The Department of Home Affairs has released a consultation paper to the Australian public, requesting feedback on implementing a ‘zero trust culture’ into the Commonwealth cyber security policy.
Feedback on the paper, titled Guiding Principles to embed Zero Trust Culture, will inform the future direction of the Commonwealth’s cyber security strategy and whole-of-government resilience against threats, to be actioned through Protective Security Policy Framework (PSPF) Release 25.
The paper set out the Government’s five guiding principles, developed in association with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), for implementing a zero trust culture across all Commonwealth department and agency activity:
- Identify and manage cyber security risk at an enterprise level
- Understand accountabilities and responsibilities at all levels
- Know and understand your most critical and sensitive technology assets
- Maintain resiliency through a comprehensive cyber strategy and uplift plans
- Go beyond incident planning
The paper confirmed that these principles were developed from existing “best practice and frameworks” and suggested areas that need to be “strengthened to ensure our successful adoption of core paradigms”.
“These Guiding Principles provide direction on the development of the policy uplift activities required to embed a zero trust culture across the Commonwealth,” the paper said.
“The success of these initiatives, such as developing a whole-of-government zero trust culture, relies on an aligned, collaborative approach with all impacted stakeholders. As the Department considers the application of zero trust practices to Commonwealth entities through the PSPF 2025 update, we are eager to ensure a common understanding and closer engagement with industry.
“These Guiding Principles are the first instalment of a coordinated consultation agenda facilitated by the Department of Home Affairs. As we move towards the adoption of practices such as zero trust, we also need to consider updates to existing publications, such as the Australian Government Gateway Policy, to support these changes.
“The success of implementing zero trust practices cannot be achieved solely through a technology-based approach. It requires organisational transformation to embed a ‘zero trust culture’ across an entity. Embedding zero trust culture does not mean we are promoting a lack of trust in our employees.
“An effective zero trust experience will empower employees through a clear understanding of roles and responsibilities, as well as providing a consistent experience across different IT platforms.
“Embedding a zero trust culture allows opportunities to better combat the current and emergent risks stemming from a rapidly evolving cyber threat landscape and expansion of the digital attack surface, by shifting from a traditional strong perimeter protection focus to a zero trust architecture, rooted in the core principle of ‘never trust, always verify’.
“Additional consultation packages to support Commonwealth cyber security uplift initiatives, including the Hosting Certification Framework, will be released over the coming months.”
The department emphasised that while the consultation is open to all members of the Australian public, it is particularly seeking feedback from past, current and future Commonwealth providers; cyber security subject matter experts; and organisations that are planning, or have commenced, similar cyber resilience uplift programs.
The consultation period closes on 28 February 2025.