Australia’s New Gateway Security Guidance: What Leaders & SOC Teams Should Know

August 19, 2025

On 24 July 2025, the Australian Department of Home Affairs released a major update to its Protective Security Policy Framework (PSPF) as part of the Commonwealth Uplift Reforms, overhauling how government agencies secure their internet gateways[1]. Gateways are the boundary systems controlling traffic between an organisation and the outside world.

This update replaces the old Gateway Security Policy with a new, mandatory Gateway Security Standard, which sets minimum security standards that Commonwealth entities must apply for gateway capabilities[1].

In tandem, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) published updated guidance to align with the new standard and reflect modern security practices[2]. As someone immersed in the challenges of government gateway security at Verizon for over 14 years, I believe the recent advice marks a dramatic shift in approach.

Gateways are getting long-overdue attention to meet today’s threat environment. It’s been a long time since there’s been an in-depth review of how those systems operate, and this new guidance is the culmination of several years of effort and industry consultation.

Why now?

The impetus for this update comes from an increasingly complex cyber threat landscape and a strong push under Australia’s 2023–2030 Cyber Security Strategy for more resilient digital infrastructure.

Gateway security is explicitly part of that national strategy: the new Gateway Standard supports modern architectures (like cloud-native Security Service Edge solutions) and forms part of Australia’s broader resilient digital infrastructure initiative[3].

After decades of agencies managing their own secure Internet Gateways (SIGs) or relying on shared services, the government is formalising best practices to ensure consistency and robustness across 194 agencies. Coordinating such a wide range of entities has historically been challenging, but having a National Cyber Security Coordinator and clear strategic mandates (such as “Shield 4” in the cyber strategy, which calls for hardened government infrastructure) has proven to be a mobilising force. In short, rising threats and high-level government commitment have converged to make gateway security a renewed priority.

Gateway security guidance package overview

Key Updates in the 2025 Gateway Guidance

The new Gateway Security Guidance Package is comprehensive. It spans executive guidance, design principles, operations, and technical specifications[5]. For busy senior leaders, several key takeaways stand out:

Gateway Security Is Now Mandatory and Standardised.

Previously, gateway requirements were often guidelines or “opt-in” best practices; now they are formal standards. The updated guidance makes it clear that protecting internet gateways is not optional but required for government entities[1]. Agencies have greater flexibility in how to implement gateways (including using cloud services or shared providers), but any chosen solution must meet the baseline security outcomes defined by the new Gateway Standard[8].

Going Beyond Firewalls to Address Modern Threats.

The guidance recognizes that gateway architectures have evolved beyond the old monolithic firewall model. Hybrid and cloud-native gateways are now common[9]. The new standard explicitly accommodates cloud-based gateway services (e.g. SASE/SSE), remote work access, and modern architectures without forcing all traffic through one on-premise choke point. It also covers a broad range of gateway services, not just web proxies and firewalls, but also DNS security, email filtering, reverse proxy for inbound traffic, remote access gateways, and key management[10].

This holistic approach ensures that all channels between government networks and the internet are subject to security controls. The guidance brings this together in a comprehensive document. Areas like cloud services, email, and DNS, which had been discussed in isolation before, are now unified under one framework.

Explicit Emphasis on Threat Intelligence Integration.

One of the most notable additions is a requirement to embed Cyber Threat Intelligence (CTI) into gateway operations. The guidance makes clear that gateway solutions play a significant role in both the collection and actioning of threat intelligence[11]. Practically, this means agencies operating gateways are expected to gather intel from network traffic and leverage threat feeds to detect malicious activity. In fact, for the first time the government is saying that if you operate a gateway, you need a CTI program and the ability to share threat information as part of it. This ties into ASD’s Cyber Threat Intelligence Sharing (CTIS) initiative, a platform for two-way sharing of threat data across government and industry.

The recent direction to all agencies (NCCEs) was unambiguous: by mid-2025 every agency had to connect to ASD’s CTIS platform and actively share and consume threat intel[12][13]. More teams are looking at how they can operationalize threat intelligence into their environments, reflecting a broader trend to integrate CTI with Security Operations Center (SOC) activities. For executives, this translates to ensuring your security teams have dedicated threat intel capabilities (either in-house or via providers) and that they participate in community intel sharing. It’s now table stakes for gateway security.

Continuous Monitoring and Security Operations Uplift.

The guidance also reinforces the importance of robust Security Operations Centers (SOCs) and ongoing monitoring as part of gateway programs. Gateways are only as effective as the visibility and incident response around them. The standard mandates adequate logging and telemetry from gateway systems, and feeding those logs into centralised monitoring for incident detection[14]. It even specifies that encrypted traffic must be either decrypted or otherwise inspected to avoid blind spots[15].

The implication for SOC teams is a higher operational bar. They must be capable of consuming gateway logs, hunting for threats, and responding to incidents in real time. Mid-sized agencies in particular may struggle to meet these stringent requirements with existing staff.
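As an added example (not code from the ASD guidance package or from Verizon), here is a small Python check of the kind a SOC might run over centralised gateway telemetry once it is being collected: it matches web-proxy and DNS records against a threat-intelligence indicator set of the sort consumed from a sharing platform, and separately flags encrypted connections that were allowed through without inspection, the blind spot the standard calls out. The log format, field names, and every indicator, domain and address are constructed for the example (documentation address ranges, .test domains), not taken from any real feed.

```python
"""Match constructed gateway telemetry against a constructed CTI indicator set.

Added example; not code from the ASD guidance or any gateway product.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed indicator set. 203.0.113.0/24 and 198.51.100.0/24 are IETF
# documentation ranges and are never routable; the domains are invented.
CTI_INDICATORS = {
    "domains": {"update-check.example-bad.test", "cdn.example-bad.test"},
    "ips": {"203.0.113.45"},
    "cidrs": {"198.51.100.0/24"},
}

# Constructed gateway telemetry: one JSON record per line, as a web proxy and a
# DNS resolver might emit them into a central log pipeline. Field names are assumed.
SAMPLE_LOGS = """
{"ts": "2025-08-01T09:00:01Z", "service": "proxy", "src": "10.1.2.3", "dst_ip": "192.0.2.10", "host": "intranet.agency.example", "action": "allow", "tls_inspected": true}
{"ts": "2025-08-01T09:00:05Z", "service": "dns", "src": "10.1.2.3", "query": "www.cdn.example-bad.test", "answer": "203.0.113.45", "action": "allow"}
{"ts": "2025-08-01T09:00:06Z", "service": "proxy", "src": "10.1.2.3", "dst_ip": "203.0.113.45", "host": "www.cdn.example-bad.test", "action": "allow", "tls_inspected": false}
{"ts": "2025-08-01T09:01:12Z", "service": "proxy", "src": "10.1.7.9", "dst_ip": "198.51.100.77", "host": "files.partner.example", "action": "allow", "tls_inspected": true}
{"ts": "2025-08-01T09:02:00Z", "service": "proxy", "src": "10.1.7.9", "dst_ip": "192.0.2.55", "host": "mail.agency.example", "action": "allow", "tls_inspected": false}
""".strip()


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    rule: str        # which check fired
    indicator: str   # matched indicator, or the host for a visibility gap


def to_networks(cidrs):
    """Parse CIDR strings once so each record is checked cheaply."""
    return [ipaddress.ip_network(c) for c in cidrs]


def domain_hit(name, domains):
    """Return the indicator matched by `name` (exact or parent domain), else None."""
    name = name.lower().rstrip(".")
    for ind in domains:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def ip_hit(addr, ips, networks):
    """Return the indicator matched by `addr` (exact IP or containing CIDR), else None."""
    if addr in ips:
        return addr
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. a CNAME answer rather than an address
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def evaluate(log_text, indicators=CTI_INDICATORS):
    """Run every record through the CTI and inspection checks; return the alerts."""
    networks = to_networks(indicators["cidrs"])
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Names and addresses seen by either the proxy or the resolver.
        for name in filter(None, (rec.get("host"), rec.get("query"))):
            ind = domain_hit(name, indicators["domains"])
            if ind:
                alerts.append(Alert(rec["ts"], rec["src"], "cti-domain", ind))
        for addr in filter(None, (rec.get("dst_ip"), rec.get("answer"))):
            ind = ip_hit(addr, indicators["ips"], networks)
            if ind:
                alerts.append(Alert(rec["ts"], rec["src"], "cti-ip", ind))
        # A visibility gap rather than a threat: encrypted traffic allowed through
        # with no decryption or other inspection, so the gateway saw nothing.
        if (rec.get("service") == "proxy" and rec.get("action") == "allow"
                and not rec.get("tls_inspected", False)):
            alerts.append(Alert(rec["ts"], rec["src"], "uninspected-tls", rec.get("host", "?")))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a SOC dashboard or daily report would want."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.src} {a.rule:16} {a.indicator}")
    print(summarize(found))
```

The parent-domain match matters because indicator feeds usually list the registrable domain while traffic logs show individual hostnames under it; the CIDR check covers feeds that publish hosting ranges rather than single addresses. The `uninspected-tls` rule is deliberately separate from the CTI rules: it reports where the gateway could not see, which is the metric to track when deciding how much of the decryption obligation has actually been met.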

As a leader, it’s important to assess whether your organisation’s SOC needs additional resources, tooling, or external support to handle the increased telemetry and threat hunting obligations. (Notably, the guidance encourages agencies to leverage shared services or commercial Managed Security Service Providers if they cannot do it alone, a continuation of the model where smaller agencies piggyback on larger ones or expert vendors for gateway operations.)

Risk Ownership and Shared Responsibility.

A fundamental message of the 2025 guidance is that outsourcing a service does not outsource the risk. No matter how an agency obtains its gateway security - whether building in-house, using a lead agency’s gateway, or buying from a commercial provider - the accountability for protecting government data stays with the agency. The official guidance states plainly: “the procurement of goods and services does not transfer the operational risk from the Commonwealth”[16]. In other words, an organisation always owns its security risk, even if implementation is handled by others[17]. This is a crucial point for senior executives to internalise. Agencies can’t just outsource these services and then also outsource the risk. Leaders must actively manage and govern third-party arrangements. 

The new standard requires formal shared responsibility models with providers, delineating who handles which security controls and how risks are mitigated[18][19]. It also calls for third-party risk assessments (including considerations like foreign ownership influence) when using external gateway vendors[18].

For leaders, this means if you’re consuming a gateway-as-a-service, you need to ensure contracts, SLAs, and oversight mechanisms are in place so that your agency maintains visibility and control over security outcomes. Regular assurance activities, such as independent audits or IRAP assessments of the gateway, should be conducted to verify the provider is meeting the required standards[20][21]. Ultimately, the guidance underscores that risk cannot be outsourced[17], and that senior executives are accountable for their organisation’s cyber risk posture even when services are delivered by others.

“Risk-Based” and Flexible Approach.

The tone of the new guidance is notably principles-based and risk-oriented. Rather than prescribing one gateway architecture, it allows agencies to choose solutions that suit their environment - whether a traditional centralised gateway, a distributed cloud-based approach, or a hybrid model - as long as they achieve the necessary security outcomes. This shift to a “risk-managed, principles-based approach” empowers entities to innovate with new technologies (like SD-WAN or cloud security services) without needing case-by-case waivers[22][23].

However, with greater flexibility comes the need for stronger internal governance. Agencies must formally authorise their gateways via the standard Authority to Operate (ATO) process, just as they do other critical systems[24]. Gateway environments will require periodic re-authorisation (at least every two years is recommended) to ensure they keep up with evolving threats[25]. For executives, this means you should expect gateway security to be a continual process, not a one-off project, including regular risk assessments, control updates, and re-certification as your architecture or the threat environment changes. In short, the new model is “continuous assurance and improvement”[23], moving away from set-and-forget gateways.

Implications for Enterprise and Beyond Government

While the Gateway Security Standard is mandated for federal agencies, its influence will extend into the broader enterprise sector. Historically, many large Australian companies and state government bodies look to ASD’s guidance and the Essential Eight as de facto best practices. This trend will likely continue with the new gateway guidelines.

Modern enterprises face similar perimeter security challenges, from securing cloud connectivity to handling advanced threats, and there are few comprehensive frameworks tailored to them. There’s not a lot of thought leadership out there around how enterprises should set up and run their internet gateways, so industry tends to pay close attention to government standards. Forward-leaning organisations in banking, telecom, critical infrastructure, and other sectors may choose to voluntarily align with the 2025 Gateway Guidance to benchmark their own gateway and SOC programs.

There are immediate lessons for enterprise leaders here. Just like government CISOs, corporate security leaders should ask: Do we have clear ownership of cyber risk when using third-party network services? Are we leveraging cyber threat intelligence in our network defense (and participating in sharing communities)? Are our gateway controls covering the full range of services (DNS, email, web, cloud apps) and feeding into a 24x7 SOC capability? Even if not bound by the PSPF, treating these as must-have elements of your security strategy will strengthen your organisation’s defense. The government’s guidance emphasizes fundamentals applicable to any large environment, such as visibility, defence-in-depth, continuous monitoring, and risk management. By adopting a similar approach, enterprises can achieve a more resilient perimeter. In effect, the bar is being raised for what constitutes a “secure gateway,” and forward-thinking business leaders will want to ensure their organizations keep pace with this higher standard.

Next Steps for Leaders

1. Review the New Guidance and Assess Gaps. Senior executives should start by having their teams review the Gateway Security Guidance Package (Executive Guidance)[26] and the Gateway Security Standard. Identify which recommended controls and practices you already have in place and where the gaps are. Many agencies will find they need to bolster areas like threat intelligence processes, advanced threat detection at the gateway, or formalisation of vendor risk management. An honest gap analysis is the first step; some organisations may enlist an independent review (for example, an IRAP assessor or third-party consultancy like Cosive) to baseline their current gateway posture against the new standard.

2. Engage Peers and Share Strategies. I often advise executives to reach out to their counterparts in other agencies or industries, not to compare grades, but to exchange approaches. Now that everyone is tasked with meeting these gateway standards, there’s value in pooling knowledge on what solutions work best. Whether through formal forums, cross-agency working groups, or informal networks, leaders should compare notes. You might discover that another organisation has solved a challenge (for example, scalable SSL/TLS inspection or automating CTI feeds into a SIEM) that your team is grappling with. Cyber security is a team sport at the national level. The more alignment and shared wisdom among leaders, the stronger our collective defenses will be.

3. Strengthen Governance and Ownership. Make sure the governance framework around your gateway is updated. This could mean establishing a formal Gateway Security Program or steering committee that includes stakeholders from security, IT, risk, and procurement. Ensure roles and responsibilities are crystal clear, especially if you rely on an external gateway service or a lead agency provider. Document the shared responsibility model[19]: who is responsible for patching, for monitoring logs, for responding to incidents, for updating rulesets, etc. Set up regular reporting on gateway performance and security events to your risk or audit committee. The goal is to maintain executive visibility into how well the gateway controls are functioning. Remember, if something slips through the gateway and causes an incident, your organisation will be held accountable, so governance must be proactive.

4. Invest in Your SOC and CTI Capabilities. Given the new emphasis on threat intelligence and continuous monitoring, leaders should evaluate whether their security operations team has the capacity and skills to meet these expectations. Do you have a Cyber Threat Intelligence function (even a one-analyst team or an external service) to analyse threat data and advise on indicators to block? Is your SOC performing regular threat hunting on gateway logs? If not, now is the time to build those muscles. This might involve training staff on CTI analysis, joining the CTIS program, or implementing new tools for network detection and response. For some, it may be more efficient to partner with providers. Many Managed Security Service Providers offer CTI-driven monitoring that could fill a gap for mid-sized agencies. The key is not to treat the gateway as just a set-and-forget device; it should be an actively monitored and intel-informed defense platform. Leaders will need to allocate budget and attention accordingly.

5. Plan for Transition and Compliance. Finally, develop a roadmap to achieve compliance with the Gateway Standard’s “must” requirements and to adopt the “should” recommendations where feasible. The PSPF update is effective now, but entities will be working to implement changes over coming months. Prioritise quick wins like enabling Protective DNS services or updating configurations in line with ASD hardening guidance (those often have immediate security benefit).

Simultaneously, plan for more resource-intensive tasks. For example, if an IRAP assessment of your gateway is needed, schedule it sooner rather than later given the demand on the assessor pool. Treat this as an opportunity to uplift your organisation’s overall security maturity. Don’t hesitate to seek help, whether from ASD, other agencies, or industry experts, to ensure your gateway program meets the new standards.

Conclusion

The 2025 Gateway Security Guidance represents a significant step forward in Australia’s cyber defense. It codifies lessons learned over decades of securing government perimeters and responds to the realities of a cloud-connected, threat-rich world. For senior leaders, be it in government or the private sector, the message is clear: take ownership of your cyber gateway and the risks that come with it. By investing in modern gateway capabilities, integrating threat intelligence, and insisting on continuous security assurance, you comply with policy and actively protect your organisation’s mission in the digital realm.

As an executive, your support and oversight of these initiatives will determine their success. The new standards may be stringent, but they are achievable with a proactive, informed approach. In my experience, those who lean into these changes, treating them not as a checklist but as a strategic framework, will find their organisations more resilient and prepared for whatever cyber threats come next.

In the words of the ASD guidance, gateways should be “well governed, provide operational visibility, enforce security policy and protect from known cyber threats”[27]. With leadership commitment, that is exactly what we can accomplish.

Citations

Australian Cyber Security Centre (ASD)

Macquarie Government

Australian Government / Home Affairs

Protective Security Policy Framework (PSPF)