Secure Internet Gateways (SIGs) provide organisations with cyber security protection at the perimeter between their networks and the internet. SIGs play an important role in a layered cyber security defence, and can be shared between multiple organisations, providing the benefits of a common suite of cyber security defences.
Under the Government’s strategy to strengthen the defences of government networks, Cyber Hubs will centralise the management and operations of Commonwealth entities for cyber monitoring, detection, and response capabilities.
It is envisioned that the future Cyber Hubs operating model – informed by a recently launched pilot - will see Cyber Hubs providing a range of cyber security services, including SIG services, to non-corporate Commonwealth entities. As such, consideration is being given to how SIG services should integrate with a future Cyber Hubs model.
DTA will provide timely advice to Commonwealth entities, Cyber Hub providers and industry during the Government’s development of Cyber Hubs subject to Government Approval.
SIG Policy Changes
SIG policy is being modernised so that it is consistent with and supports the implementation of Cyber Hubs, and so that Commonwealth entities, using existing SIGs, can readily adopt new technologies and capabilities.
SIG policy changes will also include ASD ceasing its certification authority role for commercial or government SIGs. This will better enable and encourage the adoption of emerging cyber security technologies and capabilities by entities. Commonwealth entities will be empowered to adopt a new risk-based authorisation model, consistent with the consideration of other cyber architecture such as the adoption of cloud environments.
Security guidance, co-designed by Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) with government and industry from key stakeholder groups, will be developed through consultative forums to support the policy enhancements.
ASD’s Certification Authority role
ASD will no longer progress re‑certification activities for SIG. Existing ASD – Certified Gateways will remain certified until its Certification Authority role ceases in July 2022.
This model aligns with core Information Security Manual (ISM) principles and is consistent with other risk-based models used currently by Commonwealth entities such as when considering cloud environments.
DTA will also work with the Attorney-General’s Department and the ASD’s ACSC to ensure alignment of the updated SIG Policy and ISM with the Protective Security Policy Framework (PSPF).
In the interim, entities will continue to meet their SIG requirements in line with the PSPF obligations, and existing Industry partners will continue to provide services in line with current arrangements.
Any enquiries regarding these changes can be directed to the DTA at HGIT@dta.gov.au