AustraliaOS

Australian Managed Network Services Provider Assessment

Subject: Australian Managed Network Services Provider (Anonymised)
Summary
Medium-risk supplier with bounded offshore dependencies. Approval can proceed under defined controls with domestic oversight maintained.
Assessment Outcome
Risk level: Medium
Risk score: 46/100
Confidence: 82
Key Risks
  • External software dependency in a Five Eyes partner jurisdiction
  • Controlled offshore support escalation pathway
  • Exposure to government communications infrastructure
  • Need for domestic oversight continuity
Decision: Approve with Conditions
Required Controls
  • Offshore escalation is disabled by default.
  • Explicit approval is required for any offshore support activation.
  • Domestic oversight is retained for all privileged actions.
  • Software updates for the external dependency are reviewed through an Australian-controlled verification path.
  • No standing offshore privileged access.
  • No expansion of support scope without reassessment.
  • No use in higher-classified environments without further review.
Mandatory Mitigations
  • Require immutable logging of privileged and support actions.
  • Insert contractual notice requirements for dependency or subcontractor changes.
  • Require periodic review of software dependency and escalation pathway controls.
Enforcement Requirements
  • Require notice of any subcontractor, support-path, or ownership change within 5 business days.
  • Bind the supplier to maintain Australian control over privileged governance and approval workflows.
  • Keep offshore escalation disabled by default in production environments.
  • Require logged approval workflow before any offshore escalation activation.
  • Retain immutable logging for all privileged, support, and escalation actions.
  • Route updates for the external dependency through an Australian-controlled verification path.
  • Restrict deployment to OFFICIAL environments unless reassessed.
  • Prohibit scope expansion or persistent offshore support enablement without reassessment.
  • Preserve support records, approval records, and assessment artifacts for audit.
  • Retain evidence of dependency reviews and escalation-control testing.
Monitoring
  • Review due: 17 April 2027.
  • Change in subcontractor or software dependency
  • Change in support escalation pathway
  • New foreign legal exposure affecting a supporting vendor
  • Change in classification or operational use
Final Procurement Position
Approve with Conditions under current controls. Reassess before any expansion of offshore support, change in dependency profile, or use in higher-classified environments.