Context
An Australian government entity is assessing a managed network services provider responsible for monitoring, maintenance, and escalation support across critical communications infrastructure.
The provider operates domestically but relies on external software dependencies and maintains an offshore escalation pathway for specialist support functions.
Intake
- Core service delivery is performed within Australia under domestic control.
- External software dependency is maintained by a third-party vendor in a Five Eyes jurisdiction.
- Offshore escalation support exists for specialist fault resolution and incident handling.
- Privileged access is controlled but may be extended during escalation events.
- Update and patching processes involve third-party coordination.
- No direct foreign ownership or board-level control is present.
Assessment
Risk level is medium.
Ownership and direct influence risk remain low. However, dependency on externally maintained software and the presence of an offshore escalation pathway introduce control and exposure risks during fault conditions.
Risk is bounded but not eliminated. Control may shift temporarily during escalation events, and dependency on external update and maintenance processes introduces operational exposure.
These risks can be managed under defined constraints.
Directive
Decision: Approve with Conditions.
Approval may proceed under controlled conditions. Offshore escalation pathways, dependency management, and privileged access must be constrained and subject to explicit control.
Approval does not extend to higher-classified environments without reassessment.
Enforcement
Conditions are implemented through contract controls, technical restrictions, and monitored access pathways.
Offshore escalation must be disabled by default and require explicit approval for activation.
Privileged access must remain under Australian control with full audit visibility.
All updates and dependency changes must pass through an Australian-controlled verification stage.
Support scope must remain bounded to defined functions.
Monitoring
The case remains under scheduled review.
Reassessment is triggered by changes in software dependency, expansion of offshore support scope, changes in escalation pathways, and changes in classification or operational use.
Control effectiveness must be validated periodically.
Procurement Brief
Decisions are issued as procurement briefs used in formal review and approval processes.
Outputs align to existing authority structures. Final decisions remain with the designated authority.
The current environment is for controlled demonstration and validation. Sensitive operational use requires a domestically governed production deployment.