Intent of the guidance

The gateway security guidance package is designed to assist organisations in making informed, risk-based decisions when designing, procuring, operating, maintaining or disposing of gateway services, and it captures contemporary better practices. As gateway security functions become readily available in cloud service offerings, gateway architectures are evolving. Hybrid and cloud-native gateways, combined with new ways of working, mean that gateway architectures will look different in the future. This guidance package outlines how organisations should approach cyber security challenges so that their gateways are more secure, flexible and adaptable to different architectures and delivery models.

The Australian Cyber Security Centre (ACSC), within the Australian Signals Directorate (ASD), has co-designed this guidance with key industry and government stakeholders through a consultative process.

Why is this guidance needed?

The changes to the Australian Government’s gateway policy aim to create a risk-based authorisation model. The gateway policy update includes changes to the Protective Security Policy Framework (PSPF) that align the process for gateways with the existing Authorisation to Operate (ATO) process outlined in Policy 11, replacing the previous Certification Authority role performed by ASD. This empowers non-corporate Commonwealth entities (NCEs) to adopt a risk-based approach to gateways, with the flexibility to adopt the gateway solutions that best suit their security requirements. NCEs should gain assurance and inform themselves of the risks relating to designing, procuring, operating, maintaining and disposing of gateways through this guidance as well as through the Infosec Registered Assessor Program (IRAP). As of 29 July 2022, the ASD Certified Gateways List has been replaced by this guidance.

Intended audience

This is the Gateway Security Guidance Overview.
This guidance is one part of the gateway security guidance package, written for audiences responsible for the design, procurement, operation, maintenance and disposal of gateways. When designing, procuring, operating, maintaining or disposing of a gateway, it is important to consider all the documents from the package at the different stages of governance, design and implementation.

The Gateway Security Guidance Overview document explains the structure of the gateway security guidance package and is suitable for all audiences. The Executive Guidance document is intended for decision-makers at an organisation’s executive level. The Gateway Security Principles document is intended for senior executives, architecture teams and engineering teams. The Gateway Operations and Management document is intended for gateway operators. The Gateway Technology Guides document is intended for architecture teams, engineering teams and gateway operators.

While this guidance is primarily intended for Australian Government gateway consumers and their service providers, it can be used by any organisation designing, procuring, operating, maintaining or disposing of a gateway. Throughout the package, the terms organisation, consumer and provider are used in their general sense. The term Australian Government non-corporate Commonwealth entity (NCE) is used only where there may be explicit requirements under the PSPF or other policy.

Policy and other considerations

The gateway security guidance package should not be considered government policy or a checklist.
ASD recommends that organisations assess their gateways against their obligations under the PSPF, specifically as they relate to risk management (ISO 31000), information security management (ISO 27001), the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Commonwealth Procurement Rules, the guidance within the Information Security Manual (ISM), and the Attorney-General’s Department’s Protective Security Policy Framework, especially Policy 11. NCEs should use the results of gateway IRAP assessments to inform their authorisation to operate decisions.

Entities must also refer to the Digital Transformation Agency’s (DTA’s) gateway policy when procuring internet-facing gateway services. Commonwealth entities seeking to procure gateway services must consider the DTA’s Hosting Certification Framework (HCF) and ensure that all sensitive and classified government data, and the infrastructure that hosts it, is hosted by a certified provider. The framework provides a process for government customers to attest to the risks of using a service.

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).

Gateway Security Guidance Package: Executive Guidance

The purpose of this guidance is to inform decision-makers at the executive level of their responsibilities, the considerations needed to make informed risk-based decisions, and the policy obligations they must meet when leading the design or consumption of their organisation’s gateway services.

Gateway Security Guidance Package: Gateway Security Principles

This guidance is one part of a package of documents that forms the Australian Signals Directorate (ASD)’s gateway security guidance package, written for audiences responsible for the procurement, operation and management of gateways.
Gateway Security Guidance Package: Gateway Operations and Management

This guidance is one part of a package of documents that forms the Australian Signals Directorate (ASD)’s gateway security guidance package, written for audiences responsible for the operation and management of gateways.

Gateway Security Guidance Package: Gateway Technology Guides

This guidance is one part of a package of documents that forms the gateway security guidance package. When designing, procuring, operating, maintaining or disposing of a gateway, it is important to consider all the documents from the package at the different stages of governance, design and implementation, and not to consume this guidance in isolation.