Compliance

Australia's Critical Infrastructure Security Act and Software Supply Chain Risk

Australia's SOCI Act imposes strict cybersecurity obligations on critical infrastructure. Here's what software suppliers need to understand.

Bob
Compliance Specialist
6 min read

Australia's Security of Critical Infrastructure Act 2018 (SOCI Act), substantially amended in late 2021 and again in 2022, has created one of the more assertive regulatory frameworks for cybersecurity in the Asia-Pacific region. The amendments expanded the Act's scope from four sectors to eleven and introduced mandatory cyber incident reporting, risk management programs, and government assistance and intervention powers.

The Act's obligations fall on the "responsible entity" for each critical infrastructure asset, which is usually the operator rather than its vendors. But those obligations flow down: an operator that must manage supply chain risk and report incidents within hours will push SBOM, vulnerability disclosure, and incident notification requirements onto the software it runs, regardless of where the vendor is based.

What the SOCI Act Covers

The 2022 amendments expanded the Act to cover eleven sectors:

  • Communications
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Financial services and markets
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

If your software runs in a critical infrastructure asset in any of these sectors, you're operating within the SOCI Act's scope. Whether a given system is a "critical infrastructure asset" depends on the asset-class definitions in the Act and its rules (for example, a critical data storage or processing asset), not on the sector label alone, and cloud services, SaaS platforms, embedded systems, and operational technology software can all fall inside those definitions.

Critical Infrastructure Risk Management Programs

The most operationally significant requirement is the Critical Infrastructure Risk Management Program (CIRMP). Responsible entities for the asset classes covered by the CIRMP rules must establish, maintain, and comply with a written risk management program covering four hazard domains: cyber and information security, personnel, supply chain, and physical and natural hazards. Two of those domains bear directly on software:

Cyber and Information Security

This is where software supply chain security enters the picture. CIRMPs must address cybersecurity hazards, which include:

  • Unauthorized access to systems and data
  • Exploitation of vulnerabilities in software and hardware
  • Supply chain compromise
  • Insider threats

For the cyber and information security hazard domain, the CIRMP rules require the entity to adopt and comply with a recognised framework (or an equivalent one). Frameworks an entity can use to structure its program include:

  • Australian Government ISM (Information Security Manual)
  • NIST Cybersecurity Framework
  • ISO/IEC 27001
  • Essential Eight Maturity Level One (the ACSC's baseline mitigation strategies)

Supply Chain Risk

The CIRMP explicitly requires organizations to manage risks from their supply chain, including:

  • Identifying critical suppliers and dependencies
  • Assessing the security posture of key suppliers
  • Managing the risk of compromise through upstream suppliers
  • Planning for supply chain disruption

For software supply chains specifically, this means critical infrastructure operators need to know what software they're running, where it comes from, and what components make it up.

Mandatory Incident Reporting

The SOCI Act requires reporting of cyber security incidents that affect critical infrastructure assets, with the clock starting when the entity becomes aware of the incident:

  • Critical cyber security incidents (significant impact on the availability of the asset): reported within 12 hours
  • Other cyber security incidents with a relevant impact on the asset: reported within 72 hours

A report may be made orally to meet the deadline, but it must then be followed by a written report within 84 hours.

Reports go to the Australian Cyber Security Centre (ACSC). For supply chain incidents—such as a compromised dependency or a vendor breach—the reporting obligation applies if the incident has or could have a relevant impact on the critical infrastructure asset.

The 12-hour timeline for critical incidents is aggressive. Organizations need pre-established processes for detecting, assessing, and reporting incidents. This includes supply chain incidents where the initial compromise happens upstream but the impact reaches the critical infrastructure operator.

Government Intervention Powers

One of the more controversial aspects of the SOCI Act is the government assistance regime, which lets the Minister respond directly to a serious cyber security incident when the entity is unable or unwilling to do so. The Act provides three escalating measures:

  1. Information gathering directions — the entity can be directed to provide information about the incident
  2. Action directions — the entity can be directed to take, or refrain from taking, specific actions
  3. Intervention requests — in the most severe cases, the Australian Signals Directorate can be authorised to act directly on the entity's systems

These powers are designed as a last resort, but they exist. The practical implication is that organizations need to maintain their systems and documentation in a state where they can respond to government requests quickly and completely.

Implications for Software Vendors

If you supply software to Australian critical infrastructure operators, expect increasing security demands:

SBOM requirements. Critical infrastructure operators need to understand their software supply chain. They will increasingly ask vendors for SBOMs, vulnerability data, and evidence of secure development practices.

Vulnerability disclosure and remediation. Operators need to know about vulnerabilities in your software quickly so they can assess the impact on their CIRMP obligations. Delays in vulnerability disclosure create compliance risk for your customers.

Incident notification. If your product experiences a security incident that could affect an Australian critical infrastructure customer, they need to know fast—potentially within hours, given their 12-hour reporting obligation.

Security assessments. Expect requests for security assessments, penetration test results, and evidence of secure development practices. These requests are driven by CIRMP requirements to assess supply chain risk.

Contractual obligations. Security requirements will increasingly appear in procurement contracts, including requirements for SBOMs, vulnerability management, incident notification, and ongoing security monitoring.

The Essential Eight Connection

Australia's Essential Eight maturity model, developed by the ACSC, provides a practical framework for baseline cybersecurity. While not mandatory for all organizations, it's widely used in government and critical infrastructure. The eight strategies include:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

For software supply chain security, "Patch applications" is directly relevant: at Maturity Level One, patches for internet-facing services must be applied within two weeks, or within 48 hours when an exploit exists. Hitting those windows requires knowing which components are in use and which versions are deployed, which is where SBOMs become essential.

Practical Steps for Compliance

For organizations operating within the SOCI Act's scope:

  1. Identify your critical infrastructure assets. Understand which of your systems, data stores, and software fall under the Act's definitions.

  2. Build your CIRMP. Develop a risk management program that explicitly addresses software supply chain risk. Adopt one of the frameworks named in the CIRMP rules (or an equivalent) for the cyber and information security domain.

  3. Inventory your software supply chain. Maintain SBOMs for all critical software. Track dependencies, know what versions are deployed, and monitor for vulnerabilities.

  4. Establish incident response processes. Ensure you can detect, assess, and report incidents within the required timelines. Include supply chain scenarios in your incident response planning.

  5. Engage your suppliers. Communicate your security requirements to software vendors. Request SBOMs, vulnerability notifications, and evidence of secure development.
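
Steps 3 and 4 are where tooling does the work. The following is an added example written for this article (it is not code from the original post and not Safeguard.sh's code): it matches a constructed CycloneDX SBOM against a constructed advisory feed, flags components the SBOM cannot identify, and computes the SOCI reporting deadline from the moment the operator becomes aware of an incident. Every package name, version, and advisory identifier is a placeholder, not a real product or CVE.

```python
"""Match a CycloneDX SBOM against an advisory feed and work out the SOCI
reporting clock. Added example for this article; every package name,
version and advisory ID below is constructed, not a real product or CVE."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5 SBOM for a hypothetical plant historian service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "historian-service", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "modbus-parser", "version": "1.4.2",
         "purl": "pkg:pypi/modbus-parser@1.4.2"},
        {"type": "library", "name": "tls-shim", "version": "0.9.7",
         "purl": "pkg:pypi/tls-shim@0.9.7?type=wheel"},
        {"type": "library", "name": "yaml-loader", "version": "3.1.0",
         "purl": "pkg:pypi/yaml-loader@3.1.0"},
        # No purl: a vendor-supplied blob the SBOM tool could not identify.
        {"type": "library", "name": "vendor-blob", "version": "2.0"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_name": "pkg:pypi/modbus-parser", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_name": "pkg:pypi/tls-shim", "fixed_in": "0.9.7"},
    {"id": "ADV-EXAMPLE-0003", "purl_name": "pkg:pypi/yaml-loader", "fixed_in": "3.2.1"},
]

# Constructed time at which the operator became aware of an incident.
SAMPLE_AWARE_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def parse_version(text):
    """'1.10.0' -> (1, 10, 0): compare numerically, since '1.10' < '1.9' as strings."""
    return tuple(int(part) for part in text.split("."))


def split_purl(purl):
    """'pkg:pypi/foo@1.2?type=wheel' -> ('pkg:pypi/foo', '1.2'). Qualifiers are dropped."""
    base = purl.split("?", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version


def find_affected(sbom_json, advisories):
    """Return (findings, unmatched): one finding per component whose deployed
    version predates an advisory's fix, plus names of components that carry no
    purl and therefore need manual identification before they can be assessed."""
    sbom = json.loads(sbom_json)
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp["name"])
            continue
        name, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings, unmatched


def reporting_deadline(aware_at, significant_availability_impact):
    """SOCI clock, counted from when the entity became aware of the incident:
    12 hours for a critical incident (significant impact on the asset's
    availability), 72 hours for other incidents with a relevant impact.
    A vulnerable dependency alone is not an incident; the classification is the
    operator's impact assessment, not the advisory's severity score."""
    hours = 12 if significant_availability_impact else 72
    return aware_at + timedelta(hours=hours)


if __name__ == "__main__":
    found, needs_review = find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['advisory']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
    print("no purl, identify manually:", needs_review)
    # Suppose ADV-EXAMPLE-0001 arrived as a vendor notice of an actual upstream compromise.
    print("critical incident report due by", reporting_deadline(SAMPLE_AWARE_AT, True).isoformat())
    print("other incident report due by   ", reporting_deadline(SAMPLE_AWARE_AT, False).isoformat())
```

Two design points matter in practice. First, a component without a purl is reported as unmatched rather than silently skipped: an SBOM entry the matcher cannot identify is a gap in the inventory, and under a CIRMP that gap is itself a supply chain risk to record. Second, the deadline function takes an impact assessment, not a CVSS score, because the 12-hour window is triggered by the incident's effect on the asset's availability; a vendor notice that a dependency was compromised starts the clock, a routine vulnerability advisory does not.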

How Safeguard.sh Helps

Safeguard.sh provides Australian critical infrastructure operators and their software suppliers with the supply chain visibility the SOCI Act demands. The platform generates comprehensive SBOMs, continuously monitors dependencies for vulnerabilities, and provides real-time alerting that supports the 12-hour incident reporting timeline. Safeguard.sh's policy gates help organizations enforce the security baselines required by CIRMPs, while compliance dashboards map directly to frameworks like ISO 27001 and the NIST CSF—giving both operators and regulators confidence in supply chain risk management.
