(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the notice.
(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the notice.
(3) The period specified in a notice under subsection (1) or (2) must not be earlier than the end of the 30-day period that began when the notice was given.
(4) A notice under subsection (1) or (2) may also require the entity to do any or all of the following things:
(a) allow one or more specified designated officers to observe the cyber security exercise;
(b) provide those designated officers with access to premises for the purposes of observing the cyber security exercise;
(c) provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise;
(d) allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice;
(e) give those designated officers reasonable notice of the time when the cyber security exercise will begin.
(5) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) the reasonableness and proportionality of the requirement in the notice; and
(c) such other matters (if any) as the Secretary considers relevant.
(6) Before giving a notice to an entity under subsection (1) or (2) in relation to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.