Gov marks initial step towards zero trust


The federal government is taking its first steps towards a zero trust commitment by defining what it wants to see uplifted in how departments and agencies treat cyber security.



This takes the form of five “guiding principles” outlined in a consultation paper [pdf] released by Home Affairs.

The idea of embedding a whole-of-government zero trust culture across federal operations came out of the 2023 cyber security strategy.

The principles ask agencies and departments to elevate their treatment of cyber security from “the responsibility of the CISO” to “an enterprise-level concern”.

They also push for entities to define roles and responsibilities clearly; to understand the “business criticality” of IT assets; to move the needle on upskilling from cyber literacy to “fluency”; to have appropriate strategies; and to embrace zero trust concepts.

The principles, in their final form, will be reflected in updates to several cyber security frameworks used by the federal government.

These include the now annually reviewed protective security policy framework or PSPF, alongside the hosting certification framework and resilient digital infrastructure framework, all of which are to be reviewed and amended next year.

The consultation closes at the end of February 2025.


