TL;DR
Australia's Department of Home Affairs has proposed significant amendments to the Critical Infrastructure Risk Management Program (CIRMP) Rules under the Security of Critical Infrastructure (SOCI) Act. The changes introduce more explicit expectations around material risks and more prescriptive obligations across cyber, supply chain, and personnel security domains. For responsible entities, now is the time to assess and prepare your risk management program for the proposed changes.
Australia's critical infrastructure operators are facing a material uplift in their regulatory obligations. The proposed amendments to the CIRMP Rules signal a shift from baseline compliance to continuous, evidence-driven risk management — and the consequences of non-compliance under the SOCI Act remain significant.
If your organisation is a responsible entity under the SOCI Act, here is what the amendments mean for your risk program and how to prepare.
Australia's SOCI Act has been the cornerstone of the nation's critical infrastructure protection regime since 2018. The requirement to adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) — a structured, documented approach to identifying and managing material risks — has applied to responsible entities for regulated critical infrastructure assets since 2023.
In December 2025, the Department of Home Affairs released a consultation paper on proposed enhancements to the CIRMP Rules, with submissions closing in February 2026. Following that process, an Exposure Draft of the amended Rules was released on 25 March 2026 for a second round of consultation.
The proposed changes span multiple areas, including the introduction of government-issued risk advice, expanded expectations for material risk identification, and more prescriptive obligations across cyber, supply chain, and personnel security.
This is not a minor update. For operators of designated high-risk asset classes — including critical electricity assets, critical gas assets, critical liquid fuel assets, critical water assets, critical broadcasting assets, critical domain name system assets, and critical freight services and freight infrastructure assets — the proposed changes represent a step-change in both the scope of risks that must be managed and the level of evidence required to demonstrate effective risk management.
The draft amendments propose a series of targeted reforms that would strengthen how responsible entities identify, assess, and manage risks across their CIRMPs. Rather than introducing a new framework, the changes expand expectations and introduce more prescriptive requirements across key risk domains.
More explicit expectations for identifying ‘material risks’
While the current CIRMP Rules already adopt an all-hazards approach, the proposed changes introduce more explicit expectations around the types of risks that must be considered.
This includes a stronger focus on areas such as foreign ownership, control and influence (FOCI), supply chain dependencies, cyber threats, and personnel-related risks. Entities would be expected to take a more structured and comprehensive approach to identifying and documenting how these risks impact the availability and function of their critical infrastructure assets.
As a result, organisations may need to revisit how they scope their risk registers and assess whether their current risk identification methodologies remain sufficient under the proposed rules.
Mandatory consideration of government-issued risk advice
A significant proposed addition is the introduction of “specified risk advice”. Under this measure, the Department of Home Affairs would be able to issue formal, intelligence-informed risk advisories applicable to specific sectors or asset classes.
Responsible entities operating high-risk asset classes would be required to assess whether the identified risks are relevant to their assets and take steps to minimise or eliminate them, as far as reasonably practicable, within defined timeframes.
This introduces a more dynamic model of risk management, where CIRMPs must continuously adapt to emerging threats rather than relying solely on periodic internal assessments.
More prescriptive cybersecurity requirements
The draft amendments introduce a substantial uplift in cyber security expectations for high-risk asset classes.
Key proposed changes include:
These changes reflect a shift from baseline cyber compliance towards a more resilient and threat-informed security posture.
Enhanced supply chain risk management
The amendments introduce more structured obligations around supply chain risk.
Responsible entities operating high-risk asset classes would be required to:
This recognises the growing role of supply chain compromise as a primary attack vector for critical infrastructure.
Strengthened personnel security requirements
Expectations around personnel-related risks have also been expanded.
Proposed measures include:
These changes reflect a broader shift towards managing insider and workforce-related risks as a core component of CIRMPs.
Centralised physical security management
The amendments also introduce obligations around physical security.
Responsible entities operating high-risk asset classes would be required to:
maintain a process or system to centrally manage physical security and natural hazards, including maintaining records of the location, ownership, and sensitive data associated with the asset.
Clearer expectations for maintaining and evidencing CIRMP effectiveness
Across all domains, the draft amendments reinforce that CIRMPs must be actively maintained and operationalised.
Responsible entities would be expected to:
This marks a clear move away from static, document-based compliance towards continuous, evidence-driven assurance.
Increased regulatory scrutiny and enforcement risk
While the amendments are still in draft form, they signal a continued shift towards stronger regulatory oversight under the SOCI Act.
The Department of Home Affairs retains the power to issue directions and take enforcement action where obligations are not met. As expectations become more prescriptive, organisations that treat CIRMP compliance as a one-time exercise may face increased regulatory and financial risk.
To prepare for the proposed amendments, organisations should take a proactive, structured approach to assessing and uplifting their CIRMP:
Start by mapping your current risk management program against the draft changes. Focus on how well your CIRMP addresses the expanded expectations across key areas, including material risk identification, cyber security maturity, supply chain dependencies, and personnel security.
This includes assessing whether your current approach:
Gaps identified at this stage will form the foundation of your uplift plan.
The proposed amendments reinforce that CIRMPs must be actively maintained and operationalised. Responsible entities will need to demonstrate that risks are being identified, assessed, and managed on an ongoing basis.
This means moving beyond static documentation to:
If your current approach relies on manual processes or disconnected systems, the gap between what exists and what may be required under the proposed rules could be significant.
Several of the proposed changes introduce more detailed and technical requirements across key risk domains.
Responsible entities operating high-risk asset classes should begin preparing for:
These are not minor adjustments and may require coordination across security, IT, procurement, and HR functions.
The introduction of “specified risk advice” means CIRMPs will need to adapt to externally issued, intelligence-informed guidance.
Organisations should consider how they will:
This represents a shift towards a more dynamic, continuously updated risk management model.
The consultation on the Exposure Draft closed on 1 May 2026. Organisations that did not participate should monitor the Department of Home Affairs for the final amended Rules and begin preparing for implementation.
For critical infrastructure operators, the proposed CIRMP amendments raise the bar for how risk management programs are designed, implemented, and maintained. Organisations will need to manage a broader set of risks across cyber, supply chain, and personnel domains, while demonstrating that these risks are actively identified, assessed, and mitigated over time.
This creates a significant operational challenge, particularly for organisations managing multiple assets, operating across jurisdictions, or working within constrained operational technology (OT) environments.
6clicks is purpose-built for exactly this level of complexity.
Our platform enables responsible entities to design, implement, and maintain a structured CIRMP aligned to SOCI Act requirements. With automated risk registers, multi-framework mapping, and evidence collection, 6clicks streamlines compliance with the SOCI Act and other requirements such as the Essential Eight, C2M2, AESCSF, and more, reducing manual burden. Hailey, our AI engine, can accelerate the identification of risks, map them to relevant controls, and surface gaps in your program before they become findings.
For organisations operating in restricted or air-gapped environments — a common reality in critical infrastructure — 6clicks supports sovereign and on-premises deployment options that keep your data inside your environment. The platform is designed to work where cloud-first GRC tools can't.
Finally, 6clicks' purpose-built Hub & Spoke architecture enables central oversight across multiple assets or entities while allowing local teams to manage risks independently. As CIRMP expectations become more dynamic — including the need to respond to government-issued risk advice — this model ensures consistency without sacrificing flexibility.
With continuous evidence collection embedded into workflows, organisations can demonstrate that their CIRMP is actively maintained and operational — turning compliance from a periodic exercise into a continuous, evidence-driven process.
Join our upcoming webinar — GRC that works where others can't — to hear how critical infrastructure organisations are building sovereign, audit-ready GRC programs that can stand up to the SOCI Act's amended CIRMP requirements. Register now.