This page provides information about the Operational framework for you and your products.
The growth of our digital wholesale services increases productivity and community connectivity across the digital economy. This connectivity presents a range of service opportunities, business risks and security implications for the organisation and the Australian community.
The Operational Framework is part of our response to these risks and establishes how we will provide access to and monitor the digital transfer of data through software.
We have developed an interim assessment approach to provide us the confidence and certainty we need of your products. This assessment is multi-dimensional and takes into account the risk of each API against the level of confidence we have in the consumer of that API. It also establishes the obligation for joint security monitoring. The Operational Framework questionnaire is a key part of this assessment and needs to be completed by digital service providers (DSPs) wanting to consume our services.
Refer to the Operational Framework information pack for more information.
Since September 2016, work has been underway to develop the elements of the framework. We are currently working closely with a number of DSPs, industry associations and across Government to address five issues identified through our interim assessment:
- Registration and assessment (including transitioning DSPs to the updated process)
- Multi-factor authentication.
- Onshore/offshore hosting arrangements.
- Supply chain visibility.
- Encryption in transit.
We are working with ABSIA and other industry associations on ensuring our requirements are practical but sufficiently protect the integrity of the taxation and superannuation system.
An update (PDF, 732.39KB) of the certification component of the framework was discussed at the Strategic working group (SWG). The group was informed that the purpose of the questionnaire is to advise us about the product, environment and work practices of developers. We will use the information to make a decision on granting access to transact electronically. There is no minimum requirement other than completing the questionnaire accurately. Minutes (PDF, 377.49KB) are available.
An update (PDF, 732.39KB) was prepared following the discussion at the Technical Working Group (TWG) meeting. The latest version (0.8) of the instructions (PDF, 438.29KB) to assist SWD to complete the security operational questionnaire is now available.
The draft minimum Third party products and services minimum security requirement and Third party products and services security policy requirements were shared at the 21 July 2016 Technical working group. Minutes (PDF, 361.69KB) are available.
Action items include:
- The ATO to confirm to developers it complied with the minimum security requirements.
- ATO General Counsel to advise whether the consultation papers represent a software developer indemnity.
- The ATO to publish a summary of the security review outlining the intent behind and recommendations to provide minimum security requirements to software developers.
The Operational framework for developers and service providers (PDF, 724KB) is now available. Feedback can be provided to the Software Industry Partnership Office at any time.
Consultation with the working group is complete.
- 8 September - Strategic working group
- 21 July – Technical working group
- 3 March – ATO-SwD Partnership Event – framework discussion
- 17 February – Phone meeting on proposed certification minimum requirements with working group
- 19 January – Phone meeting on certification with the working group
- 17 December – Initial phone meeting on registrations with the working group
- 25 November – ABSIA representative at ATO workshop in Canberra
For feedback and questions email Software Industry Partnership Office.