aligned with China, Russia and affiliated groups — this data has both immediate intelligence value and long-term leverage. Chinese state-sponsored group RedNovember (tracked by Microsoft as Storm-2077) was identified in 2025 as actively targeting government and private sector organisations in Australia and the Pacific, exploiting vulnerabilities in perimeter devices from major vendors to establish persistent access. BianLian, a Russia-based ransomware and extortion group, has targeted Australian critical infrastructure sectors, using credential theft and data exfiltration to demand payment rather than deploying traditional encrypting ransomware. Evil Corp, whose senior members were sanctioned by the Australian Government, targeted national infrastructure and government alongside health systems.
Beyond state-sponsored actors, cybercriminal groups are increasingly drawn to government for a different reason: the operational disruption value of an attack creates pressure to pay. Government services — welfare payments, health records access, regulatory approvals, emergency coordination — cannot simply be taken offline for days or weeks during incident response. That dependency is leverage.
The structural vulnerability problem:
Government technology environments carry a legacy burden that most private sector CIOs would not recognise. Core systems in many Commonwealth and state agencies were built in decades when network architecture was simpler, threat actors were less sophisticated and digital service delivery was a secondary function. ASD has specifically flagged legacy IT as “a significant and enduring risk” to government cyber security posture, noting that remediating a cyber incident in legacy environments involves substantially higher financial and operational costs. The challenge is compounded by procurement complexity — government IT decisions often require lengthy approval cycles, whole-of-government panel arrangements and ministerial sign-off for major changes — meaning even well-led technology teams can struggle to move at the pace the threat requires.
The distributed nature of government creates further complexity. A large Commonwealth department may operate dozens of sites across every state and territory, plus remote offices, ministerial offices and field operations. A state government agency may connect hundreds of local offices, service centres and shared services hubs to a central network. Local councils increasingly depend on internet connectivity for rate processing, development applications and community service delivery. Each connection point is an exposure, and each third-party system integration — there are thousands across government — is a supply chain risk. ASD’s own data shows that third-party and supply chain incidents have materially increased across the NSW Government, with third-party-linked cyber incidents quadrupling in two years to 17 incidents in 2023–24.
The compliance maturity gap:
The regulatory requirement for Essential Eight Maturity Level 2 across all non-corporate Commonwealth entities has been mandatory since July 2022 under PSPF Policy 10. The ASD’s Commonwealth Cyber Security Posture in 2024 found that the proportion of government entities reaching overall Maturity Level 2 has declined — a finding that sits uncomfortably alongside a sustained escalation in threat activity. The self-assessment model, combined with resourcing constraints and legacy technical debt, has produced a sector where compliance intent frequently outpaces operational capability. Organisations that are meeting Essential Eight requirements on paper may have significant exposure gaps in practice: unpatched edge devices, inconsistent multi-factor authentication coverage, insufficient event logging, and application environments that are catalogued but not adequately controlled.
Regulatory and compliance obligations for Australian government
Information Security Manual (ISM)
Governing body
Australian Signals Directorate (ASD) — cyber.gov.au
What it requires
The ISM sets technical controls across 17 domains covering system hardening, access management, event logging, incident response, cryptography and secure configuration. Commonwealth entities must apply ISM controls under PSPF Policy 11, alongside the Essential Eight mandated by Policy 10. Each ISM control is marked with the classification levels (and system types) it applies to; agencies must determine which controls apply to each of their systems and document either implementation or formal risk acceptance as part of system authorisation.
Applies to
All non-corporate Commonwealth entities as a mandatory baseline under the PSPF. Corporate Commonwealth entities and state/territory agencies are strongly encouraged to align; several jurisdictions embed ISM as a de facto requirement for state agency systems.
Consequence of non-compliance
Adverse findings in ANAO audits and PSPF Assessment Reports tabled in Parliament; increased exposure in the event of a breach; reputational and accountability consequences for agency leadership.
Protective Security Policy Framework (PSPF)
Governing body
Department of Home Affairs — homeaffairs.gov.au
What it requires
The PSPF sets the overarching security obligations for Australian Government entities across governance, personnel, physical and information security. Policy 10 mandates implementation of the Essential Eight to Maturity Level 2 for all non-corporate Commonwealth entities (mandatory since 1 July 2022), with an obligation to consider whether Maturity Level 3 is warranted given the entity’s threat environment. Policy 11 requires ICT systems to be protected in accordance with ISM principles. Entities must self-report annually against all PSPF policies; the PSPF Assessment Report is tabled in Parliament each year. The 2025 PSPF release introduced updated policy requirements that agencies must review and action.
Applies to
All non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability (PGPA) Act. Corporate Commonwealth entities and companies are encouraged to comply.
Consequence of non-compliance
Adverse findings in the annual PSPF Assessment Report and ANAO audits; parliamentary scrutiny; potential direction from the Secretary of Home Affairs; reputational and governance consequences for senior agency leadership.
ASD Essential Eight
Governing body
Australian Signals Directorate (ASD) — cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight
What it requires
Eight prioritised mitigation strategies — application control, patch applications, restrict Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication and regular backups. Non-corporate Commonwealth entities must achieve Maturity Level 2 across all eight strategies under PSPF Policy 10. Entities must assess whether their threat environment warrants Maturity Level 3. ASD conducts an annual survey of Commonwealth entities to assess self-reported maturity, and ANAO periodically audits a subset to validate those assessments.
Applies to
Mandatory for all non-corporate Commonwealth entities subject to the PGPA Act. Strongly recommended for all other organisations; increasingly required by cyber insurers and government procurement frameworks across the private sector.
Consequence of non-compliance
Adverse PSPF and ANAO audit findings; parliamentary scrutiny; increased regulatory and insurance exposure; material risk that unmitigated vulnerabilities are exploited by the threat actors actively targeting government networks.
Cyber Security Act 2024
Governing body
Department of Home Affairs / Australian Signals Directorate — homeaffairs.gov.au
What it requires
Mandatory ransomware payment reporting for all entities with annual turnover exceeding $3 million and for critical infrastructure operators. Reports must be made to ASD within 72 hours of a ransom payment being made or becoming known. Reports must include details of the incident, the payment, communications with the extorting party, and any known vulnerabilities exploited. The Act also establishes the National Cyber Security Coordinator’s powers and the Cyber Incident Review Board (CIRB) framework for post-incident review of nationally significant events.
Who it applies to
Entities carrying on business in Australia with annual turnover of $3 million or more ("reporting business entities"), and responsible entities for critical infrastructure assets under SOCI. Commonwealth bodies and State bodies are excluded from the Act's definition of reporting business entity, so an agency's own incident reporting obligations continue to sit under the PSPF and, where it is a responsible entity, SOCI incident reporting requirements.
Consequence of non-compliance
Civil penalties for failure to report; regulatory enforcement by the Department of Home Affairs; potential adverse findings in post-incident CIRB reviews; reputational consequences in the event of a publicly disclosed breach.
Privacy Act 1988 / Notifiable Data Breaches (NDB) Scheme
Governing body
Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
What it requires
Entities covered by the Privacy Act must notify the OAIC and affected individuals of eligible data breaches — those that are likely to result in serious harm to any individual whose information is involved. Notification must be made as soon as practicable after the entity becomes aware of an eligible breach. The 2024 Privacy Act amendments introduced a statutory tort for serious invasions of privacy, creating individual rights of action in addition to OAIC enforcement. Government agencies accounted for 17% of all notifiable data breaches reported in 2024.
Who it applies to
All Commonwealth government agencies (mandatory); state and territory government agencies subject to mirror Privacy Act legislation; private sector entities with annual turnover exceeding $3 million.
Consequence of non-compliance
Civil penalties for serious or repeated interferences with privacy of up to the greater of $50 million AUD, three times the benefit obtained, or 30 per cent of adjusted turnover (in force since the December 2022 amendments); OAIC investigation and enforcement action; individual rights of action under the new statutory tort; significant reputational damage and public accountability consequences for government agencies.
Security of Critical Infrastructure (SOCI) Act 2018 (amended 2022)
Governing body
Cyber and Infrastructure Security Centre (CISC), Department of Home Affairs — cisc.gov.au
What it requires
Responsible entities for critical infrastructure assets must register those assets with the CISC, maintain a Critical Infrastructure Risk Management Program (CIRMP) addressing cybersecurity, physical security, personnel security and supply chain hazards, and report cyber incidents to ASD's ACSC: within 12 hours of becoming aware of a critical incident (one having a significant impact on the availability of the asset) and within 72 hours for other significant incidents. Board-approved annual CIRMP reports must be submitted to the Department of Home Affairs within 90 days of the financial year end. Assets designated as Systems of National Significance face enhanced obligations including mandatory cyber exercises and the potential requirement to provide network telemetry to ASD.
Who it applies to
Owners and operators of critical infrastructure assets across 11 regulated sectors — including data storage and processing, communications, transport, energy and water. Commonwealth and state government agencies that own or operate critical infrastructure assets in these sectors are subject to SOCI obligations as responsible entities.
Consequence of non-compliance
Civil penalties up to $660,000 AUD per day for failure to comply with CIRMP obligations; government direction and intervention powers in the event of a national security threat; reputational and procurement consequences.
Australian Government Cloud Policy
Governing body
Department of Finance — finance.gov.au
What it requires
Commonwealth entities must assess cloud services against a risk framework before adoption, including classification of data to be stored or processed, IRAP assessment requirements for providers handling PROTECTED or higher-classified data, and restrictions on offshore processing of sensitive data. Agencies handling data classified at PROTECTED level must use IRAP-assessed cloud platforms. The policy intersects with ISM and PSPF in setting the architecture and assurance requirements for government cloud deployments.
Who it applies to
All Commonwealth entities procuring or using cloud services. IRAP assessment requirements apply most strictly to agencies handling PROTECTED-level data; all agencies are required to conduct risk-based assessments before adopting cloud services regardless of data classification.
Consequence of non-compliance
Regulatory findings in ANAO and PSPF audits; data sovereignty breaches with national security implications; potential for personal liability for accountable authorities where cloud adoption has not been appropriately risk-assessed and authorised.
"Most government technology teams we work with are not short on awareness of the threat environment — the ASD reporting, the ANAO audits, the Essential Eight obligations are well understood. The gap is operational: translating that awareness into continuous security visibility across a distributed, legacy-laden estate, often with a team that is stretched across digital transformation priorities at the same time. What we see in the organisations genuinely improving their posture is an acceptance that point-in-time compliance assessments are insufficient. The move to continuous exposure monitoring — understanding what is actually exposed across your environment on an ongoing basis, not just at audit time — is the defining shift for government security teams right now. The question is not whether your Essential Eight maturity is reported as Level 2. The question is what an adversary with persistent access to your edge devices can reach."
Chief Technology Officer – Orro
How Orro supports Australian government
1. Secure, High-Performance Government Connectivity
Government networks have a structural complexity problem that most enterprise connectivity conversations do not fully account for. A Commonwealth department may operate a main campus, multiple ministerial offices, regional service delivery points, and data centre interconnects — all requiring consistent performance, strict access segmentation and resilience against both technical failure and physical events. At the state level, large agencies managing transport infrastructure, land titles, health services or public safety functions require networks that are simultaneously available, auditable and resistant to lateral movement.
Orro designs and manages SD-WAN and SASE architectures specifically suited to the distributed footprint and security requirements of government. SD-WAN enables centralised policy management across geographically dispersed sites while supporting traffic prioritisation for mission-critical applications — important in environments where citizen-facing services and back-end administrative systems share the same network infrastructure. SASE extends security controls to the network edge, enforcing identity-verified access and zero-trust policies for remote workers and regional offices without requiring traffic hairpinning through centralised data centres.
For agencies operating remote or regional sites — particularly in utilities, parks management, emergency services and regional service delivery — Orro’s private LTE capability provides an alternative to public carrier dependency. Orro holds private spectrum, one of only a small number of organisations in Australia to do so, enabling dedicated wireless connectivity for environments where carrier coverage is unreliable or insufficient for government-grade availability requirements.
Outcome: Sovereign-aligned, resilient government network infrastructure that supports the delivery of public services across metropolitan, regional and remote locations — with unified visibility through Orro’s One Touch Control platform.
2. Cybersecurity and CTEM for Government Environments
Government agencies face an obligation to demonstrate Essential Eight compliance — but compliance is not the same as security. ASD’s own reporting notes that many entities self-assessing at Maturity Level 2 may have material gaps in practice, particularly around edge device patching, application hardening and event logging. The challenge is not a lack of frameworks; it is the difficulty of maintaining continuous visibility across a large, heterogeneous, partly-legacy estate, with a threat actor community that includes both well-resourced state-sponsored groups and opportunistic cybercriminals.
Orro’s National Cyber Defence Centre provides 24/7 threat monitoring and response for government environments, with Australian-operated and Australian-owned oversight. For government clients handling PROTECTED or sensitive data, the domestic operational basis of Orro’s SOC capability is relevant to both PSPF requirements and data sovereignty obligations. The National Cyber Defence Centre integrates threat intelligence from government and commercial sources, enabling correlation of indicators of compromise relevant to the specific threat actors known to target Australian government networks.
Orro’s CTEM (Continuous Threat Exposure Management) service addresses the structural gap between point-in-time compliance assessments and the continuous exposure visibility government environments require. Rather than periodic vulnerability scans, CTEM provides an ongoing programme of exposure identification, prioritised remediation, and validated risk reduction — mapped against the actual threat profile facing government networks. This includes external attack surface management, asset discovery across distributed environments, and risk-prioritised remediation guidance that enables constrained internal teams to focus effort where exposure is greatest. For government clients working to close the gap between reported Essential Eight maturity and actual security posture, CTEM provides the operational foundation.
Orro’s capability extends to compliance assurance for ISM, Essential Eight and PSPF requirements — supporting agencies in both the technical implementation of controls and the evidence collection needed for internal audit and ASD reporting obligations.
Outcome: Continuous exposure visibility and 24/7 threat detection for government environments, aligned to ISM, Essential Eight and PSPF obligations — with the operational rigour to close the gap between compliance reporting and real-world security posture.
3. Cloud and Application Performance for Government
Cloud migration in government is not a straightforward lift-and-shift exercise. The Australian Government Cloud Policy, combined with PSPF and ISM requirements, sets specific obligations around data classification, offshore processing restrictions and IRAP assessment of cloud providers. For agencies handling PROTECTED-level data, the choice of cloud platform, the architecture of the tenancy, and the security controls applied to data in transit and at rest are all governed by these frameworks — and the consequences of misconfiguration extend beyond service disruption to regulatory sanction and public accountability.
Orro designs and manages cloud environments for government clients with sovereignty and security built in from the architecture layer. This includes sovereign cloud design using IRAP-assessed platforms, hybrid cloud architectures that allow sensitive workloads to remain on-premises while enabling cloud-native delivery for appropriate applications, and multi-cloud management for agencies operating across multiple platforms. Orro’s managed cloud capability includes application performance management, ensuring that the digital government services citizens depend on — online forms, payment portals, licensing systems, service enquiry platforms — perform consistently under variable load conditions.
Business continuity and disaster recovery planning for government requires a different risk calculus than the private sector. When a government payment system is unavailable, constituents do not simply go to a competitor — they are unable to access services they have a right to. Orro’s government-focused business continuity design accounts for the specific availability requirements, recovery time objectives and data classification constraints that apply to critical government workloads.
Outcome: Compliant, performant cloud environments for government workloads — built to IRAP-aligned architecture, with managed continuity and application performance ensuring consistent delivery of citizen-facing services.
4. Connected Government Technology and IT/OT Enablement
Modern government operations extend well beyond conventional IT environments. Facilities management systems, building automation, physical access control, public safety communications, CCTV infrastructure, traffic management systems and environmental monitoring platforms are all increasingly networked — and increasingly exposed to the same threat actors targeting traditional government IT. The convergence of IT and operational technology in government is not a future consideration; it is already the infrastructure reality in most large Commonwealth agencies, state government campuses, and major public facilities.
Orro provides the network and security foundations that enable government’s connected operational infrastructure to function securely. This includes network segmentation that isolates operational technology systems from administrative IT environments while maintaining the monitoring visibility needed for security operations; zero-trust network access frameworks that enforce identity verification for personnel and systems accessing OT environments; and integration of OT monitoring into Orro’s National Cyber Defence Centre for unified threat detection across the full government technology estate.
For government agencies subject to SOCI Act obligations — particularly those operating or overseeing infrastructure in transport, utilities, communications or data storage sectors — Orro’s OT security capability supports both the technical controls and the risk management programme obligations the Act requires. SOCI’s enhanced obligation categories for systems of national significance place specific demands on incident detection, reporting and response capability that must be demonstrably met, not simply attested.
Outcome: Secure, unified network and security foundations across government IT and OT environments — with 24/7 monitoring through the National Cyber Defence Centre and architecture aligned to SOCI obligations for critical infrastructure operators.
5. Operational Excellence and Managed Services for Government
Government technology teams are consistently stretched between the demands of digital transformation programmes, compliance obligations, incident response and day-to-day operational support — typically with headcount that does not scale commensurately with the complexity of the environment. Managed services for government must therefore do more than provide monitoring: they must give internal teams the operational confidence that their environment is continuously managed, that emerging issues are identified and escalated before they become incidents, and that the evidence trail for audit and compliance purposes is maintained automatically.
Orro’s managed services model for government is built around One Touch Control, Orro’s proprietary network management platform. One Touch Control provides unified multi-vendor, multi-carrier visibility across the full network estate — including hybrid environments that combine legacy systems, cloud-connected infrastructure and modern SD-WAN deployments. For government network managers responsible for dozens or hundreds of sites, One Touch Control replaces the fragmented visibility typical of legacy multi-vendor environments with a single operational view, enabling faster root cause identification, proactive fault resolution and consistent reporting for agency governance purposes.
The Australia Post case study is instructive for government network operators: managing 4,000+ sites nationally, Orro’s managed network services delivered a 70% reduction in outages, 4x faster connections and proactive management of 80% of tickets — avoiding 44,000 business impact hours. The operational scale and distributed complexity of that environment is directly analogous to large government agencies with national footprints. Orro’s model is built for complexity at scale — not for simple single-site environments.
Orro is an Australian-owned partner with Australian-based account management and support escalation, and 24/7 global operations capability. For government clients with data sovereignty and supply chain security requirements, the ownership structure and operational governance of a managed services provider is a procurement consideration, not a formality.
Outcome: Continuous operational visibility, proactive managed services and verified uptime across government network and security environments — with the governance transparency, audit trail and Australian-based accountability that government clients require.
Proven across Australian government
Orro has worked with Australian government at every level — Commonwealth, state and local — delivering managed cybersecurity, network infrastructure, critical infrastructure protection and OT security across a range of agencies and councils. The breadth of that work spans managed SOC services aligned to Essential Eight obligations, SCADA vulnerability assessments for council water infrastructure, IoT and smart city architecture for regional councils, attack simulation for public transport operators, and the design and delivery of mission-critical network infrastructure for major government events. Some of that work — particularly Orro’s engagement with federal government through its specialist capability — is not for public discussion. What can be said is that Orro operates at the pointy end of government security requirements, including work that demands the highest levels of discretion, clearance and operational security maturity.
Townsville City Council — Managed cybersecurity and SOC
Queensland’s largest regional council (200,000 residents) engaged Orro to deliver a new managed cybersecurity service on the Splunk platform. Outcomes: approximately 85% faster threat hunting, 65% reduction in SIEM operating costs, and 24/7 security visibility replacing a manual approach that left critical threats undetected. Orro’s National Cyber Defence Centre now provides TCC with automated threat correlation, compliance-ready logging and audit support, and escalation of critical incidents as they occur.
QLD Government Agency — Managed security services
A Queensland state government department engaged Orro to address core components of its Security Improvement Program: visibility, detection and response, aligned to ASD Essential Eight and state government compliance standards. Orro implemented a managed visibility and response service that improved security maturity while maintaining the flexibility and agility the department required.
QLD Regional Council — SCADA vulnerability assessment and penetration testing
A Queensland regional council undertaking Smart City digitisation initiatives engaged Orro to assess the cyber security of its SCADA water reticulation and treatment infrastructure. Orro performed a full vulnerability assessment and penetration test across the SCADA environment, identified exploitable vulnerabilities and their potential paths back into the corporate network, and delivered prioritised remediation recommendations. A phishing campaign was also run concurrently to baseline and improve user awareness.
Regional Council — IoT and smart city network architecture
A large regional council exploring Smart City IoT initiatives — smart water metering, sound sensors, environmental monitoring, CCTV — engaged Orro to develop a secure IoT network architecture strategy. Orro designed a modular network and security architecture that accounted for the council’s IT/OT transition and migration work, ran a structured Smart Water Metering pilot, and provided a target-state architecture that prevented siloed solutions from creating compounded security exposure.
Commonwealth Games — Intelligent Traffic System
Orro was awarded the contract to design, build and support the Intelligent Traffic System (ITS) network for the South Coast Region of Queensland for the 2018 Commonwealth Games. The Transport Coordination Centre integrated agencies including Police, Ambulance, Fire, Light Rail, Roads, City Councils and QLD Rail. Orro delivered a managed threat intelligence service with honeypots deployed pre, during and post-event — providing real-time threat detection across the ITS network during a nationally significant event.
Australian Public Transport Provider — Advanced attack simulation
A major Australian public transport provider engaged Orro to stress-test its mature security environment through advanced attack simulation. Using real-world attack sequences against physical locations and corporate IT infrastructure, Orro identified security weaknesses the provider had not factored as attack vectors — exploiting both physical and technical vulnerabilities — and delivered prioritised remediation recommendations alongside improved awareness of social engineering exposure.
Frequently Asked Questions
Is Essential Eight compliance mandatory for my government agency?
For non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability (PGPA) Act, the Essential Eight at Maturity Level 2 is mandatory under PSPF Policy 10, which has been in effect since 1 July 2022. Corporate Commonwealth entities and companies are not directly subject to PSPF but are strongly encouraged to align to Essential Eight. State and territory requirements vary: NSW mandates Essential Eight at Maturity Level 1 under its Cyber Security Policy; Victoria, Queensland and Western Australia have their own frameworks that reference or incorporate Essential Eight. Local government is generally not subject to the Commonwealth mandate but may be required to align by state policy or contract.
Our agency self-assessed as Essential Eight Maturity Level 2 at last audit. Are we adequately protected?
Not necessarily. ASD’s own Commonwealth Cyber Security Posture reports have flagged that self-assessed maturity levels do not always reflect operational reality — and that the proportion of entities achieving Maturity Level 2 has declined despite mandatory requirements. Self-assessment gaps are most commonly found in multi-factor authentication coverage, application control completeness, patch currency across legacy applications, and event logging depth. Essential Eight compliance provides a meaningful baseline; it does not substitute for continuous exposure monitoring. CTEM (Continuous Threat Exposure Management) is designed to bridge the gap between point-in-time compliance assessment and genuine ongoing security visibility.
What does PSPF Policy 10 actually require us to do, and how is it assessed?
PSPF Policy 10 requires all non-corporate Commonwealth entities to implement all eight strategies of the ASD Essential Eight to Maturity Level 2, and to consider whether their threat environment warrants Maturity Level 3. Assessment is conducted through ASD’s annual survey process, with entities self-reporting their maturity against each of the eight strategies. ANAO periodically audits a subset of entities to validate self-assessments. Non-compliance generates findings in PSPF Assessment Reports presented to Parliament. Beyond the annual survey, entities are encouraged to conduct more frequent internal assessments — and to integrate continuous monitoring tooling that provides ongoing evidence of control effectiveness rather than point-in-time attestation.
How does the SOCI Act apply to government agencies?
SOCI applies to owners and operators of critical infrastructure assets across 11 sectors — not exclusively to private operators. Commonwealth and state agencies that own or operate critical infrastructure assets (including certain data storage or processing facilities, communications infrastructure, water systems, energy networks and transport infrastructure) are subject to SOCI obligations. These include mandatory reporting of critical cyber security incidents to ASD within 12 hours, and to Home Affairs within 72 hours; a risk management programme obligation (RMAP) requiring documented management of risks to asset availability, integrity and confidentiality; and potential government direction powers in response to serious national security threats. Assets designated as systems of national significance (SONS) carry enhanced obligations including incident response plan requirements and mandated exercises.
What does the Cyber Security Act 2024 mean for government agencies?
The Cyber Security Act 2024, which came into effect progressively through 2024–25, introduces mandatory ransomware payment reporting for entities with annual turnover exceeding $3 million and critical infrastructure operators. Reports must be made to ASD within 72 hours of a payment being made. For government agencies, this obligation sits alongside existing PSPF incident reporting requirements. The Act also provides the legislative basis for the National Cyber Security Coordinator’s powers and the CIRB (Cyber Incident Review Board) framework. Agencies should ensure incident response plans specifically address the ransomware reporting timeline alongside existing mandatory notification obligations under PSPF and the Privacy Act.
How should our agency approach the legacy IT problem?
Legacy IT is one of the most commonly cited barriers to Essential Eight compliance and security uplift across government. The practical approach is not wholesale replacement — budget and procurement timelines rarely support that — but structured risk management. ASD’s 2024 guidance on Managing the Risks of Legacy IT outlines compensating controls that can reduce exposure from unpatched or unsupportable systems. From a network architecture perspective, segmentation is the most effective near-term control: isolating legacy systems from internet-accessible infrastructure and limiting lateral movement paths significantly reduces the blast radius of a compromise. CTEM’s continuous attack surface monitoring helps identify which legacy systems are creating the most material exposure, allowing investment prioritisation based on actual risk rather than asset age alone.
What does IT/OT convergence mean for government, and what are our security obligations?
Many government agencies operate IT/OT convergent environments without formally recognising them as such: building management systems, physical access control, environmental monitoring, CCTV, public safety communications and traffic management are all networked operational technology. The security implications are significant — OT systems often run outdated firmware and operating systems, rarely receive security patches, and were not designed for internet-connected environments. Where these systems are networked to administrative IT, they can provide lateral movement paths for attackers. For agencies operating critical infrastructure assets under SOCI, OT systems may fall within scope of RMAP and incident reporting obligations. Network segmentation, zero-trust access controls for OT environments and integration of OT monitoring into your security operations capability are the foundational controls.
What should we tell the board or minister about our current cyber risk exposure?
The most useful framing for board or ministerial-level discussion is not a compliance status report — it is an exposure statement. What are the three to five highest-priority risks in the current environment, what is the consequence if those risks materialise, and what is the organisation doing to reduce them? ASD’s threat intelligence is unambiguous: government is consistently the most reported sector for cyber incidents, state-sponsored actors are targeting Australian government networks for strategic purposes, and the gap between compliance maturity and operational security posture is material across the sector. A board that understands this context can make informed risk decisions; a board presented only with Essential Eight maturity scores cannot. CTEM provides the continuous evidence base to underpin that executive-level conversation with operational data rather than periodic audit outcomes.
How does SD-WAN or SASE help government agencies meet their security and availability obligations?
SD-WAN provides centralised network policy management, traffic prioritisation and segmentation for distributed government environments — enabling consistent security controls across metropolitan and regional sites without requiring hardware-heavy deployments at each location. SASE extends those controls to the network edge, applying zero-trust access principles to remote workers, contractors and regional offices regardless of physical location. For government agencies with significant hybrid working arrangements, distributed service delivery networks or complex third-party connectivity requirements, SASE provides a security architecture that aligns with both ISM access control requirements and the operational reality of how government networks are actually used. The combination of SD-WAN and SASE also improves network visibility — a key requirement for event logging compliance under the Essential Eight.
Can Orro support both cloud migration and Essential Eight compliance in the same engagement?
Yes. Cloud migration and Essential Eight compliance are interdependent for government — the security architecture of a cloud environment directly affects whether controls like application control, MFA coverage and event logging are achievable at the required maturity level. Orro’s approach to government cloud migration begins with the security architecture requirements set by the ISM, PSPF and Essential Eight, and designs the cloud environment to enable compliance rather than retrofit it. This includes IRAP-aligned platform selection for workloads requiring PROTECTED classification, hybrid architecture design for environments with mixed classification requirements, and configuration management that supports the evidence collection needs of Essential Eight assessment and ASD annual reporting.
Why Orro for Australian government
Essential Eight and ISM alignment
Orro's cybersecurity capability is built to support government compliance obligations — from Essential Eight technical implementation to ISM control alignment and PSPF Policy 10 evidence requirements. We understand the compliance framework, not just the technology.
National Cyber Defence Centre
Orro's Australian-operated SOC provides 24/7 threat monitoring, detection and response with Australian-owned oversight — relevant to government data sovereignty requirements and PSPF expectations for security operations.
CTEM for continuous exposure visibility
Orro's CTEM service moves beyond point-in-time assessments to provide continuous attack surface monitoring and risk-prioritised remediation, directly addressing the gap between compliance reporting and operational security posture.
Deep government experience across all tiers
Orro works with Commonwealth, state/territory and local government across network, cybersecurity, cloud and critical infrastructure — from managed SOC services for state agencies under the QLD Government panel, to SCADA security assessments for councils, to specialist security capability for the federal government that operates at the highest levels of discretion.
Proven at national scale
Orro manages Australia Post's network across 4,000+ sites with verified outcomes including 70% fewer outages and 44,000 business impact hours avoided — demonstrating operational capability at the scale and complexity of major government network environments.
SD-WAN and SASE expertise
Orro designs and manages SD-WAN and SASE architectures for distributed government environments, supporting the connectivity, segmentation and zero-trust access control requirements of both metropolitan agency networks and regional service delivery.
OT security capability
For government agencies operating IT/OT convergent environments or critical infrastructure assets, Orro has genuine operational technology security expertise — network segmentation, OT monitoring and SOCI-aligned risk management support.
Private spectrum
Orro holds private spectrum — one of only a small number of organisations in Australia to do so — providing dedicated wireless connectivity options for government campuses, remote operations or environments where public carrier dependency is a risk.
One Touch Control
Orro's proprietary network management platform provides unified multi-vendor, multi-carrier visibility and management for complex government network estates, supporting the operational governance and reporting that government environments require.
Australian ownership and escalation
Orro is an Australian-owned partner with Australian-based account management and support escalation. For government clients with supply chain security requirements and sovereignty considerations, ownership structure is a procurement factor, not an afterthought.
Related Resources
- Government Technology Blueprint
- Managed Cyber Security for Townsville City Council — Case study: 24/7 managed security, 85% faster threat hunting, 65% SIEM cost reduction
- Managed Security Services for a QLD Government Agency — Case study: Essential Eight-aligned security visibility and response programme
- SCADA Vulnerability Assessment & Penetration Testing — Case study: Council water infrastructure SCADA security assessment
- IoT Network Architecture Strategy for a Regional Council — Case study: Smart City IoT and IT/OT architecture
- Intelligent Traffic System for the Commonwealth Games — Case study: Multi-agency ITS network and threat intelligence
- Strengthening Security Posture with Attack Simulation — Case study: Advanced attack simulation for a public transport provider
- Orro Insights: Cybersecurity and managed services