Skip to main content

There are three tiers of rules that guide the procurement decisions of Australian Government officials. The top two tiers are mandatory and apply to all agencies - they are also universal in nature as they apply to all forms of procurement.

These are outlined in the Commonwealth Resource Management Framework and the Commonwealth Procurement Framework. 14 In addition, security requirements are set out in the Protective Security Policy Framework.

Below this, there is a third tier of rules that are created by individual agencies. These rules are agency-specific policies and guidelines that interpret the central rules and provide practical advice to officials on how procurement should be conducted. These rules can apply to ICT procurement specifically or to all forms of procurement.

Outside of specific procurement rules, there is a range of other legislation that guides the actions of government officials. For example, the Public Service Act 1999 and the Crimes Act 1914 require officials to ensure the proper use of resources, act ethically and manage any conflicts of interest.

Overview of rules relating to Australian Government procurement - Australian Government procurement is affected by a number of rules, which are both whole-of-government and agency-specific.
The Resource Management Framework is whole-of-government. It governs how government resources are used and specifies how government policies (such as risk management, internal controls and the use of cloud services) should be applied. This includes the Public Governance, Performance and Accountability Act 2013 (PGPA Act), PGPA Rules, and Financial Reporting Rules.
The Procurement framework and other rules are whole-of-government. The procurement framework is a flexible, principles-based framework which governs how procurement is undertaken. Key principles include value for money, encouraging competition, ethical behaviour and transparency. This gives effect to international obligations, mandating when open tenders are required, and outlining non-discriminatory processes and reporting requirements. The Commonwealth Procurement Rules, Department of Finance Procurement Policies and Procurement Connected Policies (such as the Indigenous Procurement Policy) are part of the procurement framework.
Other whole-of-government rules that affect ICT procurement are the Protective Security Policy Framework and the Information Security Manual. These outline the security requirements around Australian Government ICT and information.
Agency specific policies and rules govern how procurement is undertaken within agencies. They provide operational rules and processes, such as the number of quotes or the minimum insurance required. As these rules are set by agencies, they can differ markedly throughout government. These policies include Accountable Authority Instructions, Internal procedure and operational guidelines.
Other legislation and international obligations can impact ICT procurement. These include the Public Service Act and Crimes Act, competition policy, and trade agreements (including those with the USA, New Zealand, Chile and Singapore).

Key procurement principles: value for money and flexibility

The Commonwealth Procurement Rules, under the Commonwealth Procurement Framework, set out key principles for procurement.

Value for money is a core principle of the Commonwealth Procurement Rules. Achieving value for money requires government officials to consider relevant financial and non-financial costs and benefits such as quality, fitness for purpose, flexibility (including innovation) and whole-of-life costs. Under the rules, officials must also establish risk management processes when conducting a procurement and be satisfied that risks have been properly considered and treated. 16 This includes the security risks detailed in the Protective Security Policy Framework. The Framework provides policy, guidance and advice for governance, personnel, physical and information security (including for ICT systems).

Case Study: Cloud Services Panel and ASD Certification

Secured ICT systems e.g. those used to process or transmit sensitive data must first pass through a security accreditation process. This consists of three phases: audit, certification, and accreditation. Although accreditation for most systems is conducted on an agency-by-agency basis, the Australian Signals Directorate (ASD) must conduct all certifications of cloud products (certified providers are on the ASD website). These certification requirements are specified in the Information Security Manual.

Of the 110 current providers on the whole-of-government Cloud Services Panel (panels are a key government procurement mechanism) only five have certified systems. As non-certified providers can't provide cloud services until certified; this may impact on procurement from these businesses. The limited number of certified cloud providers could also affect take-up of cloud services across government.

Key considerations for Australian Government procurement decisions - There are two categories of considerations when procuring for government: Value for money and risk.
Value for money includes the Quality of the goods and services, whether they are fit for purpose, whether the vendor has relevant experience, the flexibility of the proposal (including whether the proposal allows for new or innovative ideas), and Environmental sustainability and whole-of-life costs.
Risk includes: ensuring that processes are established for the identification, analysis and treatment of risk; Considering the potential impacts on value for money, approvals and contract terms; and ensuring that particular risks are borne by the party best placed to manage them.

Australia is a party to a range of bilateral free trade arrangements. International obligations arising from these agreements are reflected in the current Commonwealth Procurement Rules and must be considered in the development of any new rules.

The Commonwealth Procurement Rules do not formally prevent agencies from buying innovative technologies and services. Innovation can be taken into account under the "flexibility of proposal" criteria (above). In addition, the Commonwealth Procurement Rules also allow agencies to contract with industry following unsolicited proposals, as long as value for money is achieved. While the Commonwealth Procurement Rules are flexible in-principle, in combination with agency-specific rules, security requirements and contract terms, they may constrain innovative ICT technologies entering into government.

Agency-specific rules

The implementation of the Commonwealth Procurement Rules differs across agencies. The devolved nature of the Procurement Framework means that each agency can establish a third tier of rules in response to their particular business needs and risk appetite.

In practice, this means that each agency can create additional agency-specific rules or internal processes. These rules may not be publicly available and create a wide diversity of requirements across Australian Government agencies. The impact of this is that vendors must learn multiple sets of rules if they wish to contract with more than one agency. Navigating these rules can consume additional time and resources without guarantee of return.

Role of ICT panels

Panel arrangements are a key mechanism used by the Australian Government to streamline procurement. In a panel arrangement, an initial approach to market is made and a number of suppliers are selected – after which procurement from selected panel suppliers can be made directly, removing the need to re-approach the market. This can mean a more streamlined and efficient process for procurers. In 2015-16, over 35 per cent of government ICT contracts by number, and almost 30 per cent by value were procured through panel arrangements.

Panels can be established at a whole-of-government level or created by individual agencies. There are currently almost 70 ICT and engineering services panels across government. Agencies that need to purchase certain ICT products such as telecommunications, end-user hardware and data centres 18 must purchase them through seven specific whole-of-government panels. It is estimated that the implementation of mandatory whole-of-government ICT panels has resulted in over $1.2 billion of cost reductions and savings since their introduction in 2008.

Despite the cost savings for government, for industry members getting onto panels can be resource intensive and there is no guarantee of work once a business is on a government panel. Panels may also require certifications or indemnities that some businesses are unable or unwilling to give. In addition, panels are often for fixed terms, which can make it difficult for new businesses to get onto existing panels. As such, panel processes and conditions create barriers to working with government.

The Department of Finance provides model contracts to simplify ICT procurement through the SourceIT contract suite. Model contracts exist for simple ICT procurement (e.g. hardware acquisition) and semi-complex ICT services (e.g. systems integration). In addition, there is ongoing work to simplify government ICT procurement. For example, the Digital Marketplace aims to make it much easier for businesses to connect, transact and collaborate with government buyers. Currently, all sellers listed on the Digital Marketplace are members of the Australian Government’s Digital Service Professionals Panel. In addition to Australian Government buyers, the Marketplace is open to local, state and territory government buyers. 20

The Department of Finance is also developing standardised templates for new panel arrangements. These templates are designed to be used for all government procurement and include the option to create a refreshable panel where new businesses can be added during the life of the panel. The whole-of-government Cloud Services Panel arrangement is an example of this new approach.


  • 6. Are the Australian Government's procurement rules easily accessible, easy to understand and navigate?
  • 7. How could the Australian Government's procurement rules and processes be improved to make it easier to offer innovative solutions to government?
  • 8. What rules, including any security requirements, limit the Australian Government's use of cloud services?