Part 1 Preliminary
1 Name
This instrument is the Security of Critical Infrastructure (Naval shipbuilding precinct) Rules (LIN 23/007) 2023.
2 Commencement
This instrument commences on the later of:
(a) immediately after the AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 commence; and
(b) the day after registration.
Note For pre-conditions to making this instrument—see Act, sections 30ABA and 30AL.
3 Definitions
Note Some terms used in this instrument are defined in the Act, including:
(a) asset;
(b) AusCheck scheme;
(c) critical infrastructure asset;
(d) entity;
(e) relevant impact;
(f) responsible entity;
(g) security.
In this instrument:
AusCheck Act means the AusCheck Act 2007.
AusCheck Regulations means the AusCheck Regulations 2017.
background check means a background check under the AusCheck scheme.
CIRMP is short for critical infrastructure risk management program.
CIRMP criminal record has the same meaning as defined in the AusCheck Regulations.
criminal history criteria means the assessment of:
(a) whether the person has a CIRMP criminal record; and
(b) the nature of the offence.
Department of Defence means the Department administered by the Minister administering the Defence Act 1903.
personnel hazard includes where a person acts, through malice or negligence:
(a) to compromise the proper function of the asset; or
(b) to cause significant damage to the asset.
4 Critical infrastructure asset
(1) For paragraph 9(1)(f) of the Act, an asset is a critical infrastructure asset if it is:
(a) within an area identified, using a colour, on a map in Schedule 1; and
(b) owned or operated for naval shipbuilding or sustainment.
Note The map in Schedule 1 depicts the Osborne Naval Shipyard precinct, on Lefevre Peninsula, South Australia.
(2) For subsection 12L(23) of the Act, the responsible entity for a critical infrastructure asset mentioned in subsection (1) is the entity mentioned in Schedule 1 for the area identified.
5 Application of Part 2A of the Act
(1) For paragraph 30AB(1)(a) of the Act, Part 2A of the Act applies to a critical infrastructure asset mentioned in subsection 4(1).
(2) For subsection 30AB(3) of the Act, Part 2A of the Act applies to a critical infrastructure asset mentioned in subsection 4(1), 12 months after the asset becomes a critical infrastructure asset.
(3) The requirements specified in this instrument for paragraph 30AH(1)(c) of the Act apply to a critical infrastructure asset that:
(a) is mentioned in subsection 4(1); and
(b) is not specified in another instrument for paragraph 30AB(1)(a) of the Act.
6 Relevant Commonwealth Regulator
For paragraph (a) of the definition of relevant Commonwealth regulator in section 5 of the Act, the Department of Defence is specified for a critical infrastructure asset mentioned in subsection 4(1).
Part 2 Requirements for a critical infrastructure risk management program
7 Material risks
For subsection 30AH(8) of the Act, the material risks include the following:
(a) a stoppage or major slowdown of the critical infrastructure asset’s function for an unmanageable period;
(b) a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the critical infrastructure asset;
Example The position, navigation and timing systems affecting provision of service or functioning of the asset.
(c) an interference with the critical infrastructure asset’s operation technology or information communication technology essential to the functioning of the asset;
Example A Supervisory Control and Data Acquisition (SCADA) system.
(d) the storage, transmission or processing of sensitive operational information outside Australia, which includes:
(i) layout diagrams;
(ii) schematics;
(iii) geospatial information;
(iv) configuration information;
(v) operational constraints or tolerances information;
(vi) data that a reasonable person would consider to be confidential or sensitive about the asset;
(e) remote access to operational control or operational monitoring systems of the critical infrastructure asset.
8 Personnel hazards
(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in a CIRMP:
(a) to permit a person unescorted access to a critical infrastructure asset mentioned in subsection 4(1) only where:
(i) a background check of the person has been conducted in accordance with section 9; and
(ii) a person has been found suitable to have unescorted access to the critical infrastructure asset in accordance with section 10; and
(iii) an identity card has been issued to a person who meets the requirements in subparagraphs (i) and (ii); and
(b) to collect the identity and contact information for each person who has access to the critical infrastructure asset; and
(c) to record the date, time and duration of access to the critical infrastructure asset by each person; and
(d) as far as it is reasonably practicable to do so—to minimise or eliminate material risks:
(i) arising from a malicious or negligent person; and
(ii) arising from the off-boarding process for outgoing employees and contractors.
(2) For subsection 30AH(12) of the Act, the establishment and maintenance of processes or systems mentioned in subsection (1) is taken to be action that mitigates the relevant impact of personnel hazards on the critical infrastructure asset.
9 Background checks
(1) A background check is required:
(a) before a person is granted unescorted access to the critical infrastructure asset; and
(b) if the person requires ongoing access to the critical infrastructure asset—every 2 years.
(2) For paragraph 30AH(4)(a) of the Act, a background check of a person must be conducted under the AusCheck scheme.
(3) A background check must include an assessment of information relating to the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act; and
(a) for paragraph 30H(4)(c) of the Act—the criteria against which the information must be assessed are the criminal history criteria; and
(b) for paragraph 30AH(4)(d) of the Act—the assessment must consist of both an electronic identity verification check and an in person identity verification check.
(4) A responsible entity must notify the Secretary if a background check is no longer required for a person.
10 Suitability assessment
(1) Following a background check under section 9, a responsible entity must assess the suitability of a person to have unescorted access to the critical infrastructure asset.
(2) In making a suitability assessment for subsection (1), a responsible entity must consider:
(a) any advice from the Secretary under the following provisions of the AusCheck Regulations:
(i) paragraph 21DA(2)(a);
(ii) paragraph 21DA(2)(b);
(iii) subsection 21DA(4);
(iv) subsection 21DA(5); and
(b) whether permitting the person unescorted access to a critical infrastructure asset mentioned in subsection 4(1) would be prejudicial to security; and
(c) any other information that may affect the person’s suitability to have unescorted access to the asset.
Note A responsible entity may be required to inform the Secretary of a decision to grant or revoke access to a critical infrastructure asset, in certain circumstances—see AusCheck Regulations, section 21ZA.
Schedule 1 Naval shipbuilding precinct
1 Osborne Naval Shipyard
For an area identified in the map by the colour mentioned in item 1 of the table, the entity mentioned in the table for that item, is the responsible entity for a critical infrastructure asset within the area.
Item | Colour | Responsible entity |
1 | Red | ASC Shipbuilding Pty Ltd (trading as ‘BAE Systems Maritime Australia’) (ABN 15 051 899 864) |
2 | Blue | ASC Pty Ltd (ABN 64 008 605 034) |
3 | Green | Australian Naval Infrastructure Pty Ltd (ABN 45 051 762 639) |
4 | Teal | Luerssen Australia Pty Ltd (ABN 39 618 700 637) |