In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.
01:27 - What is the PSPF? Toby explains the framework
03:07 - Kat discusses the biggest changes in the PSPF 2024 updates
04:20 - Challenges with IRAP assessments: time, cost, and limited assessors
06:18 - When are IRAP assessments required? Clarifications
08:13 - Changes in PSPF domains: splitting information and technology
10:08 - Implications of the changes for reporting and governance
12:15 - Comparison with NIST framework and governance considerations
13:38 - Issues with self-attestation and insights from ANAO reports
15:09 - Strategies for improving reporting and assessments in agencies
17:36 - Managing legacy IT systems under the new PSPF requirements
18:52 - Key takeaways and final thoughts from Kat and Toby
Mentioned in this episode:
Call for Feedback
Cole Cornford: Hi, I'm Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. And we're here for a very special episode. We're going to be talking about the PSPF updates for 2024. So I'm joined by Kat McCrabb and Toby Amodio. So Kat, would you like to introduce yourself quickly?
Kat McCrabb: Yeah, sure. So I'm Kat McCrabb. I spent 12 years with federal government across governance, risk and compliance, which of course included the PSPF and the ISM. I'm now the director of Flame Tree Cyber, where I do GRC for a range of organisations including federal government, and I'm a certified [inaudible 00:00:46].
Cole Cornford: Cool. And we've got Toby Amodio. Tell us a bit about yourself, sir.
Toby Amodio: My name's Toby Amodio. I'm the director and lead for cyber strategy at Fujitsu Cyber Security Services, and I've got a 20-year career in cyber security, holding roles as head of cyber security for Parliament House and the tax office in that journey. And so I have lived the life of the PSPF.
Cole Cornford: See, I wanted to bring on two people who actually understand this domain significantly better. Because there's no part of the PSPF, from what I can tell, that says "software security." So that's why I've got you two here. But for a lot of my listeners, they may not actually know what a PSPF is. So maybe Toby, could you just start with that? Just give the audience a background?
Toby Amodio: A hundred percent. So the Protective Security Policy Framework, or the PSPF, is the overarching framework for how security is done for all government assets. It's mandated that every government agency, as a responsible entity under the Public Governance and Accountability Act, they're given money. As part of the responsibilities for managing that money, their accountable authority, or the head of that agency, has to manage risks to its environment, and the PSPF articulates how they manage the risks of security.
And you say, "The risks of security, what does that mean?" The risk of security is not just cyber, even though I would love to say that we are the most important thing in the world. But it's cyber, physical and personnel security. And there's a lot of nuance in there because the new update breaks that out in a new and robust way. But ostensibly, it tells the agency heads how they have to govern and implement security across their physical assets, their people, and their IT, and manage that on an annual basis. So it is effectively that framework. Now, the reason why it's relevant to everyone is, it is being updated on a regular basis to keep alignment with the threats that we face. But a lot of the requirements that are in the PSPF are cascading down into the Secure and Critical Infrastructure Act. The other obligations in different fields like ASIC and other entities are cascading the PSPF requirements into those obligations. And so you'll see that many of the findings there are replicated into responsibilities across the Australian economy.
Cole Cornford: So Kat, that's been a really good introduction to what the PSPF means. I wanted to just probably ask you, what do you think are the biggest couple of changes you've seen in this latest update, and why are they important to you?
Kat McCrabb: The biggest change I've noticed is the greater security around third-party risk and foreign entities. There's also a bit more clarity around IRAP assessment and what's required in that space.
Cole Cornford: I know that one of the things that was mentioned is about IRAP assessments, and I assume there's a period of time after which an IRAP assessment expires. I don't know what the previous one is, but I've heard that they've definitely accelerated how long an assessment is valid for now. So what do you think the implications are going to be? We're probably requiring more frequent IRAP assessments.
Kat McCrabb: It takes roughly three months to do an IRAP assessment, and the ACSC recommends that organisations allocate a minimum of three months for an IRAP assessment to be completed. That can be quite the cost and time imposed on anyone who wants to have one undertaken. There's not a great number of IRAP assessors. There's 361 on the list and I think 270 something who are listed as available. So when you've got the volume of systems requiring assessment, the time that it takes to undertake an assessment and the cost, I think we might see a bit of pressure on that system.
Toby Amodio: To that end, Cole, if you don't mind me cutting in, but...
Cole Cornford: Yeah.
Toby Amodio: And when we talk about the volume of assessments, depending on how an agency breaks up its resources, I know that some agencies have up to 65,000 IT assets as a combination of servers and desktops. And depending on how you chunk that pie, you can end up with hundreds of assessments. And so suddenly what may seem like a large number, like 300 assessors, gets consumed by one agency. And then where do we go from there? It also requires those assessors to be independent, and a number of the assessors are already working in fields close to those entities, which will exclude them from being able to work on those entities. And so you can get into this position really quickly where it sounds really achievable with the numbers that we've got. And then the reality is actually a big gap in capability and availability.
Cole Cornford: But surely this is just basic supply and demand, right? How come the federal government, like the ASD, surely they would've foreseen that there's a limitation on the number of assessors and assessments that could have been completed. Are they trying to drive towards only assessing things that are meant to be higher risk? Or are they trying to say, "Hey, let's just get a lot more people with the right security qualifications out to do these assessments?" I don't know. Is this like the housing crisis in Australia again?
Kat McCrabb: Possibly. I think when you look at their responsibility, it's to design a framework and a set of controls that address cybersecurity risk. They're not necessarily concerned with the resourcing of that. Their primary concern is putting in place a set of controls, which they can say, "Hand on heart, if you do this, you've mitigated most of the risk."
Cole Cornford: So I guess boom industry, right? So everyone on this call except me is an IRAP assessor. So you've got bright futures ahead of you two, according to the PSPF.
Toby Amodio: And I will say as well, the PSPF does define the instances where you are mandated to have an IRAP assessor. And it does tell you where you don't necessarily have to have an IRAP assessor, that you could do an internal assessment against the ISM. And so it does help guide that framework. And the ACSC has expanded the number of IRAP assessors significantly. I think it's increased by over a hundred percent in the last three years.
And so they are trying to invest in that piece, but there is still more work to be done in that space, as you're calling out. So it will be interesting to see how this gets implemented and how the rubber hits the road. An interesting piece, one of the new requirements, is that any agency that provides services for another agency must provide that IRAP assessment to those sub-agencies. And so that opening the kimono about saying, "Hey, this is how we're managing the service on your behalf," will be a mandated transparency. And I think that that increase in requirement will lead to a number of urgent assessments, but also some more frank conversations between the service-providing agencies and their consuming entities.
Kat McCrabb: I think that transparency piece is really important because if you're going to an external service provider and request an IRAP, evidence of having undergone an IRAP assessment, they will provide it. If government departments don't have that same obligation, it almost puts them at a bit of a disadvantage.
Toby Amodio: Yeah, correct. You can't compare apples for apples. If you're a consuming agent, the consuming entity, you can't go, "Oh, I could go with vendor X or department A." You can't compare the security profile. So I feel like that control has been really good to increase that transparency and enable a consuming entity to then do the like-for-like comparison.
Cole Cornford: I know one thing that we talked about in the pre-show was that there's a really big change to the domains in the PSPF. My understanding previously was that you had personnel, physical, and they've kind of rolled up cyber and IT assets into two principles. How has it changed and what do you think the implications of that are, Toby?
Toby Amodio: So there used to be four pillars, which were governance, information, personnel, and physical. I always used to joke that I loved getting into cyber because the locks don't change every three months, so I should have got into physical. But what they've done is they've actually split out information, which was the old cyber, into information, and then technology. And the technology effectively is the life cycle of an IT system and the assurance of that life cycle and the Essential Eight. And then information is more around understanding what your information assets are and how you identify, label them, and handle them throughout the information lifecycle.
And they've also broken out governance into governance and risk. And the interesting thing, and if you go and look at the PSPF on a page, it shows them as the six pillars next to each other. But they're really information, technology, physical, personnel, with governance and risk as cross-domain capabilities that apply throughout the lifecycle of the others. Because the governance in that context is how you govern the fact that you're doing security cohesively across all of the pillars. And the risk is about how you manage the risks across the pillars cohesively.
And so it's a good change. It adds more detail, but the thing that I'm concerned about is it will also mean that there's going to be more "who's doing what?" conversations about responsibilities within entities. And then it's also going to change the way that they do reporting every year from the traditional structure, which means the first year there's going to be chaos in government agencies on how do we report? What does this look like? How do we use this new terminology? How do we assess it? How do we do this in a consistent way? So I think that churn and change will cause pain upfront and then hopefully be better in the long run.
Cole Cornford: What do you think, Kat?
Kat McCrabb: I agree around the reporting piece. I think that could be... Determining roles and responsibilities will likely be a challenge, and then the reporting will have a long tail. On that reporting, I do find it interesting that entities have a self-attestation form of reporting. I was reading last year's assessment report and 99% of agencies have stated that they meet maturity level two of the PSPF or higher. But then when you go and read some ANAO reports, quite often they have a finding that the agency which has been reviewed doesn't meet the PSPF. So I think that's compelling evidence that that self-attestation system isn't the most effective. I'll be very interested to see if future iterations of the PSPF mandate a different form of compliance reporting. Maybe that'll make IRAP assessors even busier.
Toby Amodio: There's a great ANAO report that was released about a month ago into a certain agency's approach to assessing their systems against the ISM, and they had only assessed 2.5% of their systems against the ISM, or had a valid authorisation for 2.5% of their systems against the ISM. And as Kat mentioned, I'm sure that their reporting, if you look at the stats, was that they were a level two, which would've meant that they had a hundred percent done. So yeah, there is a definite gap between the self-attestation and the reality. And making sure that they can close that gap is really critical to me, and is part and parcel of that governance pillar in the PSPF: making sure that when we are reporting, sorry, when government entities are reporting, they're doing it in a consistent way.
Cole Cornford: It's like parallels to the NIST one where they recently redid the CSF and they have that governance yellow, I remember the yellow circle in the middle now. So look at me. I'm a governance professional, right? So I like my yellow circle that underpins all the other ones. So I think that you'd imagine that they would've taken some inspiration from NIST and brought it into Australia.
Kat McCrabb: And I think one of the other things that, just another piece of evidence that the self-attestations aren't appropriate, is something like 86% of agencies had an incident response plan. That's vastly different to 99% of agencies having maturity level two or greater compliance against the PSPF.
Cole Cornford: So I want to talk about that, then. So if self-assessment is not going to work, and we know that we have the ANAO -- for people who don't know, it's the Australian National Audit Agency. Or office? Office, not agency, yep.
Toby Amodio: Office. Yep.
Cole Cornford: They go around and they say, "We're going to go check against a specific audit outcome." They're effectively external audit for federal agencies, right? They're obviously going to get swamped if all they have to do is just check IT qualities constantly. So do we have to beef up ANAO to do more frequent audits if self-assessment's not going to work? Or do we... Because I wouldn't trust the private sector to be doing that anywhere near as effectively as ANAO.
Kat McCrabb: I think there's a couple of mechanisms. One is we use ANAO. Another is we again leverage the IRAP assessment network, which we already feel might become overburdened. Or we look at some other frameworks. So there's those Essential Eight assessment courses that TAFE is offering, and that's been co-designed with ASD. Perhaps there's another option, and we have an extended version of that Essential Eight course that covers a bit more of the PSPF. And that's a format of reporting.
Toby Amodio: And I think that there's two main pieces to it. You'll not get annual independent assessment of the posture of the entire entity against all pillars. I don't think that's scalable. It won't happen on a frequency basis. Maybe for, we talk about IRAP, and IRAP is specifically the independent assessors for ICT systems. It won't cover the physical and personnel sides. And so we're not going to get an annual independent assessment, but what we need to be doing is making the reporting and assessment of the governance more consistent across agencies. So the Home Affairs capability can inform entities: if you're self-assessing, these are the evidence metrics that you need to hit. And then I think as well, I love ANAO and you can leverage auditors to drive outcomes. If you're not doing that, then you're not a good sizer. But complementing that, Home Affairs, as the body that oversees the PSPF, can look to then do spot checks itself to make sure that the people who are assessing inside agencies are doing it in line with their guidance on what evidence should be required.
And if they can do those health checks for, "Hey, you own governance of security within your org, this is the level of evidence you should be gathering for these kinds of controls." If they can mandate that and then spot check that, it should drive over time the alignment of that reporting with reality.
But the one caveat I'll put on all of this is the PSPF reporting is required to go to the minister, and that's one of the controls. And not a lot of people like sending bad news up to the boss. And so for me, there's going to have to be a way for people to share transparently without fear of blowback, and be able to contextualise that. And that's half the job of all cyber professionals, which is telling your boss how ugly their baby is and how you can fix it. And so for me, that's the other flip side to this, which is how do you manage breaking bad news? And to me, it's not bad news. Because we're constantly trying to hit a moving bar, so people won't be static throughout the life cycle of the PSPF. It's constantly moving away from us, so we're constantly trying to chase it. I know I've jumped through a few concepts there, but that's front and centre for me.
Kat McCrabb: I suppose one other thing we could consider in this context is this new Department of State requirement, which if you are a Department of State or head agency, you are now responsible for supporting portfolio entities to achieve and maintain compliance. Perhaps those entities will start undertaking assessments of their portfolio entities and using that for their attestations.
Toby Amodio: Yeah, correct. And I think that there's a great opportunity there. And there was a concept of cyber hubs where we could centralise cybersecurity into a few entities, but this is that by stealth, in the sense that we're just trying to achieve the economies of scale by going, "Hey, you are accountable for best practice in your realm. How do you promote that best practice?" And I totally agree, Kat, that whether they do assessments themselves or whether they provide sub-entities with a framework for doing the assessments, so that way it's all done consistently, then you should see a consistency of self-attestation from portfolios. Which again, over time, should drive towards a more accurate reporting posture in the organisations.
Cole Cornford: I think the thing I'm kind of keen on is that whole technology and information assets split. Because now, instead of bundling it all together and saying that cybersecurity systems need to be managed, you have to be accountable for the life cycle and operationalisation of a system. And also then, if that system is no longer fit for purpose and can't meet the needs of the PSPF, you need a way to deprecate it or ring-fence it or do whatever. And that's quite separate to the assets and classification of the data that's held on the system, too. And so I think by splitting them apart, you can have a pathway to take the data out of that system and have it accountable to someone else and managed in a different way. Whereas before it was all co-mingled and really challenging to say who's responsible for what. So I like that as an AppSec professional, because it means... I'm all about just, all of these systems that suck and we need to get rid of them. They're all nuclear waste. Let's do it.
Toby Amodio: I couldn't agree more. And one of the spiciest controls in there is a little-known beast that talks about the requirement for temporary mitigations for legacy IT, to manage the risks of legacy IT. And honestly, it's a little throwaway. It's just tucked in there. But I can tell you that legacy IT is the biggest threat across not just government, but every organisation. Everyone's focusing on the sexy new toy, not the thing that's been running in the background for months and months and months. And so there is now that formalised requirement to manage that technical debt that you carry. And Cole, we've discussed it on many a forum, that technical debt, whether it be on infrastructure, technology in the app stack or in the code base and the libraries you deal with, is such a pressing risk for the whole of the Australian technology economy.
Cole Cornford: We're coming close to time. So Kat, I'd like to just throw to you, what's the one thing that people should pay attention to from this update? That they should take as a takeaway? What is the most important thing to look at?
Kat McCrabb: I'm going to go with IRAP assessment. I think the heightened awareness of that and the time taken to complete and resource it means that it should be given a bit of attention early on.
Cole Cornford: Right. And how about yourself, Toby? What do you think is the number one thing that we need to be watching out for?
Toby Amodio: My number one piece would be the PSPF used to be 16 individual documents that you had to scan through. Now it's one cohesive document. I can't thank them enough for that. I would kiss whoever did that because it makes life much easier. Obviously, the change then has led to different things to think about. But it's ostensibly the same as it was previously in the sense that you have to know what your assets are, know what controls are around those assets, know how effective those controls are, and know how to respond when those controls fail. And you mentioned before about NIST. It's the same principles and management throughout NIST, throughout the ISM principles, throughout the PSPF. And if you're undertaking that, then you're 90% of the way there.
So realistically, just understand how you're assuring your piece, what you're protecting, and how you're protecting it. If you can do that, then you're 90% of the way there. And again, a big thank you to the PSPF people. Because even though we've spoken about some of the spicy takes and hard things to deal with in this, consolidating it to one picture will make everyone's life much, much easier.
Cole Cornford: Thank you Kat and Toby for coming on to this special episode of Secured. It's been an absolute pleasure to have you both on.
Kat McCrabb: Thank you.
Toby Amodio: Thank you.
Cole Cornford: Thanks a lot for listening to this episode of Secured. If you've got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.