Requirements for products and services

• Commercial product or service controlled by DSP, and either
• Low to high risk APIs with greater than 10,000 unique client records, or
• Sending Service Providers

• Commercial product or service controlled by DSP, and
• Medium to high risk APIs with less than 10,000 unique client records

• Commercial product or service controlled by DSP, and either
• Low risk APIs with less than 10,000 unique client records, or
• No risk APIs regardless of unique client records

Audit logging

Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.

Authentication

Mandatory: Multi-factor authentication (MFA) must be implemented for end users and any staff member with access to Taxation, Accounting, Payroll, Business Registry or Superannuation related information of other entities or individuals, for example, Tax Agents and Employers as per Australian Government - Guidelines for system hardening.

• Shared logins are not permitted and must be blocked by the DSP.
• Remember me functionality must be limited to less than 24 hours.
• MFA should not include social media logins.
  If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Certification

Mandatory:

Independent certification against either:

• iRAP (ISM) or
• ISO/IEC 27001

Mandatory:

Independent certification or self-assessment against one of the following:

• ISM
• ISO / IEC 27001
• ISO / IEC 27002
• ISO / IEC 27017
• NIST

(DPO may request evidence of some self-assessed controls)

Mandatory:

Independent certification or self-aAssessment against one of the following:

• ISM
• ISO / IEC 27001
• ISO / IEC 27002
• ISO / IEC 27017
• SOC2
• OWASP ASVS 3.0 or later
• NIST

Data hosting

Mandatory: Data hosting must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.

Encryption Key Management

Mandatory: Encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography

Encryption at Rest

Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography

Entity validation

Mandatory: DSPs must implement entity validation to ensure consumers or users of a commercial software product are legitimate businesses and have a genuine need to access our APIs.

Personnel security

Security monitoring

Supply chain

Third party add-on

• Commercial product or service controlled by client, and
• Low, medium or high-risk APIs regardless of unique client records

OR

• In-house developer by a client, and
• Low risk APIs only with greater than 10,000 unique client records

Note: We recognise DSPs may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.

Audit Logging

Authentication

Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, such as unique username and password.

• Shared logins are not permitted and must be blocked by the DSP.
• Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening.

• MFA should not include social media logins. If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Certification

Mandatory: Self-assessment against one of the following:

• ISM
• ISO / IEC 27001
• ISO / IEC 27002
• ISO / IEC 27017 
• SOC2
• OWASP ASVS 3.0 or later
• NIST

Data hosting

Mandatory*: If the product provides any element of data hosting it must be onshore by default. Offshore hosting arrangements, including redundant systems are managed by exception only.

Encryption Key Management

Mandatory*: If the product manages Encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography

Encryption at Rest

Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography

Entity validation

Mandatory: DSPs must implement entity validation to ensure consumers/users of a commercial software product are legitimate businesses and have a genuine need to access our APIs.

Personnel security

Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees including contractors.

Security monitoring

Mandatory*: If the product can relay data to the DSP, security monitoring must be implemented to enable DSPs to scan environmental threats and take action.

Supply chain

Mandatory: DSPs must provide us with an overview of their supply chain and third-party add-ons.

Third party add-on

Mandatory*: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. We recommend using the security standards for add-on marketplaces or an equivalent set of controls.

• Commercial product or service controlled by the DSP or the client, and
• No risk APIs regardless of unique client records

OR

• In-House developer controlled by the client and
• Low Risk APIs only with less than 10,000 unique client records, or
• No risk APIs regardless of unique client records

Note: ATO recognise DSPs (including in-house developers) may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable

Authentication

Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example, unique username and password.

• Shared logins are not permitted and must be blocked by the DSP.
• Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening

• MFA should not include social media logins. If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Data hosting

Encryption Key Management

Mandatory*: If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms as per Australian Government - Guidelines for using cryptography

Encryption at Rest

Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography

Encryption in Transit

Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography