What is Right Fit for Risk (RFFR) and it's Accreditation Framework?
Right Fit For Risk (RFFR) is a risk-based approach used by the Australian Federal Government’s Department of Education, Skills, and Employment (DESE) to ensure the security of confidential data stored outside the department’s IT environment, particularly in the IT systems of contracted service providers.
RFFR accreditation ensures that providers meet specific IT security requirements to protect sensitive information related to delivering employment services, as well as digital information and records supporting the program. It involves implementing an information security management system (ISMS) and complying with relevant security controls.
Let Calvert guide you through the Right Fit For Risk (RFFR) Accreditation
Calvert's Expertise in Navigating Cybersecurity: Unveiling the Right Fit for Risk Questions
Right Fit For Risk accreditation is in place to ensure the security and protection of sensitive information collected and managed in the administration of employment services. As this information may be stored outside the Department of Education, Skills, and Employment’s (DESE) IT environment, it’s crucial to have a standardised approach that verifies the IT security of contracted service providers.
RFFR accreditation helps mitigate the risk of data breaches, unauthorised access, and other security vulnerabilities, thereby safeguarding the confidentiality and integrity of the information.
Not all businesses are required by the government to be RFFR compliant. This requirement specifically pertains to contracted service providers who are involved in delivering employment services under the New Employment Services Model. These service providers, if awarded a licence, are mandated to obtain and maintain RFFR accreditation for their IT systems.
The accreditation process involves meeting the IT security standards set out in the External Systems Assurance Framework (ESAF) and adhering to the relevant security controls.
Yes, the Essential 8 is a part of the RFFR framework. The Essential 8 is a set of cybersecurity controls developed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against a range of cyber threats.
These controls are designed to provide a baseline level of security that organisations can implement to mitigate common and high-impact cyber threats.
It’s important to note the Essential 8 is NOT a security framework and just because an organisation may have full adherence to the Essential 8 does not mean they are secure.
There are plenty of areas which are not covered by the Essential 8 (eg end point protection, perimeter protection (aka firewalls), device management, and more)
In recent news, the Australian federal government has appointed its inaugural Cyber Security Coordinator, Air Vice-Marshal Darren Goldie AM CSC, with the aim of advancing the nation’s cyber security efforts and positioning Australia as a global leader in this realm.
Operating within the framework of the Home Affairs office and with support from the National Office for Cyber Security, the National Cyber Security Coordinator will work alongside the Minister of Cyber Security to coordinate national cyber security policies, manage responses to significant cyber incidents, bolster government-wide cyber incident readiness, and enhance Commonwealth cyber security capabilities
Recent announcements from the Australian Government about changes to the Privacy Act, and other announcements about the desire for Australia to become the most cyber-secure nation mean all organisations are going to need to improve their cyber-security posture.
Other frameworks are expected to be adopted by the rest of the government departments, with these filtering down to the state and territory based departments and subsidiaries as well. The ultimate impact will be the requirement for every organisation to meet both contractual requirements, as well as legislated requirements.
A few years ago the European Union adopted the General Data Protection Regulation (GDPR) which is a European Union regulation on information privacy applied to all European organisations and the European Economic Area. GDPR adoption was first announced in 2016, and became enforceable in 2018, giving organisations 24 months to get compliant.
The government of the USA has begun to take steps toward adopting similar regulatory changes and we anticipate a similar approach by the Australian Government – in fact based on the 2022 Optus and Medibank data breaches they have already begun the journey, as is evidenced by the announced Privacy Act changes.
So what should you do? Don’t wait until you only have 24 months to get compliant as it can be a major change for an organisation. Our recommendation is to start taking steps to improve your cyber-security posture now so the final leap is less onerous.
Calvert Technologies is well equipped to assist businesses along the journey of ensuring they are ready for when compliance becomes mandated.
Calvert were instrumental in our achieving RFFR accreditation. Calvert provided us with incredible service and went above and beyond to ensure our systems compliance against a significant number of strict cybersecurity controls.
Calvert were approachable, adaptable, and knowledgeable in the technical aspects of the RFFR programs requirements and worked diligently with all stakeholders to ensure we achieved our business goals.