The DSP Operational Framework (Framework) is part of the ATO’s response to the business risks and security implications presented by the growth of our digital services across the digital economy.
If a DSP provides a software product or service that reads, modifies or routes any tax or superannuation related information, then that DSP is in scope of the Framework and will need to meet the requirements as below. This includes DSPs that use an intermediary (such as a gateway or sending service provider (SSP)) to interact with the ATO.
Due to a continually changing digital environment the requirements for DSPs will be subject to future changes based on risk.
What are the requirements?
The Framework uses a risk differentiated model in determining the requirements needed for utilising our application programming interfaces (APIs). Factors include:
- the API risk ratings
- volume of accessible individual taxpayer or superannuation records
- a number of elements of the DSPs operating model (eg: on premise or cloud based software, data hosting arrangements and if there is an intermediary within the supply chain to the ATO).
Further clarification and guidance for the requirements can be found in the DSP Operational Framework - Requirements to utilise ATO digital services (DOCX, 804KB).
There is a transition plan available for existing superannuation providers. Further information can be found at Transitioning existing superannuation providers.
Requirements for products and services controlled by the client
This includes desktop software or software hosted by the client on premise, or within either an infrastructure as a service (IaaS) or platform as a service (PaaS) environment.
|
Requirements |
Connects directly to the ATO |
Connects indirectly to the ATO (eg: via gateway or SSP) |
|---|---|---|
|
Personnel security |
(Mandatory) A personnel security integrity check process must be in place |
|
|
Encryption in transit |
(Mandatory) Encryption in transit is mandatory using Australian Signals Directorate Guidelines for using crytography (March 2019) (DOCX, 839KB) (for example, TLS 1.2) |
|
|
Encryption at rest |
Optional |
|
|
Payload encryption |
Not applicable |
(Mandatory where supply chain visibility is not implemented) The payload encryption solution is not currently available but will be developed in the near future. |
|
Encryption key management
|
(Optional) Must be met where data is encrypted at rest. Encryption key management (including public key infrastructure (PKI) complies with the Australian Government Information Security Manual (ISM). |
|
|
Audit logging |
(Mandatory) Appropriate audit logging functionality implemented |
|
|
Product ID in message header |
(Mandatory) The product ID of the software that produces the payload information must be included in the message. This requirement does not apply to Superstream messages. The product ID must be unique to each DSP product. DSPs with multiple products will need one product ID per product. |
|
|
Certification |
(Mandatory) Self-assessment against either:
|
|
|
Supply chain visibility |
Not applicable
|
(Mandatory where payload encryption is not implemented). The supply chain visibility solution is being developed in the near future. Interim measures are in place. |
|
Data hosting |
Not applicable |
|
|
Multi-factor Authentication |
(Optional) The ATO recommends that multi-factor authentication (MFA) is applied, or the option is made available where practical to do so. DSPs that have not implemented MFA, should consider implementing passphrase management, account lockout and resetting passphrase practices described in the Australian Government Information Security Manual (ISM). |
|
|
Security monitoring practices
|
(Mandatory) DSPs that utilise web services (ie: hybrid desktop environments) and are consuming medium and high risk APIs are required to have security monitoring in place. For example:
|
|
Requirements for products and services controlled by the DSP
This includes software as a services (SaaS), gateways and sending service providers.
|
Requirements |
Low volumes of taxpayer or superannuation records (<10k) |
Highly leveraged or high volumes of taxpayer or superannuation records (>10k) |
|
|---|---|---|---|
|
|
Consumes no/low risk APIs only |
Consumes medium or high risk APIs |
|
|
Personnel security |
(Mandatory) A personnel security integrity check process must be in place |
||
|
Encryption in transit |
(Mandatory) Encryption in transit is mandatory using the Guidelines for using cryptography (March 2019) (DOCX, 839KB) (for example, TLS 1.2) |
||
|
Encryption at rest |
(Mandatory) Encryption at rest is mandatory for data repositories that hold or manage tax or superannuation related information using the Guidelines for using cryptography (March 2019) (DOCX, 839KB). Examples may include; full-disk, container, application or database level encryption techniques |
||
|
Payload encryption Applicable when the product or service does not connect directly to the ATO and the supply chain visibility functionality is not available |
(Mandatory where supply chain visibility is not implemented) Payload encryption solution is not currently available, but will be developed in the near future.
|
||
|
Encryption key management |
(Mandatory) Encryption key management (including public key infrastructure (PKI) complies with the Australian Government Information Security Manual (ISM). |
||
|
Audit logging |
(Mandatory) Appropriate audit logging functionality implemented |
||
|
Product ID in message header |
(Mandatory) The product ID of the software that produces the payload information must be included in the message. This requirement does not apply to Superstream messages The product ID must be unique to each DSP product. DSPs with multiple products will need one product ID per product. |
||
|
Certification |
(Mandatory) Self-assessment against either:
|
(Mandatory) Self-assessment against either:
|
(Mandatory) Independent assessment against either:
|
|
Supply chain visibility Applicable when the product or service does not connect directly to the ATO and the payload encryption is not used |
(Mandatory where payload encrytion is not implemented) The supply chain visibility solution is being developed in the near future. Until then interim measures are required.
|
||
|
Data hosting |
(Mandatory) Data hosting is onshore by default. Offshore hosting arrangements (including redundant systems) are managed by exception only
|
||
|
Multi-factor Authentication |
End users accessing the product or service (Mandatory) Multi-factor authentication (MFA) is mandatory for end users that can access taxation or superannuation related information of other entities or individuals (e.g. tax agents, employers) DSP staff accessing the product or service (including contracted labour) (Mandatory) MFA is mandatory for DSP staff with access to taxation or superannuation related information. This position applies unless the DSP can adequately demonstrate that the internal user does not perform a privileged administration role (system/database level) and the full range of compensating controls specified within the Australian Government Information Security Manual (ISM) have been suitably implemented. (Optional but recommended) MFA is optional but recommended for DSP staff (other than privileged users) without access to taxation or superannuation related information of other entities. Note Tokens or temporary credential should be isolated to an individual device and expire once used. Any token or temporary credential should expire within 24 hours. DSPs that have not implemented MFA, should consider implementing passphrase management, account lockout and resetting passphrase practices described in the Australian Government Information Security Manual (ISM). |
||
|
Security monitoring practices
|
Not applicable |
(Mandatory) Security monitoring is in place.
For example:
|
|
| Sending Service Provider |
(Mandatory for Sending Service Providers only) Sending Service Providers need to provide the following information:
|
||