The Australian government's Department of the Treasury has released a request for information (RFI) around procuring a modern security solution to support a hybrid environment.
Treasury is seeking to strengthen its existing security controls to deliver consistent, unified visibility, policy enforcement, and threat protection across internet traffic and cloud applications.
This need is driven by the growing distribution of users and data beyond traditional network boundaries.
Treasury is transitioning from a perimeter-based security model to a cloud-native Zero Trust architecture to ensure secure access and protection in a modern, distributed environment.
The objective of the RFI is to inform Treasury’s options for future networking and cyber security capabilities.
It also seeks to understand how modern solutions can improve visibility and control over web and cloud application usage, including sanctioned and unsanctioned services, and the use of AI applications; protect Treasury information from threats, data loss, and unauthorised access; enable consistent enforcement of security and data protection policies regardless of user location or device; and reduce security risks associated with direct internet access, shadow IT, AI and cloud service adoption.
Treasury’s current operating environment includes a highly mobile workforce (estimated around 2,500 users), increasing reliance on Software-as-a-Service (SaaS) platforms, and access to sensitive information from both on-premises and remote work locations.
This RFI will inform Treasury’s understanding of available market capabilities, associated costs (inclusive of any infrastructure or networking costs), and assist in determining potential approaches to enhancing web and cloud security in a manner that supports secure, flexible, and modern ways of working.
The potential supplier must have successfully completed an independent Information Security Registered Assessors Program (IRAP) assessment at the PROTECTED level, conducted by an Australian Signals Directorate (ASD) accredited assessor.
The solution must also ensure that all data (including backups, metadata, logs, and disaster recovery copies) is hosted and processed exclusively within Australia. No data may be accessed, transferred, or stored outside this jurisdiction, including by subcontractors or cloud service providers.
The RFI closes 8 March 2026 at 11:59pm, Canberra time.
.png&h=142&w=230&c=1&s=1)
.jpg&h=142&w=230&c=1&s=1)
.jpg&w=100&c=1&s=0)
_(1).jpg&q=95&h=298&w=480&c=1&s=1)
