Securing the Software Supply Chain: A Guide to ISM, IRAP, and the Essential Eight
Australia has long been a global leader in setting cybersecurity standards, with formal regulatory frameworks dating back to the early 2000s and the introduction of the Information Security Manual (ISM). Originally developed by the Defence Signals Directorate and now maintained by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, the ISM was designed to safeguard government systems against emerging cyber threats. Over the years, it has evolved significantly, transitioning from a government-only focus to broader applicability across critical infrastructure and the private sector. In 2017, the Essential Eight mitigation strategies were introduced, distilling the most critical elements of the ISM into a practical, prioritised set of controls to help organisations uplift their cyber resilience against a rapidly changing threat landscape.
In the past five years, software supply chain security has become a dominant concern, fuelled by high-profile incidents like SolarWinds, Kaseya, and Log4Shell. These events exposed the vulnerabilities inherent in the complex, interconnected systems that underpin modern software delivery. In response, Australia’s cybersecurity frameworks have adapted.
In this blog, we’ll walk through the background and structure of both the ISM (and its assessor program, the Information Security Registered Assessors Program (IRAP)) and the Essential Eight, explain who these frameworks impact, and examine how they have been updated to better address software supply chain security risks. We’ll also outline how Chainguard’s solutions can help organisations not just meet these evolving requirements but build a stronger, more resilient foundation for securing their software supply chains.
The relationship between ISM, IRAP, and the Essential Eight
Originally focused on safeguarding Australian government systems, the application of the ISM has expanded over time to include critical infrastructure, state governments, and private organisations handling sensitive information. It lays out a principles-based approach to cybersecurity, covering governance, risk management, and technical controls across a wide range of domains.
To help organisations demonstrate compliance with the ISM, particularly when seeking to work with government clients, the government established IRAP. Through IRAP, certified assessors evaluate systems against ISM standards, assessing the effectiveness of those controls necessary for processing classified information up to the SECRET level. Together, the ISM and IRAP form a structured pathway for organisations aiming to achieve and prove strong cybersecurity postures.
While the ISM provides a comprehensive and detailed set of security principles, implementing its full scope can be complex. Recognising the need for a more practical, prioritised approach, the ACSC introduced the Essential Eight. This set of eight critical mitigation strategies helps organisations, especially those with fewer resources, focus their efforts on the most impactful security controls. In effect, the Essential Eight complements the ISM, offering a practical starting point or subset for organisations aiming to uplift their cybersecurity maturity.
Who is impacted by IRAP and the Essential Eight?
IRAP assessment is mandatory for outsourced information technology, cloud service providers, and gateway providers prior to processing and storing Australian government data. An IRAP assessment may also be conducted for on-premises government systems.
An IRAP security assessment report is prepared by the independent IRAP assessor. This report is used as part of the package of documents provided to the Authorising Officer to enable a decision to be made as to whether to authorise a system.
The Essential Eight is mandatory for Federal government agencies, which are required to implement the Essential Eight to Maturity Level Two as part of the Australian Government Protective Security Policy Framework. Annual reporting on compliance is required to both the relevant minister and the Department of Home Affairs.
State and territory government agencies holding or accessing Australian Government security classified information are also required to implement Essential Eight Level Two as part of this framework. Additionally, most state and territory governments require their agencies to implement the Essential Eight and also provide an annual security attestation.
The private sector—from SMBs through to Critical Infrastructure—may also adopt the Essential Eight. Generally, Level One is suitable for small to medium enterprises, Level Two for large enterprises, and Level Three for Critical Infrastructure Providers. Meeting Essential Eight requirements can also be a contractual requirement placed on third-party providers by either government or private enterprises.
What are the requirements, and how have they evolved?
IRAP and the ISM
IRAP assessments are grounded in the ISM’s comprehensive security framework, which covers categories like governance, personnel security, physical security, and information and communications technology (ICT) security.
As supply chain risks have become more prominent, the ISM has incorporated new areas of focus to ensure organisations are addressing vulnerabilities not just in their own environments, but across their vendor and software ecosystems.
Key ISM areas related to supply chain security include:
Software integrity validation: A cryptographically verifiable chain of trust is provided and assessed before deployment.
Software Bill of Materials: Transparency of software composition is provided to the consumers of that software.
Third-party supplier assessments: Applications are sourced from suppliers that have demonstrated a commitment to security.
Vendor commitment to Secure by Design and by Default: Including memory-safe programming practices.
Secure software development lifecycle (SDLC) practices: Integrating SecDevOps practices into the development pipeline.
Patch and vulnerability management: Ensuring rapid remediation of third-party software vulnerabilities.
Hardening build and deployment environments: Preventing access and modification of the authoritative source for software.
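The first two ISM areas above, software integrity validation and the SBOM, come together at the deployment gate: the build system signs an attestation that binds the artifact digest and the SBOM digest to a builder identity, and the deployer verifies that attestation against a key it has pinned out of band before anything runs. The Go program below is an added illustration written for this post, not Chainguard's code and not a real in-toto or SLSA schema; the attestation layout, the builder identity `ci.example.internal`, and the artifact and SBOM bytes are all constructed for the example. It uses Ed25519 from the Go standard library and shows the four ways the gate should refuse a deployment: an unknown builder, a bad signature, a swapped artifact, and a swapped SBOM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation binds an artifact and its SBOM to the build that produced them.
// The field layout is a constructed illustration for this post, not a
// standard schema.
type Attestation struct {
	ArtifactDigest string // hex SHA-256 of the deployable artifact
	SBOMDigest     string // hex SHA-256 of the SBOM describing that artifact
	Builder        string // identity of the build system that signed it
	Signature      []byte // Ed25519 signature over payload()
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// payload is the canonical byte string that gets signed. Newline separators
// keep the field boundaries unambiguous.
func (a Attestation) payload() []byte {
	return []byte(a.ArtifactDigest + "\n" + a.SBOMDigest + "\n" + a.Builder)
}

// Attest is the build-side step: hash the outputs and sign them.
func Attest(priv ed25519.PrivateKey, builder string, artifact, sbom []byte) Attestation {
	a := Attestation{ArtifactDigest: digest(artifact), SBOMDigest: digest(sbom), Builder: builder}
	a.Signature = ed25519.Sign(priv, a.payload())
	return a
}

var (
	ErrUntrustedBuilder = errors.New("attestation not from a trusted builder")
	ErrBadSignature     = errors.New("attestation signature invalid")
	ErrArtifactMismatch = errors.New("artifact digest does not match attestation")
	ErrSBOMMismatch     = errors.New("SBOM digest does not match attestation")
)

// VerifyForDeploy is the deployment gate. trusted maps builder identity to the
// public key the deployer pinned out of band; the signature is checked before
// the digests so a tampered attestation is rejected outright.
func VerifyForDeploy(trusted map[string]ed25519.PublicKey, a Attestation, artifact, sbom []byte) error {
	pub, ok := trusted[a.Builder]
	if !ok {
		return ErrUntrustedBuilder
	}
	if !ed25519.Verify(pub, a.payload(), a.Signature) {
		return ErrBadSignature
	}
	if digest(artifact) != a.ArtifactDigest {
		return ErrArtifactMismatch
	}
	if digest(sbom) != a.SBOMDigest {
		return ErrSBOMMismatch
	}
	return nil
}

func main() {
	// Constructed build key and trust store for the demonstration.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"ci.example.internal": pub}

	artifact := []byte("constructed artifact bytes")
	sbom := []byte(`{"components":[{"name":"zlib","version":"1.3.1"}]}`)
	att := Attest(priv, "ci.example.internal", artifact, sbom)

	tampered := append([]byte{}, artifact...)
	tampered = append(tampered, 0x90)

	fmt.Println("clean artifact:   ", VerifyForDeploy(trusted, att, artifact, sbom))
	fmt.Println("tampered artifact:", VerifyForDeploy(trusted, att, tampered, sbom))
	fmt.Println("tampered SBOM:    ", VerifyForDeploy(trusted, att, artifact, []byte("{}")))
}
```

The trust store is the important design choice: the deployer decides which builder keys it accepts, so an attestation signed by any other key, however well formed, never reaches the digest checks. Pinning the SBOM digest alongside the artifact digest also means the composition record a consumer relies on cannot be quietly replaced after the build.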
For IRAP assessment success, engineering and security teams must align with assessors on all evaluation aspects, prepare comprehensive documentation, and ensure readiness for the in-depth assessment of key areas. Significant effort needs to be made to ensure organisations are ready for the IRAP assessment.
The Essential Eight
The Essential Eight framework, while narrower in scope, has also evolved to meet the demands of modern threat landscapes. While specifics vary by Maturity Level, broadly, the strategies are:
Patch Applications: Prevent exploitation of known vulnerabilities by patching all online services and applications within 2 weeks of release (or 48 hours for critical or known exploited vulnerabilities).
Patch Operating Systems: Ensure the OS is secure and current by applying OS patches within 2 weeks of release for internet-facing servers (or 48 hours for critical or known exploited vulnerabilities).
Multi-Factor Authentication: Strengthen authentication processes using authentication techniques that rely on something users know as well as something users have.
Restrict Administrative Privileges: Limit the ability of attackers to escalate privileges or modify systems.
Application Control: Prevent execution of unauthorised or malicious applications.
Restrict Office Macros: Prevent macro-based malware attacks by disabling macros unless digitally signed by a trusted source.
User Application Hardening: Limit features that can be exploited by attackers by disabling unnecessary features in applications and blocking browser pop-ups and plug-ins.
Regular Backups: Regularly back up data to ensure data recovery after a compromise.
These strategies are organised into four maturity levels (Level Zero indicating gaps below baseline), guiding organisations from a basic baseline (Level One) to a more robust security posture (Level Three) designed to defend against more malicious and adaptive actors.
Recognising that adversaries quickly weaponise new vulnerabilities, the ACSC updated its guidance in 2023 so that any vulnerability assessed as critical by the vendor—not just one known to be exploited—must be addressed within 48 hours. This applies to both internet-facing applications and operating systems.
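The patching windows quoted above (48 hours for vendor-critical or known-exploited vulnerabilities, two weeks otherwise) are easy to state and easy to drift from, so the useful artefact is a check that runs over your own patch records. The Go program below is an added example for this post, not ACSC tooling and not Chainguard's code; the `Finding` record layout and the sample findings are constructed, and it applies only the two windows the post gives, with no attempt to reproduce the full maturity-level tables. It classifies each finding as compliant, late (patched after the deadline), overdue (still unpatched past the deadline) or in-window, which is the split an auditor actually asks about.

```go
package main

import (
	"fmt"
	"time"
)

// Finding is one vulnerability on one asset. Constructed layout for this post.
type Finding struct {
	ID             string     // constructed identifier, e.g. "VULN-0001"
	Asset          string     // hostname or image the finding applies to
	VendorCritical bool       // vendor-assessed critical (2023 guidance)
	KnownExploited bool       // listed as known exploited
	Released       time.Time  // when the vendor fix became available
	Patched        *time.Time // nil while the fix has not been applied
}

// PatchWindow is the maximum time between fix release and application,
// using the two windows stated in the post.
func PatchWindow(f Finding) time.Duration {
	if f.VendorCritical || f.KnownExploited {
		return 48 * time.Hour
	}
	return 14 * 24 * time.Hour
}

type Status string

const (
	Compliant Status = "compliant" // patched on or before the deadline
	Late      Status = "late"      // patched, but after the deadline
	Overdue   Status = "overdue"   // still unpatched and past the deadline
	InWindow  Status = "in-window" // still unpatched, deadline not yet reached
)

// Assess classifies a single finding as of the given time.
func Assess(f Finding, now time.Time) Status {
	deadline := f.Released.Add(PatchWindow(f))
	if f.Patched == nil {
		if now.After(deadline) {
			return Overdue
		}
		return InWindow
	}
	if f.Patched.After(deadline) {
		return Late
	}
	return Compliant
}

// Summarise counts findings per status; the overdue bucket is the one that
// needs action today, the late bucket is the one that shows up in reporting.
func Summarise(findings []Finding, now time.Time) map[Status]int {
	out := map[Status]int{}
	for _, f := range findings {
		out[Assess(f, now)]++
	}
	return out
}

func ts(y int, m time.Month, d, h int) time.Time {
	return time.Date(y, m, d, h, 0, 0, 0, time.UTC)
}

func ptr(t time.Time) *time.Time { return &t }

func main() {
	// Constructed patch records; dates are arbitrary.
	now := ts(2024, time.June, 10, 0)
	findings := []Finding{
		{ID: "VULN-0001", Asset: "web-01", VendorCritical: true, Released: ts(2024, time.June, 1, 0), Patched: ptr(ts(2024, time.June, 2, 12))},
		{ID: "VULN-0002", Asset: "web-02", KnownExploited: true, Released: ts(2024, time.June, 1, 0), Patched: ptr(ts(2024, time.June, 4, 0))},
		{ID: "VULN-0003", Asset: "app-01", Released: ts(2024, time.June, 1, 0)},
		{ID: "VULN-0004", Asset: "app-02", Released: ts(2024, time.May, 1, 0)},
	}
	for _, f := range findings {
		fmt.Printf("%s %-7s %s\n", f.ID, f.Asset, Assess(f, now))
	}
	fmt.Println(Summarise(findings, now))
}
```

Feed it from whatever your scanner or ticketing system exports; the only inputs it needs are the fix release time, the patch time if any, and the two severity flags. Note that the window is measured from the vendor's release, not from when the finding was first logged internally, which is the reading the post's wording supports.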
How can Chainguard help?
Chainguard provides the building blocks for a secure open source software supply chain, abstracting away much of the vulnerability assessment and management for security and developers, and providing attestations and provenance for software out of the box.
Chainguard’s product portfolio includes Chainguard Containers, Chainguard Libraries, and Chainguard VMs. These products have the following features that help customers meet the Essential Eight, ISM, and IRAP requirements:
Minimal attack surface: Chainguard Containers are minimal. Powered by the distroless Chainguard OS, they include only the software necessary to run the application. These purpose-built production images omit package managers and shells to shrink the attack surface, do not run as root, and remove bloat that potentially contains vulnerabilities.
Hardened by design: Protecting against exploits from a range of memory safety issues by compiling with enhanced compiler hardening flags.
Transparent by design: Build-time generated Software Bill of Materials (SBOMs) and digitally-signed attestations provide complete transparency into an artifact’s build date and configuration, ensuring full reproducibility and provenance.
Vulnerability Elimination: Because they are fully rebuilt daily from source, Chainguard artifacts limit the potential for vulnerabilities in software, often patching CVEs before scanners are aware of them, with a constantly updated security advisory feed capturing CVEs removed and those pending upstream fixes for Chainguard container images. According to our analysis, 80% of Chainguard OS updates happen within 24 hours. Of these, the majority happen within 8 hours. The median time to update is 4 hours.
The Chainguard product portfolio is underpinned by Chainguard OS and rebuilt through the Chainguard Factory. Chainguard OS is a purpose-built Linux distribution bootstrapped by Chainguard, where every component is always up to date. By combining Chainguard OS with the world-class build infrastructure and automation in its Factory, Chainguard continuously rebuilds software directly from upstream sources, capturing the latest security updates, new functionality improvements, and performance optimisation.
Learn more about how Chainguard can help your organisation with its compliance, security, and developer velocity challenges in our upcoming webinar! Register here.