The Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 – modernising Australia’s transport security framework to address a rapidly evolving threat landscape 

On 27 March 2025, the Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 (TSA Act) received Royal Assent. This landmark legislation substantially reforms the Aviation Transport Security Act 2004 (ATSA) and the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA), modernising Australia’s transport security framework to address a rapidly evolving threat landscape.

One of the most significant amendments under the TSA Act is the introduction of the concept of ‘operational interference’ – a shift that broadens the purpose of the legislation beyond protection against unlawful physical acts. The TSA Act enables an ‘all-hazards’ approach that aligns more closely with the risk management principles established under the Security of Critical Infrastructure Act 2018 (SOCI Act) for a defined set of hazard types.

For aviation and maritime industry participants, the application of an all-hazards approach marks a clear evolution from a prescribed, compliance-based regime focused on granting access to secure zones to a risk- and principles-based, outcomes-focused risk management model that requires the mitigation of a far broader range of risks (also known as hazards).

A legacy of zone-based security

The original ATSA and MTOFSA legislative frameworks were introduced in the early 2000s in response to global terrorism concerns, particularly following the terrorist events of 9/11. These frameworks focus heavily on physical security within defined secure areas, such as aviation secure areas and maritime or offshore security zones. Regulated participants are required to develop and maintain security programs aimed at preventing unlawful interference within these designated zones.

Over time, however, the range of threats has shifted and expanded – now including cyber attacks, insider threats, and cascading disruptions from natural hazards. Events such as the COVID-19 pandemic and increasing global geopolitical instability have also exposed vulnerabilities in Australia’s supply chain and logistics networks, broadening the array of threats well beyond what can be mitigated by protecting physical infrastructure through access control of zones.

A modernised framework for evolving threats

To respond to this broader threat environment, the TSA Act introduces enhanced obligations for regulated participants. These obligations include meeting new minimum security standards which must be embedded in transport security programs or plans. A key addition is the requirement for aviation industry participants to undertake a formal security assessment, which becomes a core component of their transport security program – bringing them into alignment with maritime participants, for whom this requirement was already in place.

Aviation and maritime industry participants are expected to demonstrate how the outcomes of the security assessment will be implemented through practical measures and procedures. This marks a clear shift toward embedding risk-based thinking, and risk mitigation that protects operational outcomes, into regulatory compliance.

To support continued assurance, the TSA Act also introduces a new obligation to submit an annual Statement of Compliance to the regulator, confirming whether the security assessment and the measures and procedures documented in the security program or plan remain current and effective.

Rethinking personnel security beyond ASIC and MSIC

Historically, personnel security in the transport sector has centred on the requirement to hold an Aviation Security Identification Card (ASIC) or a Maritime Security Identification Card (MSIC). These cards are required for individuals who have an operational need to access secure areas of security-controlled airports, maritime ports, or offshore facilities.

While not access passes in themselves, ASIC and MSIC indicate that the holder has passed a mandatory AusCheck background check and is not considered to pose a significant risk to transport infrastructure and operations.

The AusCheck background check that underpins ASIC and MSIC schemes includes:

  • Criminal history check
  • Criminal intelligence assessment
  • National security assessment conducted by ASIO
  • Right to work in Australia check
  • Identity verification.

These point-in-time checks were originally designed to address the risk of unlawful interference, with a primary focus on terrorism and serious or organised crime. However, the evolving threat environment – coupled with the introduction of operational interference as a legislative concept under the TSA Act – demands a broader and more adaptive approach to personnel security.

When compared to security clearance processes used in national security contexts, which may involve financial history checks, digital footprint assessments, psychological evaluations, and structured security interviews, the ASIC and MSIC schemes are limited in scope and do not address contemporary threats. Most critically, they apply only to individuals with physical access to regulated secure areas, with few exceptions.

Yet, many personnel who influence transport security today might not fall within ASIC/MSIC eligibility. For example, this might include:

  • IT and cyber security staff with remote or administrative access to critical operational systems and networks
  • third-party logistics and warehousing providers with system-level integration access but no physical presence in secure zones
  • cloud service providers and external software vendors managing sensitive data or digital infrastructure critical to operations
  • control system integrators and OT engineers with the ability to remotely monitor or manipulate key transport assets
  • remote maintenance technicians or OEM engineers who provide diagnostics, software updates, or support for offshore control systems (such as subsea equipment or drilling platforms) without physically accessing the facility
  • specialist consultants or contractors involved in risk assessments, emergency planning, or infrastructure design who gain access to sensitive information without ever entering a secure area.

At present, the government has not indicated any plans to expand the AusCheck background check to address these gaps. In the absence of expanded regulation, transport security participants should consider taking proactive steps to gain assurance over a broader cohort of personnel, appreciating the AusCheck service may not deliver the information required to mitigate threats from people.

Additional checking that may be required includes:

  • risk-based pre-employment screening and continuous suitability monitoring
  • supplier pre-qualification processes to vet third-party personnel with remote access to critical assets
  • behavioural monitoring to support early detection of potential insider threats
  • clear reporting mechanisms that encourage the identification and escalation of concerning or aberrant behaviours or anomalies
  • development of internal personnel security frameworks that reflect the nature of access – whether physical, digital, or contractual.

These measures could form part of a comprehensive insider threat program, which is essential under the all-hazards security approach mandated by the TSA Act.

Strategic considerations for the transition

The Department of Home Affairs is currently developing amendments to the Aviation Transport Security Regulations 2005 and the Maritime Transport and Offshore Facilities Security Regulations 2003 to reflect the changes introduced by the TSA Act. Exposure draft regulations are expected to be released for consultation later in 2025.

Nonetheless, industry participants should begin preparing now. The experience of SOCI-regulated entities, which have been implementing an all-hazards security approach since 2023, offers valuable insights into the likely obligations that will apply.

Here are five strategic priorities to consider that align with the SOCI Act security obligations:

1. Conduct an enterprise-level security risk assessment

Expand beyond traditional physical security risks to include cyber threats, supply chain dependencies, insider threats, and third-party vulnerabilities.

2. Review your compliance with the relevant cyber security framework

Ensure your organisation’s cyber security measures align with the framework identified in your security program or plan. This should include both technical controls and governance maturity.

3. Review personnel assurance measures

Identify critical roles or critical workers and develop alternative strategies to assess personnel suitability and mitigate human-based risks for this group as a minimum.

4. Map your supply chain and evaluate dependencies

Identify your major suppliers and service providers. Understand who has access to your operations – not just physically, but through systems, data, and contractual relationships.

5. Establish cross-functional security governance

Effective security requires collaboration across the business. Involve risk, operations, IT, HR, legal, procurement, and executive leadership in a unified governance structure.

Conclusion

The TSA Act 2025 represents a generational shift in how Australia secures its aviation and maritime transport sectors. Moving beyond managing access to static physical zones, the legislation calls on the industry to build adaptive, intelligence-led, risk-based security capabilities that reflect the interconnected and digital nature of modern transport operations and the array of contemporary and foreseeable threats.

By acting now and investing in a comprehensive understanding of operational threats, particularly those emerging from within systems and people, industry participants can meet regulatory expectations and also strengthen operational resilience in an increasingly complex geostrategic environment.

At Pentagram Advisory, we bring deep expertise to assist transport and critical infrastructure entities through this significant transition to achieve an effective security capability. From strategic advisory services to practical implementation tools, Pentagram’s team stands ready to help you navigate this next phase in Australia’s transport security evolution to protect critical assets and operations.
