Requirements for digital service providers

The DSP Operational Framework (Framework) is part of the ATO’s response to the business risks and security implications presented by the growth of our digital services across the digital economy.

If a DSP provides a software product or service that reads, modifies or routes any tax or superannuation related information, then that DSP is in scope of the Framework and will need to meet the requirements as below. This includes DSPs that use an intermediary (such as a gateway or sending service provider (SSP)) to interact with the ATO.

Due to a continually changing digital environment, the requirements for DSPs will be subject to future changes based on risk.

What are the requirements?

The Framework uses a risk differentiated model in determining the requirements needed for utilising our application programming interfaces (APIs). Factors include:

  • the API risk rating
  • volume of accessible individual taxpayer or superannuation records
  • a number of elements of the DSP's operating model (eg: on-premise or cloud-based software, data hosting arrangements, and whether there is an intermediary within the supply chain to the ATO).

Further clarification and guidance for the requirements can be found in the DSP Operational Framework - Requirements to utilise ATO digital services.

Requirements for products and services controlled by the client

This includes desktop software or software hosted by the client on premise, or within either an infrastructure as a service (IaaS) or platform as a service (PaaS) environment.

Requirements

Each requirement is given against the two connection modes: "Connects directly to the ATO" and "Connects indirectly to the ATO (eg: via gateway or SSP)". Where a single entry is shown, it applies to both.

Personnel security

(Mandatory) A personnel security integrity check process must be in place.

Encryption in transit

(Mandatory) Encryption in transit is mandatory using Australian Signals Directorate Australian Government Information Security Manual (ISM) approved cryptographic algorithms and protocols (for example, TLS 1.2).

Encryption at rest

Optional

Payload encryption

  • Connects directly to the ATO: Not applicable
  • Connects indirectly to the ATO: (Mandatory where supply chain visibility is not implemented) The payload encryption solution is not currently available but will be developed in the near future.

Encryption key management

(Optional) Must be met where data is encrypted at rest. Encryption key management (including public key infrastructure (PKI)) complies with ISM guidelines.

Audit logging

(Mandatory) Appropriate audit logging functionality implemented.

Product ID in message header

(Mandatory) The product ID of the software that produces the payload information must be included in the message. This requirement does not apply to SuperStream messages.

The product ID must be unique to each DSP product. DSPs with multiple products will need one product ID per product.

Certification

(Mandatory) Self-assessment against either:

  • IRAP
  • ISO/IEC 27001
  • OWASP ASVS 3.0
  • SOC 2

Supply chain visibility

  • Connects directly to the ATO: Not applicable
  • Connects indirectly to the ATO: (Mandatory where payload encryption is not implemented) The supply chain visibility solution is being developed in the near future. Interim measures are in place.

Data hosting

Not applicable

Multi-factor authentication

(Optional) The ATO recommends that multi-factor authentication (MFA) is applied, or the option is made available where practical to do so.

DSPs that have not implemented MFA should consider implementing the passphrase management, account lockout and passphrase reset practices described in the ISM guidelines.

Security monitoring practices

(Mandatory) DSPs that utilise web services (ie: hybrid desktop environments) and are consuming medium and high risk APIs are required to have security monitoring in place. For example:

  • network / infrastructure layer
  • application layer
  • transaction (data) layer.

Requirements for products and services controlled by the DSP

This includes software as a service (SaaS), gateways and sending service providers.

Requirements

Each requirement is given against three columns: "Low volumes of taxpayer or superannuation records (<10k)"; "Highly leveraged or high volumes of taxpayer or superannuation records (>10k), consuming no/low risk APIs only"; and "Highly leveraged or high volumes of taxpayer or superannuation records (>10k), consuming medium or high risk APIs". Where a single entry is shown, it applies to all three.

Personnel security

(Mandatory) A personnel security integrity check process must be in place.

Encryption in transit

(Mandatory) Encryption in transit is mandatory using Australian Government Information Security Manual (ISM) approved cryptographic algorithms and protocols (for example, TLS 1.2).

Encryption at rest

(Mandatory) Encryption at rest is mandatory for data repositories that hold or manage tax or superannuation related information, using Australian Government Information Security Manual (ISM) approved cryptographic algorithms and protocols. Examples may include full-disk, container, application or database level encryption techniques.

Payload encryption

Applicable when the product or service does not connect directly to the ATO and the supply chain visibility functionality is not available.

(Mandatory where supply chain visibility is not implemented) The payload encryption solution is not currently available, but will be developed in the near future.

Encryption key management

(Mandatory) Encryption key management (including public key infrastructure (PKI)) complies with ISM guidelines.

Audit logging

(Mandatory) Appropriate audit logging functionality implemented.

Product ID in message header

(Mandatory) The product ID of the software that produces the payload information must be included in the message. This requirement does not apply to SuperStream messages.

The product ID must be unique to each DSP product. DSPs with multiple products will need one product ID per product.

Certification

  • Low volumes (<10k): (Mandatory) Self-assessment against either IRAP, ISO/IEC 27001, OWASP ASVS 3.0 or SOC 2.
  • High volumes (>10k), no/low risk APIs only: (Mandatory) Self-assessment against either IRAP or ISO/IEC 27001.
  • High volumes (>10k), medium or high risk APIs: (Mandatory) Independent assessment against either IRAP or ISO/IEC 27001.

Supply chain visibility

Applicable when the product or service does not connect directly to the ATO and payload encryption is not used.

(Mandatory where payload encryption is not implemented) The supply chain visibility solution is being developed in the near future. Until then, interim measures are required.

Data hosting

(Mandatory) Data hosting is onshore by default. Offshore hosting arrangements (including redundant systems) are managed by exception only.

Multi-factor authentication

End users accessing the product or service

(Mandatory) Multi-factor authentication (MFA) is mandatory for end users that can access taxation or superannuation related information of other entities or individuals (e.g. tax agents, employers).

(Optional but recommended) MFA is optional but recommended for end users that only have access to their own information and do not have access to taxation or superannuation related information of other entities or individuals (e.g. employees accessing employee portals).

DSP staff accessing the product or service (including contracted labour)

(Mandatory) MFA is mandatory for DSP staff with access to taxation or superannuation related information. This position applies unless the DSP can adequately demonstrate that the internal user does not perform a privileged administration role (system/database level) and the full range of compensating controls specified within the ISM guidelines have been suitably implemented.

(Optional but recommended) MFA is optional but recommended for DSP staff (other than privileged users) without access to taxation or superannuation related information of other entities.

Note

Tokens or temporary credentials should be isolated to an individual device and expire once used. Any token or temporary credential should expire within 24 hours.

DSPs that have not implemented MFA should consider implementing the passphrase management, account lockout and passphrase reset practices described in the ISM guidelines.

Security monitoring practices

  • Low volumes (<10k): Not applicable
  • High volumes (>10k), any API risk: (Mandatory) Security monitoring is in place. For example:

  • network / infrastructure layer
  • application layer
  • transaction (data) layer
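
The token note under multi-factor authentication above states three constraints: a temporary credential is isolated to one device, is consumed on first use, and expires within 24 hours. The following is an added example, not ATO code, of a minimal token store that enforces those three rules; the class, field and function names are this example's own, and only the 24-hour lifetime comes from the page.

```python
import hashlib
import secrets
import time

# Added example, not ATO code. Enforces the note's rules for temporary
# credentials: bound to one device, single use, and a hard 24-hour lifetime
# from issue whether or not the token was used. Names are this example's own.
MAX_LIFETIME_SECONDS = 24 * 60 * 60   # the 24-hour figure stated on the page


def _digest(raw: str) -> str:
    # Only a hash of the token is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(raw.encode()).hexdigest()


class TokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested offline
        self._records = {}    # digest -> {"device": str, "issued": float, "used": bool}

    def issue(self, device_id: str) -> str:
        raw = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._records[_digest(raw)] = {
            "device": device_id, "issued": self._clock(), "used": False}
        return raw   # returned once to the caller and never stored in the clear

    def redeem(self, raw: str, device_id: str) -> str:
        """Return 'ok' on success, otherwise the reason the token was rejected.

        Every non-'ok' outcome is worth writing to the audit log required
        elsewhere in the Framework; a 'wrong_device' or 'replayed' result is
        a sign the credential may have been captured.
        """
        key = _digest(raw)
        rec = self._records.get(key)
        if rec is None:
            return "unknown"
        if self._clock() - rec["issued"] > MAX_LIFETIME_SECONDS:
            del self._records[key]   # purge: expiry applies even to unused tokens
            return "expired"
        if rec["used"]:
            return "replayed"        # single use: a second presentation fails
        # Device ids are ASCII strings here; compare_digest avoids timing leaks.
        if not secrets.compare_digest(rec["device"], device_id):
            return "wrong_device"    # presented from a device it was not bound to
        rec["used"] = True           # consumed on first successful use
        return "ok"
```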

Sending Service Provider

(Mandatory for Sending Service Providers only)

Sending Service Providers need to provide the following information:

  • Types of client
  • Service model offering
  • How clients connect (e.g. portal, direct API, etc.)