Requirements for digital service providers

Access the DSP OSF documentation

Purpose

The Digital Service Provider (DSP) Operational Security Framework (OSF) seeks to protect Taxation, Accounting, Payroll and Superannuation related data and the integrity of the Taxation, Business Registry and Superannuation systems that support the Australian community. This is achieved by setting out a minimum level of security requirements a DSP needs to meet in order to access ATO Digital Services that perform a functional role in the supply chain. The DSP OSF has been established to respond to business risks and security threats presented by the continual expansion and growth of digital services across the ecosystem.

The DSP OSF is a response to known examples of:

  • Information misuse: including identity theft, personal gain or commercial advantage.
  • Financial system misuse: including tax refund fraud.
  • Destructive cyber behaviour: including individual or system hacks.

Scope                 

The DSP OSF applies to any software product or digital service that performs a functional role in the supply chain of transmitting Taxation, Accounting, Payroll, Business Registry or Superannuation data through ATO digital services.

This includes software products that reads, stores, modifies or routes any Taxation, Accounting, Payroll, Business Registry or Superannuation data that:

  • Connects directly to the ATO digital services.
  • Connects indirectly to the ATO via a sending Service Provider (SSP) for Payroll services.
  • Connects indirectly to the ATO via a Gateway for Superannuation Services or SuperStream.

It may also include:

  • Significant modification of commercial software or white labelled products.
  • Non-Commercial products / In-house developers.
  • Products or services producing a .CSV file

For large organisations or groups of companies, the DSP OSF may only apply to relevant systems and/or business sectors of the organisation.

Note: The scope of the DSP OSF is not intended to capture the end user who owns the data and does not perform a functional role in the supply chain, for example, a business using software to run their daily operations.

Products controlled by DSPs

Services include cloud and Software as a Services (SaaS), gateways and sending service providers.

Requirements

Category A

Category B

Category C
 
  • Product or service controlled by DSP, and
  • Low to high risk APIs with greater than 10,000 unique client records, or
  • Sending Service Providers
  • Product or service controlled by DSP, and
  • Medium to high risk APIs with less than 10,000 unique client records
  • Product or service controlled by DSP, and
  • Low risk APIs with less than 10,000 unique client records, or
  • No risk APIs regardless of unique client records

Audit Logging

Mandatory: Audit Logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.

Authentication

 

 

Mandatory: Multi-Factor Authentication (MFA) must be implemented for end users and any staff member with privileged user access who access Taxation, Accounting, Payroll, Business Registry or Superannuation related information of other entities or individuals, for example, tax agents, employers as per Australian Government - Guidelines for system hardening (PDF, 1.0MB)

  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.
  • MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.

 

Certification

 

 

Mandatory:

Independent Certification against either:

  • iRAP (ISM)
  • ISO/IEC 27001

 

Mandatory:

Independent certification or Self-Assessment against either:

  • ISM
  • ISO / IEC 27001
  • ISO / IEC 27002
  • ISO / IEC 27017
  • NIST

(DPO may request evidence of some self-assessed controls)

Mandatory:

Independent certification or Self-Assessment against either:

  • ISM
  • ISO / IEC 27001
  • ISO / IEC 27002
  • ISO / IEC 27017
  • SOC2
  • OWASP ASVS 3.0 or later
  • NIST

Data Hosting

Mandatory: Data Hosting must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.

Encryption Key Management

Mandatory: Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption at Rest

Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protoco, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Entity Validation

Mandatory: DSPs must implement entity validation to ensure consumers/users of a commercial software product is a legitimate business and has a genuine need to access ATO APIs.

Personnel Security

Mandatory: Personnel Security procedures must be in place for hiring, managing and terminating employees including contractors.

Security Monitoring

Mandatory: Security Monitoring practices must be implemented at the network/infrastructure, application and transaction layer to enable DSPs to scan environmental threats and act.

Supply Chain

Mandatory: DSPs must provide ATO with an overview of their supply chain.

Third Party Add-On

Mandatory: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls.

Products controlled by a client

Services include desktop and server-based software, including cloud applications where the application is primarily under the control of the client.

Requirements

Category D
  • Product or service controlled by client, and
  • Access to no, low, medium or high-risk APIs regardless of unique client records, OR
  • In-House developer controlled by the client and
  • Low, Medium or High-Risk APIs with less than 10,000 unique client records.

* ATO recognise DSPs may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.

Audit Logging

Mandatory: Audit Logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.

Authentication

 

 

Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example, unique username and password.

  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice this can be applied as per Australian Government - Guidelines for system hardening (PDF, 1.0MB)

  • MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.

Certification

 

Mandatory: Self-Assessment against either:
 
  • ISM
  • ISO / IEC 27001
  • ISO / IEC 27002
  • ISO / IEC 27017 
  • SOC2
  • OWASP ASVS 3.0 or later
  • NIST

Data Hosting

Mandatory*: If the product provides any element of data hosting it must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.

Encryption Key Management

Mandatory*: If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption at Rest

Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Entity Validation

Mandatory: DSPs must implement entity validation to ensure consumers/users of a commercial software product is a legitimate business and has a genuine need to access ATO APIs.

Personnel Security

Mandatory: Personnel Security procedures must be in place for hiring, managing and terminating employees including contractors.

Security Monitoring

Mandatory*: If the product has the ability to relay data to the DSP, security monitoring must be implemented to enable DSPs to scan environmental threats and take action.

Supply Chain

Mandatory: DSPs must provide ATO with an overview of their supply chain and third-party add-ons.

Third Party Add-On

Mandatory*: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls.

Commercial Products / In House Developers

Services include desktop and server-based software, where the application is under the control of the client.

Requirements

Category E
  • Commercial product or service controlled by the DSP or the client, and
  • No risk APIs regardless of unique client records

* ATO recognise DSPs may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.
  • In-House developer controlled by the client and
  • Low, Medium or High-Risk APIs with less than 10,000 unique client records.

Audit Logging

Mandatory: Audit Logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.

Authentication

 

Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example, unique username and password.

  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice this can be applied as per Australian Government - Guidelines for system hardening (PDF, 1.0MB)

  • MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.

Certification

 

Optional: Self-Assessment against either:
 
  • ISM
  • ISO / IEC 27001
  • ISO / IEC 27002
  • ISO / IEC 27017
  • SOC2
  • OWASP ASVS 3.0 or later
  • NIST

Data Hosting

Mandatory*: If the product provides any element of data hosting it must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.

Encryption Key Management

Mandatory*: If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption at Rest

Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography (PDF, 1.0MB)

Entity Validation

Optional: DSPs must implement entity validation to ensure consumers/users of a commercial software product is a legitimate business and has a genuine need to access ATO APIs.

Personnel Security

Mandatory: Personnel Security procedures must be in place for hiring, managing and terminating employees including contractors.

Security Monitoring

Mandatory*: If the product has the ability to relay data to the DSP, security monitoring must be implemented to enable DSPs to scan environmental threats and take action.

Supply Chain

Mandatory: DSPs must provide ATO with an overview of their supply chain and third-party add-ons.

Third Party Add-On

Mandatory*: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls.

See also:

Last modified date