Digital Government Solutions That Serve Citizens Better

An Information Security Registered Assessors Program (IRAP) assessment is conducted by an ASD-certified assessor — that's not us, and you should be wary of any vendor claiming to do their own IRAP assessment. What we do is design and build systems that are genuinely ready for IRAP assessment: we map system controls to the ACSC's Information Security Manual (ISM) from the architecture phase, implement the Essential Eight mitigation strategies (application control, patching applications and OS, restricting Microsoft Office macros, user application hardening, restricting admin privileges, patching OS, MFA and regular backups) at the appropriate maturity level for your system's risk profile, and produce the security documentation artefacts that an IRAP assessor will request. We've worked alongside multiple IRAP assessors across federal and state government engagements.

We are registered on the Digital Marketplace (now the DITESA ICT Procurement Panel) under relevant categories including software development and cloud services. We can also be engaged via state government standing offer arrangements including the NSW Government ICT Services Scheme, the Victorian Government Technology Products and Services panel, and Queensland Government QAssure. For smaller local government engagements below the mandatory tender threshold, we can be engaged directly. If your agency requires engagement via a specific panel arrangement that we're not currently on, talk to us — panel registration processes are straightforward and we can usually be onboarded within four to six weeks.

The Australian Government's Digital Identity system (built on the Trusted Digital Identity Framework) provides a federated identity layer that lets citizens authenticate once using their myGovID credential and access multiple government services. We implement OIDC/OAuth 2.0 integration with the identity exchange (currently administered by Services Australia) following the TDIF technical specifications. For state government services, we also integrate with state-level identity providers including the NSW Digital ID (Service NSW account), the Victorian Digital Identity and similar schemes. Beyond authentication, we implement the claims and attributes API to retrieve pre-verified identity information (name, DOB, address) to pre-populate forms — a significant citizen experience improvement.

Australia's Protective Security Policy Framework (PSPF) defines the handling requirements for OFFICIAL, OFFICIAL:Sensitive and PROTECTED data. For OFFICIAL and OFFICIAL:Sensitive systems, we typically deploy to commercial Azure Government or AWS GovCloud (Sydney) regions with appropriate encryption, access controls and audit logging. For PROTECTED systems, the PSPF requires storage on infrastructure with explicit PROTECTED authorisation — currently a small number of certified providers including Microsoft Azure (with PROTECTED assessment), AWS and some on-premises managed environments. We design systems with data classification in mind from the start, including appropriate labelling, handling procedures for API consumers, and the access control architecture needed to enforce classification boundaries.

Yes. The DTA's Digital Service Standard (and equivalent state frameworks like the NSW Digital Design System and the Victorian Digital Service Standard) require a user-centred, iterative delivery approach. We're comfortable operating in the delivery model these frameworks prescribe: discovery phases producing validated problem statements and user research insights; alpha phases producing low-fidelity prototypes tested with real users; beta phases delivering progressively complete services; and live phases with ongoing continuous improvement. We use Jira and Confluence for delivery transparency (standard across most government ICT environments), and our delivery leads are familiar with the reporting cadences and governance artefacts required by government programme management offices.