AUKUS and Defence Contractor Email Security: What Australian Businesses Need to Know

Dr. Sarah Mitchell
Head of Security & Compliance
February 25, 2026
11 min read

The AUKUS security partnership between Australia, the United Kingdom, and the United States has created a new compliance frontier for Australian businesses. Pillar II of AUKUS — advanced capability sharing in AI, cyber, quantum, and undersea domains — requires Australian businesses participating in the defence industrial base to meet security standards comparable to those applied to US and UK government contractors. For email specifically, this means satisfying not just the Australian Protective Security Policy Framework (PSPF) and Information Security Manual (ISM), but demonstrating compliance alignment with US NIST 800-171 and UK Cyber Essentials Plus.

Which Australian Businesses Are Affected?

  • ASC (Australian Submarine Corporation) suppliers and sub-contractors in the nuclear-powered submarine program.
  • BAE Systems, Hanwha, Rheinmetall, and other prime contractor supply chains for vehicle, ship, and aircraft programs.
  • ITAR-controlled technology businesses — any company dealing with US-origin defence articles, technical data, or services under the US International Traffic in Arms Regulations.
  • Cleared Defence Contractors (CDCs) — organisations holding facility security clearances (FACILITY SECRET or above).
  • Defence Science and Technology Group (DSTG) research partners — universities and commercial entities collaborating on sensitive research.
  • ADF-adjacent businesses — those with RAAF, Army, or Navy supply relationships involving sensitive technical information.

The PSPF and ISM Email Requirements

The Australian Government's Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) set the baseline security requirements for businesses handling government information. For email, ISM controls require:

  • DMARC at enforcement level (p=reject or p=quarantine minimum), with DKIM signing and SPF.
  • TLS 1.2+ for all email in transit.
  • AES-256 encryption at rest.
  • Multi-factor authentication for all email access (hardware security keys for PROTECTED-level).
  • Role-based access controls.
  • Audit logging retained for at least 7 years for PROTECTED-level information.

IRAP assessment of the email infrastructure is required for systems handling OFFICIAL: Sensitive and PROTECTED-classified information.
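As an added example (not ShieldBox's own code), the following Python check parses a domain's DMARC TXT record and tests it against the enforcement baseline stated above, including the sp= and pct= tags that can quietly weaken an otherwise "p=reject" record; the sample records and the example.com.au domain are constructed placeholders.

```python
# Added example (not ShieldBox code): assess a DMARC TXT record against the
# ISM baseline quoted above (p=reject or p=quarantine). Sample records below
# are constructed; example.com.au is a placeholder, not real DNS data.

ENFORCING = {"reject", "quarantine"}

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into {tag: value}, tags lower-cased."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> dict:
    """Return {'enforcing': bool, 'issues': [...]} for one DMARC record.

    'enforcing' is True only when the effective policy for the domain and its
    subdomains is reject/quarantine and applies to 100% of failing mail.
    """
    issues = []
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return {"enforcing": False, "issues": ["missing or invalid v=DMARC1 tag"]}
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        issues.append(f"p={policy or '<missing>'}: monitoring only, not enforcement")
    # sp= defaults to p= (RFC 7489); a weaker sp= silently exempts subdomains.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        issues.append(f"sp={sub_policy}: subdomains are not enforced")
    # pct= defaults to 100; anything lower lets a share of spoofed mail through.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        issues.append(f"pct={tags.get('pct')}: not a valid percentage")
    elif pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail is subject to p=")
    return {"enforcing": not issues, "issues": issues}

# Constructed sample records (placeholder domain)
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com.au"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com.au"

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)]:
        print(name, assess_dmarc(rec))
```

To run it against a live domain, feed the TXT value of `_dmarc.<domain>` (retrieved with any DNS resolver) into assess_dmarc.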

ITAR and Email: A Significant Compliance Risk

The US International Traffic in Arms Regulations (ITAR) control the export of defence articles and technical data. For Australian businesses licensed to access ITAR-controlled technical data — drawings, specifications, software source code for defence systems — email is a primary channel through which ITAR violations can inadvertently occur. Forwarding an ITAR-controlled document as an email attachment to a non-US-Person colleague, or storing it in a cloud email system accessible by non-US-Persons, is a potential ITAR re-export violation. US authorities have imposed significant penalties on Australian businesses for ITAR violations — fines up to USD $1 million per violation and potential debarment from US government contracts. Email systems that store ITAR-controlled data must be hosted in facilities that can satisfy US government access controls and handle citizenship-based access restrictions.

ITAR compliance for email: ShieldBox's PROTECTED-level IRAP-assessed platform supports the configuration of citizenship-based access controls, mandatory access logging, and data handling policies required for ITAR-controlled technical data. Contact compliance@shieldbox.com.au for ITAR-specific configuration guidance.

ASD Essential Eight for Defence Contractors

  • Maturity Level 2 minimum for most defence contractors — Maturity Level 3 for prime contractors and those handling PROTECTED information.
  • Patching applications: Email clients and servers patched within 48 hours for critical vulnerabilities (ML3).
  • MFA: Phishing-resistant MFA (hardware security keys or passkeys) required for email at ML3 — SMS-based MFA is insufficient.
  • Restrict administrative privileges: Email server administration strictly limited to cleared and vetted personnel.
  • Application control: Approved email clients only on devices accessing sensitive email.
  • Email content filtering: Sandboxing of all email attachments to detect malicious payloads.
  • Evidence and assurance: IRAP assessment of your email system is the primary mechanism for demonstrating ASD Essential Eight compliance to Defence procurement teams.
Tags: AUKUS, Defence, ITAR, PSPF, IRAP, ASD Essential Eight, Security Clearance, Defence Contractors
Dr. Sarah Mitchell
Head of Security & Compliance

Dr. Mitchell holds a PhD in Information Security from UNSW and spent 8 years at the Australian Signals Directorate before joining ShieldBox. She leads all security architecture, IRAP assessments, and compliance frameworks.