Adopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive data must meet Right Fit For Risk (RFFR) requirements, including Essential Eight Maturity Level 2 (E8 ML2).
Who must comply
Federal government contractors and subcontractors handling OFFICIAL: Sensitive data.
What triggers it
Government contract requiring RFFR compliance.
When due
Before access to data; annual reassessment.
Evidence required
IRAP assessment report, ISM compliance documentation, E8 maturity attestation.
Max penalty
Loss of contract or panel access; reputational exposure on Commonwealth supplier registers.
Summary
Right Fit For Risk requirements apply to providers handling OFFICIAL: Sensitive Commonwealth data. The ASD Information Security Manual (ISM) and Essential Eight Maturity Model are the baseline. Independent assessment by an IRAP-endorsed assessor is required.
Source: https://cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight. Rules Mate is not a law firm. Always verify against the live regulator source before acting.