Overview · for boards and procurement

If you sign the attestation, this is for you.

cirmp AI is an Australian-owned compliance engine being built to write the Critical Infrastructure Risk Management Program (CIRMP) pack the board signs every year. It reads the security and IT tool exports you already produce. It assembles the four-hazard report. Your CISO signs. The board attests.

What is this, in plain English?

The regulation. The problem today. What cirmp AI does.

01 · The regulation

SOCI Act 2018, s.30AC, requires responsible entities of covered asset classes to maintain a written Critical Infrastructure Risk Management Program. The board attests once a year under s.30AG. False or misleading attestation carries civil penalty exposure.

02 · The problem today

The pack is assembled by hand. Spreadsheets, SharePoint folders, vendor exports, a consultancy retainer. Cost lands somewhere between an annual audit and a small refurb. Same scramble next year.

03 · What cirmp AI does

It is being built to read the security and IT tool exports you already produce, draft the four-hazard CIRMP report with a citation for every line, and let your CISO and board sign the SHA-256-sealed PDF. Continuous, not annual. Watch the engine demo run a pack end to end.

What you walk away with

One signed PDF. Four hazard domains.

One pack. Every line cited. The board attests to a single signed artefact your regulator can verify offline.

Illustrative · pre-release preview

Illustrative pack · Energy entity

CIRMP attestation · Q3 FY26

Northern Water Authority
s.30AG annual attestation

p. 1 / 84

14 Mar 2026

4.2   Cyber and information security hazard

The responsible entity maintains a cyber security framework aligned to AESCSF[A] covering its operational technology estate. Identity controls enforce phishing-resistant MFA for all privileged access per Essential Eight ML2[B], evidenced by Microsoft Entra exports dated 11 Mar 2026[C]. Patch cadence for internet-facing services remains within 48 hours (CrowdStrike Falcon, March cycle)[D].

4.2.1   Material risks identified

  • Legacy SCADA at Mt Crawford. Vendor support to Dec 2027. Compensating control: segregated VLAN, OT firewall ruleset frozen.
  • Third-party SIEM access reduced from 7 to 2 named operators following Mar 4 review.

SHA-256 · 9f3c…b14e · sealed

Reasoning trail · 4 citations

  • [A] AESCSF framework mapping · aescsf-v2-mapping.xlsx · IDM 02:14
  • [B] Entra ID. MFA policy · entra-export-2026-03-11.json · IDM 02:21
  • [C] Entra ID. Privileged users · priv-users-2026-03-11.csv · IDM 02:21
  • [D] CrowdStrike Falcon. March cycle · falcon_posture_export_apr_2026.csv · IDM 02:28

offline-verifiable · view all 271 →
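What "offline-verifiable" and "every line cited" mean in practice, as an added example that is not cirmp AI's own code and does not reflect its actual pack format: the verifier recomputes the SHA-256 digest of the pack bytes it was handed, compares it in constant time against the digest recorded at sealing, and checks that every bracketed citation letter in a section resolves to an evidence file in the reasoning trail. The sample pack bytes, section text and trail below are constructed for the example; the seal-record shape is an assumption.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the sealed PDF bytes. A real pack would be the full
# PDF as delivered; the content here only needs to be stable for the demo.
SAMPLE_PACK_BYTES = b"%PDF-1.7\n% constructed sample pack, not a real CIRMP\n"

# Constructed excerpt modelled on the illustrative section 4.2 above.
SAMPLE_SECTION_TEXT = (
    "Framework aligned to AESCSF[A]. Phishing-resistant MFA per Essential Eight "
    "ML2[B], evidenced by Entra exports dated 11 Mar 2026[C]. Patch cadence "
    "within 48 hours (CrowdStrike Falcon, March cycle)[D]."
)

# Constructed reasoning trail: citation letter -> evidence file it points at.
SAMPLE_TRAIL = {
    "A": "aescsf-v2-mapping.xlsx",
    "B": "entra-export-2026-03-11.json",
    "C": "priv-users-2026-03-11.csv",
    "D": "falcon_posture_export_apr_2026.csv",
}

CITATION_RE = re.compile(r"\[([A-Z])\]")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, streamed so large packs need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# The digest the sealing step would have recorded alongside the pack
# (assumption: the seal is simply the hex SHA-256 of the PDF bytes).
SAMPLE_SEAL_HEX = sha256_hex(SAMPLE_PACK_BYTES)


def verify_seal(pack_bytes: bytes, recorded_hex: str) -> bool:
    """True when the pack bytes hash to the recorded seal.

    compare_digest avoids leaking match position through timing; it also
    normalises case so an upper-case seal record still verifies.
    """
    return hmac.compare_digest(sha256_hex(pack_bytes), recorded_hex.strip().lower())


def cited_letters(section_text: str) -> list:
    """Sorted, de-duplicated citation letters found in a section."""
    return sorted(set(CITATION_RE.findall(section_text)))


def unresolved_citations(section_text: str, trail: dict) -> list:
    """Citation letters in the text that have no evidence entry in the trail."""
    return sorted(set(cited_letters(section_text)) - set(trail))


def verify_pack(pack_bytes: bytes, recorded_hex: str,
                section_text: str, trail: dict) -> dict:
    """Combined offline check: seal intact and every citation backed by evidence."""
    missing = unresolved_citations(section_text, trail)
    seal_ok = verify_seal(pack_bytes, recorded_hex)
    return {
        "seal_ok": seal_ok,
        "cited": cited_letters(section_text),
        "missing_evidence": missing,
        "verified": seal_ok and not missing,
    }


if __name__ == "__main__":
    result = verify_pack(SAMPLE_PACK_BYTES, SAMPLE_SEAL_HEX,
                         SAMPLE_SECTION_TEXT, SAMPLE_TRAIL)
    print(result)
    # A single flipped byte in the delivered PDF breaks the seal.
    tampered = verify_pack(SAMPLE_PACK_BYTES + b" ", SAMPLE_SEAL_HEX,
                           SAMPLE_SECTION_TEXT, SAMPLE_TRAIL)
    print("tampered verified:", tampered["verified"])
```

The seal check needs nothing but the PDF and the recorded digest, which is what lets a regulator run it with no network access; the citation check is what turns "every line cited" into something a reviewer can test rather than take on trust. Neither step proves the evidence files themselves are genuine, which is why a real trail would also carry a digest per evidence export.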

Cyber and information security

The risks of an attack or breach landing on the asset's systems.

Personnel

The risks from people inside or close to the operation. Insider threat, hiring practice, training gaps.

Supply chain

The risks from suppliers and vendors that touch the asset.

Physical and natural

The risks from physical attack, sabotage, fire, flood, and other natural hazards.

Engine demo

See the engine assemble a pack →

Pick an entity. Watch ingest, four-hazard assembly, and SHA-256 seal run end to end in real time.

Try the engine

What it costs you

Continuous engagement. Not a one-off audit.

Two parts. Implementation up front, sized to your environment. Then four CIRMP cycles a year, engine always on between them. We don't publish dollar figures on this page. Talk to us about pricing.

Talk to us about pricing

The next cycle

Twenty minutes.
See it assemble itself.

See a sample CIRMP pack assembled live from real-world exports.

Book a walkthrough

See the live demo