Winning Australian government tenders demands more than offering value for money – it requires alignment with security standards. The Information Security Registered Assessors Program (IRAP) has become a cornerstone for organisations aiming to secure government contracts, particularly following the latest updates to the Protective Security Policy Framework (PSPF).
In this blog, we’ll explain the importance of IRAP assessments, highlight the PSPF updates that emphasise its necessity, and provide actionable steps to align your systems for tender success.
The role of IRAP Assessments in government tenders:
IRAP is a framework managed by the Australian Cyber Security Centre (ACSC) to assess systems for their alignment to government security standards. This is especially important for cloud and outsourced services.
Why IRAP accreditation matters:
- Alignment with government standards: It ensures alignment with the Australian Government Information Security Manual (ISM) and PSPF.
- Competitive advantage: Demonstrates that your organisation is secure and trustworthy.
- Risk reduction for agencies: Reduces the likelihood of cyber incidents and data breaches in government supply chains.
Impact of PSPF updates on IRAP:
The PSPF’s latest release mandates IRAP assessments for cloud and outsourced services. Agencies are no longer permitted to rely solely on internal assessments; they must use IRAP assessors.
The PSPF updates introduced:
- Mandatory IRAP assessments for external services
  - All outsourced and cloud services must undergo an IRAP assessment.
  - Internal or entity-specific assessments are no longer sufficient.
- Alignment with ASD’s cloud authorisation process
  - IRAP assessments must align with the Australian Signals Directorate’s Cloud Assessment and Authorisation (CAA) framework, ensuring a unified approach to securing cloud services.
- Enhanced third-party risk management
  - Emphasises mitigating risks introduced by foreign-owned or operated service providers through IRAP-assessed systems.
- Increased accountability
  - Government agencies now require IRAP-assessed solutions for any service handling sensitive information, ensuring all providers adhere to uniform standards.
These updates strengthen the role of IRAP in the tendering process, making it a prerequisite rather than an optional credential.
Steps to achieve and leverage IRAP assessments:
To position your organisation as a strong contender for government tenders, follow these steps:
- Assess your current systems
  - Perform a gap analysis against IRAP requirements, focusing on alignment with the ISM and PSPF.
- Engage an IRAP assessor
  - Work with an assessor to evaluate your systems.
  - Address identified weaknesses, such as insufficient encryption or inadequate incident response measures.
- Build compliance into your processes
  - Implement the Essential Eight to uplift cyber maturity.
  - Ensure data access is restricted based on roles and responsibilities.
- Highlight accreditation in tender submissions
  - Clearly articulate your IRAP assessment, explaining its relevance to the tender’s requirements.
- Regularly maintain and update your assessment
  - PSPF and ISM standards evolve, so ensure continuous compliance through periodic reviews and updates.
IRAP is not optional for organisations seeking Australian government tenders for digital services. The PSPF’s 2024 updates have made it a mandatory requirement for outsourced and cloud services. By achieving and maintaining an IRAP assessment, your organisation demonstrates compliance, enhances trust, and secures a competitive advantage in the tendering process.
Is your organisation ready for an IRAP assessment? Contact us for guidance and assessment, or share your experiences in the comments below!