Access the DSP OSF documentation
- View the full Digital Service Provider Operational Security Framework Requirements for ATO Digital Services (PDF, 559KB)
- View the Digital Service Provider Operational Framework Security Questionnaire (DOCX, 804KB)
Purpose
The Digital Service Provider (DSP) Operational Security Framework (OSF) seeks to protect Taxation, Accounting, Payroll and Superannuation related data and the integrity of the Taxation, Business Registry and Superannuation systems that support the Australian community. This is achieved by setting out the minimum level of security requirements that a DSP performing a functional role in the supply chain needs to meet in order to access ATO Digital Services. The DSP OSF has been established to respond to the business risks and security threats presented by the continual expansion and growth of digital services across the ecosystem.
The DSP OSF is a response to known examples of:
- Information misuse: including identity theft, personal gain or commercial advantage.
- Financial system misuse: including tax refund fraud.
- Destructive cyber behaviour: including individual or system hacks.
Scope
The DSP OSF applies to any software product or digital service that performs a functional role in the supply chain of transmitting Taxation, Accounting, Payroll, Business Registry or Superannuation data through ATO digital services.
This includes software products that read, store, modify or route any Taxation, Accounting, Payroll, Business Registry or Superannuation data and that:
- Connect directly to ATO digital services.
- Connect indirectly to the ATO via a Sending Service Provider (SSP) for Payroll services.
- Connect indirectly to the ATO via a Gateway for Superannuation services or SuperStream.
It may also include:
- Significant modification of commercial software or white labelled products.
- Non-Commercial products / In-house developers.
- Products or services producing a .CSV file.
For large organisations or groups of companies, the DSP OSF may only apply to relevant systems and/or business sectors of the organisation.
Note: The scope of the DSP OSF is not intended to capture the end user who owns the data and does not perform a functional role in the supply chain, for example, a business using software to run their daily operations.
Products controlled by DSPs
Services include cloud and Software as a Service (SaaS) products, gateways and sending service providers.

| Requirement | Category A | Category B | Category C |
|---|---|---|---|
| Audit Logging | Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months. | Same as Category A | Same as Category A |
| Authentication | Mandatory: Multi-Factor Authentication (MFA) must be implemented for end users and for any staff member with access to Taxation, Accounting, Payroll, Business Registry or Superannuation related information of other entities or individuals (for example, Tax Agents and Employers), as per the Australian Government Guidelines for system hardening. | Same as Category A | Same as Category A |
| Certification | Mandatory: Independent certification against either: | Mandatory: Independent certification or self-assessment against either: (DPO may request evidence of some self-assessed controls) | Mandatory: Independent certification or self-assessment against either: |
| Data Hosting | Mandatory: Data hosting must be onshore by default; offshore hosting arrangements, including redundant systems, are managed by exception only. | Same as Category A | Same as Category A |
| Encryption Key Management | Mandatory: The Encryption Key Management and public key infrastructure (PKI) policy must cover asymmetric/public key algorithms, hashing algorithms and symmetric algorithms, as per the Australian Government Guidelines for using cryptography. | Same as Category A | Same as Category A |
| Encryption at Rest | Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow the Australian Government Guidelines for using cryptography. | Same as Category A | Same as Category A |
| Encryption in Transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per the Australian Government Guidelines for using cryptography. | Same as Category A | Same as Category A |
| Entity Validation | Mandatory: DSPs must implement entity validation to ensure that consumers/users of a commercial software product are legitimate businesses with a genuine need to access ATO APIs. | Same as Category A | Same as Category A |
| Personnel Security | Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors. | Same as Category A | Same as Category A |
| Security Monitoring | Mandatory: Security monitoring practices must be implemented at the network/infrastructure, application and transaction layers to enable DSPs to scan for environmental threats and act on them. | Same as Category A | Same as Category A |
| Supply Chain | Mandatory: DSPs must provide ATO with an overview of their supply chain. | Same as Category A | Same as Category A |
| Third Party Add-On | Mandatory: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls. | Same as Category A | Same as Category A |
Products controlled by a client
Services include desktop and server-based software, including cloud applications where the application is primarily under the control of the client.

| Requirement | Category D |
|---|---|
| Audit Logging | Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months. |
| Authentication | Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example a unique username and password. To strengthen authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice; this can be applied as per the Australian Government Guidelines for system hardening. |
| Certification | Mandatory: Self-assessment against either: |
| Data Hosting | Mandatory*: If the product provides any element of data hosting, it must be onshore by default; offshore hosting arrangements, including redundant systems, are managed by exception only. |
| Encryption Key Management | Mandatory*: If the product manages encryption keys, its Encryption Key Management and public key infrastructure (PKI) policy must cover asymmetric/public key algorithms, hashing algorithms and symmetric algorithms, as per the Australian Government Guidelines for using cryptography. |
| Encryption at Rest | Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow the Australian Government Guidelines for using cryptography. |
| Encryption in Transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per the Australian Government Guidelines for using cryptography. |
| Entity Validation | Mandatory: DSPs must implement entity validation to ensure that consumers/users of a commercial software product are legitimate businesses with a genuine need to access ATO APIs. |
| Personnel Security | Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors. |
| Security Monitoring | Mandatory*: If the product has the ability to relay data to the DSP, security monitoring must be implemented to enable DSPs to scan for environmental threats and take action. |
| Supply Chain | Mandatory: DSPs must provide ATO with an overview of their supply chain and third-party add-ons. |
| Third Party Add-On | Mandatory*: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls. |

* ATO recognises that DSPs may have only some level of control over a requirement; the mandatory element applies where the DSP has the control needed to implement a solution. Some controls may not be applicable.
Commercial Products / In House Developers
Services include desktop and server-based software, where the application is under the control of the client.

| Requirement | Category E |
|---|---|
| Authentication | Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example a unique username and password. To strengthen authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice; this can be applied as per the Australian Government Guidelines for system hardening. |
| Data Hosting | Mandatory*: If the product provides any element of data hosting, it must be onshore by default; offshore hosting arrangements, including redundant systems, are managed by exception only. |
| Encryption Key Management | Mandatory*: If the product manages encryption keys, its Encryption Key Management and public key infrastructure (PKI) policy must cover asymmetric/public key algorithms, hashing algorithms and symmetric algorithms, as per the Australian Government Guidelines for using cryptography. |
| Encryption at Rest | Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow the Australian Government Guidelines for using cryptography. |
| Encryption in Transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per the Australian Government Guidelines for using cryptography. |

* ATO recognises that DSPs (including in-house developers) may have only some level of control over a requirement; the mandatory element applies where the DSP has the control needed to implement a solution. Some controls may not be applicable.
Optional consideration for DSPs in Category E to strengthen security