Home Affairs minister Karen Andrews has published the implementation of Australia's critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors.
Under the Security of Critical Infrastructure 2018 Act, multiple industry assets are deemed to be critical.
These range from telcos and internet service providers to fuel companies, data storage and processing organisations, freight forwarders, banking, insurnance and finance, along with food and grocery assets.
Domain name systems are deemed critical, for resolving consumer queries of links to internet protocol addresses.
Four Queensland sugar mills are exempted by name from the law.
ACSC asks that critical cyber security incidents that have significant impact on the availability of assets covered by the Act are reported within 12 hours after the operators become aware of the issue.
Verbal reports to ACSC must be accompanied by written notifications with in 84 hours, the government says.
Significant impact is defined as an infrastructure incident has materially disrupted the availability of essential good and services.
Other incidents that have a relevant impact on industry assets must be reported to the ACSC within 72 hours.
Update: A grace period of up to three months from April 8 2022 applies for the mandatory incident reporting to ACSC.
This gives critical infrastructure operators until July 8 to report incidents; however, Home Affairs strongly encourages all assets to voluntarily report to the ACSC now.