2. Mitigating Insider Threats through Personnel Security

2.1
This chapter sets out the Committee’s findings in relation to the implementation of recommendations from the Australian National Audit Office (ANAO) Report No. 38 (2017-18), Mitigating Insider Threats through Personnel Security. It comprises the following sections:
Committee conclusions and recommendations
Review of evidence

Committee conclusions and recommendations

2.2
The Australian Government’s Protective Security Policy Framework (PSPF) outlines a suite of requirements and recommendations to assist government entities to protect their people, information and assets. Personnel security, a component of the PSPF, aims to provide a level of assurance as to the eligibility and suitability of individuals accessing government resources. This is achieved through measures such as conducting employment screening and security vetting, managing the ongoing suitability of personnel and taking appropriate actions when personnel leave.1
2.3
In 2014, the Attorney-General announced reforms to the PSPF to mitigate insider threats by requiring more active management of personnel risks and greater information sharing between entities. Further PSPF reforms were being considered by the Australian Government at the time of the audit.2
2.4
The Australian Government Security Vetting Agency (AGSVA) was established within the Department of Defence (Defence) in October 2010 to administer security vetting on behalf of most government entities.3 Centralised vetting was expected to result in:
a single security clearance for each employee or contractor, recognised across government entities;
a more efficient and cost-effective vetting service; and
cost savings of $5.3 million per year.4
2.5
A previous audit (ANAO Audit Report No.45 of 2014-15 Central Administration of Security Vetting) concluded that the performance of centralised vetting had been mixed and expectations of improved efficiency and cost effectiveness had not been realised.5
2.6
The ANAO chose to undertake this audit in 2017-18 because effective personnel security arrangements underpin the protection of the Australian Government’s people, information and assets, and the previous audit had identified deficiencies in AGSVA’s performance. In addition, the Audit Report explains that the 2014 personnel security reforms occurred after fieldwork for the previous audit had been completed, so there was an opportunity to review the implementation of these reforms by AGSVA and other government entities.6

Entity compliance with personnel security requirements

2.7
The Audit Report found that four of the five entities7 examined had plans, policies and procedures in place for personnel security. However, in some cases these documents had not been updated to reflect 2014 revisions to PSPF personnel security requirements. In addition, the Audit Report found that there was limited evidence of entities undertaking personnel security risk assessments to inform their plans, policies and procedures.8
2.8
Table 3.1 of the Audit Report provided a compelling visual summary of the performance of the five entities against the PSPF requirements and recommended practices, with a focus on whether entities are effectively planning, developing policies and procedures and undertaking risk assessment for personnel security.9 The table is reproduced as Table 2.1 over the page.
2.9
The Committee was disappointed to learn that the Department of Home Affairs, a large operational agency with almost 14,000 employees across the country and overseas, had fully met only two of the six criteria.
2.10
The Committee was equally disappointed to learn that the agency with the lead in development of protective security policy, the Attorney-General’s Department (AGD), had met none of the six criteria (having mostly met three criteria and partly met three criteria).

Immediate action

2.11
Table 3.1 of the Audit Report showed that the Digital Transformation Agency (DTA) had not met four criteria and had only partly met two criteria. The Committee was concerned that the DTA, admittedly a relatively new entity established in June 2015, had not finalised a protective security plan, policies or a risk assessment. The Audit Report recommended that immediate action be taken by the DTA to comply with the PSPF requirements.10

Figure 2.1:  Entity security plans, policies, procedures and risk assessments

2.12
Source: Reproduction of Table 3.1, ANAO Report No.38 (2017-18) Mitigating Insider Threats through Personnel Security, p. 49.
2.13
As per usual ANAO processes, each entity was provided the opportunity to comment on and respond to recommendations in the draft Audit Report prior to its publication.
2.14
In March 2018, the DTA informed the Auditor-General that the agency agreed with the five proposed recommendations, which were subsequently published in the Audit Report in May. DTA made a commitment to have the recommendations implemented by 31 July. At the Committee’s public hearing for the inquiry on 17 August, the DTA representative informed the Committee that the agency is now compliant with the PSPF.11
2.15
The Committee was concerned as to what state of PSPF compliance the DTA would have been in had it not been subject to the audit.
2.16
The Committee understands that the five entities examined during the audit were selected to provide coverage of a variety of entity functions, locations and sizes.12 The Audit Report points out that AGSVA conducts security vetting services for more than 150 Australian Government entities, as well as state and territory entities.13 The Committee is concerned that the poor compliance results of the five entities subject to the audit may be indicative of poor compliance throughout other government entities or agencies.
2.17
The Committee is cognisant of the fact that auditing every agency is not possible or practical; however, the Committee considers that additional scrutiny of a larger proportion of Australian Government entities may be required to test whether broad-scale PSPF compliance is being achieved.

Recommendation 1

2.18
The Committee recommends that the Auditor-General consider conducting a number of additional audits of Australian Government entities focusing on their performance against Protective Security Policy Framework requirements and recommended practices.
2.19
Each of the five entities examined during the audit reported their progress in meeting the Audit Report recommendations through submissions to the inquiry, and through evidence at the public hearing.
2.20
Progress was mixed, with some entities yet to complete significant tasks.
2.21
The DTA representative reported that the agency was now compliant with all five recommendations, explaining that although the agency was behind schedule, the security personnel and overall security plan were endorsed and signed off on 14 August 2018, three days prior to the public hearing.14
2.22
The AGD representative stated that recommendation seven was complete and recommendations six and eight were well advanced with completion expected by December 2018.15
2.23
The ASIC representative reported that recommendations seven and eight were complete, with recommendation six to be complete by December 2018.16
2.24
The ARPANSA representative reported that recommendation seven had been met and that compliance with recommendation eight would be met by the end of 2018.17
2.25
The Department of Home Affairs representative reported that addressing recommendations six and eight was well advanced and should be complete by November 2018.18
2.26
The Committee expects each entity to implement all recommendations in a timely fashion.

Recommendation 2

2.27
The Committee recommends that each of the five entities scrutinised in Audit Report 38 (2017-18) provide a progress report to the Committee, within three months and with an update every twelve months, on their implementation of the recommendations from the Audit Report and the status of their compliance with the Protective Security Policy Framework.

Information control

Information and communications technology (ICT)

2.28
The Audit Report found that AGSVA’s information systems do not meet its business needs, resulting in inefficient processes, poor data quality, and integrity issues.19 ANAO Audit Report No.45 (2014-15) also identified shortcomings in AGSVA’s ICT systems.20
2.29
Issues identified in the existing vetting case management system include:
significant data quality issues;
completion of all vetting tasks is not enforced;
lack of ability to measure performance;
vetting service contractors do not have access; and
potentially sensitive information is communicated outside of Defence’s secure ICT environment.21
2.30
Defence has commenced the ICT2270 Vetting Transformation project to develop a replacement system. The project is currently in the initial scoping and approval stages. Information provided in the Audit Report stated that delivery of an initial operating capability was expected in late 2020; however, the system would not be fully operational until 2023.22
2.31
The Defence representative stated that, ‘in terms of the case management and the foundational system being more secure, more digitised and more automated, the plan is to deliver that capability in late 2020’.23
2.32
The Committee is of the opinion that the development and implementation of the replacement ICT system to significantly reduce or eliminate vetting process flaws should be a very high priority for the Department of Defence.

Recommendation 3

2.33
The Committee recommends that the Department of Defence expedite the ICT2270 Vetting Transformation project and provide to the Committee a progress report and updated timeline on implementation of the replacement ICT system.

Handling of documentation

2.34
Security clearance records are currently communicated via both mail and email, with contractors accumulating a considerable volume of hard-copy and electronic information, over which AGSVA has limited oversight.24
2.35
AGSVA’s Industry Vetting Panel deed requires contractors to comply with Defence’s information security policies. However, AGSVA’s internal quality assurance reviews of contractors have identified that these requirements were frequently not adhered to.25 The risks of non-compliance and costs of monitoring compliance are exacerbated by the nature of Defence’s outsourcing arrangements which now have 22 individual contractors26 undertaking 85 per cent of all clearances including an increasing number of the positive vetting.27 This complexity is exacerbated by the deficient IT system which contractors cannot access.28
2.36
The Committee noted that the positive vetting process deals with very detailed and highly personal information that typically covers a long history for the individuals concerned.
2.37
Despite questioning, the Committee remains unclear as to what information is being kept by the IVP companies after 90 days and is concerned about the risk of remaining disaggregated information being reconstructed in the event of a cyber attack.
2.38
The Committee also raised concerns about the handling of sensitive documents via email, mail and courier services during the clearance process. Despite reassurances from Defence, the Committee remains concerned about the safe handling of sensitive documents prior to the establishment of the new case management system.

Contractor assurance

2.39
The Committee was concerned about the foreign ownership and control of some of the vetting entities contracted by Defence.
2.40
Defence explained that any vetting entity employee that is conducting security clearances, as well as any non-vetting staff that handle or access any official material, must hold an Australian Government security clearance.29 Defence noted that this was a requirement as part of the Foreign Ownership, Control and Influence (FOCI) assessment which all members of the Defence Industry Security Program (DISP) are required to undergo.30
2.41
Defence stated that all industry vetting officers working on positive vetting clearances are Australian citizens, and confirmed that, at the time of the second public hearing, there were no vetting officers working under a citizenship eligibility waiver.31 Defence also confirmed that only ‘one company providing positive vetting services for Defence had a UK-national, Australian resident Director’, and that ‘no other companies providing positive vetting services list foreign directors’.32
2.42
Despite this assurance, the Committee is concerned that some vetting entities may have managers or company owners who are not Australian citizens and who may have access to some or all of the data handled by that entity.

Recommendation 4

2.43
The Committee recommends that the Department of Defence establish extra safeguards and quality control measures to ensure that no incidents of sensitive data loss occur prior to operational capability of the new vetting case management system.

Costs and benefits of the current approach

2.44
The Committee notes that 85 per cent of all clearances are now undertaken by ‘industry partners’ – private contractors – as a result of rapid outsourcing.33 The Department of Defence advised that all procurement is managed in accordance with Defence and Commonwealth Procurement Rules.34
2.45
During the public inquiry, questions were raised regarding the costs, benefits and risks arising from the outsourcing that has now occurred. Committee members were interested to understand whether a cost-benefit evaluation had been prepared that considered all of the business issues, costs, benefits and risks, and assessed options such as employing more in-house staff to reduce some of the risks and management costs arising from the current extent of contracting out of this critical and sensitive national security function.
2.46
In response, Defence advised that this work has not been undertaken and that ‘the business case that you’ve outlined is something that we haven’t done as a foundational first principles review.’35
2.47
Defence did not provide the Committee with any evidence to demonstrate that it fully considered different service delivery models, including if it could utilise a smaller number of contractors, or if Defence could undertake a greater share of work itself. The Committee was unable to further explore these issues with a senior witness in a third public hearing as Defence was unavailable.
2.48
The Committee considers it would be good practice to fully and transparently assess various delivery options so Defence is able to demonstrate the optimal delivery arrangement, taking account of all of the associated costs and risks.

Recommendation 5

2.49
The Committee recommends that the Department of Defence prepare a full business case to consider the current and alternative service delivery models, taking account of projected future demand for vetting, the costs, benefits and risks of various approaches, and provide the findings of this to the Committee within 12 months.

Giving evidence

2.50
It is a key requirement of officials coming before the Joint Committee of Public Accounts and Audit to not only answer questions but to provide members of the Committee with the highest level of confidence that their concerns are being addressed.
2.51
It became clear at the Committee’s second public hearing that Defence was not able to provide the level of confidence or assurance the Committee required. An attempt was made to hold a third public hearing, however the Committee was advised that Defence witnesses were unavailable.
2.52
As a guiding principle, the Committee emphasises that departments should ensure all witnesses giving evidence before the JCPAA are adequately briefed on all matters relating to the Committee’s inquiry. In addition, departments should place careful consideration on the selection of witnesses to ensure they are in a position to answer the Committee’s questions in full.
2.53
Questions taken on notice during public hearings, and additional questions provided in writing, must be returned to the Committee in a timely fashion with careful and considered attention paid to the information provided.
2.54
As was the case for this inquiry, failure to provide the Committee with accurate and detailed answers to questions can necessitate an additional public hearing and cause delays to the inquiry process.
2.55
The significant delays in receiving answers from Defence during this inquiry were unacceptable and could be considered disrespectful to the parliamentary committee process.

Review of evidence

Previous ANAO report

2.56
The ANAO previously reviewed the performance of AGSVA in ANAO Audit Report No.45 of 2014-15 Central Administration of Security Vetting, tabled in Parliament in June 2015. The ANAO concluded that the performance of centralised vetting had been mixed and expectations of improved efficiency and cost-effectiveness had not been realised. The ANAO found AGSVA had consistently failed to meet its clearance processing benchmark timeframes, had accumulated a backlog of over 13,000 clearances overdue for revalidation, and had inadequacies with its quality assurance processes, information systems and performance framework. The audit report recommended that Defence:
implement a targeted audit program to assess Industry Vetting Panel contractors’ operations;
introduce a program of internal peer review supplemented by periodic independent quality assurance of delegate decisions; and
develop a clear pathway to achieve agreed timeframes for processing and revalidating security clearances.36
2.57
In addition, the audit outlined a number of suggestions to improve the effectiveness of AGSVA’s operations, including that AGSVA:
investigate the underlying causes of increasing numbers of clearance subjects cancelling clearances during the vetting process (which peaked at 34 per cent in 2015–16);
strengthen its controls for managing sensitive personal information captured as part of the vetting process (including details of personnel medical and criminal records);
improve the quality of its performance measurement and reporting; and
consider how best to provide feedback to client entities on security concerns identified during vetting, to facilitate those entities’ monitoring of affected personnel.37

Clearance rates

2.58
The Audit Report stated that timeframes for positive vetting clearances had deteriorated significantly since the previous audit. However, for other security levels, the percentage of cases completed within benchmark timeframes had improved.38
2.59
The positive vetting clearance backlog was discussed extensively during the public hearing for the inquiry. The Defence representative, Mr Daniel Fortune, explained how the backlog was being dealt with:
We commenced the remediation program in 2016. It is achieving really good results. We've cleared the initial backlog for new cases, which was 1,200 about this time last year. That is now down to 50 or in the dozens. We've increased capacity to meet current demand and planned future demand. While the time frames for new clearances are still higher than we'd like, we're on a trajectory to return to our benchmark time frame by June of next year.39
2.60
Mr Fortune also provided some performance figures on clearances:
We've increased completions in the last three years by 250 per cent. That's from 701 at the end of 2014-15, which was the backlog crisis point. We completed over 2,450 completions in the last financial year.40
2.61
However, during that period, the backlog grew as demand remained.41
2.62
Mr Fortune provided details on the priorities for completing clearances:
… we're focused on new clearances—we call them 'initials' and 'upgrades'—so we can get people into the workforce. Our priority there has been to support capabilities for the national intelligence community, particularly the Signals Directorate's transformation into a statutory agency. So it's a really positive story and the backlog for initial clearances has been removed.42
2.63
In response to Committee questioning, Mr Fortune discussed upscaling of resources and responsiveness in meeting anticipated demands:
We've increased our internal capacity of vetting officers to grow capacity, and, importantly, we've increased our engagement with industry. Industry do about 85 per cent of all of our clearances and an increasing number of the positive vetting. As an example, two years ago they did 150 clearances; at the end of this financial year just finished, they did over 1,600… We're also doing business reform to drive those time frames down. We completed over 3,000 recommendations in the last financial year. We've increased our understanding of what the demand looks like. We work closely with the intelligence agencies and our colleagues across government to understand what they're demanding... So we're confident that—as I outlined—our capacity now meets planned and increased demand. Our focus is to do them faster, and to continue to calibrate demand and our capacity as required.43
2.64
During the public inquiry, questions were raised regarding the costs, benefits and risks arising from the outsourcing that has now occurred. Committee members were interested to understand whether a cost-benefit evaluation had been prepared that considered all of the business issues, and the costs and benefits of employing more in-house staff and reducing some of the risks of contracting out to industry partners.
2.65
In response, Mr Fortune advised that this work had not been undertaken and that ‘the business case that you’ve outlined is something that we haven’t done as a foundational first principles review.’44

ICT and documentation issues

The current case management system

2.66
AGSVA’s current case management system, PSAMS2, supports vetting officers to manage clearances by providing workflow guidance. The system automatically generates tasks for completion by AGSVA vetting officers and delegates. Those tasks may include reviewing a file, undertaking an external check, or making an assessment decision.45
2.67
However, PSAMS2 does not enforce completion of all tasks, even when such tasks are required to issue a clearance. For example, during the audit, the ANAO identified three recent cases relating to PV clearances that had progressed to a vetting decision without an ASIO check being completed.46
2.68
Due to concerns about system stability, AGSVA has not been able to provide its vetting services contractors with access to PSAMS2. This results in clearance records being communicated via both mail and email, with contractors accumulating a substantial volume of hard-copy and electronic information. Potentially sensitive information is communicated outside of Defence’s secure ICT environment.47
2.69
The existing system also suffers from substantial data quality issues. The Audit Report identified errors and discrepancies in biographical data of clearance holders. For example, there were clearance holders over the age of 100, under the age of 10 and a small number with a birthdate in the future. There were also many cases of primary clearances with revalidation dates more than five years in the past. The ANAO suggested that AGSVA take a more proactive approach to identifying, preventing and resolving anomalous data.48
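The anomaly classes the Audit Report describes (holders over 100 or under 10, birthdates in the future, revalidation dates more than five years in the past) can be checked mechanically. The following is an added example, not code from the ANAO or AGSVA; the record layout, the as-at date and the sample records are constructed for illustration:

```python
"""Flag anomalous clearance records using the anomaly classes named in the
Audit Report. Added example: record layout, as-at date and sample data are
constructed assumptions, not AGSVA's PSAMS2 schema."""
from dataclasses import dataclass
from datetime import date


@dataclass
class ClearanceRecord:
    holder_id: str          # constructed identifier, not a real clearance reference
    date_of_birth: date
    revalidation_due: date  # date the clearance was due for revalidation


def age_on(dob: date, as_at: date) -> int:
    """Whole years of age on the as-at date."""
    years = as_at.year - dob.year
    if (as_at.month, as_at.day) < (dob.month, dob.day):
        years -= 1
    return years


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def check_record(rec: ClearanceRecord, as_at: date) -> list[str]:
    """Return the anomaly flags raised by one record; an empty list is clean."""
    flags = []
    if rec.date_of_birth > as_at:
        flags.append("birthdate_in_future")
    else:
        age = age_on(rec.date_of_birth, as_at)
        if age > 100:
            flags.append("age_over_100")
        elif age < 10:
            flags.append("age_under_10")
    # Revalidation more than five years in the past (threshold from the report).
    if rec.revalidation_due < years_before(as_at, 5):
        flags.append("revalidation_over_5y_overdue")
    return flags


def anomaly_report(records, as_at: date) -> dict[str, list[str]]:
    """Map holder_id to its flags for every record that raises at least one."""
    report = {}
    for rec in records:
        flags = check_record(rec, as_at)
        if flags:
            report[rec.holder_id] = flags
    return report


# Constructed as-at date (around the Audit Report's publication) and sample data.
AS_AT = date(2018, 5, 1)
SAMPLE_RECORDS = [
    ClearanceRecord("H001", date(1980, 3, 15), date(2020, 1, 1)),   # clean
    ClearanceRecord("H002", date(1910, 1, 1), date(2019, 6, 30)),   # aged 108
    ClearanceRecord("H003", date(2012, 7, 4), date(2021, 1, 1)),    # aged 5
    ClearanceRecord("H004", date(2030, 1, 1), date(2021, 1, 1)),    # future birthdate
    ClearanceRecord("H005", date(1975, 11, 20), date(2011, 12, 31)),  # >5y overdue
    ClearanceRecord("H006", date(1990, 2, 2), date(2014, 3, 1)),    # overdue, <5y
]

if __name__ == "__main__":
    for holder, flags in anomaly_report(SAMPLE_RECORDS, AS_AT).items():
        print(holder, ", ".join(flags))
```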
2.70
Defence acknowledged that the current system is inadequate and noted that improvements should be evident from late 2020, with an ICT transformation project scheduled for full operational capability in 2023. At the public hearing for the inquiry, the Defence representative, Mr Fortune, discussed the development of a new case management system and the timeframe for its establishment:
Clearly, [PSAMS 2] is not fit for purpose, and Defence has a significant investment in the new ICT transformation project, which will become capable, initially, in 2020. So in the time from 2023, with full operational capability, it talks about some really sophisticated continuous assessment. But in terms of the case management and the foundational system being more secure, more digitised and more automated, the plan is to deliver that capability in late 2020.49

Handling of documentation

2.71
During the public hearings for the inquiry, the Committee questioned Defence extensively regarding the safe handling of sensitive and classified documentation.
2.72
Currently, vetting contractors cannot interact with the existing case management system. Information is largely transferred in paper form:
… primarily, the e-pack that we receive through the Defence environment is managed through hard copy printing and then safe-handed couriered to the industry providers once it's printed out. It's largely a paper based system, managing what we call the 'protective security' file, or the 'personal security' file, where the sensitive data is held in hard copy. There is email exchange, but the information is classified 'sensitive: personal'; it's not classified in a security sense. Therefore, in relation to the cyber risks around that, as I said, it's best practice—we audit that, we look to support whitelisting and how those ICT systems and email connectivities are managed.50
2.73
When asked by the Committee about the transfer of ‘hard copy’ files, Defence stated that ‘AGSVA uses the national Defence contract for courier services, including classified ‘safe hand’’.51 At the time of the second public hearing, only TOLL Group, a member of the Defence Industry Security Program (DISP), was used by AGSVA and the IVP companies to transfer files.52 Defence told the Committee that ‘AGSVA has a strict security protocol for movement of personal security files by TOLL, which includes double-sealed packaging inside tamper-evident containers’.53
2.74
When asked what happens in the event of a misaddress, Defence stated:
AGSVA has identified only one example of a consignment of Personnel Security Files misaddressed to an Industry Vetting Panel (IVP) company in the past five years. This was not a positive vetting case. In this instance, the Defence approved courier, Toll, was unable to deliver the consignment to an industry vetting company as it had been misaddressed to one of the company's regional offices. It is a requirement of AGSVA that consignments are signed for. As there was no one present to sign for the consignment, Toll returned the consignment to AGSVA the following day.
The consignment was then readdressed to the IVP company's correct regional office and successfully delivered the following day.54
2.75
The Committee asked Defence to provide further information on the management of risks associated with the transfer of sensitive information via commercial courier services. Mr Fortune explained:
We understand there are challenges in managing the information exchange. That's why there is significant investment in the new platform that we are working to deliver. In the meantime we are working with the arrangements that we are overseeing and assuring to deliver the capabilities that we need to drive the time frames down and to generate the clearances required for the workforce … We've got a system of oversight to ensure that the risks are managed and to satisfy ourselves through a program of audits that our partners are aware of those risks and manage their ICT. We advise them and support them in achieving their compliance.55
2.76
When asked if contracted vetting service providers were currently compliant with the Essential Eight (a list of mitigation strategies to assist organisations in protecting their systems against a range of cyber threats),56 the Defence response to the question taken on notice stated that compliance is not mandatory. However, Defence explained that achievement of non-mandatory elements of the Essential Eight is managed through an ongoing process of information, communication and technology review and audit.57
2.77
Defence further discussed its external review and auditing program:
Defence requires that all companies handling sensitive or classified information be members of the Defence Industry Security Program (DISP) and meet all Defence security requirements. All members of the Industry Vetting Panel (IVP) are members of the DISP. Information provided to the IVP providers is handled in accordance with Defence security requirements, which includes mandatory information, communication and technology controls. The 14 IVP companies currently assigned to complete positive vetting cases are accredited against the Australian Signals Directorate Top Four cyber security requirements. This is a mandatory compliance under the DISP.58

Foreign ownership and contractor assurance

2.78
The Committee pursued information on the Industry Vetting Panel (IVP) companies that currently conduct vetting for government agencies, seeking assurance that those entities do not have international ownership or work for other countries.
2.79
Defence told the Committee that all IVP companies are required to be members of the Defence Industry Security Program (DISP) in which each company must pass a Foreign Ownership, Control and Influence (FOCI) assessment prior to receiving their accreditation.59 Defence explained:
Defence requires companies applying for DISP membership to provide a detailed declaration outlining their foreign engagement. This includes: holdings by foreign people, corporations or governments; key position holders' links to foreign people or countries; contracts or other arrangements with foreign people or countries; revenue streams from foreign people, corporations or countries; and any other foreign control or influence indicators. A FOCI assessment then reviews the company's FOCI declaration against an international FOCI standard, set by the Multi-National Industrial Security Working Group (MISWG).60
2.80
Defence noted that ‘in undertaking FOCI assessments, a range of open source, commercial and intelligence sources may be reviewed to verify FOCI information supplied and to assess risks’.61
2.81
Defence also explained that further security assurance is provided by AGSVA's contractual arrangements (Deed of Agreement) with vetting companies:
… which specifies that no classified information or official material furnished or generated under the Deed of Agreement can be disclosed to any third party. Under the Deed of Agreement, companies must comply with all relevant Defence policy, including Defence security policy and declaring any actual, potential and perceived conflict of interest. No company has advised of any conflict of interest.62
2.82
The Department of Defence also confirmed that at the point of the February public hearing, ‘one company providing positive vetting services for Defence has one UK-national, Australian resident Director’, and that ‘no other companies providing positive vetting services list foreign directors’.63
2.83
The Committee questioned Defence on the impact of the change in management to AIM Screening, one of its current contractors.
2.84
Defence explained that AIM Screening (trading as RISQ Group) does not provide positive vetting services for Defence, but was a member of the IVP and a current member of the DISP. At the time of the February public hearing, Defence noted that AIM Screening was up to date with its FOCI reporting obligations under the DISP.64
2.85
When questioned about the ability of the 14 IVP companies to conduct work for foreign governments, Defence told the Committee that it was unable to prevent IVP companies or their personnel from undertaking work for foreign governments ‘as there is no specific restraint of trade restriction under the Conditions of the Deed of Standing Offer’.65 Defence noted that the Deed did include strict security requirements for an IVP company to comply with Defence’s ‘security policies and processes, including maintaining membership of the DISP and complying with the Defence Security Principles Framework.’66
2.86
The Committee questioned Defence as to the clearance requirements of vetting staff employed by the companies that currently conduct vetting for government agencies. Defence responded:
The FOCI assessment considers the company, Directors/officers, and key personnel. Industry Vetting Panel staff who are designated as specified personnel (this includes vetting officers as well as any non-vetting staff that handle or access any official material) are required to hold an Australian Government security clearance.
DISP members, as part of ongoing reporting requirements, must update their FOCI information whenever there are any changes to their FOCI status.67
2.87
Defence further confirmed that all industry vetting officers working on positive vetting (PV) clearances are Australian citizens, and stated that ‘there are no officers working under a waiver’.68

Retention of sensitive or classified information

2.88
The Committee was concerned that sensitive or classified material, or indeed any identifying information, remained with a security vetting contractor, in hard copy or in digital form, after the completion of the vetting process.
2.89
Defence stated that security-related information provided to IVP companies is handled in accordance with defence industry security requirements. Defence further explained:
IVP companies ensure all documentation relating to a clearance process is attached to the appropriate Personal Security File (PSF) and returned to AGSVA when a case is completed. When the PSF is returned to AGSVA, companies immediately destroy any hard copy duplicates of information that was included in the PSF.69
2.90
Defence also explained that electronic documentation can be kept on an ICT certified system for up to 90 days after the PSF is returned to AGSVA, which allows AGSVA to obtain further or missing documentation, if required, during the decision-making stages.70
2.91
However, during the public hearings, Defence noted that ‘disaggregated’ information is retained on contractors’ systems beyond 90 days. The example given was of a record of the fact that there had been an interview conducted and a named referee contacted.71
2.92
While Defence told the Committee that it had written to the IVP companies concerned to reinforce the requirement to delete all information after 90 days, the Committee was not able to ascertain from Defence what processes are in place to ensure the requirement is currently being met.72
2.93
Defence noted that ‘all 14 IVP companies currently assigned to complete positive vetting cases are accredited against the Australian Signals Directorate (ASD) Top 4’, which is ‘a mandatory compliance under the DISP’. However, Defence advised the Committee that compliance with the ASD Essential Eight is not mandatory.73
2.94
Defence confirmed to the Committee that all 14 IVP companies currently assigned to complete positive vetting cases are compliant with the Information Security Manual (ISM) and the DISP Top 4 for cybersecurity.74
2.95
Defence stated that IVP companies are subject to random checks of ICT storage systems as part of AGSVA audit processes and performance review meetings.75
2.96
The Committee questioned Defence on who was responsible for conducting the audits and how they are verified, but was unable to obtain a clear answer from Defence. Defence gave the Committee assurances that the companies were reporting that they are cyber resilient, but was unable to explain what compliance mechanisms were in place to verify that the reporting is accurate and meets the mandated standards.76

1. ANAO, Report No. 38 (2017-18) Mitigating Insider Threats through Personnel Security, p. 7.
2. ANAO, Report No. 38 (2017-18), p. 7.
3. ANAO, Report No. 38 (2017-18), p. 7; government entities that are exempt are the five intelligence and law enforcement agencies.
4. ANAO, Report No. 38 (2017-18), p. 7.
5. ANAO, Report No. 38 (2017-18), p. 7.
6. ANAO, Report No. 38 (2017-18), p. 8.
7. The five entities were: Attorney-General's Department (AGD); Australian Radiation Protection and Nuclear Safety Agency (ARPANSA); Australian Securities and Investments Commission (ASIC); Department of Home Affairs (Home Affairs); Digital Transformation Agency (DTA).
8. ANAO, Report No. 38 (2017-18), p. 9.
9. ANAO, Report No. 38 (2017-18), p. 49.
10. ANAO, Report No. 38 (2017-18), p. 50.
11. Mr George-Philip de Wet, Digital Transformation Agency, Committee Hansard, Canberra, 17 August 2018, p. 6.
12. ANAO, Report No. 38 (2017-18), p. 23.
13. ANAO, Report No. 38 (2017-18), p. 26.
14. Mr de Wet, Digital Transformation Agency, Committee Hansard, Canberra, 17 August 2018, p. 6.
15. Ms Sarah Chidgey, Deputy Secretary, Attorney-General's Department, Committee Hansard, Canberra, 17 August 2018, p. 6.
16. Mr Carlos Iglesias, Chief of Operations, Australian Securities and Investments Commission, Committee Hansard, Canberra, 17 August 2018, pp. 6-7.
17. Dr Gillian Hirth, Deputy Chief Executive Officer, Australian Radiation Protection and Nuclear Safety Agency, Committee Hansard, Canberra, 17 August 2018, p. 7.
18. Mr Mark Brown, First Assistant Secretary, Department of Home Affairs, Committee Hansard, Canberra, 17 August 2018, p. 7.
19. ANAO, Report No. 38 (2017-18), p. 38.
20. ANAO, Report No. 38 (2017-18), p. 39.
21. ANAO, Report No. 38 (2017-18), pp. 38-41.
22. ANAO, Report No. 38 (2017-18), p. 41.
23. Mr Daniel Fortune, Assistant Secretary Vetting, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 4.
24. ANAO, Report No. 38 (2017-18), p. 40.
25. ANAO, Report No. 38 (2017-18), p. 41.
26. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 3.
27. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
28. ANAO, Report No. 38 (2017-18), pp. 40-41.
29. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 7.
30. Department of Defence, submission 6.3, p. 5.
31. Department of Defence, submission 6.3, p. 10.
32. Department of Defence, submission 6.3, p. 6.
33. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 15.
34. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 14.
35. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
36. ANAO, Report No. 38 (2017-18), pp. 21-22.
37. ANAO, Report No. 38 (2017-18), p. 22.
38. ANAO, Report No. 38 (2017-18), p. 41.
39. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
40. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
41. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
42. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 2.
43. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, pp. 2-3.
44. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 15.
45. ANAO, Report No. 38 (2017-18), p. 40.
46. ANAO, Report No. 38 (2017-18), p. 40.
47. ANAO, Report No. 38 (2017-18), pp. 40-41.
48. ANAO, Report No. 38 (2017-18), p. 40.
49. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 4.
50. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 4.
51. Department of Defence, submission 6.2, p. 6.
52. Department of Defence, submission 6.2, p. 2.
53. Department of Defence, submission 6.2, p. 6.
54. Department of Defence, submission 6.2, p. 6.
55. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 17 August 2018, p. 4.
56. Essential Eight Explained, Australian Cyber Security Centre, Australian Government, <https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf>, accessed 6 November 2018.
57. Department of Defence, submission 6.2, p. 6.
58. Department of Defence, submission 6.1, p. 2.
59. Department of Defence, submission 6.3, p. 5.
60. Department of Defence, submission 6.3, p. 5.
61. Department of Defence, submission 6.3, p. 5.
62. Department of Defence, submission 6.1, p. 7.
63. Department of Defence, submission 6.3, p. 6.
64. Department of Defence, submission 6.3, p. 8.
65. Department of Defence, submission 6.3, p. 7.
66. Department of Defence, submission 6.3, p. 7.
67. Department of Defence, submission 6.1, p. 7.
68. Department of Defence, submission 6.3, p. 10.
69. Department of Defence, submission 6.1, p. 4.
70. Department of Defence, submission 6.1, p. 5.
71. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 11.
72. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 12.
73. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 8.
74. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 8.
75. Department of Defence, submission 6.1, p. 5.
76. Mr Fortune, Department of Defence, Committee Hansard, Canberra, 12 February 2019, p. 9.
