Model Cyber Security Clauses

Mundi Tomlinson

The Department of Finance Archive

The content on this page and other Finance archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.


In consultation with the Attorney-General’s Department and the Department of Defence, Finance has drafted cyber security model clauses. The objectives of the model cyber security clauses are to:

  • define service providers’ responsibilities in order to manage cyber security risks;
  • provide clear contractual arrangements for safeguarding government data;
  • increase the visibility of cyber incidents; and
  • require subcontractors to comply with the same obligations.

These clauses are intended to be included in the SourceIT Model Contracts, and a short-form version may be included in the Commonwealth Contracting Suite for procurements under $200,000.

The Commonwealth needs to have a way of managing cyber security risks that acknowledges the role of suppliers and subcontractors. These model clauses outline the Australian Government’s preferred position.

I am interested in your feedback and comments about how these will work for industry and Entities. You can either leave a comment on the blog, or if you would prefer, reply via email to Comments are open until Friday, 19 September 2014.

Finance reserves the right to consider or set aside any comments it receives in response to this post.

Comments (3)

Firstly, I applaud the introduction of cyber security clauses... the disclosure and acknowledgement of breaches, and providing clear contractual obligations will immediately provide guidance and manageable parameters to those at the coal face. I read an article where industry input was welcomed in developing this initiative. Is there a contact point to further these opportunities?

Hi Al,

Thanks for your comments and interest. My team regularly posts initiatives on this Blog for industry feedback so keep an eye out on the blog or perhaps subscribe to our RSS feed to keep track of new initiatives as they are announced. You are also welcome to email if you have specific questions.


Thank you for the opportunity to comment on the proposed security clauses and their impact on Industry.

The proposed changes will undoubtedly drive up the cost of solutions provided to Government. Suppliers will not only have to manage the increased costs of doing business by developing the compliance processes and documentation but also to cover the additional risk to their businesses. It is important that the Government understand the cost impacts of this significant policy change and not avoid those costs by passing them on to Industry.

The Federal Government should ensure that appropriate insurances are affordably available in a competitive marketplace before mandating their inclusion in contracts.

The proposed changes will have the most significant impact on the costs of doing business for SMEs, on the risks to their businesses, and potentially narrow the pool of eligible suppliers and the delivery of innovative, nimble solutions to Government agencies.

The Department of Finance could mitigate these negative effects by providing tools that reduce the burden on SMEs.

The new rules require contractors to develop a Commonwealth Data Protection Plan (CDPP) to offer services to Australian government customers, unless specifically exempted. The department could develop a template for such a plan which would be acceptable to both Contractor and Customer to obviate the need for such a document to be developed from scratch for each opportunity.

Further support could be provided by the preparation of a “check list” which Contractors could use in the development of this plan. This check list could be derived from those used by Agencies to ensure their data is protected against such incidents.

Without a definition of a “Cyber Incident” within the draft documentation it is difficult to have a considered view of the impact of a breach or suspected breach. The obligations on the Contractor and sub-contractors are potentially quite massive when you consider that they are required to provide “evidence about how, when and by whom the Contractor's information system and/or the Customer Data has or may have been compromised”.

The definition of a cyber incident should be made clear in the draft documentation to allow a proper assessment of the business impacts.

Last updated: 24 August 2016