The Australian Cyber and Infrastructure Security Centre (CISC) recently announced that the Critical Infrastructure Risk Management Program (CIRMP) obligation had entered into effect. The Minister for Home Affairs, the Hon Clare O’Neil, signed the CIRMP Rules as the final part (Section 61) of the Security of Critical Infrastructure Act 2018 (SOCI Act) on 17 February 2023, effective immediately.
The Critical Infrastructure Risk Management Program (CIRMP) obligation requires responsible entities to develop and maintain a program that “identifies and manages material risks of hazards that could have a relevant impact” on critical infrastructure assets (CI assets).
The CIRMP Rules do not necessarily apply only to critical infrastructure organisations: they apply to all “responsible entities” that manage any critical infrastructure assets. As such, the CIRMP Rules regulate any entity that manages the following CI asset classes:

- Critical broadcasting assets
- Critical data storage or processing assets
- Critical domain name systems (DNS)
- Critical electricity assets
- Critical energy market operator assets
- Critical financial market infrastructure assets used in connection with the operation of a payment system
- Critical food and grocery assets
- Critical freight infrastructure assets (listed assets will be critical to the transportation of goods between states or territories, as defined in the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021)
- Critical freight services assets
- Critical gas assets
- Certain critical hospitals (listed in the CIRMP Rules)
- Critical liquid fuel assets
- Critical water assets