Gateways provide cyber security protections to organisations between security domains. This policy covers Australian Government gateways and the boundary between the internet and government networks.
What is a gateway?
A gateway is a collection of capabilities that reside at the boundary between different security domains. A common example of this is between an organisation’s internal network and the internet. It is designed to protect entities from malicious cyber-attacks, through the enforcement of an organisation’s security policy.
The gateway policy is designed to ensure that, unless an appropriate exemption is granted:
- Government entities defend their perimeters using better practice principles for gateways during the transition to the Cyber Hubs.
- The lead agency gateway model continues to operate, in line with the list of lead agency gateways, reducing proliferation of gateways across government.
- Government assets are not created in a way that creates inefficiencies or conflicts with the transition to Cyber Hubs or another approach to shared infrastructure.
- The DTA is notified of all new gateway arrangements, including the extension of existing arrangements. The DTA must be notified at firstname.lastname@example.org in line with the gateway policy requirements below.
Gateway policy requirements
Until a decision is made on Cyber Hubs taking on gateway services, the existing lead agency gateway model will continue. Throughout this transition period, agencies must adhere to the policy requirements below:
- Gateway lead agencies must maintain responsibility for coordinating agency gateways and any associated contractual arrangements until gateway arrangements under Cyber Hubs are implemented.
- The DTA must be notified of all new gateway arrangements, including the extension of existing arrangements.
- Any change to entity gateways must be discussed with the DTA.
- Where an entity currently operating under a lead entity gateway wants to move to a new gateway, an exemption is required from the DTA. To notify the DTA of a request for an exemption, or request an exemption form, please contact email@example.com.
- New contracts and extensions to existing contracts for gateway services must:
  - not exceed two years, with up to an additional one-year extension
  - include clear, robust, and actionable release provisions to support transition to Cyber Hubs, if they proceed
  - include provisions for data, including logs, managed by a Gateway to be provided to the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) as well as provisions for a future move to Cyber Hubs.
- Where an agency wants to source outside of these conditions, a formal exemption from the DTA is required. Any proposed exemptions should be for systems which undergo an Australian Signals Directorate (ASD) Infosec Registered Assessors Program (IRAP) assessment. To notify the DTA, or request an exemption form, please contact firstname.lastname@example.org.
Lead agency gateways
As of July 2022, the current lead gateway agencies are:
- Australian Federal Police
- Department of Agriculture, Fisheries and Forestry
- Department of Defence
- Department of Education
- Department of Home Affairs
- Services Australia
The current gateway model has not evolved for several years. With the increased adoption of new technologies and capabilities by the Australian Government, there is a need to modernise gateways to manage the evolving threat landscape.
In 2021, the DTA released a Joint Statement alongside ASD outlining the changes planned for gateways. We foresee that the changes will enable entities to access more contemporary services from the provider market ahead of the transition to Cyber Hubs in the future.
ASD’s Certified Gateways list ceased on 29 July 2022. The Protective Security Policy Framework (PSPF) was reviewed, and updates have been made to support these changes in Policy 11 on the Protective Security website.
ASD has also developed security guidance to assist entities in making informed risk-based decisions when consuming gateway services.