Requirements for digital service providers

Access the DSP OSF documentation

View the full Digital Service Provider Operational Security Framework Requirements for ATO Digital Services (PDF, 559KB)
View the Digital Service Provider Operational Framework Security Questionnaire (DOCX, 804KB)

Purpose

The Digital Service Provider (DSP) Operational Security Framework (OSF) seeks to protect Taxation, Accounting, Payroll and Superannuation related data and the integrity of the Taxation, Business Registry and Superannuation systems that support the Australian community. This is achieved by setting out a minimum level of security requirements a DSP needs to meet in order to access ATO Digital Services that perform a functional role in the supply chain. The DSP OSF has been established to respond to business risks and security threats presented by the continual expansion and growth of digital services across the ecosystem.

The DSP OSF is a response to known examples of:

Information misuse: including identity theft, personal gain or commercial advantage.
Financial system misuse: including tax refund fraud.
Destructive cyber behaviour: including individual or system hacks.

Scope

The DSP OSF applies to any software product or digital service that performs a functional role in the supply chain of transmitting Taxation, Accounting, Payroll, Business Registry or Superannuation data through ATO digital services.

This includes software products that reads, stores, modifies or routes any Taxation, Accounting, Payroll, Business Registry or Superannuation data that:

Connects directly to the ATO digital services.
Connects indirectly to the ATO via a sending Service Provider (SSP) for Payroll services.
Connects indirectly to the ATO via a Gateway for Superannuation Services or SuperStream.

It may also include:

Significant modification of commercial software or white labelled products.
Non-Commercial products / In-house developers.
Products or services producing a .CSV file

For large organisations or groups of companies, the DSP OSF may only apply to relevant systems and/or business sectors of the organisation.

Note: The scope of the DSP OSF is not intended to capture the end user who owns the data and does not perform a functional role in the supply chain, for example, a business using software to run their daily operations.

Products controlled by DSPs

Services include cloud and Software as a Services (SaaS), gateways and sending service providers.

Requirements	Category A	Category B	Category C
	Commercial product or service controlled by DSP, and Low to high risk APIs with greater than 10,000 unique client records, or Sending Service Providers	Commercial product or service controlled by DSP, and Medium to high risk APIs with less than 10,000 unique client records	Commercial product or service controlled by DSP, and Low risk APIs with less than 10,000 unique client records, or No risk APIs regardless of unique client records
Audit Logging	Mandatory: Audit Logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.
Authentication	Mandatory: Multi-Factor Authentication (MFA) must be implemented for end users and any staff member with access to Taxation, Accounting, Payroll, Business Registry or Superannuation related information of other entities or individuals, for example, Tax Agents, Employers as per Australian Government - Guidelines for system hardening. Shared logins are not permitted and must be blocked by the DSP. Remember me functionality must be limited to less than 24 hours. MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.
Certification	Mandatory: Independent Certification against either: iRAP (ISM) ISO/IEC 27001	Mandatory: Independent certification or Self-Assessment against either: ISM ISO / IEC 27001 ISO / IEC 27002 ISO / IEC 27017 NIST (DPO may request evidence of some self-assessed controls)	Mandatory: Independent certification or Self-Assessment against either: ISM ISO / IEC 27001 ISO / IEC 27002 ISO / IEC 27017 SOC2 OWASP ASVS 3.0 or later NIST
Data Hosting	Mandatory: Data Hosting must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.
Encryption Key Management	Mandatory: Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography
Encryption at Rest	Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography
Encryption in Transit	Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography
Entity Validation	Mandatory: DSPs must implement entity validation to ensure consumers/users of a commercial software product is a legitimate business and has a genuine need to access ATO APIs.
Personnel Security	Mandatory: Personnel Security procedures must be in place for hiring, managing and terminating employees including contractors.
Security Monitoring	Mandatory: Security Monitoring practices must be implemented at the network/infrastructure, application and transaction layer to enable DSPs to scan environmental threats and act.
Supply Chain	Mandatory: DSPs must provide ATO with an overview of their supply chain.
Third Party Add-On	Mandatory: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls.

Products controlled by a client

Services include desktop and server-based software, including cloud applications where the application is primarily under the control of the client.

Requirements	Category D
	Commercial product or service controlled by client, and Access to low, medium or high-risk APIs regardless of unique client records, OR * ATO recognise DSPs may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.
	In-House developer controlled by the client and Low Risk APIs only with greater than 10,000 unique client records
Audit Logging	Mandatory: Audit Logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum 12 months.
Authentication	Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented e.g. unique username and password. Shared logins are not permitted and must be blocked by the DSP. Remember me functionality must be limited to less than 24 hours. To strengthen your authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice this can be applied as per Australian Government - Guidelines for system hardening. MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.
Certification	Mandatory: Self-Assessment against either: ISM ISO / IEC 27001 ISO / IEC 27002 ISO / IEC 27017 SOC2 OWASP ASVS 3.0 or later NIST
Data Hosting	*Mandatory:** If the product provides any element of data hosting it must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.
Encryption Key Management	*Mandatory:** If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography
Encryption at Rest	*Mandatory:** DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography
Encryption in Transit	Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography
Entity Validation	Mandatory: DSPs must implement entity validation to ensure consumers/users of a commercial software product is a legitimate business and has a genuine need to access ATO APIs.
Personnel Security	Mandatory: Personnel Security procedures must be in place for hiring, managing and terminating employees including contractors.
Security Monitoring	*Mandatory:** If the product has the ability to relay data to the DSP, security monitoring must be implemented to enable DSPs to scan environmental threats and take action.
Supply Chain	Mandatory: DSPs must provide ATO with an overview of their supply chain and third-party add-ons.
Third Party Add-On	*Mandatory:** If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls in place for any add-on partners. ATO recommends using the Security Standards for add-on marketplaces or an equivalent set of controls.

Commercial Products / In House Developers

Services include desktop and server-based software, where the application is under the control of the client.

Requirements	Category E
	Commercial product or service controlled by the DSP or the client, and No risk APIs regardless of unique client records * ATO recognise DSPs (including in-house developers) may have some level of control of the requirement, the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable
	In-House developer controlled by the client and Low Risk APIs only with less than 10,000 unique client records, or No risk APIs regardless of unique client records
Authentication	Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example, unique username and password. Shared logins are not permitted and must be blocked by the DSP. Remember me functionality must be limited to less than 24 hours. To strengthen your authentication, ATO recommends implementing multi-factor authentication (MFA) as best practice this can be applied as per Australian Government - Guidelines for system hardening MFA should not include social media logins, for example, Google/Microsoft/Facebook. If social media applications are included in the proposed business model, DSPs should discuss with DPO.
Data Hosting	*Mandatory:** If the product provides any element of data hosting it must be onshore by default, offshore hosting arrangements, including redundant systems are managed by exception only.
Encryption Key Management	*Mandatory:** If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography
Encryption Key Management	*Mandatory:** If the product manages Encryption Key Management and public key infrastructure (PKI) policy must include asymmetric/public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography
Encryption at Rest	*Mandatory:** DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography
Encryption in Transit	Mandatory: Encryption in transit must use endorsed approved cryptographic protocol, for example, TLS 1.2 or TLS 1.3 as per Australian Government - Guidelines for using cryptography

Optional consideration for DSPs in Category E to strengthen security To improve the security of your ecosystem and product(s), please consider implementing the below security controls These controls are not mandatory, and you are not required to provide any evidence of implementation For further information regarding the below requirements, see page 15 onwards.
Audit Logging Certification Multi-Factor Authentication Personnel Security Security Monitoring Practices

Optional consideration for DSPs in Category E to strengthen security

To improve the security of your ecosystem and product(s), please consider implementing the below security controls
These controls are not mandatory, and you are not required to provide any evidence of implementation
For further information regarding the below requirements, see page 15 onwards.

Audit Logging
Certification
Multi-Factor Authentication
Personnel Security
Security Monitoring Practices