Report 13: 2025–26

Managing third-party cyber security risks

This report examines how effectively 3 public sector entities manage third-party cyber security risks. We also assess how effectively the Department of Customer Services, Open Data and Small and Family Business and the Department of Housing and Public Works lead and build capability to manage third-party cyber security risks across the public sector.

Overview

Entities are increasingly using third parties, such as IT vendors, accounting firms, marketing businesses, and consultants, to deliver products or services. The use of third parties enables operational efficiency and digital innovation, but also introduces cyber security risks. Entities that do not manage these risks effectively may experience a cyber attack through a third party, leading to a loss of privacy, financial cost, reputational damage, and other ramifications.

We audited one state government department, one statutory body, and one local government entity. We have not publicly named these entities to protect their information environments.

Tabled 26 March 2026. 

Checklist for managing third-party cyber security risks


Report summary

This report examines how effectively public sector entities identify and manage third-party cyber security risks. 

In this audit, we assess how effectively 3 entities manage third-party cyber security risks. We audited one state government department, one statutory body, and one local government entity. We have not named these entities to avoid publicly identifying any security vulnerabilities.

We also assess how effectively the Department of Customer Services, Open Data and Small and Family Business (CDSB) and the Department of Housing and Public Works (DHPW) lead and build capability to manage third-party cyber security risks across the public sector.


What is important to know about this audit?

The increasing frequency and sophistication of cyber attacks can expose entities that have weak cyber security.

Entities are increasingly using third parties, such as information technology (IT) vendors, to deliver products and services. These businesses and individuals form part of entities’ supply chains. 

The use of third parties enables operational efficiency and digital innovation. However, it also introduces cyber security risks as some third parties require access to IT systems. In this report, we refer to these risks as third-party cyber security risks. 

Effective systems, processes, and controls enable entities to manage these risks. This includes robust risk management processes, strong procurement and contract management practices, and effective IT security controls.

Entities that do not manage these risks effectively may experience a cyber attack through a third party, leading to a loss of privacy, financial cost, reputational damage, and other ramifications.


What did we find?

The 3 entities we audited (the entities) need to strengthen their IT security controls to manage third-party cyber security risks. 

We tested the effectiveness of the entities’ IT security controls and assessed if a third-party account could bypass their controls and access sensitive information and systems.

Each entity had implemented IT security controls that provided some protection but were not effective in preventing a third-party cyber breach.

In each of the entities, we were able to obtain passwords, access systems, and extract sensitive information outside the intended scope of a third-party user. For 2 of them, we were able to bypass controls and gain the highest level of access to their IT environments. 

The entities do not know how vulnerable they are to third-party cyber security threats. 

The entities have not adequately identified and assessed their third-party cyber security risks and have not developed appropriate mitigation controls. As such, they cannot understand the extent of their supply chain risk. 

The entities are not effectively managing their third-party cyber security risks during procurement. 

The entities are not consistently applying better practice principles in their contracts to manage their third‑party cyber security risks. Only 2 of 36 contracts we reviewed included requirements for third parties to report their cyber security incidents and vulnerabilities. This means that entities can have risks that they are unaware of and therefore cannot effectively manage. 

CDSB has begun building capability across the public sector to manage third-party cyber security risks but needs to do more to be effective.    

CDSB has established forums to lead a whole-of-government approach to managing cyber security risks, including third-party cyber security risks. These forums meet regularly and share relevant information with entities about incidents and threats. 

CDSB is not actively assessing and monitoring third-party cyber capability across the public sector. Its focus has been on entities’ overall cyber security capability, but it recognises the need for more tailored support to help entities manage their third-party cyber security risks. 

CDSB is working to improve its understanding of capability across the public sector, but more needs to be done. This will be important to ensure it effectively targets its information, training, and cyber simulations.   

The Queensland Government has been slow to develop a framework to help entities manage their third-party cyber security risks. The Australian Signals Directorate has been raising these risks since 2021. CDSB is drafting a whole-of-government framework, which incorporates better practice. 

DHPW does not know whether entities are using its guidance to manage their third-party cyber security risks during procurement. 

DHPW’s guidance aligns to better practice, and includes key principles to manage supply chain risk in the procurement process.

DHPW has no process or mechanism to follow up with entities to understand whether they are applying the guidance.



What do entities need to do?

We recommend:

  • CDSB strengthens how it leads and builds capability across the public sector to better manage third‑party cyber security risks 

  • DHPW assesses whether entities are applying its guidance about managing third-party cyber security risks during procurement, and provides appropriate advice where necessary.

We recommend all state and local government entities:

  • identify, assess, and monitor their third-party cyber security risks 

  • strengthen their procurement and contract management practices 

  • review and update their IT security controls to better manage third-party cyber security risks.

During the audit, we provided the 3 entities with a detailed management letter and recommendations to address the findings and vulnerabilities specific to them. 


1. Audit conclusions

The 3 public sector entities we audited (the entities) were unable to effectively identify and manage their third-party cyber security risks. Using a third-party account, we bypassed their controls, gained access to their corporate systems, and extracted sensitive information.

While the entities had implemented some policies, processes, and controls to identify and manage third-party cyber security risks, gaps remained. In isolation, many of the gaps or issues may seem relatively minor. However, collectively they created vulnerabilities that unnecessarily exposed the entities to third-party cyber attack – compromising their systems, data, and sensitive information.

The Department of Customer Services, Open Data and Small and Family Business (CDSB) and the Department of Housing and Public Works (DHPW) are not effectively building capability across the public sector to manage third-party cyber security risks. Throughout this report, we identify the increasing effort they are taking to support entities to manage these risks; however, there is more they can do.

The outcomes and findings of this audit warrant the attention of executives and key staff of all public sector entities. This includes key staff in information technology and cyber security, and those from other business functions such as procurement, contract, and risk management. Our findings and recommendations should give all entities cause to assess and act to strengthen policies, processes, and controls to better manage third-party cyber security risks.


2. Recommendations

Information technology (IT) security controls

We recommend all public sector entities and local governments:

  1. review and, where needed, update their identity and access management controls. This should include:
    • ensuring third parties only have the minimum permissions and access needed to perform their job
    • ensuring access controls operate consistently across the IT environment
    • ongoing monitoring to ensure identity and access management controls are working as intended.

  Entity responses: CDSB: Agree; DHPW: Agree; Entity A: Agree; Entity B: Agree; Entity C: Agree

  2. ensure their monitoring and alert controls appropriately identify and alert suspicious activity by users, including third parties. This should include appropriate logging and alerting controls across their entire IT environment to detect suspicious activity, such as the injection and execution of scripts and exfiltration of data.

  Entity responses: CDSB: Agree; DHPW: Agree; Entity A: Agree; Entity B: Agree; Entity C: Agree

Identifying and assessing risk

We recommend all public sector entities and local governments:

  3. review and, where needed, update their IT policies and procedures to ensure they provide appropriate guidance about identifying, assessing, and monitoring third‑party cyber security risks and developing mitigation controls.
  4. identify their supply chain and third-party cyber security risks, assess the impact and likelihood of the risks, and ensure mitigation controls are effective.

  Entity responses: CDSB: Agree; DHPW: Agree; Entity A: Agree; Entity B: Agree; Entity C: Agree

Procurement and contract management

We recommend all public sector entities and local governments:

  5. review and, where needed, strengthen their procurement and contract management practices to better manage third-party cyber security risks. This should include:
    • clearly documenting the expectations and security requirements of third parties
    • ensuring contracts have appropriate clauses, such as a requirement for third parties to report cyber security incidents and vulnerabilities
    • monitoring third-party cyber security risks in contracts to ensure the level of risk is appropriate and the mitigation controls remain effective
    • ensuring staff have the right knowledge and skills to manage third-party cyber security risks during procurement and throughout the lifecycle of the contract.

  Entity responses: CDSB: Agree; DHPW: Agree; Entity A: Agree; Entity B: Agree; Entity C: Agree

Building capability

We recommend the Department of Customer Services, Open Data and Small and Family Business:

  6. strengthens its leadership role to help entities manage their third-party cyber security risks by:
    • updating its cyber skills framework to include third-party cyber security
    • collecting and analysing information from entities about how they manage their third-party cyber security risks as part of their information and cyber security (IS18) annual returns, or other mechanisms
    • assessing supply chain risk across the public sector and the maturity of public sector entities to manage these risks
    • coordinating training, simulations, and other capability-building activities focused on gaps across the public sector
    • publishing its supply chain risk framework and other better practice guidance
    • following up with entities to confirm they have acted on advice for high risk third-party cyber threats and vulnerabilities.

  Entity response: CDSB: Agree

Applying better practice

We recommend the Department of Housing and Public Works:

  7. assesses whether public sector entities are aware of and have implemented its guidance about managing third-party cyber security risks during procurement. This should include providing advice and training pathways to help state government entities strengthen their procurement practices where necessary.

  Entity response: DHPW: Agree

Reference to comments

In accordance with s. 64 of the Auditor-General Act 2009, we provided a copy of this report to relevant entities. In reaching our conclusions, we considered their views and represented them to the extent we deemed relevant and warranted. Any formal responses from the entities are at Appendix A.


3. Third-party cyber security risks

This chapter describes third-party cyber security risks and the responsibilities of public sector entities to manage them.

What are third-party cyber security risks?

Entities are placing greater focus on strengthening their cyber security in response to the escalating frequency and sophistication of cyber attacks. Cyber security risks are the potential loss of confidentiality, integrity, or availability of information, data, or information systems due to a cyber attack. While there are different types of cyber security risks that entities face, an increasingly common one relates to third parties.

Entities increasingly use third parties to deliver products or services. A third party is any person or business that provides goods and services to another entity. They include information technology (IT) vendors, software development teams, accounting firms, marketing businesses, consultants, and other companies. These third parties form part of an entity’s supply chain.

Some third parties within an entity’s supply chain require access to IT systems. If entities do not manage third-party access to their systems effectively, it can create risks. In this report, we refer to these risks as third-party cyber security risks.

Entities’ reliance on third parties expands the potential for a cyber attack beyond the perimeter of an entity’s IT environment. For example, a cyber criminal may gain access through a compromised third party without breaching the entity directly. In addition, if weaknesses exist in an entity’s controls, a contractor or vendor employee acting outside the scope of their agreed work may gain access to sensitive information. Figure 3A highlights common attack pathways for third-party cyber security incidents.

FIGURE 3A
Common attack pathways for third-party cyber security incidents
[Infographic not reproduced in this text version]

Compiled by Queensland Audit Office.

Types of third-party cyber security risks and their impacts

There are different types of third-party cyber security risks for public sector entities and the businesses within the entities’ supply chains.

Figure 3B captures some common third-party cyber security risks, the sources of those risks, and the potential impacts.

FIGURE 3B
Third-party cyber security risks
[Infographic not reproduced in this text version]

Compiled by Queensland Audit Office.

If entities do not manage third-party cyber security risks effectively, the impacts can be significant, leading to financial losses, reputational damage, and other consequences.

In 2023–24, the Australian Signals Directorate (ASD) responded to 107 cyber security incidents related to entities’ supply chains. This represents almost 10 per cent of all cyber security incidents that the ASD responded to in 2023–24.

Over the last 5 years, the ASD has consistently raised third-party cyber security risks as a key issue.

In its Annual Cyber Threat Report 2024–25, the ASD recommended entities bolster their cyber defences by effectively managing third-party cyber security risks.

How do entities manage these risks?

To manage third-party cyber security risks effectively, entities need to understand their supply chain, and the third parties that have access to their IT systems. By identifying and assessing risks in their supply chain, entities can design and implement effective controls.

Entities can implement a range of controls to manage third-party cyber security risks, including:

  • undertaking due diligence checks before engaging a third-party
  • strengthening contracts to include recommended clauses and security requirements
  • developing and implementing effective IT security controls and business processes
  • assessing the IT security controls of third parties and monitoring their response to cyber incidents.

Entities need to continually monitor and improve their systems and controls to ensure they effectively manage third-party cyber security risks. This is important given the rapid development in technology, such as artificial intelligence, which has enabled cyber criminals to execute attacks on a larger scale and at a faster rate.

Standards, frameworks, and guidance

The Commonwealth and Queensland Government provide a range of frameworks, policies, and standards to help entities manage their cyber security and third-party cyber security risks. In Appendix C, we describe the purpose of these relevant standards, frameworks, and guidance.

Who is responsible for managing the risks?

All state and local government entities and government owned corporations are responsible for managing their cyber security risks, including third-party cyber security risks.

The accountable officers of departments and some statutory bodies have specific responsibilities under the Queensland Government’s Information and cyber security policy (IS18). This includes maintaining minimum security requirements.

While councils do not have mandatory responsibilities under IS18, they are responsible for managing their cyber security. There is value in councils considering and, where necessary, applying better practice guidance provided by the Queensland Government and other entities.

The Department of Customer Services, Open Data and Small and Family Business

The Department of Customer Services, Open Data and Small and Family Business (CDSB) came into effect in November 2024. It has a lead role in strengthening the Queensland Government’s cyber security capabilities. 

This includes third-party cyber security:

  • leadership and direction
  • governance, policy, standards and guidance
  • intelligence capability, and awareness.

These responsibilities previously sat with the cyber security unit within the Department of Transport and Main Roads. 

CDSB is also responsible for overseeing implementation of the Queensland Cyber Security Strategy 2025–2027.

Department of Housing and Public Works

The Department of Housing and Public Works (DHPW) is responsible for whole-of-government procurement policy and has issued guidance on managing cyber security in procurement. It outlines the principles and controls entities should apply to manage their cyber security risks when procuring IT goods and services. DHPW’s guidance is primarily intended for state government entities; however, it is also relevant to local governments.

What did we audit?

In this audit, we examined how effectively public sector entities identify and manage third-party cyber security risks. We assessed how effectively central agencies lead and build capability to manage third‑party cyber security risks across the public sector. We also assessed the effectiveness of third-party cyber security controls and risk management practices of 3 selected entities across state and local governments. We have not named these entities to avoid publicly identifying any security vulnerabilities. Appendix B outlines our audit approach.


4. Managing third-party cyber security risks

In this chapter, we examine how effectively 3 public sector entities (the entities) manage their third-party cyber security risks. This includes how effectively they:

  • identify and assess their risk
  • design and implement effective controls
  • monitor their risks and improve their processes.

We tested the effectiveness of the entities’ information technology (IT) security controls to manage their third-party cyber security risks. We assessed if a third-party account could bypass the entities’ IT security controls and access sensitive information and systems.

We audited one state government department, one statutory body, and one local government. We have not named them in this report to avoid compromising their security.

Are entities effective at preventing a third-party cyber breach?

The entities need to strengthen their IT security controls to manage third-party cyber security risks

The 3 entities we audited did not have effective IT security controls to prevent a third-party cyber breach.

We tested the effectiveness of the entities’ security controls to manage their third-party cyber security risks, including their:

  • identity and access management controls
  • monitoring and alerting controls.

We assessed if a third-party account could bypass the entities’ IT security controls and access sensitive information and systems. We undertook technical testing over 2 weeks, using common testing techniques to reflect realistic cyber criminal behaviour. We did not use the more advanced tactics that some cyber criminals employ, as these are less common.

The entities had implemented security controls to manage their third-party cyber security risks. While these controls provided a level of protection, we found gaps in how they manage access and monitor activity, which we could exploit.

Managing what third parties can access

The entities need to strengthen their IT security controls for managing third-party access in their corporate networks. We were able to access their networks in a way that extended beyond what the entities intended for their third-party users. We also identified weaknesses in their security controls. We were able to exploit some of these weaknesses to access credentials and exfiltrate sensitive information.

Effective identity and access management controls help ensure entities manage the lifecycle of accounts, including creating and maintaining accounts in line with their business needs. Identity and access management governs who can access what resources and under what conditions. It helps to ensure third parties can only access the systems necessary for their roles, giving them the least privilege necessary to perform their work.

All 3 entities had security controls for managing a user’s access to the systems and applications inside their networks. Some of these identity and access management controls worked effectively and prevented us accessing applications outside the scope of a third-party user. They:

  • disconnected access when our test user account became idle, and required reauthentication
  • prevented us from bypassing logon restrictions
  • blocked attempts to access the internet through different channels.

Other controls were not effective and allowed us to move laterally to parts of the entities’ networks that were beyond the business need.

We were able to find sensitive information, including some passwords and credentials. Some of these passwords and credentials were in cleartext. This is not good practice because it creates a weakness that a cyber criminal can exploit. For 2 entities, we were able to use the passwords we found and elevate permissions to administrator level without appropriate approval. With this level of access, a user can install and uninstall software, change system settings, manage other users, access all files, and modify security settings. It also allows a user to delete audit logs, enabling them to cover their tracks.

In one entity, we created a fake third-party account, elevated the permissions, and gained access to the entity’s key corporate system that captures its finance, payroll, and human resources information. We did not undertake further testing in this entity’s corporate system to ensure we did not disrupt its operations.

Recommendation 1

We recommend all public sector entities and local governments review and, where needed, update their identity and access management controls. This should include:

  • ensuring third parties only have the minimum permissions and access needed to perform their job
  • ensuring access controls operate consistently across the IT environment
  • ongoing monitoring to ensure identity and access management controls are working as intended.
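The first and third points of Recommendation 1 can be checked mechanically. The Python script below is an added example, not code from the report or from any audited entity. It assumes a constructed directory export of third-party accounts and an approved access baseline per vendor engagement (both hypothetical), and flags accounts holding groups beyond their baseline, privileged-group membership, accounts still enabled after the contract has ended, and dormant accounts.

```python
"""Least-privilege review of third-party accounts against an approved access baseline."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed
DORMANT_DAYS = 45  # assumption: an enabled account with no logon for 45 days is dormant


@dataclass(frozen=True)
class Engagement:
    """Assumed contract-management record: groups a vendor's staff may hold, and until when."""
    vendor: str
    approved_groups: frozenset[str]
    contract_end: date


@dataclass(frozen=True)
class Account:
    """Assumed directory-export record for one third-party user account."""
    name: str
    vendor: str
    groups: frozenset[str]
    last_logon: date | None
    enabled: bool


def review_account(acc: Account, engagements: dict[str, Engagement], today: date) -> list[str]:
    """Return least-privilege findings for one account; an empty list means it passes."""
    findings: list[str] = []
    engagement = engagements.get(acc.vendor)
    if engagement is None:
        findings.append(f"no approved engagement on record for vendor {acc.vendor}")
    else:
        # Recommendation 1: only the minimum permissions and access needed for the job.
        excess = acc.groups - engagement.approved_groups
        if excess:
            findings.append(f"groups beyond approved baseline: {sorted(excess)}")
        if acc.enabled and today > engagement.contract_end:
            findings.append(f"still enabled after contract ended on {engagement.contract_end}")
    # Privileged groups are flagged even when a baseline lists them, so the approval stays visible.
    privileged = acc.groups & PRIVILEGED_GROUPS
    if privileged:
        findings.append(f"member of privileged groups: {sorted(privileged)}")
    if acc.enabled:
        if acc.last_logon is None:
            findings.append("enabled but has never logged on")
        elif (today - acc.last_logon).days > DORMANT_DAYS:
            findings.append(f"enabled but dormant: last logon {acc.last_logon}")
    return findings


def review_all(accounts: list[Account], engagements: dict[str, Engagement], today: date) -> dict[str, list[str]]:
    """Map each account name to its findings, omitting accounts that pass."""
    results: dict[str, list[str]] = {}
    for acc in accounts:
        findings = review_account(acc, engagements, today)
        if findings:
            results[acc.name] = findings
    return results


# Constructed sample data: two vendor engagements and four third-party accounts.
ENGAGEMENTS = {
    "acme-it": Engagement("acme-it", frozenset({"VPN-Users", "App-Finance-Support"}), date(2026, 12, 31)),
    "payroll-co": Engagement("payroll-co", frozenset({"VPN-Users", "App-Payroll-Read"}), date(2025, 6, 30)),
}
ACCOUNTS = [
    Account("ext-acme01", "acme-it", frozenset({"VPN-Users", "App-Finance-Support"}), date(2026, 2, 9), True),
    Account("ext-acme02", "acme-it", frozenset({"VPN-Users", "App-Finance-Support", "Domain Admins"}),
            date(2026, 2, 8), True),
    Account("ext-payroll01", "payroll-co", frozenset({"VPN-Users", "App-Payroll-Read"}), date(2025, 5, 2), True),
    Account("ext-unknown01", "orphan-vendor", frozenset({"VPN-Users"}), None, True),
]
TODAY = date(2026, 2, 10)

if __name__ == "__main__":
    for name, findings in review_all(ACCOUNTS, ENGAGEMENTS, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the review on a schedule and routing its findings to the contract owner gives the ongoing monitoring that the recommendation asks for.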

Monitoring what third parties are doing

The 3 entities we audited need to strengthen their monitoring and alerting controls to ensure they quickly detect unauthorised third-party activity and respond effectively.

Effective monitoring and alerting controls enable organisations to identify, investigate, and respond to suspicious or malicious activity within their IT environment. When implemented effectively, these controls form a critical layer of defence against both internal misuse and external attacks.

All 3 entities have dedicated IT security teams that continuously monitor user activity. They have controls designed to block inappropriate activity or flag it for further investigation. In addition, the entities log third‑party access and activity. If an incident occurs, the logs provide an audit trail, which can help IT teams determine what, when, and how the incident occurred.

Some of the entities’ monitoring and alerting controls worked effectively. They identified and alerted on login attempts outside of standard business hours and identified the use of unauthorised tools, which could be used for cyber attacks.

Across the 3 entities, we also found gaps in their monitoring and alerting controls. We were able to undertake unauthorised activity without the entities identifying and blocking it. This included:

  • extracting data and files from the entities’ IT environments
  • running malicious code and custom scripts
  • creating or changing user accounts and user permissions.

Recommendation 2

We recommend all public sector entities and local governments ensure their monitoring and alert controls appropriately identify and alert suspicious activity by users, including third parties. This should include appropriate logging and alerting controls across their entire IT environment to detect suspicious activity, such as the injection and execution of scripts and exfiltration of data.
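As an added illustration of the logging and alerting controls Recommendation 2 describes (not code from the report or from the audited entities), the Python script below applies four detection rules to constructed audit log lines for third-party accounts: script host execution, large outbound transfers, account and group changes, and after-hours logons. The log format, the ext- naming prefix, the group names and the thresholds are all assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

THIRD_PARTY_PREFIX = "ext-"  # assumption: vendor accounts carry an "ext-" prefix
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}  # assumed watchlist
PRIVILEGED_GROUPS = {"Domain_Admins", "Enterprise_Admins", "Administrators"}  # assumed; underscores as logged
BUSINESS_HOURS = (7, 19)  # assumption: 07:00 to 19:00 local time
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # assumption: one transfer of 50 MB or more is flagged

# Constructed log format: "<ISO timestamp> user=<name> event=<type> key=value ..." (no spaces in values)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")

# Constructed sample log: one vendor account, one staff account, one malformed line.
SAMPLE_LOG = """\
2026-02-10T09:15:02 user=ext-vendor01 event=logon host=WS-0412 result=success
2026-02-10T09:16:40 user=ext-vendor01 event=process_start image=notepad.exe args=-
2026-02-10T09:20:11 user=ext-vendor01 event=process_start image=powershell.exe args=-File_collect.ps1
2026-02-10T09:31:55 user=ext-vendor01 event=user_created target=svc-backup2
2026-02-10T09:32:10 user=ext-vendor01 event=group_add target=svc-backup2 group=Domain_Admins
2026-02-10T22:05:33 user=ext-vendor01 event=logon host=WS-0412 result=success
2026-02-10T22:07:02 user=ext-vendor01 event=network_out dst=203.0.113.7 bytes=734003200
2026-02-10T10:02:00 user=jsmith event=process_start image=powershell.exe args=Get-Date
this line is garbage
"""

@dataclass
class Alert:
    rule: str
    user: str
    timestamp: str
    detail: str

def parse_line(line: str) -> dict[str, str] | None:
    """Parse one log line into a field dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if "user" in fields and "event" in fields else None

def rule_script_execution(ev: dict[str, str]) -> str | None:
    """Script host launched by a third-party account ('injection and execution of scripts')."""
    if ev["event"] == "process_start" and ev.get("image", "").lower() in SCRIPT_HOSTS:
        return f"{ev['image']} started with args {ev.get('args', '')}"
    return None

def rule_exfiltration(ev: dict[str, str]) -> str | None:
    """Large outbound transfer ('extracting data and files from the IT environment')."""
    if ev["event"] == "network_out" and int(ev.get("bytes", "0")) >= EXFIL_BYTES_THRESHOLD:
        return f"{ev['bytes']} bytes sent to {ev.get('dst', '?')}"
    return None

def rule_account_change(ev: dict[str, str]) -> str | None:
    """Account creation or group membership change made by a third-party account."""
    if ev["event"] in {"user_created", "user_modified"}:
        return f"{ev['event']} target={ev.get('target', '?')}"
    if ev["event"] == "group_add":
        group = ev.get("group", "?")
        level = "privileged" if group in PRIVILEGED_GROUPS else "non-privileged"
        return f"{ev.get('target', '?')} added to {level} group {group}"
    return None

def rule_after_hours_logon(ev: dict[str, str]) -> str | None:
    """Logon outside business hours (a control the audited entities already had working)."""
    if ev["event"] == "logon":
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            return f"logon to {ev.get('host', '?')} at {hour:02d}:00 hours"
    return None

RULES = [rule_script_execution, rule_exfiltration, rule_account_change, rule_after_hours_logon]

def analyse(log_text: str) -> list[Alert]:
    """Apply every rule to each well-formed event raised by a third-party account."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw) if raw.strip() else None
        if ev is None or not ev["user"].startswith(THIRD_PARTY_PREFIX):
            continue
        for rule in RULES:
            detail = rule(ev)
            if detail is not None:
                alerts.append(Alert(rule.__name__[len("rule_"):], ev["user"], ev["ts"], detail))
    return alerts

def summarise(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule for a daily report to the IT security team."""
    counts: dict[str, int] = {}
    for alert in alerts:
        counts[alert.rule] = counts.get(alert.rule, 0) + 1
    return counts

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a.rule}] {a.timestamp} {a.user}: {a.detail}")
```

On the sample log the staff account's PowerShell use is ignored and the malformed line is skipped, while the vendor account raises five alerts covering all three gaps the audit found plus the after-hours logon.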

Are entities proactively managing their third-party cyber security risks?

Entities do not effectively identify and assess their third-party cyber security risks and develop mitigation controls

The entities were aware of their cyber security threats and their risks, and all had taken measures to manage them. However, the entities had not effectively identified and assessed their third-party cyber security risks or the potential impact and likelihood of those risks. As such, they may be vulnerable to a third-party cyber attack and unprepared to manage any attack that does occur.

All 3 entities had IT security policies and procedures in place to manage their cyber security risks. While the entities had IT policies and procedures, they lacked sufficient detail about identifying and assessing third-party cyber security risk and staff were not consistently applying them.

None of the entities had identified their supply chain, including all their manufacturers, suppliers, vendors, and contractors. Nor had they assessed risks across their supply chain. Entities need this detail to inform their risk assessments and develop strategies to manage the risk.

The entities did have asset and IT risk registers that captured information about their systems, including information security risks. Two of the 3 entities had identified some third-party cyber security risks in their risk registers. The remaining entity only identified general cyber security risks. Of the 2 entities that had identified third-party cyber security risks, only one had assessed the impact and likelihood of some of its risks and documented mitigation controls.

Identifying and assessing third-party cyber security risks when procuring goods and services enables entities to make informed decisions about the level of risk, contractual arrangements, and security requirements.

Recommendation 3

We recommend all public sector entities and local governments review and, where needed, update their IT policies and procedures to ensure they provide appropriate guidance about identifying, assessing, and monitoring third-party cyber security risks and developing mitigation controls.

Recommendation 4

We recommend all public sector entities and local governments identify their supply chain and third-party cyber security risks, assess the impact and likelihood of the risks, and ensure mitigation controls are effective.

Entities do not consistently assess risk during procurement

The 3 entities we audited did not effectively identify and assess third-party cyber security risk during procurement.

There is a range of guidance that highlights the importance of identifying and assessing third-party cyber security risks during procurement. This includes the:

  • Queensland Information Technology Contracting (QITC) framework
  • Australian Signals Directorate (ASD) Information Security Manual and standards
  • International Organisation for Standardisation (ISO) standards.

In addition to this, the Department of Housing and Public Works published the Managing cyber security in procurement guideline in June 2025.

The QITC framework and other guidance highlight the importance of entities undertaking due diligence checks about suppliers’ information security. All 3 entities use risk assessment questionnaires to collect information about third parties’ IT security. However, only one of the entities assesses this information to understand its risks.

We reviewed 12 contracts and supporting information for each entity and assessed whether they had identified and assessed third-party cyber security risks during procurement. In total, we reviewed 36 contracts. These contracts were for a service or software provided by a third party and therefore presented an elevated level of third-party cyber security risk. Figure 4A below summarises the results.

FIGURE 4A
Assessing risk during procurement
[Table of contract testing results not reproduced in this text version]

Compiled by Queensland Audit Office using contract information from selected public sector entities.

Contracts do not contain recommended clauses and requirements

Including appropriate clauses and security requirements in contracts with third parties helps entities effectively manage their third-party cyber security risks. We found the 3 entities are not consistently including these recommended clauses and requirements in their contracts with third parties.

We reviewed 36 contracts and assessed whether they incorporated better practice requirements from the ASD and ISO standards. This includes:

  • security requirements for the third-party
  • a clause giving the entity a right to audit the third-party’s IT security controls
  • a requirement for the third-party to report cyber security incidents and vulnerabilities
  • security requirements for suppliers to the third-party – often called a fourth-party cyber risk.

Figure 4B summarises the results of this testing.

FIGURE 4B
Results of contract testing
[Table of contract testing results not reproduced in this text version]

Compiled by Queensland Audit Office using contract information from selected public sector entities.

Only 2 of the 36 contracts included requirements for third parties to report their cyber security incidents and vulnerabilities. Without this information, entities cannot rapidly detect and contain breaches that may occur across their supply chain. No contracts stipulated IT security requirements for the third-party’s vendors and suppliers. As such, the entities have no visibility of whether the vendors or suppliers of their third parties have appropriate security controls and cannot determine if they are comfortable with their risk exposure.

Entities can strengthen their contract management practices

Entities can use contract management plans to manage risks and ensure the goods and services they procure deliver the intended value.

One entity had developed a contract management plan to manage cyber security risks, including third-party cyber security risks, for one of its 12 contracts. Another entity had contract management plans for some contracts, but the plans did not capture third-party cyber security risks and primarily focused on delivery. The third entity did not use contract management plans.

We found the ongoing management of contracts and cyber security risks varied across the entities. Staff we spoke to from one entity confirmed that there is little ongoing review of risks and the effectiveness of controls after they procure goods or services. Its focus is primarily on monitoring contract deliverables. Another entity is embedding a new process to follow up with its third parties each year and assess the appropriateness of their IT security controls. It has commenced these assessments for some third parties but not all.

Recommendation 5

We recommend all public sector entities and local governments review and, where needed, strengthen their procurement and contract management practices to better manage third-party cyber security risks. This should include:

  • clearly documenting the expectations and security requirements of third parties
  • ensuring contracts have appropriate clauses, such as a requirement for third parties to report cyber security incidents and vulnerabilities
  • monitoring third-party cyber security risks in contracts to ensure the level of risk is appropriate and the mitigation controls remain effective
  • ensuring staff have the right knowledge and skills to manage third-party cyber security risks during procurement and throughout the lifecycle of the contract.

Are entities monitoring their third-party cyber security risks?

Entities are monitoring their third-party cyber security risks but can strengthen their practices

The 3 entities we audited applied different methods for monitoring their cyber security threats. They gathered intelligence about potential threats from a range of sources, including alerts from public sector entities, newsfeeds, and commercial services. Their sources included intelligence from the ASD’s Australian Cyber Security Centre and the Department of Customer Services, Open Data and Small and Family Business (CDSB). CDSB provides a vulnerability management service, which identifies, assesses, and prioritises cyber security vulnerabilities in an entity’s IT systems and networks. CDSB offers this service to all public sector entities and has promoted it through various channels, including on its website. Only one of the 3 entities we audited has subscribed to this service.

The entities do not effectively identify and assess their third-party cyber risks and, therefore, cannot effectively monitor them. Improving these practices will help ensure mitigation controls are working effectively and give governance committees appropriate oversight. One of the entities is implementing software to streamline and standardise its management of third-party cyber risk assessments.

All 3 entities capture information about their cyber security incidents, including third-party incidents. One had a detailed incident register, which captured key information about the severity of the incident, corrective actions, and improvement opportunities.

We found evidence across all 3 entities that they were analysing their cyber security incidents and addressing gaps identified. The actions that some of the entities are taking include:

  • delivering targeted training
  • undertaking cyber simulations and penetration testing
  • enhancing their IT governance arrangements to better monitor and manage risks.

5. Building capability across the public sector

This chapter examines how effectively the Department of Customer Services, Open Data and Small and Family Business (CDSB) leads and builds capability to manage third-party cyber security risks across the public sector.

It also examines whether the Department of Housing and Public Works (DHPW) provides effective guidance to help entities manage third-party cyber security risks when procuring goods and services.

How well are CDSB and DHPW building capability across the public sector?

CDSB cannot build capability effectively because it does not know where to target its efforts

CDSB lacks visibility into which public sector entities rely most heavily on third parties, and which ones carry the greatest risk. In addition to this, it lacks the information needed to know whether entities are effectively managing these risks. This insight is necessary to help CDSB understand third-party cyber risk across the public sector and prioritise its training and guidance. For CDSB to gain this insight, entities need to understand their third-party cyber risks and provide reliable information about these risks and how they are managing them.

CDSB captures some information from departments and some statutory bodies about their cyber security. The Queensland Government’s Information and cyber security policy (IS18) requires accountable officers to assess and report their information security each year. But this information focuses more broadly on entities’ cyber security posture and does not include detailed information about their third-party cyber security risks and mitigation controls. In 2023–24, 33 public sector entities completed their annual IS18 assessment. CDSB does not capture information from the 77 Queensland councils or the remaining public sector entities, as IS18 does not apply to these entities.

CDSB needs to ensure training and simulations target gaps across the public sector

While CDSB is taking action to build capability across the public sector to manage third-party cyber security risks, it could be more effective and targeted in its approach.

The CDSB Cyber Security Unit’s mission and strategic objective is to strengthen the Queensland Government’s cyber security capability. Building capability is essential for managing the evolving cyber security threats to Queensland public sector entities.

In our report, Responding to and recovering from cyber attacks (Report 12: 2023–24), we recommended CDSB increase public sector cyber skills and capabilities. This included developing or adopting a cyber security capability framework that public sector entities could apply. In response, CDSB developed and published a cyber skills framework in June 2025. While the framework covers key skills, it does not cover third-party cyber security. The ASD cyber skills framework identifies third-party management as a key skill under information security governance and management. CDSB can strengthen its framework by including third-party cyber security.

CDSB undertakes a range of activities to build cyber security capability, including third-party cyber risk management. It shares information, coordinates training, and runs whole-of-government cyber simulations. However, it has not undertaken a capability assessment to help inform where it should target its effort. As such, it cannot be certain that its activities are targeting the right areas or the right entities. It organises training based on requests, not needs, which diminishes the likely value.

CDSB has a dashboard that captures relevant training information, including the training courses it offers and those that attend the training. It offers a range of cyber security training courses, including one that focuses on third-party cyber security. Fourteen public sector entities sent staff to attend the training in 2025. The course covers the key aspects of managing third-party cyber security. Early feedback was positive and CDSB plans to offer the course again in 2026. While this training is beneficial, CDSB needs to consider how it can upskill more of the public sector to manage third-party cyber security risks.

CDSB shares key information about third-party cyber security risks with stakeholders across the public sector

CDSB gathers and analyses intelligence about cyber security risks, including third-party cyber security risks. Its sources include the Australian Signals Directorate (ASD), commercial services, and publicly available information such as social media. CDSB prioritises collecting intelligence about cyber risks to the Queensland Government, followed by incidents and threats in other states and territories.

The threat intelligence collected by CDSB is essential for cyber security. It helps entities anticipate and block threats before they escalate to significant breaches.

CDSB’s cyber security team analyse threat intelligence manually each morning. This process is time-consuming and creates a risk that staff may overlook pertinent information or not act on the intelligence quickly.

CDSB is considering how to automate its processes. This aligns with its strategic priority of enhancing its monitoring and detection capabilities, as outlined in its cyber security unit’s 2024–2028 strategic plan.

CDSB issues alerts about risks but does not confirm entities have acted on the advice

CDSB notifies relevant entities about cyber security and threats, including supply chain risks, through its alerts, advisories, and flash reports. These alerts contain important information, including known incidents, threats, and vulnerabilities and any recommended actions entities need to take.

CDSB has no internal procedures to guide staff about what information to include or when to issue alerts. In addition to this, it has no guidance about following up with entities to ensure they act on the advice. We spoke to staff from CDSB who confirmed that it does not consistently follow up with entities about the action they take for high-risk threats. Guidance would help to ensure consistency in CDSB’s messaging and follow-up.

In September 2025, CDSB issued an advisory brief to chief information officers and managers at 165 public sector entities advising them of a third-party data breach incident. The guidance included a clear summary of the incident and recommended actions for entities. CDSB does not know whether any of the 165 entities acted on this advice.

CDSB is helping to raise awareness about supply chain risk through other forms of communication. In September 2025, it issued its first quarterly strategic threat review, which it sent to the chief information officers at public sector entities. It highlighted supply chain risk as a priority focus.

CDSB has established forums to lead a whole-of-government approach

CDSB shares information about third-party cyber security risks through various methods, including whole-of-government forums. However, there is opportunity to strengthen these arrangements.

These forums, including the Digital Leaders Group, meet regularly and include key stakeholders from entities. CDSB uses these forums to share information about third-party cyber security incidents and threats. They also discuss key initiatives underway to manage these risks. At the Digital Leaders Group meetings in May and September 2025, CDSB discussed the new procurement guidance and framework it is developing to help entities manage their supply chain risk. The Digital Leaders Group has no terms of reference, which would be valuable to help communicate its purpose and intent.

CDSB’s draft guidance incorporates better practice

CDSB has drafted appropriate guidance to help entities manage their third-party cyber security risks. The guidance will include a supply chain risk framework that outlines a preferred approach for public sector entities and their suppliers. The draft framework incorporates key principles from better practice guidance from national and international sources, including the ASD and the USA-based National Institute of Standards and Technology. Figure 5A shows the key elements of ASD better practice covered in the CDSB framework.

FIGURE 5A
Summary of ASD supply chain risk management guidance

Identify the cyber supply chain
Firstly, entities need to identify their cyber supply chain. This includes all suppliers, manufacturers, distributors and retailers, and where possible, their sub-contractors.

Understand the cyber supply chain risk
Next, entities need to understand the risk that each business in their cyber supply chain poses.

Set cyber security expectations
Entities need to set clear cyber security expectations with their third parties and document these in contracts and other relevant documents.

Audit for compliance
Once entities have set expectations, they need to gain assurance that their third parties are meeting those expectations through routine audits.

Monitor and improve practices
Finally, entities need to continue to monitor and improve security practices with their third parties. This includes sharing threat intelligence and building capability.

Queensland Audit Office using information compiled by the Australian Signals Directorate.

The Queensland Government has been slow to develop its guidance, given that supply chain risk is a well-known threat. Since 2021, the ASD has raised supply chain risk as a key trend and risk in its annual cyber threat reports.

CDSB plans to publish the framework in the first quarter of 2026. This guidance is important and will help entities to strengthen their controls for managing third-party cyber security risks.

Recommendation 6

We recommend the Department of Customer Services, Open Data and Small and Family Business strengthen its leadership role to help entities manage their third-party cyber security risks by:

  • updating its cyber skills framework to include third-party cyber security
  • collecting and analysing information from entities about how they manage their third-party cyber security risks as part of their information and cyber security (IS18) annual returns, or other mechanisms
  • assessing supply chain risk across the public sector and the maturity of public sector entities to manage these risks
  • coordinating training, simulations, and other capability-building activities focused on gaps across the public sector
  • publishing its supply chain risk framework and other better practice guidance
  • following up with entities to confirm they have acted on advice for high-risk third-party cyber threats and vulnerabilities.

DHPW’s guidance to help entities manage third-party cyber security risks during procurement aligns to good practice

DHPW, in partnership with CDSB, has developed and shared appropriate guidance to help entities manage their third-party cyber security risks when procuring goods and services. In June 2025, DHPW published its Managing cyber security risk in procurement guideline. The guideline is aligned with ASD better practice and includes key principles to manage supply chain risk in the procurement process. This includes information about determining the expectations of suppliers, including any security requirements.

DHPW does not know whether entities are applying its guidance and effectively managing their third-party cyber security risks during procurement. The 3 entities we audited were not effectively identifying and assessing their third-party cyber security risks during procurement. Without following up with entities, DHPW cannot know whether public sector entities are aware of and applying its guidance.

Recommendation 7

We recommend the Department of Housing and Public Works assess whether public sector entities are aware of and have implemented its guidance about managing third-party cyber security risks during procurement. This should include providing advice and training pathways to help state government entities strengthen their procurement practices where necessary.