This audit would assess the effectiveness of the Department of Defence’s (Defence’s) management of cyber security risks associated with Australian Defence Force mission critical ICT systems.

The 2020 Defence Strategic Update outlined the role of cyber capabilities in the deteriorating nature of Australia’s strategic environment. The 2022 Defence Cyber Security Strategy noted that ‘cyber has emerged as a recognised warfighting domain and cyber warfare will be a critical component of future conflict’. Under the Protective Security Policy Framework (PSPF), all entities are required to develop their own protective security policies and procedures. The Defence Security Principles Framework was designed to give effect to the PSPF and provides for regular assessments, performed against emerging cyber threats through a certification and accreditation process, to ensure associated ICT risks are considered, mitigated, and/or accepted as necessary. An application in operational use must have either a full ICT accreditation (known as an ICTA) or a provisional ICT accreditation (PICTA).

Work program portfolio

This potential Performance audit is featured in 1 annual audit work program portfolio: