The Australian Government announced an update to its Information Security Manual and introduced new Guidelines for Software Development released in September 2025. This initiative enhances the protection of software throughout the entire development and deployment lifecycle across Canberra and all Commonwealth entities. All software artefacts must be scanned for malicious code before importing them into the authoritative source for software. Each software artefact must undergo verification through a digital signature or secure hash before integration.
The recent modifications address increasing threats linked to data infrastructure, cloud storage, data sharing, artificial intelligence and vulnerabilities within the software supply chain. They follow national cybersecurity standards outlined in the ISM. The objective is to ensure the integrity of sources, thwart the infiltration of malicious code and guarantee that digital government services in the public sector uphold trust, safeguard privacy and eliminate data silos.
The framework sets essential requirements for agencies to enforce controls during all phases of software development, including source code management, build and deployment processes and third-party integrations. Regulations require implementing multi-factor authentication for repository access, using verified cryptographic signatures for code, and conducting ongoing monitoring of cloud storage environments. Agencies must carry out risk assessments to pinpoint vulnerabilities within artificial intelligence applications, data infrastructure and systems that facilitate data collection and sharing.
Agencies must also protect Commonwealth information from unauthorised disclosure when software interacts with non-government systems. The official guidance states that several factors must be evaluated before non-public Commonwealth information is disclosed to non-government recipients: the context, scope, sensitivity and value of the information, the potential recipients, and the risks associated with the proposed disclosure. The framework carries this principle into software design and deployment practice by requiring agencies to classify data and apply controls proportionate to the associated risk.
Significant changes to policy include:
- Mandatory source integrity protections: Agencies must implement cryptographic verification and automate all code scanning before deployment. This proactive measure significantly reduces the risk of malicious code insertion that could disrupt critical services like taxation systems and health records platforms.
- Expanded confidentiality requirements: Sharing software components with external parties requires formal confidentiality measures and non-disclosure agreements in high-risk scenarios to protect sensitive government datasets, like censuses or defence information, from exposure.
- Data governance obligations: Agencies must enhance oversight of data silos and facilitate effective data collaboration by implementing strict access permissions, bolstering privacy safeguards, and promoting secure data sharing among departments, including health, social services, and immigration.
- Enhanced risk assessments: Risk assessments now require encompassing the resilience of cloud storage, dependencies on third parties and the use of artificial intelligence applications. This approach enables agencies to foresee potential disruptions in digital service delivery and protect essential data infrastructure.
- Ongoing compliance monitoring: Entities must proactively monitor non-government recipients of Commonwealth information, ensure their continued compliance with security obligations, and minimise the risk of data misuse or reputational damage.
The framework shows the government’s commitment to enhancing cybersecurity and fostering digital trust. Integrating security measures throughout the software development process helps the public sector reduce vulnerability risks, ensure uninterrupted digital services, and protect sensitive information belonging to citizens.
The Department of Finance emphasised the need to apply confidentiality and security measures uniformly across all engagements and highlighted that “different levels of sensitivity require different precautions.”
This follows the framework’s structured methodology, which scales security obligations with the criticality of the software and the sensitivity of the information it processes. The framework represents a significant step forward in Australia’s Digital Government strategy, aligning service delivery with security measures and strengthening data governance practices.
It upholds privacy protections while facilitating secure collaboration and data sharing. The measures address the challenges that arise when artificial intelligence systems and large-scale data collection tools interact with sensitive Commonwealth information. Agencies can foster innovation and maintain integrity by eliminating data silos and implementing uniform cybersecurity measures.
Australia’s public sector must ensure the security of software during development and deployment. The revised ISM guidelines, unveiled in September 2025, present targeted measures to prevent malicious code, verify artefacts, and enforce traceability within the supply chain. Agencies must now use an authoritative source for all software development activities, limit third-party libraries to trusted ones, and apply both static and dynamic testing to software components.
Effective strategies separate development, testing and production environments, ensure that every artefact is scanned and signed, and maintain build provenance and software bills of materials to strengthen accountability. Going forward, public sector organisations must prioritise investment in the security of their data infrastructure.
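The article states that each artefact must be verified by digital signature or secure hash before it is admitted to the authoritative source. The following is an added illustration of the secure-hash path, not code from the ISM or from any government project: artefacts are compared against a manifest of expected SHA-256 digests published by the trusted build pipeline, and anything unlisted or mismatched is rejected. The manifest layout, file names and byte contents are constructed for the example; the digital-signature alternative is not shown.

```python
"""Artefact admission gate: verify a secure hash before an artefact is accepted
into the authoritative source.  Added example; manifest format and artefact
names are assumptions, not part of the ISM guidelines."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample artefacts (byte strings standing in for files from a build).
SAMPLE_ARTEFACTS = {
    "service-1.4.2.tar.gz": b"constructed tarball contents for the service build\n",
    "lib-dep-0.9.whl": b"constructed wheel contents for a third-party dependency\n",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an in-memory artefact, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Same digest for an on-disk artefact, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed manifest of expected digests.  In practice this is produced by the
# trusted build pipeline and delivered separately from the artefacts themselves.
EXPECTED_MANIFEST = {
    "service-1.4.2.tar.gz": sha256_hex(SAMPLE_ARTEFACTS["service-1.4.2.tar.gz"]),
    "lib-dep-0.9.whl": sha256_hex(SAMPLE_ARTEFACTS["lib-dep-0.9.whl"]),
}


@dataclass(frozen=True)
class AdmissionResult:
    name: str
    admitted: bool
    reason: str


def verify_artefact(name: str, data: bytes, manifest: dict) -> AdmissionResult:
    """Admit an artefact only if it is listed in the manifest and its digest matches."""
    expected = manifest.get(name)
    if expected is None:
        # Unknown artefacts are rejected outright: no digest, no admission.
        return AdmissionResult(name, False, "not listed in manifest")
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return AdmissionResult(
            name, False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
        )
    return AdmissionResult(name, True, "digest verified")


def demo() -> dict:
    """Run the gate over a clean artefact, a tampered one and an unlisted one."""
    good = verify_artefact(
        "service-1.4.2.tar.gz", SAMPLE_ARTEFACTS["service-1.4.2.tar.gz"], EXPECTED_MANIFEST
    )
    # Constructed tampering: a trailing line appended after the manifest was published.
    tampered_bytes = SAMPLE_ARTEFACTS["lib-dep-0.9.whl"] + b"# appended after signing\n"
    tampered = verify_artefact("lib-dep-0.9.whl", tampered_bytes, EXPECTED_MANIFEST)
    unlisted = verify_artefact("unknown-2.0.zip", b"constructed unknown content", EXPECTED_MANIFEST)
    return {"good": good, "tampered": tampered, "unlisted": unlisted}


if __name__ == "__main__":
    for label, result in demo().items():
        status = "ADMIT " if result.admitted else "REJECT"
        print(f"{status} {label:<9} {result.name}: {result.reason}")
```

The gate fails closed: an artefact that is absent from the manifest is treated the same as one whose contents changed, which is the behaviour the guidelines call for before anything enters the authoritative source. Scanning for malicious code is a separate step that would sit alongside this check rather than replace it.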
They must enhance oversight of artificial intelligence initiatives, strengthen data management to prevent data silos and privacy problems, and ensure that cloud storage and data sharing comply with national cybersecurity regulations. The vision is a robust digital government in which cybersecurity builds confidence in artificial intelligence and improves data collaboration and service delivery.
Justin Lavadia is a content producer and editor at Public Spectrum with a diverse writing background spanning various niches and formats. With a wealth of experience, he brings clarity and concise communication to digital content. His expertise lies in crafting engaging content and delivering impactful narratives that resonate with readers.
