

- Title: Security Legislation Amendment (Critical Infrastructure) Bill 2021
- Database: Amendments
- Date: 09-02-2022 07:04 PM
- Source: House of Reps
- System Id: legislation/amend/r6657_amend_967f296c-865c-45af-ae65-16b34ddef13f


2019-2020-2021
The Parliament of the
Commonwealth of Australia
Security Legislation Amendment (Critical Infrastructure) Bill 2020
(Government)
(1) Clause 2, page 2 (table item 2), omit the table item, substitute:
2. Schedule 1, Parts 1 and 2 | The day after this Act receives the Royal Assent. |
[commencement]
(2) Clause 2, page 2 (table item 3, column headed “Column 2”), omit “2020”, substitute “2021”.
[citation of Act]
(3) Schedule 1, page 4 (line 8), omit the heading.
[critical infrastructure risk management programs]
(4) Schedule 1, items 2 and 3, page 4 (lines 9 to 19), omit the items.
[critical infrastructure risk management programs]
(5) Schedule 1, item 5, page 4 (lines 25 and 26), omit paragraph (c).
[critical infrastructure risk management programs]
(6) Schedule 1, item 5, page 5 (lines 1 to 4), omit paragraph (d).
[enhanced cyber security obligations]
(7) Schedule 1, item 5, page 5 (line 5), before “(e)”, insert “; and”.
[object]
(8) Schedule 1, item 6, page 5 (lines 16 to 18), omit paragraph (b) of the paragraph beginning “The framework consists of the following:” in section 4.
[critical infrastructure risk management programs]
(9) Schedule 1, item 6, page 5 (lines 20 and 21), omit paragraph (d) of the paragraph beginning “The framework consists of the following:” in section 4.
[enhanced cyber security obligations]
(10) Schedule 1, item 6, page 6 (lines 20 and 21), omit the paragraph beginning “The Minister may privately declare a critical infrastructure asset” in section 4.
[systems of national significance]
(11) Schedule 1, item 7, page 13 (lines 23 and 24), omit the definition of critical infrastructure risk management program in section 5.
[critical infrastructure risk management programs]
(12) Schedule 1, item 7, page 14 (line 22), omit the definition of cyber security exercise in section 5.
[enhanced cyber security obligations]
(13) Schedule 1, item 7, page 15 (line 16), omit the definition of designated officer in section 5.
[enhanced cyber security obligations]
(14) Schedule 1, item 7, page 16 (line 1), omit the definition of evaluation report in section 5.
[enhanced cyber security obligations]
(15) Schedule 1, item 7, page 16 (lines 2 and 3), omit the definition of external auditor in section 5.
[enhanced cyber security obligations]
(16) Schedule 1, item 7, page 19 (line 3), omit the definition of incident response plan in section 5.
[enhanced cyber security obligations]
(17) Schedule 1, item 7, page 20 (line 32), omit “52(4); or”, substitute “52(4).”.
[notification provision]
(18) Schedule 1, item 7, page 20 (lines 33 and 34), omit paragraphs (r) and (s) of the definition of notification provision in section 5.
[systems of national significance]
(19) Schedule 1, item 11, page 21 (lines 22 and 23), omit paragraph (ba).
[systems of national significance]
(20) Schedule 1, item 11, page 21 (lines 27 to 31), omit paragraphs (bc) and (bd).
[critical infrastructure risk management programs]
(21) Schedule 1, item 11, page 22 (lines 1 to 6), omit paragraphs (bf) to (bh).
[enhanced cyber security obligations]
(22) Schedule 1, item 16, page 23 (line 23), before “10”, insert “sections”.
[security]
(23) Schedule 1, item 16, page 23 (lines 24 and 25), omit “, 12N,”, substitute “and 12N”.
[security]
(24) Schedule 1, item 16, page 23 (line 25), omit “30AG,”.
[critical infrastructure risk management programs]
(25) Schedule 1, item 16, page 23 (line 25), omit “30CB, 30CM, 30CR, 30CU and 30CW”.
[enhanced cyber security obligations]
(26) Schedule 1, item 17, page 23 (line 27), before “10”, insert “sections”.
[security]
(27) Schedule 1, item 17, page 23 (lines 28 and 29), omit “, 12N,”, substitute “and 12N”.
[security]
(28) Schedule 1, item 17, page 23 (line 29), omit “30AG,”.
[critical infrastructure risk management programs]
(29) Schedule 1, item 17, page 23 (line 29), omit “30CB, 30CM, 30CM, 30CR, 30CU and 30CW”.
[enhanced cyber security obligations]
(30) Schedule 1, item 18, page 24 (lines 20 and 21), omit the definition of system information event-based reporting notice.
[enhanced cyber security obligations]
(31) Schedule 1, item 18, page 24 (lines 22 and 23), omit the definition of system information periodic reporting notice.
[enhanced cyber security obligations]
(32) Schedule 1, item 18, page 24 (lines 24 and 25), omit the definition of system information software notice.
[enhanced cyber security obligations]
(33) Schedule 1, item 18, page 24 (lines 26 and 27), omit the definition of system of national significance.
[systems of national significance]
(34) Schedule 1, item 18, page 25 (line 13), omit the definition of vulnerability assessment.
[enhanced cyber security obligations]
(35) Schedule 1, item 18, page 25 (lines 14 and 15), omit the definition of vulnerability assessment report.
[enhanced cyber security obligations]
(36) Schedule 1, item 21, page 29 (lines 1 to 14), omit subsection 8G(3).
[systems of national significance]
(37) Schedule 1, item 32, page 53 (lines 10 to 13), omit subsection 12L(25).
[systems of national significance]
(38) Schedule 1, item 32, page 54 (after line 15), after subsection 12N(1), insert:
(1A) The following is an example of a situation where a person is not entitled to cause access, modification or impairment of a kind mentioned in subsection (1): a person who is an employee or agent of the responsible entity for an asset would exceed the person’s authority as such an employee or agent in causing such access, modification or impairment in relation to the asset.
[unauthorised access, modification or impairment]
(39) Schedule 1, item 39, page 57 (line 9) to page 66 (line 15), omit Part 2A.
[critical infrastructure risk management programs]
(40) Schedule 1, item 39, page 67 (line 23), at the end of subsection 30BBA(2), add:
; and (d) if the Minister is aware that an entity is the responsible entity for an asset that is, or is proposed to be, specified in the rules:
(i) give the entity a copy of the draft rules or amendments; and
(ii) if a submission is received from the entity within the 28-day period mentioned in paragraph (a)—give the entity a written statement that sets out the Minister’s response to the submission.
[consultation—rules]
(41) Schedule 1, item 39, page 68 (line 23), omit “48”, substitute “84”.
[notification of critical cyber security incidents]
(42) Schedule 1, item 39, page 68 (after line 27), at the end of section 30BC, add:
Exemption—written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head’s powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
[notification of critical cyber security incidents]
(43) Schedule 1, item 39, page 69 (after line 28), at the end of section 30BD, add:
Exemption—written record
(5) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by written notice given to an entity, exempt the entity from subsection (3) in relation to a report about a specified cyber security incident.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(6) A notice under subsection (5) is not a legislative instrument.
(7) The head (however described) of the relevant Commonwealth body (see section 30BF) may, by writing, delegate any or all of the head’s powers under subsection (5) to a person who:
(a) is an SES employee, or acting SES employee, in the relevant Commonwealth body; or
(b) holds, or is acting in, a position in the relevant Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(8) In exercising powers under a delegation, the delegate must comply with any directions of the head (however described) of the relevant Commonwealth body.
[notification of other cyber security incidents]
(44) Schedule 1, item 39, page 70 (after line 4), after section 30BE, insert:
For the purposes of this Part, a cyber security incident has a significant impact (whether direct or indirect) on the availability of an asset if, and only if:
(a) both:
(i) the asset is used in connection with the provision of essential goods or services; and
(ii) the incident has materially disrupted the availability of those essential goods or services; or
(b) any of the circumstances specified in the rules exist in relation to the incident.
Scope
(1) This section applies to rules made for the purposes of paragraph 30BEA(b).
Consultation
(2) If the Minister is aware that an entity is the responsible entity for a critical infrastructure asset, then, before making or amending the rules, the Minister must:
(a) give the entity a copy of the draft rules or amendments; and
(b) give the entity a written notice inviting the entity to make a submission to the Minister about the draft rules or amendments within 28 days after the notice is given; and
(c) consider any submission received within the 28-day period mentioned in paragraph (b); and
(d) if a submission is received from the entity within the 28-day period mentioned in paragraph (b)—give the entity a written statement that sets out the Minister’s response to the submission.
[significant impact]
(45) Schedule 1, item 39, page 70 (line 17) to page 95 (line 3), omit Part 2C.
[enhanced cyber security obligations]
(46) Schedule 1, item 44, page 95 (lines 19 to 24), omit section 35AAA.
[critical infrastructure risk management programs]
(47) Schedule 1, item 45, page 103 (after line 16), at the end of section 35AD, add:
(3) If subsection (1) or (2) requires an entity to be consulted, that consultation must involve:
(a) giving the entity a copy of the draft Ministerial authorisation; and
(b) inviting the entity to make a submission to the Minister about the draft Ministerial authorisation within 24 hours after receiving the copy of the draft Ministerial authorisation.
[consultation—Ministerial authorisation]
(48) Schedule 1, item 45, page 114 (lines 5 to 10), omit section 35AU.
[critical infrastructure risk management programs]
(49) Schedule 1, item 45, page 122 (after line 23), at the end of Part 3A, add:
Division 6 — Reports to the Parliamentary Joint Committee on Intelligence and Security
35BK Reports to the Parliamentary Joint Committee on Intelligence and Security
(1) If the Secretary gives one or more directions under section 35AK or 35AQ, or one or more requests under section 35AX, in relation to a cyber security incident, the Secretary must give the Parliamentary Joint Committee on Intelligence and Security a written report about the incident.
(2) The report must include a description of each of the directions or requests.
[reports to the PJCIS]
(50) Schedule 1, item 53A, page 124 (lines 15 to 17), omit the item.
[systems of national significance]
(51) Schedule 1, item 61, page 134 (line 12), omit paragraph (2A)(b).
[critical infrastructure risk management programs]
(52) Schedule 1, item 66, page 135 (line 18) to page 140 (line 8), omit the item.
[systems of national significance]
(53) Schedule 1, item 69, page 140 (lines 15 to 20), omit paragraphs (f) and (g).
[critical infrastructure risk management programs]
(54) Schedule 1, item 69, page 140 (line 21), before “(h)”, insert “; and”.
[periodic report]
(55) Schedule 1, item 69, page 140 (lines 25 to 32), omit paragraphs (j) to (m).
[enhanced cyber security obligations]
(56) Schedule 1, item 69, page 141 (line 8), omit “financial year; and”, substitute “financial year.”.
[periodic report]
(57) Schedule 1, item 69, page 141 (lines 9 to 11), omit paragraph (r).
[systems of national significance]
(58) Schedule 1, page 142 (after line 3), after item 70, insert:
70A After section 60A
Insert:
60B Review of this Act
The Parliamentary Joint Committee on Intelligence and Security may:
(a) review the operation, effectiveness and implications of this Act; and
(b) report the Committee’s comments and recommendations to each House of the Parliament;
so long as the Committee begins the review before the end of 3 years after the Security Legislation Amendment (Critical Infrastructure) Act 2021 receives the Royal Assent.
[review]
(59) Schedule 1, heading to Part 3, page 144 (line 3), omit “2020”, substitute “2021”.
[citation of Act]